* Ausbau MOASecurityManager (nicht anwendbar da SecurityManager nur systemweit gesetzt werden kann)

* Update ExternalURIResolver mit ExternalURIVerifier der gegen Blackliste checkt

git-svn-id: https://joinup.ec.europa.eu/svn/moa-idspss/trunk@1238 d688527b-c9ab-4aba-bd8d-4036d912da1d

13 files changed, 127 insertions, 335 deletions

diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/MOASecurityManagerExtended.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/MOASecurityManagerExtended.java
deleted file mode 100644
index 42ee621e6..000000000
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/MOASecurityManagerExtended.java
+++ /dev/null
@@ -1,111 +0,0 @@
-package at.gv.egovernment.moa.spss.server;

-

-import java.net.InetAddress;

-import java.net.UnknownHostException;

-import java.util.Iterator;

-import java.util.List;

-

-import at.gv.egovernment.moa.logging.Logger;

-

-

-public class MOASecurityManagerExtended extends SecurityManager {

-

-	private List blacklist;

-	private boolean allowExternalUris;

-

-	public MOASecurityManagerExtended(boolean allowExternalUris, List blacklist) {

-		this.blacklist = blacklist;

-		this.allowExternalUris = allowExternalUris;

-	}

-

-	

-	/**

-	 * Overwrite checkConnect methods with blacklist check 

-	 */

-	

-	public void checkConnect(String host, int port, Object context) {

-		// System.out.println("checkConnect: " + host + ":" + port);

-		if (!checkURI(host, port))

-			throw new SecurityException("URI not allowed (blacklisted or external URIs generally not allowed");

-		else {

-			// System.out.println("Perform checkConnect of given SecurityManager");

-			super.checkConnect(host, port, context);

-		}

-	}

-	

-	public void checkConnect(String host, int port) {

-		// System.out.println("checkConnect: " + host + ":" + port);

-		if (!checkURI(host, port))

-			throw new SecurityException("URI not allowed (blacklisted or external URIs generally not allowed");

-		else {

-			// System.out.println("Perform checkConnect of given SecurityManager");

-			super.checkConnect(host, port);

-		}	

-	}

-

-	private boolean checkURI(String host, int port) {

-		if (allowExternalUris) {

-			Iterator it = blacklist.iterator();

-			while (it.hasNext()) {

-				String[] array = (String[])it.next();

-				String bhost = array[0];

-				String bport = array[1];

-				if (bport == null) {

-					// check only host

-					if (bhost.equalsIgnoreCase(host)) {

-						// System.out.println("Security check: " + host + " blacklisted");

-						return false;

-					}

-				}

-				else {

-					// check host and port

-					int iport = new Integer(bport).intValue();

-					if (bhost.equalsIgnoreCase(host) && (iport == port)) {

-						// System.out.println("Security check: " + host + ":" + port + " blacklisted");

-						return false;

-					}

-						

-				}

-			}

-			

-			// System.out.println("Security check: " + host + ":" + port + " allowed");

-			return true;

-		}

-		else {			

-			String localhost = getLocalhostName();

-			if (host.equalsIgnoreCase(localhost) || host.equalsIgnoreCase("localhost") || host.equalsIgnoreCase("127.0.0.1") ) {

-				// System.out.println("Security check: localhost name allowed");

-				return true;

-			}

-						

-			// System.out.println("Security check: " + host + ":" + port + " not allowed (external URIs not allowed)");

-			return false;

-		}

-	}

-	private String getLocalhostName() {

-		try {

-			// save current SecurityManager

-			SecurityManager sm = System.getSecurityManager();

-			// set System SecurityManager null (needed as java.net.InetAddress.getLocalHost call SecurityManager.checkConnect --> leads to endless loop)

-			System.setSecurityManager(null);

-

-			InetAddress localhostaddress = InetAddress.getLocalHost();

-			String localhost = localhostaddress.getHostName();

