Merge remote-tracking branch 'origin/eSense_eIDAS_development' into eSense_eIDAS_development

9 files changed, 610 insertions, 97 deletions

diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java
index 9f347b4ee..1d4556459 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java
@@ -28,8 +28,8 @@ package at.gv.egovernment.moa.id.auth.modules.eidas;
  */
 public class Constants {
 
-	//public static final String eIDAS_SAML_ENGINE_NAME = "MOA_eIDASEninge";
 	public static final String eIDAS_SAML_ENGINE_NAME = "default";
+	public static final String SSLSOCKETFACTORYNAME = "eIDASMetadataSSLSocketFactory";
 		
 	//default keys for eIDAS SAML-engine configuration
 	public static final String eIDAS_SAML_ENGINE_NAME_ID_BASICCONFIG = "SamlEngineConf";
@@ -45,20 +45,30 @@ public class Constants {
 	public static final String CONIG_PROPS_EIDAS_PREFIX="moa.id.protocols.eIDAS";
 	public static final String CONIG_PROPS_EIDAS_SAMLENGINE="samlengine";
 	public static final String CONIG_PROPS_EIDAS_SAMLENGINE_PREFIX=CONIG_PROPS_EIDAS_PREFIX + "." + CONIG_PROPS_EIDAS_SAMLENGINE;
-	public static final String CONIG_PROPS_EIDAS_SAMLENGINE_BASIC_CONFIGFILE = CONIG_PROPS_EIDAS_SAMLENGINE_PREFIX + ".config.file";
-	
+	public static final String CONIG_PROPS_EIDAS_SAMLENGINE_BASIC_CONFIGFILE = CONIG_PROPS_EIDAS_SAMLENGINE_PREFIX + ".config.file";	
 	public static final String CONIG_PROPS_EIDAS_SAMLENGINE_SIGN="sign";
 	public static final String CONIG_PROPS_EIDAS_SAMLENGINE_ENCRYPT="enc";
 	public static final String CONIG_PROPS_EIDAS_SAMLENGINE_SIGN_CONFIGFILE = CONIG_PROPS_EIDAS_SAMLENGINE_PREFIX + "." 
 			+ CONIG_PROPS_EIDAS_SAMLENGINE_SIGN + ".config.file";
 	public static final String CONIG_PROPS_EIDAS_SAMLENGINE_ENC_CONFIGFILE = CONIG_PROPS_EIDAS_SAMLENGINE_PREFIX + "." 
-			+ CONIG_PROPS_EIDAS_SAMLENGINE_ENCRYPT + ".config.file";
+			+ CONIG_PROPS_EIDAS_SAMLENGINE_ENCRYPT + ".config.file";	
+	public static final String CONIG_PROPS_EIDAS_METADATA_VALIDATION_TRUSTSTORE = CONIG_PROPS_EIDAS_PREFIX + ".metadata.validation.truststore";
 	
-	public static final long CONFIG_PROPS_SKEWTIME = 2 * 60 * 1000;  //2 minutes skew time for response validation
+	//timeouts and clock skews
+	public static final long CONFIG_PROPS_SKEWTIME = 2 * 60 * 1000;  			//2 minutes skew time for response validation
+	public static final int CONFIG_PROPS_METADATA_SOCKED_TIMEOUT = 20 * 1000;  	//20 seconds metadata socked timeout
 	
+	//eIDAS attribute names
 	public static final String eIDAS_ATTR_PERSONALIDENTIFIER = "PersonIdentifier";
 	public static final String eIDAS_ATTR_DATEOFBIRTH = "DateOfBirth";
 	public static final String eIDAS_ATTR_CURRENTGIVENNAME = "CurrentGivenName";
 	public static final String eIDAS_ATTR_CURRENTFAMILYNAME = "CurrentFamilyName";
+		
+	//http endpoint descriptions
+	public static final String eIDAS_HTTP_ENDPOINT_SP_POST = "/eidas/sp/post";
+	public static final String eIDAS_HTTP_ENDPOINT_SP_REDIRECT = "/eidas/sp/redirect";
+	public static final String eIDAS_HTTP_ENDPOINT_IDP_POST = "/eidas/idp/post";
+	public static final String eIDAS_HTTP_ENDPOINT_IDP_REDIRECT = "/eidas/idp/redirect";
+	public static final String eIDAS_HTTP_ENDPOINT_METADATA = "/eidas/metadata";
 	
