4 files changed, 83 insertions, 48 deletions

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/AbstractAuthProtocolModulController.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/AbstractAuthProtocolModulController.java
index e6f08abd9..bf00cadaf 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/AbstractAuthProtocolModulController.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/AbstractAuthProtocolModulController.java
@@ -34,6 +34,7 @@ import at.gv.egovernment.moa.id.auth.builder.AuthenticationDataBuilder;
 import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
 import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
 import at.gv.egovernment.moa.id.auth.servlet.AbstractController;
+import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
 import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters;
 import at.gv.egovernment.moa.id.data.IAuthData;
 import at.gv.egovernment.moa.id.data.SLOInformationInterface;
@@ -99,9 +100,32 @@ public abstract class AbstractAuthProtocolModulController extends AbstractContro
 		} catch (Exception e) {
 			buildProtocolSpecificErrorResponse(e, req, resp, pendingReq);
 			
+			removeUserSession(pendingReq, req, resp);
+						
 		}		
 	}
 	
+	
+	protected String createNewSSOSessionCookie(HttpServletRequest req, HttpServletResponse resp, 
+			IRequest pendingReq, AuthenticationSession moaSession) {
+		Logger.debug("Add SSO information to MOASession.");
+		
+		//Store SSO information into database
+		String newSSOSessionId = ssomanager.createSSOSessionInformations(moaSession.getSessionID(), 
+				pendingReq.getOAURL());
+
+		//set SSO cookie to response
+		if (MiscUtil.isNotEmpty(newSSOSessionId)) {
+			ssomanager.setSSOSessionID(req, resp, newSSOSessionId);
+	
+		} else {
+			ssomanager.deleteSSOSessionID(req, resp);
+		
+		}
+		
+		return newSSOSessionId;
+	}
+	
 	/**
 	 * Finalize the requested protocol operation
 	 * 
@@ -118,21 +142,7 @@ public abstract class AbstractAuthProtocolModulController extends AbstractContro
 		
 		//if Single Sign-On functionality is enabled for this request
 		if (pendingReq.needSingleSignOnFunctionality()) {
-			
-			Logger.debug("Add SSO information to MOASession.");
-			
-			//Store SSO information into database
-			newSSOSessionId = ssomanager.createSSOSessionInformations(moaSession.getSessionID(), 
-					pendingReq.getOAURL());
-	
-			//set SSO cookie to response
-			if (MiscUtil.isNotEmpty(newSSOSessionId)) {
-				ssomanager.setSSOSessionID(req, resp, newSSOSessionId);
-		
-			} else {
-				ssomanager.deleteSSOSessionID(req, resp);
-			
-			}
+			newSSOSessionId = createNewSSOSessionCookie(req, resp, pendingReq, moaSession);
 			
 		}
 		
@@ -202,6 +212,23 @@ public abstract class AbstractAuthProtocolModulController extends AbstractContro
 		
 	}
 	
+	protected void removeUserSession(IRequest pendingReq, HttpServletRequest req, 
+			HttpServletResponse resp) {		
+		try {
+			AuthenticationSession moaSession = authenticatedSessionStorage.getSession(
+					pendingReq.getMOASessionIdentifier());
+			
+			if (moaSession != null)
+				authmanager.performOnlyIDPLogOut(req, resp, moaSession.getSessionID());
+
+		} catch (MOADatabaseException e) {
+			Logger.error("Remove user-session FAILED." , e);
+			
+		}
+		
+		
+	}
+	
 	protected void buildProtocolSpecificErrorResponse(Throwable throwable, HttpServletRequest req, 
 			HttpServletResponse resp, IRequest protocolRequest) throws IOException {
 		try {
@@ -226,12 +253,6 @@ public abstract class AbstractAuthProtocolModulController extends AbstractContro
 				//log Error Message
 				statisticLogger.logErrorOperation(throwable, protocolRequest);
 				
-				//remove MOASession
-				AuthenticationSession moaSession = authenticatedSessionStorage.getSession(
-						protocolRequest.getMOASessionIdentifier());
-				if (moaSession != null)
-					authmanager.performOnlyIDPLogOut(req, resp, moaSession.getSessionID());
-				
 				return;
 				
 			} else {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/ProtocolFinalizationController.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/ProtocolFinalizationController.java
index 8c3f2c946..a9fc994ec 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/ProtocolFinalizationController.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/ProtocolFinalizationController.java
@@ -33,6 +33,7 @@ import org.springframework.web.bind.annotation.RequestMethod;
 
 import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
 import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
+import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
 import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
 import at.gv.egovernment.moa.id.auth.exception.WrongParametersException;
 import at.gv.egovernment.moa.id.moduls.IRequest;
@@ -74,18 +75,9 @@ public class ProtocolFinalizationController extends AbstractAuthProtocolModulCon
 	
 						//build protocol-specific error message if possible
 						buildProtocolSpecificErrorResponse(throwable, req, resp, pendingReq);
-						
-						//log Error Message
-						statisticLogger.logErrorOperation(throwable, pendingReq);
-						
-						//get MOASession for this pendingRequest
-						AuthenticationSession moaSession = 
-								authenticatedSessionStorage.getSession(
-										pendingReq.getMOASessionIdentifier());
-						
-						//remove MOASession if someone is found
-						if (moaSession != null)
-							authmanager.performOnlyIDPLogOut(req, resp, moaSession.getSessionID());
+																
+						//remove active user-session
+						removeUserSession(pendingReq, req, resp);
 	
 						return;
 	