-			

-			// set previously saved SecurityManager

-			System.setSecurityManager(sm);

-			

-			return localhost;

-		

-		}

-		catch (UnknownHostException e) {

-			// System.out.println("UnknownHostExeption: Returns \"localhost\" as name for localhost");

-			return "localhost";

-		}

-	}

-

-	

-	/**

-	 * Don't overwrite other methods 

-	 */

-}

diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/MOASecurityManagerSimple.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/MOASecurityManagerSimple.java
deleted file mode 100644
index 530a27a48..000000000
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/MOASecurityManagerSimple.java
+++ /dev/null
@@ -1,163 +0,0 @@
-package at.gv.egovernment.moa.spss.server;

-

-

-import java.io.FileDescriptor;

-import java.net.InetAddress;

-import java.net.UnknownHostException;

-import java.security.Permission;

-import java.util.Iterator;

-import java.util.List;

-

-public class MOASecurityManagerSimple extends SecurityManager {

-

-	private List blacklist;

-	private boolean allowExternalUris;

-	

-	

-	public MOASecurityManagerSimple(boolean allowExternalUris, List blacklist) {

-		this.blacklist = blacklist;

-		this.allowExternalUris = allowExternalUris;

-	}

-

-	/**

-	 * Overwrite checkConnect methods with blacklist check 

-	 */

-	

-	public void checkConnect(String host, int port, Object context) {

-		if (!checkURI(host, port))

-			throw new SecurityException("URI not allowed (blacklisted or external URIs generally not allowed");

-	}

-

-	public void checkConnect(String host, int port) {

-		// System.out.println("checkConnect: " + host + ":" + port);

-		if (!checkURI(host, port))

-			throw new SecurityException("URI not allowed (blacklisted or external URIs generally not allowed");

-	}

-

-	private boolean checkURI(String host, int port) {

-		if (allowExternalUris) {

-			Iterator it = blacklist.iterator();

-			while (it.hasNext()) {

-				String[] array = (String[])it.next();

-				String bhost = array[0];

-				String bport = array[1];

-				if (bport == null) {

-					// check only host

-					if (bhost.equalsIgnoreCase(host)) {

-						// System.out.println("Security check: " + host + " blacklisted");

-						return false;

-					}

-				}

-				else {

-					// check host and port

-					int iport = new Integer(bport).intValue();

-					if (bhost.equalsIgnoreCase(host) && (iport == port)) {

-						// System.out.println("Security check: " + host + ":" + port + " blacklisted");

-						return false;

-					}

-						

-				}

-			}

-			

-			// System.out.println("Security check: " + host + ":" + port + " allowed");

-			return true;

-		}

-		else {			

-			String localhost = getLocalhostName();

-			if (host.equalsIgnoreCase(localhost) || host.equalsIgnoreCase("localhost") || host.equalsIgnoreCase("127.0.0.1") ) {

-				// System.out.println("Security check: localhost name allowed");

-				return true;

-			}

-						

-			// System.out.println("Security check: " + host + ":" + port + " not allowed (external URIs not allowed)");

-			return false;

-		}

-	}

-	

-	private String getLocalhostName() {

-		try {

-			// save current SecurityManager

-			SecurityManager sm = System.getSecurityManager();

-			// set System SecurityManager null (needed as java.net.InetAddress.getLocalHost call SecurityManager.checkConnect --> leads to endless loop)

-			System.setSecurityManager(null);

-

-			InetAddress localhostaddress = InetAddress.getLocalHost();

-			String localhost = localhostaddress.getHostName();

-			

-			// set previously saved SecurityManager

-			System.setSecurityManager(sm);

-			

-			return localhost;

-		

-		}

-		catch (UnknownHostException e) {

-			// System.out.println("UnknownHostExeption: Returns \"localhost\" as name for localhost");

-			return "localhost";

-		}

-	}

-	

-

-	/**

-	 * Overwrite all other methods by doing nothing (as no SecurityManager is set initially) 

