aboutsummaryrefslogtreecommitdiff
path: root/id/server/modules/moa-id-module-elga_mandate_service
diff options
context:
space:
mode:
Diffstat (limited to 'id/server/modules/moa-id-module-elga_mandate_service')
-rw-r--r--id/server/modules/moa-id-module-elga_mandate_service/.gitignore1
-rw-r--r--id/server/modules/moa-id-module-elga_mandate_service/pom.xml47
-rw-r--r--id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/ELGAMandatesAuthConstants.java116
-rw-r--r--id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/ELGAMandatesAuthModuleImpl.java86
-rw-r--r--id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/ELGAMandatesSpringResourceProvider.java64
-rw-r--r--id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/config/ELGAMandatesMetadataConfiguration.java313
-rw-r--r--id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/config/ELGAMandatesRequestBuilderConfiguration.java303
-rw-r--r--id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/controller/ELGAMandateMetadataController.java97
-rw-r--r--id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/controller/ELGAMandateSignalController.java67
-rw-r--r--id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/exceptions/ELGAMetadataException.java49
-rw-r--r--id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/EvaluateMandateServiceTask.java126
-rw-r--r--id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/ReceiveElgaMandateResponseTask.java306
-rw-r--r--id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/RequestELGAMandateTask.java196
-rw-r--r--id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/SelectMandateServiceTask.java95
-rw-r--r--id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/utils/ELGAMandateServiceMetadataProvider.java223
-rw-r--r--id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/utils/ELGAMandateUtils.java59
-rw-r--r--id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/utils/ELGAMandatesCredentialProvider.java123
-rw-r--r--id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/META-INF/services/at.gv.egiz.components.spring.api.SpringResourceProvider1
-rw-r--r--id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/at/gv/egovernment/moa/id/auth/modules/elgamandates/DefaultAuth_with_ELGA_mandates.process.xml71
-rw-r--r--id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/moaid_elga_mandate_client_auth.beans.xml46
-rw-r--r--id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/templates/mandate-service-selection.html76
21 files changed, 2465 insertions, 0 deletions
diff --git a/id/server/modules/moa-id-module-elga_mandate_service/.gitignore b/id/server/modules/moa-id-module-elga_mandate_service/.gitignore
new file mode 100644
index 000000000..b83d22266
--- /dev/null
+++ b/id/server/modules/moa-id-module-elga_mandate_service/.gitignore
@@ -0,0 +1 @@
+/target/
diff --git a/id/server/modules/moa-id-module-elga_mandate_service/pom.xml b/id/server/modules/moa-id-module-elga_mandate_service/pom.xml
new file mode 100644
index 000000000..3b5d1ba66
--- /dev/null
+++ b/id/server/modules/moa-id-module-elga_mandate_service/pom.xml
@@ -0,0 +1,47 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+ <modelVersion>4.0.0</modelVersion>
+ <parent>
+ <groupId>MOA.id.server.modules</groupId>
+ <artifactId>moa-id-modules</artifactId>
+ <version>${moa-id-version}</version>
+ </parent>
+ <artifactId>moa-id-module-elga_mandate_service</artifactId>
+ <version>${moa-id-module-elga_mandate_client}</version>
+ <name>ELGA mandate-service client</name>
+ <description>This authentication module implements a
+ client to integrate ELGA mandates in the MOA-ID identification and authentication process.
+ </description>
+ <organization>
+ <name>EGIZ</name>
+ <url>https://www.egiz.gv.at</url>
+ </organization>
+ <developers>
+ <developer>
+ <name>Thomas Lenz</name>
+ <organization>EGIZ</organization>
+ <email>thomas.lenz@egiz.gv.at</email>
+ </developer>
+ </developers>
+
+ <properties>
+ <repositoryPath>${basedir}/../../../../repository</repositoryPath>
+ </properties>
+
+ <dependencies>
+ <dependency>
+ <groupId>MOA.id.server</groupId>
+ <artifactId>moa-id-lib</artifactId>
+ </dependency>
+
+ <dependency>
+ <groupId>MOA.id.server.modules</groupId>
+ <artifactId>moa-id-modul-citizencard_authentication</artifactId>
+ <exclusions>
+ <exclusion>
+ <groupId>*</groupId>
+ </exclusion>
+ </exclusions>
+ </dependency>
+ </dependencies>
+
+</project> \ No newline at end of file
diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/ELGAMandatesAuthConstants.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/ELGAMandatesAuthConstants.java
new file mode 100644
index 000000000..7ca4590bb
--- /dev/null
+++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/ELGAMandatesAuthConstants.java
@@ -0,0 +1,116 @@
+package at.gv.egovernment.moa.id.auth.modules.elgamandates;
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+import at.gv.egovernment.moa.id.data.Pair;
+import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
+
+/**
+ * @author tlenz
+ *
+ */
+public class ELGAMandatesAuthConstants {
+
+ public static final String MODULE_NAME_FOR_LOGGING = "ELGA Mandate-Service";
+
+ public static final int METADATA_VALIDUNTIL_IN_HOURS = 24;
+
+ //Service endpoint definitions
+ public static final String ENDPOINT_POST = "/sp/elga_mandate/post";
+ public static final String ENDPOINT_REDIRECT = "/sp/elga_mandate/redirect";
+ public static final String ENDPOINT_METADATA = "/sp/elga_mandate/metadata";
+
+ public static final String TEMPLATE_MANDATE_SERVICE_SELECTION = "/mandate-service-selection.html";
+
+ //configuration properties
+ public static final String CONFIG_PROPS_PREFIX = "modules.elga_mandate.";
+
+ public static final String CONFIG_PROPS_SUBJECTNAMEID_TARGET = CONFIG_PROPS_PREFIX + "nameID.target";
+
+ public static final String CONFIG_PROPS_ENTITYID = CONFIG_PROPS_PREFIX + "service.entityID";
+ public static final String CONFIG_PROPS_METADATAURL = CONFIG_PROPS_PREFIX + "service.metadataurl";
+ public static final String CONFIG_PROPS_METADATA_TRUSTPROFILE = CONFIG_PROPS_PREFIX + "service.metadata.trustprofileID";
+ public static final String CONFIG_PROPS_ALLOWED_MANDATE_TYPES = CONFIG_PROPS_PREFIX + "service.mandateprofiles";
+
+ public static final String CONFIG_PROPS_KEYSTORE = CONFIG_PROPS_PREFIX + "keystore.path";
+ public static final String CONFIG_PROPS_KEYSTOREPASSWORD = CONFIG_PROPS_PREFIX + "keystore.password";
+ public static final String CONFIG_PROPS_SIGN_METADATA_KEY_PASSWORD = CONFIG_PROPS_PREFIX + "metadata.sign.password";
+ public static final String CONFIG_PROPS_SIGN_METADATA_ALIAS_PASSWORD = CONFIG_PROPS_PREFIX + "metadata.sign.alias";
+ public static final String CONFIG_PROPS_SIGN_SIGNING_KEY_PASSWORD = CONFIG_PROPS_PREFIX + "request.sign.password";
+ public static final String CONFIG_PROPS_SIGN_SIGNING_ALIAS_PASSWORD = CONFIG_PROPS_PREFIX + "request.sign.alias";
+ public static final String CONFIG_PROPS_ENCRYPTION_KEY_PASSWORD = CONFIG_PROPS_PREFIX + "response.encryption.password";
+ public static final String CONFIG_PROPS_ENCRYPTION_ALIAS_PASSWORD = CONFIG_PROPS_PREFIX + "response.encryption.alias";
+
+
+ /**
+ *
+ * Get required PVP attributes
+ * First : PVP attribute name (OID)
+ * Second: FriendlyName
+ *
+ */
+ public static final List<Pair<String, String>> REQUIRED_PVP_ATTRIBUTES =
+ Collections.unmodifiableList(new ArrayList<Pair<String, String>>() {
+ private static final long serialVersionUID = 1L;
+ {
+ //add PVP Version attribute
+ add(Pair.newInstance(PVPConstants.PVP_VERSION_NAME, PVPConstants.PVP_VERSION_FRIENDLY_NAME));
+
+ //request mandate type
+ add(Pair.newInstance(PVPConstants.MANDATE_TYPE_NAME, PVPConstants.MANDATE_TYPE_FRIENDLY_NAME));
+
+ //request attributes for natural mandators
+ add(Pair.newInstance(PVPConstants.MANDATE_NAT_PER_BPK_NAME, PVPConstants.MANDATE_NAT_PER_BPK_FRIENDLY_NAME));
+ add(Pair.newInstance(PVPConstants.MANDATE_NAT_PER_BIRTHDATE_NAME, PVPConstants.MANDATE_NAT_PER_BIRTHDATE_FRIENDLY_NAME));
+ add(Pair.newInstance(PVPConstants.MANDATE_NAT_PER_FAMILY_NAME_NAME, PVPConstants.MANDATE_NAT_PER_FAMILY_NAME_FRIENDLY_NAME));
+ add(Pair.newInstance(PVPConstants.MANDATE_NAT_PER_GIVEN_NAME_NAME, PVPConstants.MANDATE_NAT_PER_GIVEN_NAME_FRIENDLY_NAME));
+