@@ -132,31 +124,48 @@ public class ProtocolFinalizationController extends AbstractAuthProtocolModulCon
 				if (moaSession == null) {
 					Logger.error("No MOASession with ID " + sessionID + " found.!");		
 					handleErrorNoRedirect(new MOAIDException("auth.02", new Object[]{sessionID}), req, resp, true);							
-					return;
 					
-				}
-								
-				//check if MOASession and pending-request are authenticated
-				if (moaSession.isAuthenticated() && pendingReq.isAuthenticated()) {				
-					finalizeAuthenticationProcess(req, resp, pendingReq, moaSession);
-									
 				} else {
-					Logger.error("MOASession oder Pending-Request are not authenticated --> Abort authentication process!");		
-					handleErrorNoRedirect(new MOAIDException("auth.20", null), req, resp, true);							
-					return;
-									
+					
+						//check if pending-request has 'abortedByUser' flag set
+					if (pendingReq.isAbortedByUser()) {
+						//send authentication aborted error to Service Provider
+						buildProtocolSpecificErrorResponse(
+								new AuthenticationException("auth.21", new Object[] {}), 
+								req, resp, pendingReq);
+						
+						//do not remove the full active SSO-Session 
+						// in case of only one Service-Provider authentication request is aborted   
+						if ( !(moaSession.isAuthenticated() 
+								&& pendingReq.needSingleSignOnFunctionality()) ) {
+							removeUserSession(pendingReq, req, resp);
+							
+						}							
+	
+						//check if MOASession and pending-request are authenticated					
+					} else if (moaSession.isAuthenticated() && pendingReq.isAuthenticated()) {				
+						finalizeAuthenticationProcess(req, resp, pendingReq, moaSession);
+	
+					} else {
+						//suspect state: pending-request is not aborted but also are not authenticated 
+						Logger.error("MOASession oder Pending-Request are not authenticated --> Abort authentication process!");		
+						handleErrorNoRedirect(new MOAIDException("auth.20", null), req, resp, true);							
+										
+					}
 				}
 							
 			} catch (Exception e) {
 				Logger.error("Finalize authentication protocol FAILED." , e);
 				buildProtocolSpecificErrorResponse(e, req, resp, pendingReq);
 				
+				removeUserSession(pendingReq, req, resp);
+				
 			}		
 		}
 		
 		//remove pending-request
 		if (pendingReq != null)
-		requestStorage.removePendingRequest(pendingReq.getRequestID());
+			requestStorage.removePendingRequest(pendingReq.getRequestID());
 		
 	}
 
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AuthenticationAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AuthenticationAction.java
index 21f505bf1..2882f20e1 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AuthenticationAction.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AuthenticationAction.java
@@ -76,6 +76,7 @@ public class AuthenticationAction implements IAction {
 		DateTime date = new DateTime();
 		
 		SLOInformationImpl sloInformation = new SLOInformationImpl();
+
 		
 		//build Assertion
 		Assertion assertion = PVP2AssertionBuilder.buildAssertion(pvpRequest, authnRequest, authData, 
@@ -106,6 +107,7 @@ public class AuthenticationAction implements IAction {
 
 			//set protocol type
 			sloInformation.setProtocolType(req.requestedModule());
+			sloInformation.setSpEntityID(req.getOnlineApplicationConfiguration().getPublicURLPrefix());
 			return sloInformation;
 			
 		} catch (MessageEncodingException e) {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java
index a7fc8295a..63452bee0 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java
@@ -439,7 +439,7 @@ public class SingleLogOutBuilder {
 				if (!oa.getOaurlprefix().equals(removeOAID)) {
 					
 					//Actually only PVP 2.1 support Single LogOut
-					if (PVP2XProtocol.PATH.equals(oa.getProtocolType())) {					
+					if (PVP2XProtocol.NAME.equals(oa.getProtocolType())) {					
 						SingleLogoutService sloDesc;
 						try {
 							sloDesc = getRequestSLODescriptor(oa.getOaurlprefix());
@@ -447,7 +447,8 @@ public class SingleLogOutBuilder {
 							if (sloDesc.getBinding().equals(SAMLConstants.SAML2_SOAP11_BINDING_URI))										
 								container.getActiveBackChannelOAs().put(oa.getOaurlprefix(), 
 										new SLOInformationImpl(
-											oa.getAuthURL(),	
+											oa.getAuthURL(),
+											oa.getOaurlprefix(),
 											oa.getAssertionSessionID(), 
 											oa.getUserNameID(), 
 											oa.getUserNameIDFormat(), 
@@ -458,6 +459,7 @@ public class SingleLogOutBuilder {
 								container.getActiveFrontChannalOAs().put(oa.getOaurlprefix(), 
 										new SLOInformationImpl(
 											oa.getAuthURL(),
+											oa.getOaurlprefix(),
 											oa.getAssertionSessionID(), 
 											oa.getUserNameID(), 
 											oa.getUserNameIDFormat(), 
@@ -498,10 +500,11 @@ public class SingleLogOutBuilder {
 						container.getActiveFrontChannalOAs().put(el.getIdpurlprefix(), 
 								new SLOInformationImpl(
 										el.getAuthURL(),
+										el.getIdpurlprefix(),
 										el.getSessionIndex(), 
 										el.getUserNameID(), 
 										NameID.TRANSIENT, 
-										PVP2XProtocol.PATH,
+										PVP2XProtocol.NAME,
 										sloDesc));
 						
 					} catch (NOSLOServiceDescriptorException e) {