 }
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/eIDASSignalServlet.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/eIDASSignalServlet.java
index 556947572..49f0451cb 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/eIDASSignalServlet.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/eIDASSignalServlet.java
@@ -22,30 +22,19 @@
  */
 package at.gv.egovernment.moa.id.auth.modules.eidas;
 
-import java.io.ByteArrayInputStream;
-
 import javax.servlet.annotation.WebServlet;
 import javax.servlet.http.HttpServletRequest;
-import javax.xml.xpath.XPath;
-import javax.xml.xpath.XPathConstants;
-import javax.xml.xpath.XPathExpression;
-import javax.xml.xpath.XPathFactory;
 
 import org.apache.commons.lang.StringEscapeUtils;
-import org.apache.commons.lang3.StringUtils;
-import org.springframework.util.xml.SimpleNamespaceContext;
-import org.w3c.dom.Document;
 
-import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
 import at.gv.egovernment.moa.id.auth.servlet.ProcessEngineSignalServlet;
 import at.gv.egovernment.moa.logging.Logger;
-import at.gv.egovernment.moa.util.Base64Utils;
 
 /**
  * @author tlenz
  *
  */
-@WebServlet(urlPatterns = { "/eidas/post",  "/eidas/redirect"}, loadOnStartup = 1)
+@WebServlet(urlPatterns = { "/eidas/sp/post",  "/eidas/sp/redirect"}, loadOnStartup = 1)
 public class eIDASSignalServlet extends ProcessEngineSignalServlet {
 
 	private static final long serialVersionUID = 8215688005533754459L;
@@ -53,7 +42,7 @@ public class eIDASSignalServlet extends ProcessEngineSignalServlet {
 	public eIDASSignalServlet() {
 		super();
 		Logger.debug("Registering servlet " + getClass().getName() + 
-				" with mappings '/eidas/post' and '/eidas/redirect'.");
+				" with mappings '/eidas/sp/post' and '/eidas/sp/redirect'.");
 		