+ //request reference_value
+ add(Pair.newInstance(PVPConstants.MANDATE_REFERENCE_VALUE_NAME, PVPConstants.MANDATE_REFERENCE_VALUE_FRIENDLY_NAME));
+ }
+ });
+
+
+ public static final String CONFIG_DEFAULT_QAA_STORK_LEVEL = "http://www.stork.gov.eu/1.0/citizenQAALevel/4";
+ public static final String CONFIG_DEFAULT_QAA_SECCLASS_LEVEL = "http://www.ref.gv.at/ns/names/agiz/pvp/secclass/0-3";
+
+ public static final String SUBJECTCONFORMATIONDATE_ELEMENT_NAMESPACE = "rc";
+ public static final String SUBJECTCONFORMATIONDATE_ELEMENT_NAMESPACE_URI = "http://egiz.gv.at/namespace/subjectconformationdate/elga";
+ public static final String SUBJECTCONFORMATIONDATE_ELEMENT_ROOT = SUBJECTCONFORMATIONDATE_ELEMENT_NAMESPACE + ":Representative";
+ public static final String SUBJECTCONFORMATIONDATE_ELEMENT_FAMILYNAME = SUBJECTCONFORMATIONDATE_ELEMENT_NAMESPACE + ":FamilyName";
+ public static final String SUBJECTCONFORMATIONDATE_ELEMENT_GIVENNAME = SUBJECTCONFORMATIONDATE_ELEMENT_NAMESPACE + ":GivenName";
+ public static final String SUBJECTCONFORMATIONDATE_ELEMENT_DATEOFBIRTH = SUBJECTCONFORMATIONDATE_ELEMENT_NAMESPACE + ":DateOfBirth";
+
+ public static List<String> getRequiredAttributeNames() {
+ List<String> list = new ArrayList<String>();
+ for (Pair<String, String> el : REQUIRED_PVP_ATTRIBUTES)
+ list.add(el.getFirst());
+ return list;
+ }
+
+
+}
diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/ELGAMandatesAuthModuleImpl.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/ELGAMandatesAuthModuleImpl.java
new file mode 100644
index 000000000..c2efe5bfc
--- /dev/null
+++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/ELGAMandatesAuthModuleImpl.java
@@ -0,0 +1,86 @@
+package at.gv.egovernment.moa.id.auth.modules.elgamandates;
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+
+
+import org.springframework.beans.factory.annotation.Autowired;
+
+import at.gv.egovernment.moa.id.auth.modules.internal.DefaultCitizenCardAuthModuleImpl;
+import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
+import at.gv.egovernment.moa.id.process.api.ExecutionContext;
+import at.gv.egovernment.moa.util.MiscUtil;
+
+/**
+ * This authentication module extens the default citizen
+ *
+ * @author tlenz
+ *
+ */
+public class ELGAMandatesAuthModuleImpl extends DefaultCitizenCardAuthModuleImpl {
+
+ @Autowired private AuthConfiguration authConfig;
+
+ private int priority = 0;
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.auth.modules.AuthModule#getPriority()
+ */
+ @Override
+ public int getPriority() {
+ return priority;
+ }
+
+ @Override
+ public String selectProcess(ExecutionContext context) {
+ String selectedProcessID = super.selectProcess(context);
+
+ //check if BKU authentication is selected and ELGA-MandateService is configurated
+ if (MiscUtil.isNotEmpty(selectedProcessID)) {
+ if (MiscUtil.isNotEmpty(authConfig.getBasicMOAIDConfiguration(
+ ELGAMandatesAuthConstants.CONFIG_PROPS_ENTITYID)))
+ return "DefaultAuthenticationWithELGAMandates";
+
+ }
+
+ return selectedProcessID;
+
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.auth.modules.AuthModule#getProcessDefinitions()
+ */
+ @Override
+ public String[] getProcessDefinitions() {
+ return new String[] { "classpath:at/gv/egovernment/moa/id/auth/modules/elgamandates/DefaultAuth_with_ELGA_mandates.process.xml" };
+ }
+
+ /**
+ * @param priority the priority to set
+ */
+ public void setPriority(int priority) {
+ this.priority = priority;
+
+ }
+
+
+}
diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/ELGAMandatesSpringResourceProvider.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/ELGAMandatesSpringResourceProvider.java
new file mode 100644
index 000000000..649e8e5f5
--- /dev/null
+++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/ELGAMandatesSpringResourceProvider.java
@@ -0,0 +1,64 @@
+package at.gv.egovernment.moa.id.auth.modules.elgamandates;
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+
+
+import org.springframework.core.io.ClassPathResource;
+import org.springframework.core.io.Resource;
+
+import at.gv.egiz.components.spring.api.SpringResourceProvider;
+
+/**
+ * @author tlenz
+ *
+ */
+public class ELGAMandatesSpringResourceProvider implements SpringResourceProvider {
+
+ /* (non-Javadoc)
+ * @see at.gv.egiz.components.spring.api.SpringResourceProvider#getResourcesToLoad()
+ */
+ @Override
+ public Resource[] getResourcesToLoad() {
+ ClassPathResource elgaAuthConfig = new ClassPathResource("/moaid_elga_mandate_client_auth.beans.xml", ELGAMandatesSpringResourceProvider.class);
+
+ return new Resource[] {elgaAuthConfig};
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egiz.components.spring.api.SpringResourceProvider#getPackagesToScan()
+ */
+ @Override
+ public String[] getPackagesToScan() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egiz.components.spring.api.SpringResourceProvider#getName()
+ */
+ @Override
+ public String getName() {
+ return "MOA-ID Auth-module 'ELGA Mandate-Client'";
+ }
+
+}
diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/config/ELGAMandatesMetadataConfiguration.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/config/ELGAMandatesMetadataConfiguration.java
new file mode 100644
index 000000000..5743590f9
--- /dev/null
+++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/config/ELGAMandatesMetadataConfiguration.java
@@ -0,0 +1,313 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.modules.elgamandates.config;
+
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+
+import org.opensaml.saml2.core.Attribute;
+import org.opensaml.saml2.core.NameIDType;
+import org.opensaml.saml2.metadata.ContactPerson;
+import org.opensaml.saml2.metadata.Organization;
+import org.opensaml.saml2.metadata.RequestedAttribute;
+import org.opensaml.xml.security.credential.Credential;
+
+import at.gv.egovernment.moa.id.auth.modules.elgamandates.ELGAMandatesAuthConstants;
+import at.gv.egovernment.moa.id.auth.modules.elgamandates.utils.ELGAMandatesCredentialProvider;
+import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
+import at.gv.egovernment.moa.id.data.Pair;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPAttributeBuilder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPMetadataBuilderConfiguration;
+import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration;
+import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException;
+import at.gv.egovernment.moa.logging.Logger;
+
+/**
+ * @author tlenz
+ *
+ */
+public class ELGAMandatesMetadataConfiguration implements IPVPMetadataBuilderConfiguration {
+
+ private String authURL;
+ private ELGAMandatesCredentialProvider credentialProvider;
+
+ public ELGAMandatesMetadataConfiguration(String authURL, ELGAMandatesCredentialProvider credentialProvider) {
+ this.authURL = authURL;
+ this.credentialProvider = credentialProvider;
+
+ }
+
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getMetadataValidUntil()
+ */
+ @Override
+ public int getMetadataValidUntil() {
+ return ELGAMandatesAuthConstants.METADATA_VALIDUNTIL_IN_HOURS;
+
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#buildEntitiesDescriptorAsRootElement()
+ */
+ @Override
+ public boolean buildEntitiesDescriptorAsRootElement() {
+ return false;
+
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#buildIDPSSODescriptor()
+ */
+ @Override
+ public boolean buildIDPSSODescriptor() {
+ return false;
+
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#buildSPSSODescriptor()
+ */
+ @Override
+ public boolean buildSPSSODescriptor() {
+ return true;
+
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getEntityIDPostfix()
+ */
+ @Override
+ public String getEntityID() {
+ return authURL + ELGAMandatesAuthConstants.ENDPOINT_METADATA;
+
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getEntityFriendlyName()
+ */
+ @Override
+ public String getEntityFriendlyName() {
+ return null;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getContactPersonInformation()
+ */
+ @Override
+ public List<ContactPerson> getContactPersonInformation() {
+ try {
+ return PVPConfiguration.getInstance().getIDPContacts();
+
+ } catch (ConfigurationException e) {
+ Logger.warn("Can not load Metadata entry: Contect Person", e);
+ return null;
+
+ }
+
