Diffstat (limited to 'id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols')
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/AbstractAuthProtocolModulController.java63
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/ProtocolFinalizationController.java23
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AuthenticationAction.java2
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java7
4 files changed, 63 insertions, 32 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/AbstractAuthProtocolModulController.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/AbstractAuthProtocolModulController.java
index e6f08abd9..bf00cadaf 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/AbstractAuthProtocolModulController.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/AbstractAuthProtocolModulController.java
@@ -34,6 +34,7 @@ import at.gv.egovernment.moa.id.auth.builder.AuthenticationDataBuilder;
import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
import at.gv.egovernment.moa.id.auth.servlet.AbstractController;
+import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters;
import at.gv.egovernment.moa.id.data.IAuthData;
import at.gv.egovernment.moa.id.data.SLOInformationInterface;
@@ -99,9 +100,32 @@ public abstract class AbstractAuthProtocolModulController extends AbstractContro
} catch (Exception e) {
buildProtocolSpecificErrorResponse(e, req, resp, pendingReq);
+ removeUserSession(pendingReq, req, resp);
+
}
}
+
+ protected String createNewSSOSessionCookie(HttpServletRequest req, HttpServletResponse resp,
+ IRequest pendingReq, AuthenticationSession moaSession) {
+ Logger.debug("Add SSO information to MOASession.");
+
+ //Store SSO information into database
+ String newSSOSessionId = ssomanager.createSSOSessionInformations(moaSession.getSessionID(),
+ pendingReq.getOAURL());
+
+ //set SSO cookie to response
+ if (MiscUtil.isNotEmpty(newSSOSessionId)) {
+ ssomanager.setSSOSessionID(req, resp, newSSOSessionId);
+
+ } else {
+ ssomanager.deleteSSOSessionID(req, resp);
+
+ }
+
+ return newSSOSessionId;
+ }
+
/**
* Finalize the requested protocol operation
*
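Review bot: The `removeUserSession(pendingReq, req, resp);` added to the catch block only runs if `buildProtocolSpecificErrorResponse` returns normally, yet that method declares `throws IOException` (visible in the later hunk of this file), so a failed error-response write leaves the authenticated MOASession alive on the very path that used to remove it inside the method. Wrapping the call in try/finally keeps the cleanup unconditional; the same ordering appears in ProtocolFinalizationController, both in its first hunk (`buildProtocolSpecificErrorResponse` followed by `removeUserSession`) and in its last hunk (the `catch (Exception e)` block). The enclosing method begins outside this hunk. `createNewSSOSessionCookie` is also new protected API without Javadoc; a short summary saying that it persists the SSO binding for `moaSession` and the pending request's OA URL, then sets the SSO cookie when an id was produced and deletes it otherwise, returning that id, would help subclasses.
```java
} catch (Exception e) {
    try {
        buildProtocolSpecificErrorResponse(e, req, resp, pendingReq);
    } finally {
        // end the MOASession even if writing the error response fails
        removeUserSession(pendingReq, req, resp);
    }
}
```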
@@ -118,21 +142,7 @@ public abstract class AbstractAuthProtocolModulController extends AbstractContro
//if Single Sign-On functionality is enabled for this request
if (pendingReq.needSingleSignOnFunctionality()) {
-
- Logger.debug("Add SSO information to MOASession.");
-
- //Store SSO information into database
- newSSOSessionId = ssomanager.createSSOSessionInformations(moaSession.getSessionID(),
- pendingReq.getOAURL());
-
- //set SSO cookie to response
- if (MiscUtil.isNotEmpty(newSSOSessionId)) {
- ssomanager.setSSOSessionID(req, resp, newSSOSessionId);
-
- } else {
- ssomanager.deleteSSOSessionID(req, resp);
-
- }
+ newSSOSessionId = createNewSSOSessionCookie(req, resp, pendingReq, moaSession);
}
@@ -202,6 +212,23 @@ public abstract class AbstractAuthProtocolModulController extends AbstractContro
}
+ protected void removeUserSession(IRequest pendingReq, HttpServletRequest req,
+ HttpServletResponse resp) {
+ try {
+ AuthenticationSession moaSession = authenticatedSessionStorage.getSession(
+ pendingReq.getMOASessionIdentifier());
+
+ if (moaSession != null)
+ authmanager.performOnlyIDPLogOut(req, resp, moaSession.getSessionID());
+
+ } catch (MOADatabaseException e) {
+ Logger.error("Remove user-session FAILED." , e);
+
+ }
+
+
+ }
+
protected void buildProtocolSpecificErrorResponse(Throwable throwable, HttpServletRequest req,
HttpServletResponse resp, IRequest protocolRequest) throws IOException {
try {
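Review bot: `removeUserSession` is new protected API with no Javadoc, and because it is the error-path step that ends an authenticated MOASession its contract should be stated: it looks up the session via `pendingReq.getMOASessionIdentifier()`, performs an IdP-only logout if one exists, and logs but swallows `MOADatabaseException`, so callers cannot tell that the session may have survived. A Javadoc such as `/** Terminates the MOASession bound to {@code pendingReq} via an IdP-only logout. A failed session lookup is logged and swallowed, so the caller gets no signal that the session may still be active. */` makes that explicit. The single-statement `if (moaSession != null)` should be braced like the surrounding code. The class continues outside this hunk.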
@@ -226,12 +253,6 @@ public abstract class AbstractAuthProtocolModulController extends AbstractContro
//log Error Message
statisticLogger.logErrorOperation(throwable, protocolRequest);
- //remove MOASession
- AuthenticationSession moaSession = authenticatedSessionStorage.getSession(
- protocolRequest.getMOASessionIdentifier());
- if (moaSession != null)
- authmanager.performOnlyIDPLogOut(req, resp, moaSession.getSessionID());
-
return;
} else {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/ProtocolFinalizationController.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/ProtocolFinalizationController.java
index 009ef4b6d..a9fc994ec 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/ProtocolFinalizationController.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/ProtocolFinalizationController.java
@@ -75,15 +75,9 @@ public class ProtocolFinalizationController extends AbstractAuthProtocolModulCon
//build protocol-specific error message if possible
buildProtocolSpecificErrorResponse(throwable, req, resp, pendingReq);
-
- //get MOASession for this pendingRequest
- AuthenticationSession moaSession =
- authenticatedSessionStorage.getSession(
- pendingReq.getMOASessionIdentifier());
-
- //remove MOASession if someone is found
- if (moaSession != null)
- authmanager.performOnlyIDPLogOut(req, resp, moaSession.getSessionID());
+
+ //remove active user-session
+ removeUserSession(pendingReq, req, resp);
return;
@@ -135,9 +129,18 @@ public class ProtocolFinalizationController extends AbstractAuthProtocolModulCon
//check if pending-request has 'abortedByUser' flag set
if (pendingReq.isAbortedByUser()) {
+ //send authentication aborted error to Service Provider
buildProtocolSpecificErrorResponse(
new AuthenticationException("auth.21", new Object[] {}),
req, resp, pendingReq);
+
+ //do not remove the full active SSO-Session
+ // in case of only one Service-Provider authentication request is aborted
+ if ( !(moaSession.isAuthenticated()
+ && pendingReq.needSingleSignOnFunctionality()) ) {
+ removeUserSession(pendingReq, req, resp);
+
+ }
//check if MOASession and pending-request are authenticated
} else if (moaSession.isAuthenticated() && pendingReq.isAuthenticated()) {
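Review bot: The comment above the new condition is hard to parse (`in case of only one Service-Provider authentication request is aborted`); consider `// keep the active SSO session: only this one Service-Provider request was aborted`. The condition dereferences `moaSession` without a null check; the `else if` on the following context line does the same, so presumably the null case is handled before this hunk, but that is worth confirming since `removeUserSession` itself tolerates a missing session. The spacing in `if ( !(moaSession.isAuthenticated()` also differs from the neighbouring `if (pendingReq.isAbortedByUser()) {`.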
@@ -155,6 +158,8 @@ public class ProtocolFinalizationController extends AbstractAuthProtocolModulCon
Logger.error("Finalize authentication protocol FAILED." , e);
buildProtocolSpecificErrorResponse(e, req, resp, pendingReq);
+ removeUserSession(pendingReq, req, resp);
+
}
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AuthenticationAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AuthenticationAction.java
index 21f505bf1..2882f20e1 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AuthenticationAction.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AuthenticationAction.java
@@ -76,6 +76,7 @@ public class AuthenticationAction implements IAction {
DateTime date = new DateTime();
SLOInformationImpl sloInformation = new SLOInformationImpl();
+
//build Assertion
Assertion assertion = PVP2AssertionBuilder.buildAssertion(pvpRequest, authnRequest, authData,
@@ -106,6 +107,7 @@ public class AuthenticationAction implements IAction {
//set protocol type
sloInformation.setProtocolType(req.requestedModule());
+ sloInformation.setSpEntityID(req.getOnlineApplicationConfiguration().getPublicURLPrefix());
return sloInformation;
} catch (MessageEncodingException e) {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java
index a7fc8295a..cffc9378a 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java
@@ -439,7 +439,7 @@ public class SingleLogOutBuilder {
if (!oa.getOaurlprefix().equals(removeOAID)) {
//Actually only PVP 2.1 support Single LogOut
- if (PVP2XProtocol.PATH.equals(oa.getProtocolType())) {
+ if (PVP2XProtocol.NAME.equals(oa.getProtocolType())) {
SingleLogoutService sloDesc;
try {
sloDesc = getRequestSLODescriptor(oa.getOaurlprefix());
@@ -447,7 +447,8 @@ public class SingleLogOutBuilder {
if (sloDesc.getBinding().equals(SAMLConstants.SAML2_SOAP11_BINDING_URI))
container.getActiveBackChannelOAs().put(oa.getOaurlprefix(),
new SLOInformationImpl(
- oa.getAuthURL(),
+ oa.getAuthURL(),
+ oa.getOaurlprefix(),
oa.getAssertionSessionID(),
oa.getUserNameID(),
oa.getUserNameIDFormat(),
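Review bot: The new `SLOInformationImpl` constructor argument `oa.getOaurlprefix(),` is inserted among several adjacent parameters that all appear to be strings (auth URL, entity id, session id, name id, name-id format), so a swapped argument compiles silently; the same call shape is repeated in the next two hunks of this file. Since `SLOInformationImpl` already exposes `setSpEntityID(...)` (used in AuthenticationAction in this commit), setting the entity id through the setter, or naming the parameters via a small builder, would make the intent visible at each call site. The surrounding loop begins and ends outside this hunk.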
@@ -458,6 +459,7 @@ public class SingleLogOutBuilder {
container.getActiveFrontChannalOAs().put(oa.getOaurlprefix(),
new SLOInformationImpl(
oa.getAuthURL(),
+ oa.getOaurlprefix(),
oa.getAssertionSessionID(),
oa.getUserNameID(),
oa.getUserNameIDFormat(),
@@ -498,6 +500,7 @@ public class SingleLogOutBuilder {
container.getActiveFrontChannalOAs().put(el.getIdpurlprefix(),
new SLOInformationImpl(
el.getAuthURL(),
+ el.getIdpurlprefix(),
el.getSessionIndex(),
el.getUserNameID(),
NameID.TRANSIENT,