 	}
 	
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java
new file mode 100644
index 000000000..f1b14015b
--- /dev/null
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java
@@ -0,0 +1,290 @@
+package at.gv.egovernment.moa.id.auth.modules.eidas.engine;
+
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Timer;
+
+import javax.net.ssl.SSLHandshakeException;
+import javax.xml.namespace.QName;
+
+import org.apache.commons.httpclient.MOAHttpClient;
+import org.apache.commons.httpclient.params.HttpClientParams;
+import org.opensaml.saml2.metadata.EntitiesDescriptor;
+import org.opensaml.saml2.metadata.EntityDescriptor;
+import org.opensaml.saml2.metadata.RoleDescriptor;
+import org.opensaml.saml2.metadata.provider.ChainingMetadataProvider;
+import org.opensaml.saml2.metadata.provider.HTTPMetadataProvider;
+import org.opensaml.saml2.metadata.provider.MetadataFilter;
+import org.opensaml.saml2.metadata.provider.MetadataProvider;
+import org.opensaml.saml2.metadata.provider.MetadataProviderException;
+import org.opensaml.saml2.metadata.provider.ObservableMetadataProvider;
+import org.opensaml.xml.XMLObject;
+
+import at.gv.egovernment.moa.id.auth.modules.eidas.Constants;
+import at.gv.egovernment.moa.id.commons.ex.MOAHttpProtocolSocketFactoryException;
+import at.gv.egovernment.moa.id.commons.utils.MOAHttpProtocolSocketFactory;
+import at.gv.egovernment.moa.id.config.auth.AuthConfiguration;
+import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
+import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SchemaValidationException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SignatureValidationException;
+import at.gv.egovernment.moa.id.saml2.MetadataFilterChain;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
+import eu.eidas.auth.engine.AbstractSAMLEngine;
+
+public class MOAeIDASChainingMetadataProvider implements ObservableMetadataProvider {
+
+	private static MOAeIDASChainingMetadataProvider instance = null;
+	private static Object mutex = new Object();
+	
+	private MetadataProvider internalProvider;
+	
+	
+	public static MOAeIDASChainingMetadataProvider getInstance() {
+		if (instance == null) {
+			synchronized (mutex) {
+				if (instance == null) {
+					instance = new MOAeIDASChainingMetadataProvider();
+				}
+			}
+		}
+		return instance;
+	}
+	
+	
+	private MOAeIDASChainingMetadataProvider() {
+		internalProvider = new ChainingMetadataProvider();
+		
+	}
+	    
+	private HTTPMetadataProvider createNewHTTPMetaDataProvider(String metadataURL) {
+		HTTPMetadataProvider httpProvider = null;
+		Timer timer= null;
+		MOAHttpClient httpClient = null;
+		try {
+			AuthConfiguration authConfig = AuthConfigurationProviderFactory.getInstance();
+			
+			httpClient = new MOAHttpClient();
+			
+			HttpClientParams httpClientParams = new HttpClientParams();
+			httpClientParams.setSoTimeout(Constants.CONFIG_PROPS_METADATA_SOCKED_TIMEOUT);
+			httpClient.setParams(httpClientParams);
+			
+			if (metadataURL.startsWith("https:")) {
+				try {
+					MOAHttpProtocolSocketFactory protoSocketFactory = new MOAHttpProtocolSocketFactory(
+							Constants.SSLSOCKETFACTORYNAME, 
+							authConfig.getCertstoreDirectory(), 
+							authConfig.getTrustedCACertificates(),
+							null,
+							AuthConfiguration.DEFAULT_X509_CHAININGMODE, 
+							authConfig.isTrustmanagerrevoationchecking());
+					
+					httpClient.setCustomSSLTrustStore(metadataURL, protoSocketFactory);
+
+				} catch (MOAHttpProtocolSocketFactoryException e) {
+					Logger.warn("MOA SSL-TrustStore can not initialized. Use default Java TrustStore.");
+					
+				}
+			}
+			
+			timer = new Timer();
+			httpProvider = new HTTPMetadataProvider(timer, httpClient, 
+					metadataURL);
+			httpProvider.setParserPool(AbstractSAMLEngine.getNewBasicSecuredParserPool());
+			httpProvider.setRequireValidMetadata(true);
+			httpProvider.setMinRefreshDelay(1000*60*15); //15 minutes
+			httpProvider.setMaxRefreshDelay(1000*60*60*24); //24 hours
+			//httpProvider.setRefreshDelayFactor(0.1F);
+			
+			//add Metadata filters
+			MetadataFilterChain filter = new MetadataFilterChain();
+			filter.addFilter(new MOAeIDASMetadataSignatureFilter(
+					authConfig.getBasicMOAIDConfiguration(Constants.CONIG_PROPS_EIDAS_METADATA_VALIDATION_TRUSTSTORE)));
+			httpProvider.setMetadataFilter(filter);
+			
+			httpProvider.initialize();
+									
+			return httpProvider;
+						
+		} catch (Throwable e) {			
+			if (e.getCause() != null && e.getCause().getCause() instanceof SSLHandshakeException) {
+				Logger.warn("SSL-Server certificate for metadata " 
+						+ metadataURL + " not trusted.", e);
+				
+			} if (e.getCause() != null && e.getCause().getCause() instanceof SignatureValidationException) {				
+				Logger.warn("Signature verification for metadata" 
+						+ metadataURL + " FAILED.", e);
+			
+			} if (e.getCause() != null && e.getCause().getCause() instanceof SchemaValidationException) {
+				Logger.warn("Schema validation for metadata " 
+						+ metadataURL + " FAILED.", e);								
+			}
+			
+			Logger.error(
+					"Failed to add Metadata file for "
+							+ metadataURL + "[ "
+							+ e.getMessage() + " ]", e);
+						
+			if (httpProvider != null) {
+				Logger.debug("Destroy failed Metadata provider");
+				httpProvider.destroy();
