Diffstat (limited to 'id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java')
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java79
1 files changed, 56 insertions, 23 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java
index 22f4a00ad..e995a1c2e 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java
@@ -32,6 +32,7 @@ import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage;
import at.gv.egovernment.moa.id.storage.ExceptionStoreImpl;
import at.gv.egovernment.moa.id.util.HTTPSessionUtils;
import at.gv.egovernment.moa.id.util.MOAIDMessageProvider;
+import at.gv.egovernment.moa.id.util.legacy.LegacyHelper;
import at.gv.egovernment.moa.logging.Logger;
public class DispatcherServlet extends AuthServlet{
@@ -80,6 +81,10 @@ public class DispatcherServlet extends AuthServlet{
IRequest errorRequest = RequestStorage
.getPendingRequest(req.getSession());
+
+ //remove the
+ RequestStorage.removePendingRequest(req.getSession());
+
if (errorRequest != null) {
try {
IModulInfo handlingModule = ModulStorage
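Review bot: The added comment `//remove the` stops mid-sentence, so the reason for clearing the pending request before the `errorRequest != null` check is left to the reader. Something like `// remove the pending request first so a failure in the error handler cannot leave it in the session` would record it, if that is the intent. The enclosing method starts and ends outside the hunk.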
@@ -204,7 +209,7 @@ public class DispatcherServlet extends AuthServlet{
.getOnlineApplicationParameter(protocolRequest.getOAURL());
if (oaParam == null) {
//TODO: Find a better place for this!!
- req.getSession().invalidate();
+ //req.getSession().invalidate();
throw new AuthenticationException("auth.00", new Object[] { protocolRequest.getOAURL() });
}
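Review bot: The `invalidate()` call is commented out rather than removed, and nothing in the hunk says why a request for an unknown online application should now keep its HTTP session. If the session is kept on purpose, replace the dead line with the reason, e.g. `// keep the HTTP session: an unknown OA must not end an existing login`, and drop the `//TODO: Find a better place for this!!` that referred to it. It is also worth confirming that anything this request stored in the session before the check is cleaned up on this path, since throwing is now the only thing the branch does. The enclosing method starts and ends outside the hunk.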
@@ -235,31 +240,32 @@ public class DispatcherServlet extends AuthServlet{
isValidSSOSession = ssomanager.isValidSSOSession(ssoId, req);
useSSOOA = oaParam.useSSO();
+ //if a legacy request is used SSO should not be allowed, actually
+ boolean isUseMandateRequested = LegacyHelper.isUseMandateRequested(req);
+
if (protocolRequest.isPassiv()
&& protocolRequest.forceAuth()) {
// conflict!
throw new NoPassivAuthenticationException();
}
-
- if (protocolRequest.forceAuth()) {
- if (!authmanager.tryPerformAuthentication(
- req, resp)) {
+
+ boolean tryperform = authmanager.tryPerformAuthentication(
+ req, resp);
+
+ if (protocolRequest.forceAuth()) {
+ if (!tryperform) {
authmanager.doAuthentication(req, resp,
protocolRequest);
return;
}
} else if (protocolRequest.isPassiv()) {
- if (authmanager.tryPerformAuthentication(req,
- resp)
- || (isValidSSOSession && useSSOOA) ) {
+ if (tryperform || (isValidSSOSession && useSSOOA && !isUseMandateRequested) ) {
// Passive authentication ok!
} else {
throw new NoPassivAuthenticationException();
}
} else {
- if (authmanager.tryPerformAuthentication(req,
- resp)
- || (isValidSSOSession && useSSOOA) ) {
+ if (tryperform || (isValidSSOSession && useSSOOA && !isUseMandateRequested) ) {
// Is authenticated .. proceed
} else {
// Start authentication!
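Review bot: The comment above `isUseMandateRequested` speaks of legacy requests while the flag reports a mandate request, and the trailing "actually" leaves it unclear whether this is a rule or a workaround. A comment stating the rule would help, e.g. `// a request asking for a mandate must not be served from an existing SSO session`, if that is what is meant. `tryperform` would also read better as a predicate name such as `authPerformed`. The flag is applied only in the passive and default branches visible here; the block continues outside the hunk.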
@@ -268,21 +274,32 @@ public class DispatcherServlet extends AuthServlet{
return;
}
}
+
}
-
- moduleAction.processRequest(protocolRequest, req, resp);
- RequestStorage.removePendingRequest(httpSession);
+ String moasessionID = null;
+ AuthenticationSession moasession = null;
- String moasessionID = HTTPSessionUtils.getHTTPSessionString(req.getSession(),
- AuthenticationManager.MOA_SESSION, null);
-
- AuthenticationSession moasession = AuthenticationSessionStoreage.getSession(moasessionID);
-
- if ((useSSOOA || isValidSSOSession)
- && moasession.isSsoRequested()
- && !moasession.getUseMandate()) //TODO: SSO with mandates requires an OVS extension
+ if ((useSSOOA || isValidSSOSession)) //TODO: SSO with mandates requires an OVS extension
{
+
+ //TODO SSO Question!!!!
+ if (useSSOOA && isValidSSOSession) {
+
+ moasessionID = ssomanager.getMOASession(ssoId);
+ moasession = AuthenticationSessionStoreage.getSession(moasessionID);
+
+ //use new OAParameter
+ if (!oaParam.useSSOWithoutQuestion() && !AuthenticationSessionStoreage.isAuthenticated(moasessionID)) {
+ authmanager.sendTransmitAssertionQuestion(req, resp, protocolRequest, oaParam);
+ return;
+ }
+ }
+ else {
+ moasessionID = HTTPSessionUtils.getHTTPSessionString(req.getSession(),
+ AuthenticationManager.MOA_SESSION, null);
+ moasession = AuthenticationSessionStoreage.getSession(moasessionID);
+ }
//save SSO session usage in Database
String newSSOSessionId = ssomanager.storeSSOSessionInformations(moasessionID, protocolRequest.getOAURL());
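Review bot: The session chosen in the `useSSOOA && isValidSSOSession` branch is not held to the same condition as the authentication gate earlier in this method, which accepts SSO only when `!isUseMandateRequested` and does not consult SSO at all when `forceAuth()` is set. As written, a request that was just made to authenticate again may still have `moasession` loaded from `ssomanager.getMOASession(ssoId)`, so the module could be handed the older SSO session instead of the fresh one; please confirm against the authentication flow whether that can happen. Consider computing the gate once, e.g. `boolean ssoAllowed = isValidSSOSession && useSSOOA && !isUseMandateRequested && !protocolRequest.forceAuth();`, and branching on it here; `isUseMandateRequested` looks to be declared inside the block that closes just above, so it would need hoisting. The results of `getMOASession` and `getSession` are also used without a null check, and the `//TODO: SSO with mandates` comment now sits on a condition that no longer tests the mandate flag.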
@@ -295,7 +312,23 @@ public class DispatcherServlet extends AuthServlet{
}
} else {
- authmanager.logout(req, resp);
+ moasessionID = HTTPSessionUtils.getHTTPSessionString(req.getSession(),
+ AuthenticationManager.MOA_SESSION, null);
+ moasession = AuthenticationSessionStoreage.getSession(moasessionID);
+ }
+
+ moduleAction.processRequest(protocolRequest, req, resp, moasession);
+
+ RequestStorage.removePendingRequest(httpSession);
+
+ boolean isSSOSession = AuthenticationSessionStoreage.isSSOSession(moasessionID);
+
+ if ((useSSOOA || isSSOSession) //TODO: SSO with mandates requires an OVS extension
+ && !moasession.getUseMandate())
+ {
+
+ } else {
+ authmanager.logout(req, resp, moasessionID);
}
ConfigurationDBUtils.closeSession();
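Review bot: `moasession` is dereferenced in `!moasession.getUseMandate()` with no null check, although `moasessionID` is read with a `null` default just above and whether `AuthenticationSessionStoreage.getSession` can return null is not visible in this hunk. If that dereference fails after `processRequest` has already answered, the `logout` in the else branch is skipped and the session stays alive, so the cleanup should fail closed. The empty then-branch also hides the intent; inverting the test reads better and covers the null case: `if (!(useSSOOA || isSSOSession) || moasession == null || moasession.getUseMandate()) { authmanager.logout(req, resp, moasessionID); }`. The method body starts outside the hunk.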