-	 */

-	

-	public void checkAccept(String host, int port) {

-	}

-	public void checkAccess(Thread t) {

-	}

-	public void checkAccess(ThreadGroup g) {

-	}

-	public void checkAwtEventQueueAccess() {

-	}

-	public void checkCreateClassLoader() {

-	}

-	public void checkDelete(String file) {

-	}

-	public void checkExec(String cmd) {

-	}

-	public void checkExit(int status) {

-	}

-	public void checkLink(String lib) {

-	}

-	public void checkListen(int port) {

-	}

-	public void checkMemberAccess(Class arg0, int arg1) {

-	}

-	public void checkMulticast(InetAddress maddr, byte ttl) {

-	}

-	public void checkMulticast(InetAddress maddr) {

-	}

-	public void checkPackageAccess(String pkg) {

-	}

-	public void checkPackageDefinition(String pkg) {

-	}

-	public void checkPermission(Permission perm, Object context) {

-	}

-	public void checkPermission(Permission perm) {

-	}

-	public void checkPrintJobAccess() {

-	}

-	public void checkPropertiesAccess() {

-	}

-	public void checkPropertyAccess(String key) {

-	}

-	public void checkRead(FileDescriptor fd) {

-	}

-	public void checkRead(String file, Object context) {

-	}

-	public void checkRead(String file) {

-	}

-	public void checkSecurityAccess(String target) {

-	}

-	public void checkSetFactory() {

-	}

-	public void checkSystemClipboardAccess() {

-	}

-	public void checkWrite(FileDescriptor fd) {

-	}

-	public void checkWrite(String file) {

-	}

-

-

-

-}

diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java
index abc781303..1211b5e94 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java
@@ -385,8 +385,8 @@ public class ConfigurationPartsBuilder {
 	  Element permitExtUris = (Element)XPathUtils.selectSingleNode(getConfigElem(), PERMIT_EXTERNAL_URIS_XPATH);
 	  
 	  // if PermitExternalUris element does not exist - don't allow external uris
-	  if (permitExtUris == null)
-		  return false;
+	  if (permitExtUris == null) 		  
+		  return false;	    
 	  else
 		  return true;
 	  
@@ -397,8 +397,8 @@ public class ConfigurationPartsBuilder {
    * @return
    */
   public List buildPermitExternalUris() {
-	  if (!allowExternalUris())
-		  return null;
+	    
+	  info("config.33", null);
 	  
 	  List blacklist = new ArrayList();
 	  
@@ -411,7 +411,11 @@ public class ConfigurationPartsBuilder {
 	      String host = getElementValue(permitExtElem, CONF + "Host", null);
 	      String port = getElementValue(permitExtElem, CONF + "Port", null);
 	      
-	      //System.out.println("Host:Port =  " + host + ":" + port);
+	      
+	      if (port == null)	    	  
+	    	  info("config.34", new Object[]{host});
+	      else
+	    	  info("config.34", new Object[]{host + ":" + port});
 	      
 	      String array[] = new String[2];
 	      array[0] = host;
@@ -420,6 +424,10 @@ public class ConfigurationPartsBuilder {
 	      
 	    }
 	  
+	  if(blacklist.isEmpty()) // no blacklisted uris given
+		  info("config.36", null);
+		  
+	  
 	  return blacklist;
   }
 
@@ -1205,7 +1213,7 @@ public class ConfigurationPartsBuilder {
     MessageProvider msg = MessageProvider.getInstance();
     String txt = msg.getMessage(messageId, args);
 
-    Logger.warn(new LogMsg(txt), t);
+    Logger.warn(new LogMsg(txt), t);    
     warnings.add(txt);
   }
 