+			}
+			
+			if (timer != null) {
+				Logger.debug("Destroy Timer.");
+				timer.cancel();
+			}
+
+			
+		}
+		
+		return null;	
+	}
+
+	private Map<String, HTTPMetadataProvider> getAllActuallyLoadedProviders() {
+		Map<String, HTTPMetadataProvider> loadedproviders = new HashMap<String, HTTPMetadataProvider>();
+		ChainingMetadataProvider chainProvider = (ChainingMetadataProvider) internalProvider;
+		
+		//make a Map of all actually loaded HTTPMetadataProvider
+		List<MetadataProvider> providers = chainProvider.getProviders();
+		for (MetadataProvider provider : providers) {
+			if (provider instanceof HTTPMetadataProvider) {
+				HTTPMetadataProvider httpprovider = (HTTPMetadataProvider) provider;
+				loadedproviders.put(httpprovider.getMetadataURI(), httpprovider);
+
+			}
+		}
+		
+		return loadedproviders;		
+	}
+	
+	public boolean refreshMetadataProvider(String metadataURL) {
+		try {
+			if (MiscUtil.isNotEmpty(metadataURL)) {
+				Map<String, HTTPMetadataProvider> actuallyLoadedProviders = getAllActuallyLoadedProviders();
+
+				// check if MetadataProvider is actually loaded
+				if (actuallyLoadedProviders.containsKey(metadataURL)) {
+					actuallyLoadedProviders.get(metadataURL).refresh();						
+					Logger.info("eIDAS metadata for " 
+							+ metadataURL + " is refreshed.");
+					return true;
+					
+				} else {
+					//load new Metadata Provider				
+					ChainingMetadataProvider chainProvider = (ChainingMetadataProvider) internalProvider;						
+					HTTPMetadataProvider newMetadataProvider = createNewHTTPMetaDataProvider(metadataURL);					
+					chainProvider.addMetadataProvider(newMetadataProvider);
+					
+					emitChangeEvent();
+					Logger.info("eIDAS metadata for " 
+							+ metadataURL + " is added.");
+					return true;
+										
+				}
+														
+			} else
+				Logger.debug("Can not refresh eIDAS metadata: NO eIDAS metadata URL.");
+																								
+		} catch (MetadataProviderException e) {
+			Logger.warn("Refresh eIDAS metadata for " 
+					+ metadataURL + " FAILED.", e);
+			
+		}
+		
+		return false;
+		
+	}
+	
+
+	public boolean requireValidMetadata() {
+		return internalProvider.requireValidMetadata();
+	}
+
+	public void setRequireValidMetadata(boolean requireValidMetadata) {
+		internalProvider.setRequireValidMetadata(requireValidMetadata);
+	}
+
+	public MetadataFilter getMetadataFilter() {
+		return internalProvider.getMetadataFilter();
+	}
+
+	public void setMetadataFilter(MetadataFilter newFilter)
+			throws MetadataProviderException {
+		internalProvider.setMetadataFilter(newFilter);
+	}
+
+	public XMLObject getMetadata() throws MetadataProviderException {
+		return internalProvider.getMetadata();
+	}
+
+	public EntitiesDescriptor getEntitiesDescriptor(String entitiesID)
+			throws MetadataProviderException {
+		Logger.warn("eIDAS metadata not support 'EntitiesDescriptor' elements!");		
+		return null;
+		
+	}
+
+	public EntityDescriptor getEntityDescriptor(String entityID)
+			throws MetadataProviderException {
+		EntityDescriptor entityDesc = null;
+		try {
+			entityDesc = internalProvider.getEntityDescriptor(entityID);
+			if (entityDesc == null) {
+				Logger.debug("Can not find eIDAS metadata for entityID: " + entityID 
+						+ " Start refreshing process ...");
+				if (refreshMetadataProvider(entityID))
+					return internalProvider.getEntityDescriptor(entityID);
+									
+			} else {
+				if (!entityDesc.isValid())
+					if (refreshMetadataProvider(entityID))
+						return internalProvider.getEntityDescriptor(entityID);
+									
+			}
+			
+			
+		} catch (MetadataProviderException e) {
+			Logger.debug("Can not find eIDAS metadata for entityID: " + entityID 
+					+ " Start refreshing process ...");
+			if (refreshMetadataProvider(entityID))
+				return internalProvider.getEntityDescriptor(entityID);
+			
+		}
+		
+		return entityDesc;
+	}
+
+	public List<RoleDescriptor> getRole(String entityID, QName roleName)
+			throws MetadataProviderException {
+		return internalProvider.getRole(entityID, roleName);
+	}
+
+	public RoleDescriptor getRole(String entityID, QName roleName,
+			String supportedProtocol) throws MetadataProviderException {
+		return internalProvider.getRole(entityID, roleName, supportedProtocol);
+	}
+
+	/* (non-Javadoc)
+	 * @see org.opensaml.saml2.metadata.provider.ObservableMetadataProvider#getObservers()
+	 */
+	@Override
+	public List<Observer> getObservers() {
+		return ((ChainingMetadataProvider) internalProvider).getObservers();
+	}
+
+	protected void emitChangeEvent() {
+		if ((getObservers() == null) || (getObservers().size() == 0)) {
+			return;
+		}
+
+		List<Observer> tempObserverList = new ArrayList<Observer>(getObservers());
+		for (ObservableMetadataProvider.Observer observer : tempObserverList)
+			if (observer != null)
+				observer.onEvent(this);
+	}
+}
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASMetadataProviderDecorator.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASMetadataProviderDecorator.java
new file mode 100644
index 000000000..e3ae5c046
--- /dev/null
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASMetadataProviderDecorator.java
@@ -0,0 +1,120 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.modules.eidas.engine;
+
+import java.security.KeyStore;
+