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getOrgansiationInformation()
+ */
+ @Override
+ public Organization getOrgansiationInformation() {
+ try {
+ return PVPConfiguration.getInstance().getIDPOrganisation();
+
+ } catch (ConfigurationException e) {
+ Logger.warn("Can not load Metadata entry: Organisation", e);
+ return null;
+
+ }
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getMetadataSigningCredentials()
+ */
+ @Override
+ public Credential getMetadataSigningCredentials() throws CredentialsNotAvailableException {
+ return credentialProvider.getIDPMetaDataSigningCredential();
+
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getRequestorResponseSigningCredentials()
+ */
+ @Override
+ public Credential getRequestorResponseSigningCredentials() throws CredentialsNotAvailableException {
+ return credentialProvider.getIDPAssertionSigningCredential();
+
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getEncryptionCredentials()
+ */
+ @Override
+ public Credential getEncryptionCredentials() throws CredentialsNotAvailableException {
+ return credentialProvider.getIDPAssertionEncryptionCredential();
+
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getIDPWebSSOPostBindingURL()
+ */
+ @Override
+ public String getIDPWebSSOPostBindingURL() {
+ return null;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getIDPWebSSORedirectBindingURL()
+ */
+ @Override
+ public String getIDPWebSSORedirectBindingURL() {
+ return null;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getIDPSLOPostBindingURL()
+ */
+ @Override
+ public String getIDPSLOPostBindingURL() {
+ return null;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getIDPSLORedirectBindingURL()
+ */
+ @Override
+ public String getIDPSLORedirectBindingURL() {
+ return null;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPAssertionConsumerServicePostBindingURL()
+ */
+ @Override
+ public String getSPAssertionConsumerServicePostBindingURL() {
+ return authURL + ELGAMandatesAuthConstants.ENDPOINT_POST;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPAssertionConsumerServiceRedirectBindingURL()
+ */
+ @Override
+ public String getSPAssertionConsumerServiceRedirectBindingURL() {
+ return authURL + ELGAMandatesAuthConstants.ENDPOINT_REDIRECT;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPSLOPostBindingURL()
+ */
+ @Override
+ public String getSPSLOPostBindingURL() {
+ //return authURL + ELGAMandatesAuthConstants.ENDPOINT_POST;
+ return null;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPSLORedirectBindingURL()
+ */
+ @Override
+ public String getSPSLORedirectBindingURL() {
+ //return authURL + ELGAMandatesAuthConstants.ENDPOINT_REDIRECT;
+ return null;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPSLOSOAPBindingURL()
+ */
+ @Override
+ public String getSPSLOSOAPBindingURL() {
+ return null;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getIDPPossibleAttributes()
+ */
+ @Override
+ public List<Attribute> getIDPPossibleAttributes() {
+ return null;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getIDPPossibleNameITTypes()
+ */
+ @Override
+ public List<String> getIDPPossibleNameITTypes() {
+ return null;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPRequiredAttributes()
+ */
+ @Override
+ public List<RequestedAttribute> getSPRequiredAttributes() {
+ List<RequestedAttribute> requestedAttributes = new ArrayList<RequestedAttribute>();
+
+ for (Pair<String, String> el : ELGAMandatesAuthConstants.REQUIRED_PVP_ATTRIBUTES)
+ requestedAttributes.add(PVPAttributeBuilder.buildReqAttribute(el.getFirst(), el.getSecond(), true));
+
+ return requestedAttributes;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPAllowedNameITTypes()
+ */
+ @Override
+ public List<String> getSPAllowedNameITTypes() {
+ return Arrays.asList(NameIDType.PERSISTENT);
+
+ }
+
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPMetadataBuilderConfiguration#getSPNameForLogging()
+ */
+ @Override
+ public String getSPNameForLogging() {
+ return ELGAMandatesAuthConstants.MODULE_NAME_FOR_LOGGING;
+ }
+
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPMetadataBuilderConfiguration#wantAssertionSigned()
+ */
+ @Override
+ public boolean wantAssertionSigned() {
+ return true;
+
+ }
+
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPMetadataBuilderConfiguration#wantAuthnRequestSigned()
+ */
+ @Override
+ public boolean wantAuthnRequestSigned() {
+ return true;
+
+ }
+}
diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/config/ELGAMandatesRequestBuilderConfiguration.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/config/ELGAMandatesRequestBuilderConfiguration.java
new file mode 100644
index 000000000..b67d263fc
--- /dev/null
+++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/config/ELGAMandatesRequestBuilderConfiguration.java
@@ -0,0 +1,303 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.modules.elgamandates.config;
+
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
+
+import org.opensaml.Configuration;
+import org.opensaml.saml2.core.AuthnContextComparisonTypeEnumeration;
+import org.opensaml.saml2.core.NameID;
+import org.opensaml.saml2.core.SubjectConfirmation;
+import org.opensaml.saml2.core.SubjectConfirmationData;
+import org.opensaml.saml2.metadata.EntityDescriptor;
+import org.opensaml.xml.io.Marshaller;
+import org.opensaml.xml.io.MarshallingException;
+import org.opensaml.xml.security.credential.Credential;
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+
+import at.gv.egovernment.moa.id.auth.modules.elgamandates.ELGAMandatesAuthConstants;
+import at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation;
+import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
+import at.gv.egovernment.moa.logging.Logger;
+
+/**
+ * @author tlenz
+ *
+ */
+public class ELGAMandatesRequestBuilderConfiguration implements IPVPAuthnRequestBuilderConfiguruation {
+
+ private boolean isPassive = false;
+ private String SPEntityID = null;
+ private String QAA_Level = null;
+ private EntityDescriptor idpEntity = null;
+ private Credential signCred = null;
+ private String subjectNameID = null;
+ private String subjectNameIDQualifier = null;
+ private String requestID = null;
+ private Element subjectConformationDate = null;
+
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#isPassivRequest()
+ */
+ @Override
+ public Boolean isPassivRequest() {
+ return this.isPassive;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getAssertionConsumerServiceId()
+ */
+ @Override
+ public Integer getAssertionConsumerServiceId() {
+ return 0;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getEntityID()
+ */
+ @Override
+ public String getSPEntityID() {
+ return this.SPEntityID;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getNameIDPolicy()
+ */
+ @Override
+ public String getNameIDPolicyFormat() {
+ return NameID.PERSISTENT;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getNameIDPolicy()
+ */
+ @Override
+ public boolean getNameIDPolicyAllowCreation() {
+ return false;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getAuthnContextClassRef()
+ */
+ @Override
+ public String getAuthnContextClassRef() {
+ return this.QAA_Level;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getAuthnContextComparison()
+ */
+ @Override
+ public AuthnContextComparisonTypeEnumeration getAuthnContextComparison() {
+ return AuthnContextComparisonTypeEnumeration.MINIMUM;
+ }
+
+ /**
+ * @param isPassive the isPassive to set
+ */
+ public void setPassive(boolean isPassive) {
+ this.isPassive = isPassive;
+ }
+
+ /**
+ * @param sPEntityID the sPEntityID to set
+ */
+ public void setSPEntityID(String sPEntityID) {
+ SPEntityID = sPEntityID;
+ }
+
+ /**
+ * @param qAA_Level the qAA_Level to set
+ */
+ public void setQAA_Level(String qAA_Level) {
+ QAA_Level = qAA_Level;
+ }
+
+ /**
+ * @param idpEntity the idpEntity to set
+ */
+ public void setIdpEntity(EntityDescriptor idpEntity) {
+ this.idpEntity = idpEntity;
+ }
+
+ /**
+ * @param signCred the signCred to set
+ */
+ public void setSignCred(Credential signCred) {
+ this.signCred = signCred;
+ }
+
+
+ /**
+ * @param subjectNameID the subjectNameID to set
+ */
+ public void setSubjectNameID(String subjectNameID) {