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java
index bcd9416b8..a5f861c52 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java
@@ -33,9 +33,7 @@ import java.io.File;
 import java.io.FileInputStream;
 import java.io.IOException;
 import java.math.BigInteger;
-import java.net.InetAddress;
 import java.net.URL;
-import java.net.UnknownHostException;
 import java.security.Principal;
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
@@ -48,8 +46,6 @@ import org.w3c.dom.Element;
 
 import at.gv.egovernment.moa.logging.LogMsg;
 import at.gv.egovernment.moa.logging.Logger;
-import at.gv.egovernment.moa.spss.server.MOASecurityManagerExtended;
-import at.gv.egovernment.moa.spss.server.MOASecurityManagerSimple;
 import at.gv.egovernment.moa.spss.util.MessageProvider;
 import at.gv.egovernment.moa.util.DOMUtils;
 
@@ -373,8 +369,11 @@ public class ConfigurationProvider
       
       if (allowExternalUris_)
     	  blackListedUris_ = builder.buildPermitExternalUris();
-      else
+      else {
+    	  info("config.35", null);
     	  blackListedUris_ = null;
+      }
+    	
       
 //      Set set = crlRetentionIntervals.entrySet();
 //      Iterator i = set.iterator();
@@ -383,37 +382,7 @@ public class ConfigurationProvider
 //        System.out.println("Key: " + me.getKey() + " - Value: " + me.getValue() );
 //      }
       
-      
-      // set SecurityManager for permitting/disallowing external URIs
-      SecurityManager sm = System.getSecurityManager();      
-      
-      if (sm == null) {
-    	  // no security manager exists - create a new one
-    	  Logger.debug(new LogMsg("Create new MOASecurityManagerSimple"));
-    	  sm = new MOASecurityManagerSimple(allowExternalUris_, blackListedUris_);
-    	  
-    	  
-    	  Logger.debug(new LogMsg("Set the new MOASecurityManagerSimple"));
-          System.setSecurityManager(sm);
-        
-      }      
-      else {    	
-    	  String classname = sm.getClass().getName();
-    	  if (!classname.equalsIgnoreCase("at.gv.egovernment.moa.spss.server.MOASecurityManagerSimple") &&
-    		  !classname.equalsIgnoreCase("at.gv.egovernment.moa.spss.server.MOASecurityManagerExtended")) {
-    		  // if SecurityManager is not already a MOASecurityManager
-    		  
-    		  Logger.debug(new LogMsg("Create new MOASecurityManagerExtended (including existing SecurityManager)"));
-    		  sm = new MOASecurityManagerExtended(allowExternalUris_, blackListedUris_);
-    		  
-    		  Logger.debug(new LogMsg("Set the new MOASecurityManagerSimple"));
-    		  System.setSecurityManager(sm);
-    	  }
-    	  Logger.debug(new LogMsg("No new MOASecurityManager instantiated"));
-      }
-
-      
-      
+            
     } catch (Throwable t) {
       throw new ConfigurationException("config.11", null, t);
     } finally {
@@ -446,7 +415,15 @@ public class ConfigurationProvider
   public String getDigestMethodAlgorithmName() {
     return digestMethodAlgorithmName;
   }
-
+  
+  public boolean getAllowExternalUris() {
+	  return this.allowExternalUris_;
+  }
+  
+  public List getBlackListedUris() {
+	  return this.blackListedUris_;
+  }
+  
   /**
    * Return the name of the canonicalization algorithm used during signature
    * creation.
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java
index 02d282387..ba2513d2f 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java
@@ -24,12 +24,6 @@
 
 package at.gv.egovernment.moa.spss.server.invoke;
 
-import java.io.IOException;
-import java.io.InputStream;
-import java.util.Date;
-import java.util.Iterator;
-import java.util.List;
-
 import iaik.IAIKException;
 import iaik.IAIKRuntimeException;
 import iaik.server.modules.cmsverify.CMSSignatureVerificationModule;
@@ -37,9 +31,14 @@ import iaik.server.modules.cmsverify.CMSSignatureVerificationModuleFactory;
 import iaik.server.modules.cmsverify.CMSSignatureVerificationProfile;
 import iaik.server.modules.cmsverify.CMSSignatureVerificationResult;
 
