1 files changed, 18 insertions, 4 deletions

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AttributeCollector.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AttributeCollector.java
index 371cfb1d7..42e9bf25d 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AttributeCollector.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AttributeCollector.java
@@ -50,7 +50,7 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
 /**
- * the AttributeCollector Action tries to get all requested attributes from a set of {@link AttributeProvider} Plugins.
+ * The AttributeCollector Action tries to get all requested attributes from a set of {@link AttributeProvider} Plugins.
  * The class is called whenever the {@link AuthenticationRequest} Action is invoked and checks for missing attributes.
  * Furthermore, the class can handle direct posts. That is when the class triggers an attribute query which needs user
  * interaction, redirect to another portal, etc. The redirect will hit here and the class can continue to fetch attributes.
@@ -80,8 +80,6 @@ public class AttributeCollector implements IAction {
 		}
 
 
-        //   TODO extract attribute response and check if it corresponds to the container
-
         if (httpReq.getParameter("SAMLResponse") != null) {
             Logger.info("Got SAML response from external attribute provider.");
 
@@ -106,7 +104,7 @@ public class AttributeCollector implements IAction {
             STORKAuthnResponse authnResponse = null;
 
 
-            // check if valid authn request is contained
+            // check if valid authn response is contained
             try {
                 authnResponse = engine.validateSTORKAuthnResponse(decSamlToken, httpReq.getRemoteAddr());
             } catch (STORKSAMLEngineException ex) {
@@ -115,6 +113,22 @@ public class AttributeCollector implements IAction {
 
             STORK2Response.setSTORKAuthnResponseToken(decSamlToken);
 
+            // check if the attributes are provided for the same person from request
+            // requires presence of eIdentifier for unambigious correlation
+            Logger.debug("Checking if the attribute relates to the correct person..");
+            try {
+                String remoteEIdentifier= authnResponse.getPersonalAttributeList().get("eIdentifier").getValue().get(0);
+                String localEidentifier= container.getResponse().getStorkAuthnResponse().getPersonalAttributeList().get("eIdentifier").getValue().get(0);
+                    if (!remoteEIdentifier.equals(localEidentifier)) {
+                        Logger.error("The attribute is not provided for the same person!");
+                        throw new MOAIDException("stork.25", null);
+                    }
+            } catch (NullPointerException ex) {
+                Logger.warn("Could not check the correlation of attributes from external provider. Ignoring the check.");
+                //Logger.debug(ex);
+                //throw new MOAIDException("stork.04", null); // TODO revise message, raise exception when ehvd checked
+            }
+
             if (authnResponse.getPersonalAttributeList().size() > 0) {
                 Logger.info("Response from external attribute provider contains " + authnResponse.getPersonalAttributeList().size() + " attributes.");
                 container.getResponse().setPersonalAttributeList(addOrUpdateAll(container.getResponse().getPersonalAttributeList(), authnResponse.getPersonalAttributeList()));