+ this.subjectNameID = subjectNameID;
+ }
+
+
+
+ /**
+ * @param requestID the requestID to set
+ */
+ public void setRequestID(String requestID) {
+ this.requestID = requestID;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getAuthnRequestSigningCredential()
+ */
+ @Override
+ public Credential getAuthnRequestSigningCredential() {
+ return this.signCred;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getIDPEntityDescriptor()
+ */
+ @Override
+ public EntityDescriptor getIDPEntityDescriptor() {
+ return this.idpEntity;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getSubjectNameID()
+ */
+ @Override
+ public String getSubjectNameID() {
+ return this.subjectNameID;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getSPNameForLogging()
+ */
+ @Override
+ public String getSPNameForLogging() {
+ return ELGAMandatesAuthConstants.MODULE_NAME_FOR_LOGGING;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getSubjectNameIDFormat()
+ */
+ @Override
+ public String getSubjectNameIDFormat() {
+ return NameID.PERSISTENT;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getRequestID()
+ */
+ @Override
+ public String getRequestID() {
+ return this.requestID;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getSubjectNameIDQualifier()
+ */
+ @Override
+ public String getSubjectNameIDQualifier() {
+ return this.subjectNameIDQualifier;
+ }
+
+ /**
+ * @param subjectNameIDQualifier the subjectNameIDQualifier to set
+ */
+ public void setSubjectNameIDQualifier(String subjectNameIDQualifier) {
+ this.subjectNameIDQualifier = subjectNameIDQualifier;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getSubjectConformationMethode()
+ */
+ @Override
+ public String getSubjectConformationMethode() {
+ return SubjectConfirmation.METHOD_BEARER;
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getSubjectConformationDate()
+ */
+ @Override
+ public Element getSubjectConformationDate() {
+ return subjectConformationDate;
+ }
+
+ /**
+ * @param subjectConformationDate the subjectConformationDate to set
+ */
+ public void setSubjectConformationDate(String givenName, String familyName, String dateOfBirth) {
+ try {
+ Logger.trace("Build 'SubjectConfirmationData' for ELGA Mandate-Service request ...");
+ //build empty 'SubjectConfirmationData' element
+ SubjectConfirmationData subjectConformDate = SAML2Utils.createSAMLObject(SubjectConfirmationData.class);
+ DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+ dbf.setNamespaceAware(true);
+ DocumentBuilder builder = dbf.newDocumentBuilder();
+ Document doc = builder.newDocument();
+
+ Marshaller out = Configuration.getMarshallerFactory()
+ .getMarshaller(subjectConformDate);
+ out.marshall(subjectConformDate, doc);
+
+ //build root element for personal information
+ Element rootDom = doc.createElementNS(
+ ELGAMandatesAuthConstants.SUBJECTCONFORMATIONDATE_ELEMENT_NAMESPACE_URI,
+ ELGAMandatesAuthConstants.SUBJECTCONFORMATIONDATE_ELEMENT_ROOT);
+ rootDom.setPrefix(ELGAMandatesAuthConstants.SUBJECTCONFORMATIONDATE_ELEMENT_NAMESPACE);
+ rootDom.setAttributeNS("http://www.w3.org/2000/xmlns/",
+ "xmlns:" + ELGAMandatesAuthConstants.SUBJECTCONFORMATIONDATE_ELEMENT_NAMESPACE,
+ ELGAMandatesAuthConstants.SUBJECTCONFORMATIONDATE_ELEMENT_NAMESPACE_URI);
+
+ //build personal information
+ Element familyNameDom = doc.createElement(ELGAMandatesAuthConstants.SUBJECTCONFORMATIONDATE_ELEMENT_FAMILYNAME);
+ Element givenNameDom = doc.createElement(ELGAMandatesAuthConstants.SUBJECTCONFORMATIONDATE_ELEMENT_GIVENNAME);
+ Element dateOfBirthDom = doc.createElement(ELGAMandatesAuthConstants.SUBJECTCONFORMATIONDATE_ELEMENT_DATEOFBIRTH);
+ familyNameDom.setTextContent(familyName);
+ givenNameDom.setTextContent(givenName);
+ dateOfBirthDom.setTextContent(dateOfBirth);
+
+ //add personal information to 'SubjectConfirmationData' element
+ doc.getFirstChild().appendChild(rootDom);
+ rootDom.appendChild(givenNameDom);
+ rootDom.appendChild(familyNameDom);
+ rootDom.appendChild(dateOfBirthDom);
+
+ this.subjectConformationDate = doc.getDocumentElement();
+ Logger.trace("'SubjectConfirmationData' for ELGA Mandate-Service is complete");
+
+ } catch (ParserConfigurationException | MarshallingException e) {
+ Logger.error("Can not generate 'SubjectConformationDate' for "
+ + ELGAMandatesAuthConstants.MODULE_NAME_FOR_LOGGING);
+
+ }
+
+
+ }
+
+
+}
diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/controller/ELGAMandateMetadataController.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/controller/ELGAMandateMetadataController.java
new file mode 100644
index 000000000..29bc5ee12
--- /dev/null
+++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/controller/ELGAMandateMetadataController.java
@@ -0,0 +1,97 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.modules.elgamandates.controller;
+
+import java.io.IOException;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+
+import at.gv.egovernment.moa.id.auth.modules.elgamandates.ELGAMandatesAuthConstants;
+import at.gv.egovernment.moa.id.auth.modules.elgamandates.config.ELGAMandatesMetadataConfiguration;
+import at.gv.egovernment.moa.id.auth.modules.elgamandates.utils.ELGAMandatesCredentialProvider;
+import at.gv.egovernment.moa.id.auth.servlet.AbstractController;
+import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPMetadataBuilder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPMetadataBuilderConfiguration;
+import at.gv.egovernment.moa.id.util.HTTPUtils;
+import at.gv.egovernment.moa.logging.Logger;
+
+/**
+ * @author tlenz
+ *
+ */
+@Controller
+public class ELGAMandateMetadataController extends AbstractController {
+
+ @Autowired PVPMetadataBuilder metadatabuilder;
+ @Autowired AuthConfiguration authConfig;
+ @Autowired ELGAMandatesCredentialProvider credentialProvider;
+
+ public ELGAMandateMetadataController() {
+ super();
+ Logger.debug("Registering servlet " + getClass().getName()
+ + " with mappings '" + ELGAMandatesAuthConstants.ENDPOINT_METADATA
+ + "'.");
+
+ }
+
+ @RequestMapping(value = "/sp/elga_mandate/metadata",
+ method = {RequestMethod.GET})
+ public void getSPMetadata(HttpServletRequest req, HttpServletResponse resp) throws IOException {
+ //check PublicURL prefix
+ try {
+ String authURL = HTTPUtils.extractAuthURLFromRequest(req);
+ if (!authConfig.getPublicURLPrefix().contains(authURL)) {
+ resp.sendError(HttpServletResponse.SC_FORBIDDEN, "No valid request URL");
+ return;
+
+ } else {
+ //initialize metadata builder configuration
+ IPVPMetadataBuilderConfiguration metadataConfig =
+ new ELGAMandatesMetadataConfiguration(authURL, credentialProvider);
+
+ //build metadata
+ String xmlMetadata = metadatabuilder.buildPVPMetadata(metadataConfig);
+
+ //write response
+ resp.setContentType("text/xml");
+ resp.getOutputStream().write(xmlMetadata.getBytes("UTF-8"));
+ resp.getOutputStream().close();
+
+ }
+
+ } catch (Exception e) {
+ Logger.warn("Build federated-authentication PVP metadata FAILED.", e);
+ handleErrorNoRedirect(e, req, resp, false);
+
+ }
+
+ }
+
+}
diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/controller/ELGAMandateSignalController.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/controller/ELGAMandateSignalController.java
new file mode 100644
index 000000000..585e72c2f
--- /dev/null
+++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/controller/ELGAMandateSignalController.java
@@ -0,0 +1,67 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.modules.elgamandates.controller;
+
+import java.io.IOException;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.commons.lang3.StringEscapeUtils;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+
+import at.gv.egovernment.moa.id.auth.modules.elgamandates.ELGAMandatesAuthConstants;
+import at.gv.egovernment.moa.id.auth.servlet.AbstractProcessEngineSignalController;
+import at.gv.egovernment.moa.logging.Logger;
+
+/**
+ * @author tlenz
+ *
+ */
+@Controller
+public class ELGAMandateSignalController extends AbstractProcessEngineSignalController {
+
+ public ELGAMandateSignalController() {
+ super();
+ Logger.debug("Registering servlet " + getClass().getName()
+ + " with mappings '" + ELGAMandatesAuthConstants.ENDPOINT_POST
+ + "' and '" + ELGAMandatesAuthConstants.ENDPOINT_REDIRECT + "'.");
+
+ }
+