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.Date;
+import java.util.Iterator;
+import java.util.List;
+
 import at.gv.egovernment.moa.logging.LoggingContext;
 import at.gv.egovernment.moa.logging.LoggingContextManager;
-
 import at.gv.egovernment.moa.spss.MOAApplicationException;
 import at.gv.egovernment.moa.spss.MOAException;
 import at.gv.egovernment.moa.spss.api.cmsverify.CMSContent;
@@ -102,6 +101,7 @@ public class CMSSignatureVerificationInvoker {
    */
   public VerifyCMSSignatureResponse verifyCMSSignature(VerifyCMSSignatureRequest request)
     throws MOAException {
+	  
     CMSSignatureVerificationProfileFactory profileFactory =
       new CMSSignatureVerificationProfileFactory(request);
     VerifyCMSSignatureResponseBuilder responseBuilder =
@@ -127,7 +127,6 @@ public class CMSSignatureVerificationInvoker {
     TrustProfile trustProfile = context.getConfiguration().getTrustProfile(request.getTrustProfileId());
     
     try {
-       
       // get the signed content
       signedContent = getSignedContent(request);
 
@@ -142,7 +141,7 @@ public class CMSSignatureVerificationInvoker {
         CMSSignatureVerificationModuleFactory.getInstance();
 
       module.setLog(new IaikLog(loggingCtx.getNodeID()));
-
+      
       module.init(
         signature,
         signedContent,
@@ -152,6 +151,7 @@ public class CMSSignatureVerificationInvoker {
 
       while (input.read(buf) > 0);
       results = module.verifySignature(signingTime);
+      
     } catch (IAIKException e) {
       MOAException moaException = IaikExceptionMapper.getInstance().map(e);
       throw moaException;
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/ExternalURIResolver.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/ExternalURIResolver.java
index 96c20d4a4..e09ade231 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/ExternalURIResolver.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/ExternalURIResolver.java
@@ -37,6 +37,7 @@ import java.net.URLConnection;
 import at.gv.egovernment.moa.spss.MOAApplicationException;
 import at.gv.egovernment.moa.spss.server.transaction.TransactionContext;
 import at.gv.egovernment.moa.spss.server.transaction.TransactionContextManager;
+import at.gv.egovernment.moa.spss.util.ExternalURIVerifier;
 
 /**
  * Resolve external URIs and provide them as a stream.
@@ -100,6 +101,9 @@ public class ExternalURIResolver {
     try {
       // create the URL
       url = new URL(uriStr);
+      System.out.println("ExternalURIResolver: " + url);
+      ExternalURIVerifier.verify(url.getHost(), url.getPort());
+      
     } catch (MalformedURLException e) {
       throw new MOAApplicationException("2214", new Object[] { uriStr });
     }
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/SignatureCreationServiceImpl.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/SignatureCreationServiceImpl.java
index 993c8f7a9..b746333e6 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/SignatureCreationServiceImpl.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/SignatureCreationServiceImpl.java
@@ -57,9 +57,11 @@ public class SignatureCreationServiceImpl extends SignatureCreationService {
     CreateXMLSignatureResponse response;
 
     try {
+    	
       Configurator.getInstance().init();
       ServiceContextUtils.setUpContexts();
       response = invoker.createXMLSignature(request, Collections.EMPTY_SET);
+      
       return response;
     } finally {
       ServiceContextUtils.tearDownContexts();
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/SignatureVerificationServiceImpl.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/SignatureVerificationServiceImpl.java
index 67bc446b0..5b6033ce1 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/SignatureVerificationServiceImpl.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/SignatureVerificationServiceImpl.java
@@ -62,6 +62,7 @@ public class SignatureVerificationServiceImpl
       Configurator.getInstance().init();
       ServiceContextUtils.setUpContexts();
       response = invoker.verifyCMSSignature(request);
+      
       return response;
     } finally {
       ServiceContextUtils.tearDownContexts();
@@ -84,9 +85,12 @@ public class SignatureVerificationServiceImpl
     VerifyXMLSignatureResponse response;
 