+import org.opensaml.saml2.metadata.EntityDescriptor;
+import org.opensaml.saml2.metadata.IDPSSODescriptor;
+import org.opensaml.saml2.metadata.RoleDescriptor;
+import org.opensaml.saml2.metadata.SPSSODescriptor;
+import org.opensaml.saml2.metadata.provider.MetadataProvider;
+import org.opensaml.saml2.metadata.provider.MetadataProviderException;
+
+import eu.eidas.auth.engine.EIDASSAMLEngine;
+import eu.eidas.auth.engine.metadata.MetadataProcessorI;
+import eu.eidas.engine.exceptions.SAMLEngineException;
+
+/**
+ * @author tlenz
+ *
+ */
+public class MOAeIDASMetadataProviderDecorator implements MetadataProcessorI {
+
+	private MetadataProvider metadataprovider = null;
+	
+	/**
+	 * 
+	 */
+	public MOAeIDASMetadataProviderDecorator(MetadataProvider metadataprovider) {
+		this.metadataprovider = metadataprovider;
+		
+	}
+	
+	/* (non-Javadoc)
+	 * @see eu.eidas.auth.engine.metadata.MetadataProcessorI#getEntityDescriptor(java.lang.String)
+	 */
+	@Override
+	public EntityDescriptor getEntityDescriptor(String url)
+			throws SAMLEngineException {		
+		try {
+			return this.metadataprovider.getEntityDescriptor(url);
+			
+		} catch (MetadataProviderException e) {
+			throw new SAMLEngineException("eIDAS Metadata processing FAILED.", e);
+			
+		}
+	}
+
+	/* (non-Javadoc)
+	 * @see eu.eidas.auth.engine.metadata.MetadataProcessorI#getSPSSODescriptor(java.lang.String)
+	 */
+	@Override
+	public SPSSODescriptor getSPSSODescriptor(String url)
+			throws SAMLEngineException {
+		return getFirstRoleDescriptor(getEntityDescriptor(url), SPSSODescriptor.class);
+		
+	}
+
+	/* (non-Javadoc)
+	 * @see eu.eidas.auth.engine.metadata.MetadataProcessorI#getIDPSSODescriptor(java.lang.String)
+	 */
+	@Override
+	public IDPSSODescriptor getIDPSSODescriptor(String url)
+			throws SAMLEngineException {
+		return getFirstRoleDescriptor(getEntityDescriptor(url), IDPSSODescriptor.class);
+		
+	}
+
+	/* (non-Javadoc)
+	 * @see eu.eidas.auth.engine.metadata.MetadataProcessorI#checkValidMetadataSignature(java.lang.String, eu.eidas.auth.engine.EIDASSAMLEngine)
+	 */
+	@Override
+	public void checkValidMetadataSignature(String url, EIDASSAMLEngine engine)
+			throws SAMLEngineException {
+		//Do nothing, because metadata signature is already validated during 
+		//metadata provider initialization 
+		
+	}
+
+	/* (non-Javadoc)
+	 * @see eu.eidas.auth.engine.metadata.MetadataProcessorI#checkValidMetadataSignature(java.lang.String, java.security.KeyStore)
+	 */
+	@Override
+	public void checkValidMetadataSignature(String url, KeyStore trustStore)
+			throws SAMLEngineException {
+		//Do nothing, because metadata signature is already validated during 
+		//metadata provider initialization 
+		
+	}
+
+    protected <T extends RoleDescriptor> T getFirstRoleDescriptor(EntityDescriptor entityDescriptor, final Class<T> clazz){
+        for(RoleDescriptor rd:entityDescriptor.getRoleDescriptors()){
+            if(clazz.isInstance(rd)){
+                return (T)rd;
+            }
+        }
+        return null;
+    }
+
+}
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASMetadataSignatureFilter.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASMetadataSignatureFilter.java
new file mode 100644
index 000000000..c9f3e5bcd
--- /dev/null
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASMetadataSignatureFilter.java
@@ -0,0 +1,132 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.modules.eidas.engine;
+
+import java.io.IOException;
+import java.io.StringWriter;
+
+import javax.xml.transform.Transformer;
+import javax.xml.transform.TransformerConfigurationException;
+import javax.xml.transform.TransformerException;
+import javax.xml.transform.TransformerFactory;
+import javax.xml.transform.TransformerFactoryConfigurationError;
+import javax.xml.transform.dom.DOMSource;
+import javax.xml.transform.stream.StreamResult;
+
+import org.opensaml.saml2.metadata.EntityDescriptor;
+import org.opensaml.saml2.metadata.provider.FilterException;
+import org.opensaml.saml2.metadata.provider.MetadataFilter;
+import org.opensaml.xml.XMLObject;
+
+import at.gv.egovernment.moa.id.auth.builder.SignatureVerificationUtils;
+import at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse;
+import at.gv.egovernment.moa.id.auth.exception.BuildException;
+import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
+import at.gv.egovernment.moa.logging.Logger;
+
+/**
+ * @author tlenz
+ *
+ */
+public class MOAeIDASMetadataSignatureFilter implements MetadataFilter {
+
+	private String trustProfileID = null;
+	
+	/**
+	 * 
+	 */
+	public MOAeIDASMetadataSignatureFilter(String trustProfileID) {
+		this.trustProfileID = trustProfileID;
+		
+	}
+	
+	
+	/* (non-Javadoc)
+	 * @see org.opensaml.saml2.metadata.provider.MetadataFilter#doFilter(org.opensaml.xml.XMLObject)
+	 */
+	@Override
+	public void doFilter(XMLObject metadata) throws FilterException {
+		if (metadata instanceof EntityDescriptor) {
+			if (((EntityDescriptor) metadata).isSigned()) {				
+				EntityDescriptor entityDes = (EntityDescriptor) metadata;
+				//check signature;
+				try {
+					Transformer transformer = TransformerFactory.newInstance()
+							.newTransformer();	
+					StringWriter sw = new StringWriter();
+					StreamResult sr = new StreamResult(sw);
+					DOMSource source = new DOMSource(metadata.getDOM());