+ @RequestMapping(value = { "/sp/elga_mandate/post",
+ "/sp/elga_mandate/redirect"
+ },
+ method = {RequestMethod.POST, RequestMethod.GET})
+ public void performCitizenCardAuthentication(HttpServletRequest req, HttpServletResponse resp) throws IOException {
+ signalProcessManagement(req, resp);
+
+ }
+
+ public String getPendingRequestId(HttpServletRequest request) {
+ return StringEscapeUtils.escapeHtml4(request.getParameter("RelayState"));
+
+ }
+}
diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/exceptions/ELGAMetadataException.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/exceptions/ELGAMetadataException.java
new file mode 100644
index 000000000..d27353809
--- /dev/null
+++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/exceptions/ELGAMetadataException.java
@@ -0,0 +1,49 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.modules.elgamandates.exceptions;
+
+import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
+
+/**
+ * @author tlenz
+ *
+ */
+public class ELGAMetadataException extends MOAIDException {
+
+ /**
+ *
+ */
+ private static final long serialVersionUID = 1L;
+
+ /**
+ * @param messageId
+ * @param parameters
+ */
+ public ELGAMetadataException(String messageId, Object[] parameters) {
+ super(messageId, parameters);
+ }
+
+ public ELGAMetadataException(String messageId, Object[] parameters, Throwable e) {
+ super(messageId, parameters, e);
+ }
+}
diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/EvaluateMandateServiceTask.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/EvaluateMandateServiceTask.java
new file mode 100644
index 000000000..f05446771
--- /dev/null
+++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/EvaluateMandateServiceTask.java
@@ -0,0 +1,126 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.modules.elgamandates.tasks;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.commons.lang.StringEscapeUtils;
+import org.springframework.stereotype.Component;
+
+import at.gv.egovernment.moa.id.auth.exception.WrongParametersException;
+import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
+import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
+import at.gv.egovernment.moa.id.auth.modules.elgamandates.ELGAMandatesAuthConstants;
+import at.gv.egovernment.moa.id.auth.modules.elgamandates.utils.ELGAMandateUtils;
+import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
+import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
+import at.gv.egovernment.moa.id.process.api.ExecutionContext;
+import at.gv.egovernment.moa.id.util.ParamValidatorUtils;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
+
+/**
+ * @author tlenz
+ *
+ */
+@Component("EvaluateMandateServiceTask")
+public class EvaluateMandateServiceTask extends AbstractAuthServletTask {
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask#execute(at.gv.egovernment.moa.id.process.api.ExecutionContext, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)
+ */
+ @Override
+ public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response)
+ throws TaskExecutionException {
+ try {
+ boolean useMIS = getUserConfermationFromRequest(request, MOAIDAuthConstants.PARAM_USEMISMANDATE);
+ boolean useELGA = getUserConfermationFromRequest(request, MOAIDAuthConstants.PARAM_USEELGAMANDATE);
+
+ //check if both mandate Services are requested
+ if ( useMIS && useELGA ) {
+ Logger.error("Can not use MIS-MandateService and ELGA-MandateService twince");
+ throw new MOAIDException("validator.73", null);
+
+ }
+
+ //select next process step
+ if (useELGA) {
+ //validate service-provider again
+ if (!ELGAMandateUtils.checkServiceProviderAgainstELGAModulConfigration(authConfig, pendingReq)) {
+ Logger.info("Service-Provider: " + pendingReq.getOnlineApplicationConfiguration().getPublicURLPrefix()
+ + " does not fulfill requirements to use ELGA-MandateService.");
+ throw new MOAIDException("service.10", new Object[]{
+ ELGAMandatesAuthConstants.MODULE_NAME_FOR_LOGGING,
+ "No valid mandate-profile defined"});
+
+ }
+
+ executionContext.put(MOAIDAuthConstants.PARAM_USEELGAMANDATE, useELGA);
+ Logger.debug("ELGA Mandate-Service is selected. Initialize service communication ... ");
+
+ } else if(useMIS) {
+ executionContext.put(MOAIDAuthConstants.PARAM_USEMISMANDATE, useMIS);
+ Logger.debug("MIS Mandate-Service is selected. Initialize service communication ... ");
+
+
+ } else {
+ //mark pending-request as aborted
+ Logger.info("No Mandate-Service is selected. Abort authentication process ... ");
+ pendingReq.setAbortedByUser(true);
+ pendingReq.setAuthenticated(false);
+
+ //store pending-request
+ requestStoreage.storePendingRequest(pendingReq);
+
+ //redirect to protocol finalization
+ performRedirectToProtocolFinialization(pendingReq, response);
+
+ }
+
+ } catch (MOAIDException e) {
+ Logger.info("Evaluation of Mandate-Service selection FAILED. Reason:" + e.getMessage());
+ throw new TaskExecutionException(pendingReq, e.getMessage(), e);
+
+ } catch (Exception e) {
+ Logger.info("Mandate-Service selection evaluation: General Exception. Msg:" + e.getMessage());
+ throw new TaskExecutionException(pendingReq, "ELGA mandate-service: General Exception.", e);
+
+ }
+
+ }
+
+ private boolean getUserConfermationFromRequest(HttpServletRequest httpReq, String paramName) throws WrongParametersException {
+ String paramString = httpReq.getParameter(paramName);
+ paramString = StringEscapeUtils.escapeHtml(paramString);
+ if (!ParamValidatorUtils.isValidUseMandate(paramString))
+ throw new WrongParametersException("Mandate-Service selection-evaluation", paramName, null);
+
+ if (MiscUtil.isNotEmpty(paramString))
+ return Boolean.parseBoolean(paramString);
+
+ else
+ return false;
+
+ }
+}
diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/ReceiveElgaMandateResponseTask.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/ReceiveElgaMandateResponseTask.java
new file mode 100644
index 000000000..5604b7640
--- /dev/null
+++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/ReceiveElgaMandateResponseTask.java
@@ -0,0 +1,306 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.modules.elgamandates.tasks;
+
+import java.io.IOException;
+import java.util.Set;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.xml.transform.TransformerException;
+
+import org.opensaml.saml2.core.Response;
+import org.opensaml.saml2.core.StatusCode;
+import org.opensaml.ws.message.decoder.MessageDecodingException;
+import org.opensaml.xml.io.MarshallingException;
+import org.opensaml.xml.security.SecurityException;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Component;
+
+import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
+import at.gv.egovernment.moa.id.advancedlogging.MOAReversionLogger;
+import at.gv.egovernment.moa.id.auth.exception.InvalidProtocolRequestException;
+import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
+import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
+import at.gv.egovernment.moa.id.auth.modules.elgamandates.ELGAMandatesAuthConstants;
+import at.gv.egovernment.moa.id.auth.modules.elgamandates.utils.ELGAMandateServiceMetadataProvider;
+import at.gv.egovernment.moa.id.auth.modules.elgamandates.utils.ELGAMandatesCredentialProvider;
+import at.gv.egovernment.moa.id.process.api.ExecutionContext;
+import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
+import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration;
+import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IDecoder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.binding.MOAURICompare;
+import at.gv.egovernment.moa.id.protocols.pvp2x.binding.PostBinding;
+import at.gv.egovernment.moa.id.protocols.pvp2x.binding.RedirectBinding;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionValidationExeption;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AuthnResponseValidationException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage;
+import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse;
+import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.utils.AssertionAttributeExtractor;
+import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
+import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngineSP;
+import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
