5 files changed, 22 insertions, 6 deletions
diff --git a/common/src/main/java/at/gv/egovernment/moa/util/DOMUtils.java b/common/src/main/java/at/gv/egovernment/moa/util/DOMUtils.java
index 2b816ed4c..0a07fc4a7 100644
--- a/common/src/main/java/at/gv/egovernment/moa/util/DOMUtils.java
+++ b/common/src/main/java/at/gv/egovernment/moa/util/DOMUtils.java
@@ -246,6 +246,10 @@ public class DOMUtils { parser.setFeature(CREATE_ENTITY_REF_NODES_FEATURE, false); parser.setFeature(EXTERNAL_GENERAL_ENTITIES_FEATURE, false); parser.setFeature(EXTERNAL_PARAMETER_ENTITIES_FEATURE, false); + + //fix XXE problem + parser.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); + if (validating) { if (externalSchemaLocations != null) {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/FinalizeAuthenticationTask.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/FinalizeAuthenticationTask.java
index 8add03da7..712ebb731 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/FinalizeAuthenticationTask.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/FinalizeAuthenticationTask.java
@@ -59,6 +59,12 @@ public class FinalizeAuthenticationTask extends AbstractAuthServletTask { IRequest pendingReq = RequestStorage.getPendingRequest( (String) executionContext.get("pendingRequestID")); + if (pendingReq == null) { + Logger.info("No PendingRequest with Id: " + executionContext.get("pendingRequestID") + " Maybe, a transaction timeout occure."); + throw new MOAIDException("auth.28", new Object[]{executionContext.get("pendingRequestID")}); + + } + //get Session from context String moasessionid = (String) executionContext.get(PARAM_SESSIONID); AuthenticationSession session = null; 
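Review bot: The new `disallow-doctype-decl` feature URI is an inline string literal while the three features set just above it are named constants (`CREATE_ENTITY_REF_NODES_FEATURE`, `EXTERNAL_GENERAL_ENTITIES_FEATURE`, `EXTERNAL_PARAMETER_ENTITIES_FEATURE`); declaring `private static final String DISALLOW_DOCTYPE_DECL_FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";` alongside them and using it here keeps the parser hardening in one place. The comment `//fix XXE problem` should state what the setting does and what it means for callers, e.g. `// Reject any DOCTYPE declaration: a hard stop against XXE and entity expansion regardless of the entity features above; documents carrying an internal DTD are now refused with a parse error.` Setting the feature unconditionally changes behaviour for any caller that previously parsed DTD-carrying documents, which the commit does not mention. The enclosing method starts before and ends after this hunk.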
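Review bot: The new guard reads `executionContext.get("pendingRequestID")` three times (in the lookup above it, the log message and the exception) and reports a failed pending-request lookup at info level; this is an error path that aborts the task, so `Logger.warn` matches its severity better, and a local `String pendingReqId = (String) executionContext.get("pendingRequestID");` used in all three places avoids the repeated lookup and cast. The message text also has a typo (`occure` should be `occur`) and there is a stray blank line before the closing brace of the `if`. Whether the id originates from a client-supplied parameter is not visible in this hunk; if it does, logging it in a bounded, single-line form is worth confirming. The enclosing method starts before and ends after this hunk.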
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
index ee5685e5f..c0ec086ed 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
@@ -296,6 +296,8 @@ public class PVP2XProtocol extends MOAIDAuthConstants implements IModulInfo { } } catch (PVP2Exception e) { + String samlRequest = request.getParameter("SAMLRequest"); + Logger.warn("Receive INVALID protocol request: " + samlRequest, e); throw e; } catch (SecurityPolicyException e) {
diff --git a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties
index 342d54f7f..abd5d15f3 100644
--- a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties
+++ b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties
@@ -181,7 +181,11 @@ stork.21=1205 pvp2.01=6100 pvp2.06=6100 +pvp2.10=6100 +pvp2.11=6100 +pvp2.12=6100 pvp2.13=9199 +pvp2.15=6105 pvp2.16=6101 pvp2.17=6102 pvp2.20=6103
diff --git a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java
index 421d00cbe..5312d779c 100644
--- a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java
+++ b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java 
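Review bot: The added `Logger.warn` writes the raw `SAMLRequest` parameter into the log: it is client-supplied and unbounded, so a malformed request can place arbitrary content (including line breaks, depending on the logging backend) and large payloads into the warn log, and `request.getParameter` may also be null when the parameter is absent. Logging the exception together with the parameter's size at warn level and the content only at debug keeps the diagnostic value while bounding what an unauthenticated client can inject into operational logs, e.g. `Logger.warn("Receive INVALID protocol request (SAMLRequest length: " + (samlRequest == null ? 0 : samlRequest.length()) + ")", e);` followed by `Logger.debug("Invalid SAMLRequest content: " + samlRequest);`. The enclosing try/catch starts before this hunk.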
@@ -107,7 +107,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer { samlArtifact, ex.toString() }); } Throwable error = null; - synchronized (authenticationDataStore) { + //synchronized (authenticationDataStore) { try { error = authenticationDataStore .get(samlArtifact, Throwable.class);
@@ -119,7 +119,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer { throw new AuthenticationException("1206", new Object[] { samlArtifact }); } - } + //} return error; }
@@ -178,7 +178,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer { samlArtifact, ex.toString() }); } String authData = null; - synchronized (authenticationDataStore) { + //synchronized (authenticationDataStore) { // System.out.println("assertionHandle: " + assertionHandle); try {
@@ -189,7 +189,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer { Logger.error("Assertion not found for SAML Artifact: " + samlArtifact); throw new AuthenticationException("1206", new Object[] { samlArtifact }); } - } + //} authenticationDataStore.remove(samlArtifact);
@@ -616,11 +616,11 @@ public class SAML1AuthenticationServer extends AuthenticationServer { new Object[] { samlArtifact }); parser.parseAssertionHandle(); - synchronized (authenticationDataStore) { + //synchronized (authenticationDataStore) { Logger.debug("Assertion stored for SAML Artifact: " + samlArtifact); authenticationDataStore.put(samlArtifact, samlAssertion); - } + //} } catch (AuthenticationException ex) { throw ex; |
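Review bot: Commenting out the `synchronized (authenticationDataStore)` blocks (hunks at -107, -119, -178, -189 and -616; the last appears to continue past what is shown) removes the only mutual exclusion visible around the artifact store's `get`, `put` and `remove`; whether that is safe depends on the type of `authenticationDataStore`, which is not visible here. In the -189 hunk the `authenticationDataStore.remove(samlArtifact)` already sits outside the former critical section, so artifact resolution is a separate get-then-remove: two concurrent resolutions of the same artifact can both obtain the assertion before either removes it, which undermines the single-use property a SAML artifact is meant to have; an atomic remove-and-return operation on the store, or a lock spanning both the get and the remove, would close that window. If the store is thread-safe and the locks were redundant, the `//synchronized (authenticationDataStore) {` and `//}` lines should be deleted rather than left as commented-out code, with a one-line comment on the field stating which thread-safety guarantee is relied on. The methods containing these hunks start and end outside them.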