+					transformer.transform(source, sr);
+					sw.close();
+					String metadataXML = sw.toString();
+					
+					SignatureVerificationUtils sigVerify = 
+							new SignatureVerificationUtils();
+					VerifyXMLSignatureResponse result = sigVerify.verify(
+							metadataXML.getBytes(), trustProfileID);
+					
+					//check signature-verification result
+					if (result.getSignatureCheckCode() != 0) {
+						Logger.warn("eIDAS Metadata signature-verification FAILED!"
+								+ " Metadata: " + entityDes.getEntityID()
+								+ " StatusCode:" + result.getSignatureCheckCode());
+						throw new FilterException("eIDAS Metadata signature-verification FAILED!"
+								+ " Metadata: " + entityDes.getEntityID()
+								+ " StatusCode:" + result.getSignatureCheckCode());
+						
+					}
+					
+					if (result.getCertificateCheckCode() != 0) {
+						Logger.warn("eIDAS Metadata certificate-verification FAILED!"
+								+ " Metadata: " + entityDes.getEntityID()
+								+ " StatusCode:" + result.getCertificateCheckCode());
+						throw new FilterException("eIDAS Metadata certificate-verification FAILED!"
+								+ " Metadata: " + entityDes.getEntityID()
+								+ " StatusCode:" + result.getCertificateCheckCode());
+						
+					}
+					
+				
+				} catch (MOAIDException | TransformerFactoryConfigurationError | TransformerException | IOException e) {
+					Logger.error("eIDAS Metadata verification has an interal error.", e);
+					throw new FilterException("eIDAS Metadata verification has an interal error."
+							+ " Message:" + e.getMessage());
+					
+				}
+				
+				
+			} else {
+				Logger.warn("eIDAS Metadata root-element MUST be signed.");
+				throw new FilterException("eIDAS Metadata root-element MUST be signed.'");
+				
+			}
+						
+		} else {
+			Logger.warn("eIDAS Metadata root-element is not of type 'EntityDescriptor'");
+			throw new FilterException("eIDAS Metadata root-element is not of type 'EntityDescriptor'");
+			
+		}
+		
+	}
+
+}
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASSimpleMetadataProvider.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASSimpleMetadataProvider.java
deleted file mode 100644
index 2aec81db5..000000000
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASSimpleMetadataProvider.java
+++ /dev/null
@@ -1,50 +0,0 @@
-package at.gv.egovernment.moa.id.auth.modules.eidas.engine;
-
-import java.security.KeyStore;
-
-import org.opensaml.saml2.metadata.EntityDescriptor;
-import org.opensaml.saml2.metadata.IDPSSODescriptor;
-import org.opensaml.saml2.metadata.SPSSODescriptor;
-
-import at.gv.egovernment.moa.logging.Logger;
-import eu.eidas.auth.engine.EIDASSAMLEngine;
-import eu.eidas.auth.engine.metadata.SimpleMetadataProcessor;
-import eu.eidas.engine.exceptions.SAMLEngineException;
-
-public class MOAeIDASSimpleMetadataProvider extends SimpleMetadataProcessor {
-
-	@Override
-	public EntityDescriptor getEntityDescriptor(String url) {
-        EntityDescriptor entityDescriptor=getEntityDescriptorHelper(url);
-        
-        if(Logger.isDebugEnabled()){
-            Logger.debug("got entityDescriptor: " + entityDescriptor);
-        }
-        return entityDescriptor;
-	}
-
-	@Override
-	public SPSSODescriptor getSPSSODescriptor(String url) throws SAMLEngineException {
-		return getFirstRoleDescriptor(getEntityDescriptor(url), SPSSODescriptor.class);
-		
-	}
-
-	@Override
-	public IDPSSODescriptor getIDPSSODescriptor(String url) throws SAMLEngineException {
-		return getFirstRoleDescriptor(getEntityDescriptor(url), IDPSSODescriptor.class);
-		
-	}
-
-    @Override
-    public void checkValidMetadataSignature(String url, EIDASSAMLEngine engine) throws SAMLEngineException {
-        //TODO: implement Metadata signature validation
-        Logger.warn("MetadataProcessor in demo SP does not actually check the signature of metadata");
-   
-    }
-    @Override
-    public void checkValidMetadataSignature(String url, KeyStore store) throws SAMLEngineException {
-        //not implemented
-    	
-    }
-	
-}
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java
index 57588287d..963fe70c1 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java
@@ -142,7 +142,11 @@ public class GenerateAuthnRequestTask extends AbstractAuthServletTask {
 			EIDASAuthnRequest authnRequest = new EIDASAuthnRequest();
 			authnRequest.setProviderName(moaconfig.getPublicURLPrefix());
 			authnRequest.setPersonalAttributeList(pAttList);
+			
 			authnRequest.setIssuer(moaconfig.getPublicURLPrefix() + "/eidas/metadata");
+			//TODO: only for development and reverse proxy 
+			authnRequest.setIssuer("http://localhost:12343/moa-id-auth/eidas/metadata");
+			
 			authnRequest.setDestination(destination); 
 			authnRequest.setEidasNameidFormat(EIDASAuthnRequest.NAMEID_FORMAT_UNSPECIFIED);
 			authnRequest.setEidasLoA(EidasLoaLevels.LOW.stringValue());
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/EidasMetaDataServlet.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/EidasMetaDataServlet.java
index 6a573d0f2..d1bc02766 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/EidasMetaDataServlet.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/EidasMetaDataServlet.java
@@ -29,7 +29,10 @@ import javax.servlet.http.HttpServletResponse;
 