+
+/**
+ * @author tlenz
+ *
+ */
+@Component("ReceiveElgaMandateResponseTask")
+public class ReceiveElgaMandateResponseTask extends AbstractAuthServletTask {
+
+ @Autowired SAMLVerificationEngineSP samlVerificationEngine;
+ @Autowired ELGAMandatesCredentialProvider credentialProvider;
+ @Autowired ELGAMandateServiceMetadataProvider metadataProvider;
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask#execute(at.gv.egovernment.moa.id.process.api.ExecutionContext, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)
+ */
+ @Override
+ public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response)
+ throws TaskExecutionException {
+ InboundMessage msg = null;
+
+ try {
+ IDecoder decoder = null;
+ MOAURICompare comperator = null;
+ //select Response Binding
+ if (request.getMethod().equalsIgnoreCase("POST")) {
+ decoder = new PostBinding();
+ comperator = new MOAURICompare(pendingReq.getAuthURL()
+ + ELGAMandatesAuthConstants.ENDPOINT_POST);
+ Logger.debug("Receive PVP Response from ELGA mandate-service, by using POST-Binding.");
+
+ } else if (request.getMethod().equalsIgnoreCase("GET")) {
+ decoder = new RedirectBinding();
+ comperator = new MOAURICompare(pendingReq.getAuthURL()
+ + ELGAMandatesAuthConstants.ENDPOINT_REDIRECT);
+ Logger.debug("Receive PVP Response from ELGA mandate-service, by using Redirect-Binding.");
+
+ } else {
+ Logger.warn("Receive PVP Response, but Binding ("
+ + request.getMethod() + ") is not supported.");
+ throw new AuthnResponseValidationException("sp.pvp2.03",
+ new Object[] {ELGAMandatesAuthConstants.MODULE_NAME_FOR_LOGGING});
+
+ }
+
+ //decode PVP response object
+ msg = (InboundMessage) decoder.decode(request, response, metadataProvider, true,
+ comperator);
+
+ if (MiscUtil.isEmpty(msg.getEntityID())) {
+ throw new InvalidProtocolRequestException("sp.pvp2.04",
+ new Object[] {ELGAMandatesAuthConstants.MODULE_NAME_FOR_LOGGING});
+
+ }
+
+ //validate response signature
+ if(!msg.isVerified()) {
+ samlVerificationEngine.verify(msg,
+ TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider));
+ msg.setVerified(true);
+
+ }
+
+ Logger.debug("PVP Response from ELGA mandate-service is cryptographically valid.");
+ revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROCESS_ELGA_MANDATE_RECEIVED_IP, request.getRemoteAddr());
+
+
+ //validate assertion
+ MOAResponse processedMsg = preProcessAuthResponse((MOAResponse) msg);
+
+ //write ELGA mandate information into MOASession
+ AssertionAttributeExtractor extractor =
+ new AssertionAttributeExtractor(processedMsg.getResponse());
+
+ //check if all attributes are include
+ if (!extractor.containsAllRequiredAttributes(
+ ELGAMandatesAuthConstants.getRequiredAttributeNames())) {
+ Logger.warn("PVP Response from ELGA mandate-service contains not all requested attributes.");
+ throw new AssertionValidationExeption("sp.pvp2.06", new Object[]{ELGAMandatesAuthConstants.MODULE_NAME_FOR_LOGGING});
+
+ }
+
+
+
+ //load MOASession object
+ defaultTaskInitialization(request, executionContext);
+
+ //validate receive mandate reference-value
+ //TODO: update if ReferenceValue Discussion is finished
+ String responseRefValue = extractor.getSingleAttributeValue(PVPConstants.MANDATE_REFERENCE_VALUE_NAME);
+ if (!moasession.getMandateReferenceValue().equals(responseRefValue)) {
+ Logger.warn("PVP Response from ELGA mandate-service contains a not valid MandateReferenceValue.");
+ throw new AssertionValidationExeption("sp.pvp2.07",
+ new Object[]{ELGAMandatesAuthConstants.MODULE_NAME_FOR_LOGGING,
+ PVPConstants.MANDATE_REFERENCE_VALUE_FRIENDLY_NAME});
+
+ }
+
+ Logger.debug("Validation of PVP Response from ELGA mandate-service is complete.");
+
+ Set<String> includedAttrNames = extractor.getAllIncludeAttributeNames();
+ for (String el : includedAttrNames) {
+ moasession.setGenericDataToSession(el, extractor.getSingleAttributeValue(el));
+ Logger.debug("Add PVP-attribute " + el + " into MOASession");
+
+ }
+
+ //store MOASession
+ authenticatedSessionStorage.storeSession(moasession);
+
+ //write revisions log entry
+ revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROCESS_ELGA_MANDATE_RECEIVED,
+ extractor.getSingleAttributeValue(PVPConstants.MANDATE_REFERENCE_VALUE_NAME));
+
+ //write mandate info's to revisions log
+ revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.PERSONAL_INFORMATION_MANDATE_TYPE,
+ extractor.getSingleAttributeValue(PVPConstants.MANDATE_TYPE_NAME));
+ revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.PERSONAL_INFORMATION_MANDATE_MANDATOR_TYPE,
+ MOAReversionLogger.NAT_PERSON);
+ revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.PERSONAL_INFORMATION_MANDATE_MANDATOR_HASH,
+ revisionsLogger.buildPersonInformationHash(
+ extractor.getSingleAttributeValue(PVPConstants.MANDATE_NAT_PER_GIVEN_NAME_NAME),
+ extractor.getSingleAttributeValue(PVPConstants.MANDATE_NAT_PER_FAMILY_NAME_NAME),
+ extractor.getSingleAttributeValue(PVPConstants.MANDATE_NAT_PER_BIRTHDATE_NAME)));
+
+ Logger.info("Receive a valid assertion from ELGA mandate-service " + msg.getEntityID());
+
+ } catch (MessageDecodingException | SecurityException e) {
+ String samlRequest = request.getParameter("SAMLRequest");
+ Logger.warn("Receive INVALID PVP Response from ELGA mandate-service: " + samlRequest, e);
+ revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROCESS_ELGA_MANDATE_ERROR_RECEIVED);
+ throw new TaskExecutionException(pendingReq,
+ "Receive INVALID PVP Response from ELGA mandate-service",
+ new AuthnResponseValidationException("sp.pvp2.12",
+ new Object[]{ELGAMandatesAuthConstants.MODULE_NAME_FOR_LOGGING, e.getMessage()},
+ e));
+
+ } catch (IOException | MarshallingException | TransformerException e) {
+ Logger.warn("Processing PVP response from ELGA mandate-service FAILED.", e);
+ revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROCESS_ELGA_MANDATE_ERROR_RECEIVED);
+ throw new TaskExecutionException(pendingReq,
+ "Processing PVP response from ELGA mandate-service FAILED.",
+ new AuthnResponseValidationException("sp.pvp2.12",
+ new Object[]{ELGAMandatesAuthConstants.MODULE_NAME_FOR_LOGGING, e.getMessage()},
+ e));
+
+ } catch (CredentialsNotAvailableException e) {
+ Logger.error("ELGA mandate-service: PVP response decrytion FAILED. No credential found.", e);
+ revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROCESS_ELGA_MANDATE_ERROR_RECEIVED);
+ throw new TaskExecutionException(pendingReq, "ELGA mandate-service: PVP response decrytion FAILED. No credential found.", e);
+
+ } catch (AssertionValidationExeption | AuthnResponseValidationException e) {
+ Logger.info("ELGA mandate-service: PVP response validation FAILED. Msg:" + e.getMessage());
+ revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROCESS_ELGA_MANDATE_ERROR_RECEIVED, e.getMessageId());
+ throw new TaskExecutionException(pendingReq, "ELGA mandate-service: PVP response validation FAILED.", e);
+
+ } catch (Exception e) {
+ Logger.info("ELGA mandate-service: General Exception. Msg:" + e.getMessage());
+ revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROCESS_ELGA_MANDATE_ERROR_RECEIVED);
+ throw new TaskExecutionException(pendingReq, "ELGA mandate-service: General Exception.", e);
+
+ }
+
+ }
+
+ /**
+ * PreProcess AuthResponse and Assertion
+ * @param msg
+ * @throws TransformerException
+ * @throws MarshallingException
+ * @throws IOException
+ * @throws CredentialsNotAvailableException
+ * @throws AssertionValidationExeption
+ * @throws AuthnResponseValidationException
+ */
+ private MOAResponse preProcessAuthResponse(MOAResponse msg) throws IOException, MarshallingException, TransformerException, AssertionValidationExeption, CredentialsNotAvailableException, AuthnResponseValidationException {
+ Logger.debug("Start PVP-2.1 assertion processing... ");
+ Response samlResp = (Response) msg.getResponse();
+
+ //validate 'inResponseTo' attribute
+ String authnReqID = pendingReq.getGenericData(
+ PVPTargetConfiguration.DATAID_INTERFEDERATION_REQUESTID, String.class);
+ String inResponseTo = samlResp.getInResponseTo();
+
+ if (MiscUtil.isEmpty(authnReqID) || MiscUtil.isEmpty(inResponseTo) ||
+ !authnReqID.equals(inResponseTo)) {
+ Logger.info("Validation of request/response IDs FAILED."