     try {
+    	
+
       Configurator.getInstance().init();
       ServiceContextUtils.setUpContexts();
       response = invoker.verifyXMLSignature(request);
+            
       return response;
     } finally {
       ServiceContextUtils.tearDownContexts();
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java
index a123dd4fc..adaf0d376 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java
@@ -212,10 +212,6 @@ public class XMLSignatureVerificationInvoker {
 
       module.setLog(new IaikLog(loggingCtx.getNodeID()));
 
-      //@TODO
-      SecurityManager sm = System.getSecurityManager();
-      System.setSecurityManager(null);
-      
       result =
         module.verifySignature(
           xmlSignature,
@@ -224,8 +220,6 @@ public class XMLSignatureVerificationInvoker {
           signingTime,
           new TransactionId(context.getTransactionID()));
       
-      //@TODO
-      System.setSecurityManager(sm);
     } catch (IAIKException e) {
       MOAException moaException = IaikExceptionMapper.getInstance().map(e);
       throw moaException;
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/SignatureCreationService.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/SignatureCreationService.java
index 75f0b1868..3304e262f 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/SignatureCreationService.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/SignatureCreationService.java
@@ -82,6 +82,7 @@ public class SignatureCreationService {
 
     // handle the request
     try {
+        
       // create a parser and builder for binding API objects to/from XML
       CreateXMLSignatureRequestParser requestParser =
         new CreateXMLSignatureRequestParser();
@@ -114,6 +115,7 @@ public class SignatureCreationService {
       // save response in transaction
       context.setResponse(response[0]);
 	  Logger.trace("---- Leaving SignatureCreationService");
+	  
 
     } catch (MOAException e) {
       AxisFault fault = AxisFault.makeFault(e);
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/SignatureVerificationService.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/SignatureVerificationService.java
index 38310f53b..a1caac6a7 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/SignatureVerificationService.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/SignatureVerificationService.java
@@ -66,8 +66,9 @@ public class SignatureVerificationService {
     CMSSignatureVerificationInvoker invoker =
       CMSSignatureVerificationInvoker.getInstance();
     Element[] response = new Element[1];
-
+    
     try {
+             
       // create a parser and builder for binding API objects to/from XML
       VerifyCMSSignatureRequestParser requestParser =
         new VerifyCMSSignatureRequestParser();
@@ -93,7 +94,8 @@ public class SignatureVerificationService {
 
       // save response in transaction
       context.setResponse(response[0]);
-
+      
+     
     } catch (MOAException e) {
       AxisFault fault = AxisFault.makeFault(e);
       fault.setFaultDetail(new Element[] { e.toErrorResponse()});
@@ -128,7 +130,8 @@ public class SignatureVerificationService {
     Element[] response = new Element[1];
 
     try {
-      // create a parser and builder for binding API objects to/from XML
+
+        // create a parser and builder for binding API objects to/from XML
       VerifyXMLSignatureRequestParser requestParser =
         new VerifyXMLSignatureRequestParser();
       VerifyXMLSignatureResponseBuilder responseBuilder =
@@ -153,6 +156,7 @@ public class SignatureVerificationService {
       
       // save response in transaction
       context.setResponse(response[0]);
+      
 
     } catch (MOAException e) {
       AxisFault fault = AxisFault.makeFault(e);
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/ExternalURIVerifier.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/ExternalURIVerifier.java
new file mode 100644
index 000000000..9901212db
--- /dev/null
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/ExternalURIVerifier.java
@@ -0,0 +1,63 @@
+package at.gv.egovernment.moa.spss.util;

+

+import java.util.Iterator;

+import java.util.List;