 import org.slf4j.Logger;
 
+import at.gv.egovernment.moa.id.auth.modules.eidas.Constants;
 import at.gv.egovernment.moa.id.auth.modules.eidas.exceptions.EIDASEngineException;
+import at.gv.egovernment.moa.id.config.auth.AuthConfiguration;
+import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
 import eu.eidas.auth.engine.EIDASSAMLEngine;
 import eu.eidas.auth.engine.metadata.MetadataConfigParams;
 import eu.eidas.auth.engine.metadata.MetadataGenerator;
@@ -49,13 +52,21 @@ public class EidasMetaDataServlet extends HttpServlet {
      */
     protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
         try {
-            logger.info("EidasMetaDataServlet GET");
+            logger.debug("EidasMetaDataServlet GET");
             
-            String metadata_url = "http://localhost:12344/moa-id-auth/eidas/metadata";
-            String sp_return_url = "http://localhost:12344/moa-id-auth/eidas/metadata";
+            AuthConfiguration config = AuthConfigurationProviderFactory.getInstance();
+            String pubURLPrefix = config.getPublicURLPrefix();
+            
+            
+            String metadata_url = pubURLPrefix + Constants.eIDAS_HTTP_ENDPOINT_METADATA;
+            
+            //TODO: only for development and reverse proxy 
+            metadata_url = "http://localhost:12343/moa-id-auth/eidas/metadata";
+            
+            String sp_return_url = pubURLPrefix + Constants.eIDAS_HTTP_ENDPOINT_SP_POST;            
             String metaData = generateMetadata(metadata_url, sp_return_url);
 