+ + " ReqID:" + authnReqID + " InRespTo:" + inResponseTo);
+ throw new AuthnResponseValidationException("sp.pvp2.07",
+ new Object[]{ELGAMandatesAuthConstants.MODULE_NAME_FOR_LOGGING,
+ "'InResponseTo'"});
+
+ }
+
+ // check SAML2 response status-code
+ if (samlResp.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) {
+ //validate PVP 2.1 assertion
+ samlVerificationEngine.validateAssertion(samlResp, true,
+ credentialProvider.getIDPAssertionEncryptionCredential(),
+ pendingReq.getAuthURL() + ELGAMandatesAuthConstants.ENDPOINT_METADATA,
+ ELGAMandatesAuthConstants.MODULE_NAME_FOR_LOGGING);
+
+ msg.setSAMLMessage(SAML2Utils.asDOMDocument(samlResp).getDocumentElement());
+ return msg;
+
+ } else {
+ String errorMsg = "No error message";
+ StatusCode firstCode = samlResp.getStatus().getStatusCode();
+
+ //get errormessage from response
+ if (samlResp.getStatus().getStatusMessage() != null &&
+ MiscUtil.isNotEmpty(samlResp.getStatus().getStatusMessage().getMessage()))
+ errorMsg = samlResp.getStatus().getStatusMessage().getMessage();
+
+ //extract response status-codes
+ if (firstCode.getStatusCode() == null) {
+ Logger.info("Receive StatusCode:" + firstCode.getValue() + " | Msg:" + errorMsg
+ + " from federated IDP.");
+ throw new AuthnResponseValidationException("sp.pvp2.05",
+ new Object[]{ELGAMandatesAuthConstants.MODULE_NAME_FOR_LOGGING,
+ samlResp.getIssuer().getValue(),
+ firstCode.getValue(),
+ samlResp.getStatus().getStatusMessage().getMessage()});
+
+ } else {
+ StatusCode secondCode = firstCode.getStatusCode();
+ Logger.info("Receive StatusCode:" + firstCode.getValue() + " -> StatusCode:" + secondCode.getValue()
+ + " | Msg:" + errorMsg + " from federated IDP.");
+ throw new AuthnResponseValidationException("sp.pvp2.09",
+ new Object[]{ELGAMandatesAuthConstants.MODULE_NAME_FOR_LOGGING,
+ samlResp.getIssuer().getValue(),
+ firstCode.getValue(),
+ secondCode.getValue(),
+ samlResp.getStatus().getStatusMessage().getMessage()});
+
+ }
+
+ }
+
+ }
+
+}
diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/RequestELGAMandateTask.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/RequestELGAMandateTask.java
new file mode 100644
index 000000000..6a7858575
--- /dev/null
+++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/RequestELGAMandateTask.java
@@ -0,0 +1,196 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.modules.elgamandates.tasks;
+
+import java.security.NoSuchAlgorithmException;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.opensaml.saml2.metadata.EntityDescriptor;
+import org.opensaml.saml2.metadata.provider.MetadataProviderException;
+import org.opensaml.ws.message.encoder.MessageEncodingException;
+import org.opensaml.xml.security.SecurityException;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Component;
+
+import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
+import at.gv.egovernment.moa.id.auth.builder.BPKBuilder;
+import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
+import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
+import at.gv.egovernment.moa.id.auth.modules.elgamandates.ELGAMandatesAuthConstants;
+import at.gv.egovernment.moa.id.auth.modules.elgamandates.config.ELGAMandatesRequestBuilderConfiguration;
+import at.gv.egovernment.moa.id.auth.modules.elgamandates.exceptions.ELGAMetadataException;
+import at.gv.egovernment.moa.id.auth.modules.elgamandates.utils.ELGAMandateServiceMetadataProvider;
+import at.gv.egovernment.moa.id.auth.modules.elgamandates.utils.ELGAMandatesCredentialProvider;
+import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
+import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
+import at.gv.egovernment.moa.id.process.api.ExecutionContext;
+import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPAuthnRequestBuilder;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.Constants;
+import at.gv.egovernment.moa.util.MiscUtil;
+
+/**
+ * @author tlenz
+ *
+ */
+@Component("RequestELGAMandateTask")
+public class RequestELGAMandateTask extends AbstractAuthServletTask {
+
+ @Autowired PVPAuthnRequestBuilder authnReqBuilder;
+ @Autowired ELGAMandatesCredentialProvider credential;
+ @Autowired AuthConfiguration authConfig;
+ @Autowired ELGAMandateServiceMetadataProvider metadataService;
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask#execute(at.gv.egovernment.moa.id.process.api.ExecutionContext, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)
+ */
+ @Override
+ public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response)
+ throws TaskExecutionException {
+ try{
+ // get IDP entityID
+ String elgaMandateServiceEntityID = authConfig.getBasicMOAIDConfiguration(ELGAMandatesAuthConstants.CONFIG_PROPS_ENTITYID);
+
+ if (MiscUtil.isEmpty(elgaMandateServiceEntityID)) {
+ Logger.info("Connect ELGA Mandate-Service FAILED -> not EntityID found!");
+ throw new TaskExecutionException(pendingReq, "Connect ELGA Mandate-Service FAILED",
+ new MOAIDException("service.10",
+ new Object[]{ELGAMandatesAuthConstants.MODULE_NAME_FOR_LOGGING, "Not EntityID found"}));
+
+ }
+
+ //load metadata with metadataURL, as backup
+ String metadataURL = authConfig.getBasicMOAIDConfiguration(ELGAMandatesAuthConstants.CONFIG_PROPS_METADATAURL);
+ if (MiscUtil.isNotEmpty(metadataURL)) {
+ Logger.warn("Use not recommended metadata-provider initialization!"