+

+import at.gv.egovernment.moa.spss.MOAApplicationException;

+import at.gv.egovernment.moa.spss.server.config.ConfigurationException;

+import at.gv.egovernment.moa.spss.server.config.ConfigurationProvider;

+

+public class ExternalURIVerifier {

+	

+	public static void verify(String host, int port) throws MOAApplicationException {

+			try {

+				ConfigurationProvider config = ConfigurationProvider.reload();

+//				

+				boolean allowExternalUris = config.getAllowExternalUris();

+				List blacklist = config.getBlackListedUris();

+				

+			  	  

+				if (allowExternalUris) {

+					Iterator it = blacklist.iterator();

+					while (it.hasNext()) {

+						String[] array = (String[])it.next();

+						String bhost = array[0];

+						String bport = array[1];

+						if (bport == null) {

+							// check only host

+							if (bhost.equalsIgnoreCase(host)) {

+								System.out.println("Blacklist check: " + host + " blacklisted");

+								throw new MOAApplicationException("4002", new Object[]{host});

+							}

+						}

+						else {

+							// check host and port

+							int iport = new Integer(bport).intValue();

+							if (bhost.equalsIgnoreCase(host) && (iport == port)) {

+								System.out.println("Blacklist check: " + host + ":" + port + " blacklisted");

+								throw new MOAApplicationException("4002", new Object[]{host + ":" + port});							

+							}

+								

+						}

+					}

+				}

+				else {

+					if (port == -1) {

+						System.out.println("No external URI allowed (" + host + ")");

+						throw new MOAApplicationException("4001", new Object[]{host});

+					}

+					else {

+						System.out.println("No external URI allowed (" + host + ":" + port +  ")");

+						throw new MOAApplicationException("4001", new Object[]{host + ":" + port});

+					}

+				}

+			  	  

+			} catch (ConfigurationException e) {

+				throw new MOAApplicationException("config.10", null);

+			}

+			

+			

+		

+	}

+

+}

diff --git a/spss/server/serverlib/src/main/resources/resources/properties/spss_messages_de.properties b/spss/server/serverlib/src/main/resources/resources/properties/spss_messages_de.properties
index 3920da4d9..61ad9444e 100644
--- a/spss/server/serverlib/src/main/resources/resources/properties/spss_messages_de.properties
+++ b/spss/server/serverlib/src/main/resources/resources/properties/spss_messages_de.properties
@@ -88,6 +88,10 @@
 3202=Supplement für Signaturumgebung kann nicht geladen werden (Reference="{0}", LocRef-URI="{1}")

 3203=Signaturumgebung kann nicht geladen werden (Reference="{0}", LocRef-URI="{1}")

 

+4001=Externe URI ({0}) darf nicht geladen werden (externe URIs generell verboten)

+4002=Externe URI ({0}) befindet sich auf der Blackliste und darf nicht geladen werden

+ 

+

 9900=Nicht klassifizierter Fehler in Subsystem

 9901=Nicht klassifizierter Laufzeitfehler in Subsystem

 9999=Nicht klassifizierter Fehler

@@ -134,6 +138,10 @@ config.28=Einen detaillierten Fehlerbericht entnehmen Sie bitte der Log-Datei.
 config.29=Es sind folgende leichte Fehler aufgetreten: 

 config.31=Fehler in der Konfiguration der KeyGroup mit id={0}: Der Schlüssel im KeyModule id={1} mit IssuerName={2} und SerialNumber={3} konnte nicht geladen werden

 config.32=Fehler in der Konfiguration: Verzeichnisangabe für den Zertifikatsspeicher ist ungültig ({0}).

+config.33=External URIs are allowed. Maybe a URI blacklist exists.

+config.34=Blacklisted URI: {0}.

+config.35=External URIs not allowed.

+config.36=No blacklisted URIs given.

 

 handler.00=Starte neue Transaktion: TID={0}, Service={1}

 handler.01=Aufruf von Adresse={0}