-            logger.debug(metaData);
+            logger.trace(metaData);
 
             response.setContentType("text/xml");
             response.getWriter().print(metaData);
@@ -69,13 +80,13 @@ public class EidasMetaDataServlet extends HttpServlet {
         String metadata="invalid metadata";
         
 		// FIXME workaround!?
-		Security.removeProvider("IAIK");
-		Security.removeProvider("IAIK_ECC");
+//		Security.removeProvider("IAIK");
+//		Security.removeProvider("IAIK_ECC");
 
 		EIDASSAMLEngine engine = SAMLEngineUtils.createSAMLEngine();
 
-		IAIK.addAsProvider();
-		ECCProvider.addAsProvider(true);
+//		IAIK.addAsProvider();
+//		ECCProvider.addAsProvider(true);
         
         MetadataGenerator generator = new MetadataGenerator();
         MetadataConfigParams mcp=new MetadataConfigParams();
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java
index 2c2435ff6..8e46f0ef1 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java
@@ -24,7 +24,8 @@ package at.gv.egovernment.moa.id.auth.modules.eidas.utils;
 
 import at.gv.egovernment.moa.id.auth.modules.eidas.Constants;
 import at.gv.egovernment.moa.id.auth.modules.eidas.config.MOAIDCertificateManagerConfigurationImpl;
-import at.gv.egovernment.moa.id.auth.modules.eidas.engine.MOAeIDASSimpleMetadataProvider;
+import at.gv.egovernment.moa.id.auth.modules.eidas.engine.MOAeIDASChainingMetadataProvider;
+import at.gv.egovernment.moa.id.auth.modules.eidas.engine.MOAeIDASMetadataProviderDecorator;
 import at.gv.egovernment.moa.id.auth.modules.eidas.exceptions.EIDASEngineException;
 import at.gv.egovernment.moa.logging.Logger;
 import eu.eidas.auth.engine.EIDASSAMLEngine;
@@ -37,28 +38,34 @@ import eu.eidas.samlengineconfig.CertificateConfigurationManager;
  */
 public class SAMLEngineUtils {
 
-	public static EIDASSAMLEngine createSAMLEngine() throws EIDASEngineException{
+	private static EIDASSAMLEngine eIDASEngine = null;
+	
+	public static synchronized EIDASSAMLEngine createSAMLEngine() throws EIDASEngineException{
 		
-		try {
-			//get eIDAS SAMLengine configuration from MOA-ID configuration
-			CertificateConfigurationManager configManager = new MOAIDCertificateManagerConfigurationImpl();
-			
-			//initial eIDAS SAMLengine
-			EIDASSAMLEngine engine = EIDASSAMLEngine.createSAMLEngine(Constants.eIDAS_SAML_ENGINE_NAME,
-						configManager);
-
-			//set Metadata managment to eIDAS SAMLengine
-			//TODO: implement final Metadata processor (this is only a first solution!!!)
-			engine.setMetadataProcessor(new MOAeIDASSimpleMetadataProvider());
-			
-			return engine;
-			
-		} catch (EIDASSAMLEngineException e) {
-			Logger.error("eIDAS SAMLengine initialization FAILED!", e);
-			throw new EIDASEngineException("eIDAS SAMLengine initialization FAILED!", e);
-			
+		if (eIDASEngine == null) {
+			try {
+				//get eIDAS SAMLengine configuration from MOA-ID configuration
+				CertificateConfigurationManager configManager = new MOAIDCertificateManagerConfigurationImpl();
+				
+				//initial eIDAS SAMLengine
+				EIDASSAMLEngine engine = EIDASSAMLEngine.createSAMLEngine(Constants.eIDAS_SAML_ENGINE_NAME,
+							configManager);
+	
+				//set Metadata managment to eIDAS SAMLengine
+				engine.setMetadataProcessor(
+						new MOAeIDASMetadataProviderDecorator(
+								MOAeIDASChainingMetadataProvider.getInstance()));
+				
+				eIDASEngine = engine;
+				
+			} catch (EIDASSAMLEngineException e) {
+				Logger.error("eIDAS SAMLengine initialization FAILED!", e);
+				throw new EIDASEngineException("eIDAS SAMLengine initialization FAILED!", e);
+				
+			}
 		}
-								
+		
+		return eIDASEngine;
 	}
 	
 }