+ + " SAML2 'Well-Known-Location' is the preferred methode.");
+ Logger.info("Initialize ELGA Mandate-Service metadata-provider with URL:" + metadataURL);
+ metadataService.initialize(metadataURL);
+
+ }
+
+ //load IDP SAML2 entitydescriptor
+ EntityDescriptor entityDesc = metadataService.getEntityDescriptor(elgaMandateServiceEntityID);
+
+ //load MOASession from database
+ defaultTaskInitialization(request, executionContext);
+
+ //setup AuthnRequestBuilder configuration
+ ELGAMandatesRequestBuilderConfiguration authnReqConfig = new ELGAMandatesRequestBuilderConfiguration();
+ authnReqConfig.setIdpEntity(entityDesc);
+ authnReqConfig.setPassive(false);
+ authnReqConfig.setSignCred(credential.getIDPAssertionSigningCredential());
+ authnReqConfig.setSPEntityID(pendingReq.getAuthURL() + ELGAMandatesAuthConstants.ENDPOINT_METADATA);
+
+ //set bPK of representative
+ String representativeBPK = null;
+
+ String configTarget = authConfig.getBasicMOAIDConfiguration(ELGAMandatesAuthConstants.CONFIG_PROPS_SUBJECTNAMEID_TARGET);
+ if (MiscUtil.isEmpty(configTarget)) {
+ Logger.warn("Connect ELGA Mandate-Service FAILED -> No bPK-Type for SubjectNameID found.");
+ throw new MOAIDException("service.10",
+ new Object[]{ELGAMandatesAuthConstants.MODULE_NAME_FOR_LOGGING, "No bPK-Type for SubjectNameID found in configuration."});
+
+ } else {
+ if (!configTarget.startsWith(Constants.URN_PREFIX_CDID)) {
+ Logger.warn("Connect ELGA Mandate-Service FAILED -> bPK-Type for SubjectNameID has wrong format.");
+ throw new MOAIDException("service.10",
+ new Object[]{ELGAMandatesAuthConstants.MODULE_NAME_FOR_LOGGING, "bPK-Type for SubjectNameID has wrong format."});
+
+ }
+ }
+
+ //check if identityLink exists in moaSession DAO
+ if (moasession.getIdentityLink() == null) {
+ Logger.error("Connect ELGA Mandate-Service FAILED -> NO identityLink in moaSession DAO");
+ throw new MOAIDException("service.10",
+ new Object[]{ELGAMandatesAuthConstants.MODULE_NAME_FOR_LOGGING, "NO identityLink in moaSession DAO."});
+
+ }
+
+ String sourcePinType = moasession.getIdentityLink().getIdentificationType();
+ String sourcePinValue = moasession.getIdentityLink().getIdentificationValue();
+ if (sourcePinType.startsWith(Constants.URN_PREFIX_BASEID)) {
+ representativeBPK = new BPKBuilder().buildBPK(sourcePinValue, configTarget);
+
+ } else {
+ Logger.debug("No 'SourcePin' found for representative. "
+ + "Check sourcePinType against target from configuration.");
+ if (!configTarget.equals(sourcePinType)) {
+ Logger.warn("Connect ELGA Mandate-Service FAILED -> Generate bPK for configurated bPK-Type is not possible.");
+ throw new MOAIDException("service.10",
+ new Object[]{ELGAMandatesAuthConstants.MODULE_NAME_FOR_LOGGING, "Generate bPK for configurated bPK-Type is not possible."});
+
+ } else {
+ representativeBPK = sourcePinValue;
+
+ }
+ }
+
+ //set bPK of representative as SAML2 subjectNameID
+ authnReqConfig.setSubjectNameID(representativeBPK );
+ authnReqConfig.setSubjectNameIDQualifier(configTarget);
+
+ //set MandateReferenceValue as RequestID
+ authnReqConfig.setRequestID(moasession.getMandateReferenceValue());
+ pendingReq.setGenericDataToSession(
+ PVPTargetConfiguration.DATAID_INTERFEDERATION_REQUESTID,
+ authnReqConfig.getRequestID());
+
+ //set SubjectConformationDate
+ authnReqConfig.setSubjectConformationDate(
+ moasession.getIdentityLink().getGivenName(),
+ moasession.getIdentityLink().getFamilyName(),
+ moasession.getIdentityLink().getDateOfBirth());
+
+ //store pending-request
+ requestStoreage.storePendingRequest(pendingReq);
+
+ //build and transmit AuthnRequest
+ authnReqBuilder.buildAuthnRequest(pendingReq, authnReqConfig , response);
+
+ //write revisions log entry
+ revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROCESS_ELGA_MANDATE_SERVICE_REQUESTED, moasession.getMandateReferenceValue());
+
+ } catch (MetadataProviderException e) {
+ throw new TaskExecutionException(pendingReq, "ELGA Mandate-Service metadata problem", new ELGAMetadataException("service.10",
+ new Object[]{ELGAMandatesAuthConstants.MODULE_NAME_FOR_LOGGING, e.getMessage()}, e));
+
+ } catch (MOAIDException e) {
+ throw new TaskExecutionException(pendingReq, "Build PVP2.1 AuthnRequest for ELGA Mandate-Service FAILED.", e);
+
+ } catch (MessageEncodingException | NoSuchAlgorithmException | SecurityException e) {
+ Logger.error("Build PVP2.1 AuthnRequest for ELGA Mandate-Service FAILED", e);
+ throw new TaskExecutionException(pendingReq, e.getMessage(), e);
+
+ } catch (Exception e) {
+ Logger.error("Build PVP2.1 AuthnRequest for ELGA Mandate-Service FAILED", e);
+ throw new TaskExecutionException(pendingReq, e.getMessage(), e);
+
+ }
+ }
+
+}
diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/SelectMandateServiceTask.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/SelectMandateServiceTask.java
new file mode 100644
index 000000000..8d6ac1762
--- /dev/null
+++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/SelectMandateServiceTask.java
@@ -0,0 +1,95 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.modules.elgamandates.tasks;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Component;
+
+import at.gv.egovernment.moa.id.auth.frontend.builder.IGUIBuilderConfiguration;
+import at.gv.egovernment.moa.id.auth.frontend.builder.IGUIFormBuilder;
+import at.gv.egovernment.moa.id.auth.frontend.builder.ServiceProviderSpecificGUIFormBuilderConfiguration;
+import at.gv.egovernment.moa.id.auth.frontend.exception.GUIBuildException;
+import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
+import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
+import at.gv.egovernment.moa.id.auth.modules.elgamandates.ELGAMandatesAuthConstants;
+import at.gv.egovernment.moa.id.auth.modules.elgamandates.utils.ELGAMandateUtils;
+import at.gv.egovernment.moa.id.auth.servlet.GeneralProcessEngineSignalController;
+import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
+import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
+import at.gv.egovernment.moa.id.process.api.ExecutionContext;
+import at.gv.egovernment.moa.logging.Logger;
+
+/**
+ * @author tlenz
+ *
+ */
+@Component("SelectMandateServiceTask")
+public class SelectMandateServiceTask extends AbstractAuthServletTask {
+
+ @Autowired IGUIFormBuilder guiBuilder;
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask#execute(at.gv.egovernment.moa.id.process.api.ExecutionContext, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)
+ */
+ @Override
+ public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response)
+ throws TaskExecutionException {
+ try {
+ //check if Service-Provider allows ELGA-mandates
+ if (ELGAMandateUtils.checkServiceProviderAgainstELGAModulConfigration(authConfig, pendingReq)) {
+ Logger.trace("Build GUI for mandate-service selection ...");
+
+ IGUIBuilderConfiguration config = new ServiceProviderSpecificGUIFormBuilderConfiguration(
+ pendingReq,
+ ELGAMandatesAuthConstants.TEMPLATE_MANDATE_SERVICE_SELECTION,
+ GeneralProcessEngineSignalController.ENDPOINT_GENERIC);
+
+ guiBuilder.build(response, config, "Mandate-Service selection");
+
+ Logger.debug("GUI for mandate-service selection is generated. Wait for user interaction ... ");
+
+ } else {
+ //service-provider does not allow ELGA-mandates --> switch to MIS mandate-service
+ Logger.debug("Service-Provider does not allow ELGA Mandate-Service. --> Select MIS Mandate-Service as Default.");
+ executionContext.put(MOAIDAuthConstants.PARAM_USEMISMANDATE, true);
+
+ }
+
+ } catch (GUIBuildException e) {
+ Logger.warn("Can not build GUI:'Mandate-Service selection'. Msg:" + e.getMessage());
+ throw new TaskExecutionException(pendingReq,
+ "Can not build GUI. Msg:" + e.getMessage(),
+ new MOAIDException("builder.09", new Object[]{e.getMessage()}, e));
+
+ } catch (Exception e) {
+ Logger.info("Mandate-Service selection: General Exception. Msg:" + e.getMessage());
+ throw new TaskExecutionException(pendingReq, "ELGA mandate-service: General Exception.", e);
+
+ }
+
+ }
+
+}
diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/utils/ELGAMandateServiceMetadataProvider.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/utils/ELGAMandateServiceMetadataProvider.java
new file mode 100644
index 000000000..c9485104b
--- /dev/null
+++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/utils/ELGAMandateServiceMetadataProvider.java
@@ -0,0 +1,223 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.modules.elgamandates.utils;
+
+import java.util.List;
+
+import javax.xml.namespace.QName;
+
+import org.opensaml.saml2.metadata.EntitiesDescriptor;
+import org.opensaml.saml2.metadata.EntityDescriptor;
+import org.opensaml.saml2.metadata.RoleDescriptor;
+import org.opensaml.saml2.metadata.provider.HTTPMetadataProvider;
+import org.opensaml.saml2.metadata.provider.MetadataFilter;
+import org.opensaml.saml2.metadata.provider.MetadataProviderException;
+import org.opensaml.xml.XMLObject;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Service;
+
+import at.gv.egovernment.moa.id.auth.modules.elgamandates.ELGAMandatesAuthConstants;
+import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
+import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.SimpleMOAMetadataProvider;
+import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.MOASPMetadataSignatureFilter;
+import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.SchemaValidationFilter;
+import at.gv.egovernment.moa.id.saml2.MetadataFilterChain;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
+
+/**
+ * @author tlenz
+ *
+ */
+
+@Service("ELGAMandate_MetadataProvider")
+public class ELGAMandateServiceMetadataProvider extends SimpleMOAMetadataProvider {
+
+ @Autowired AuthConfiguration authConfig;
+
+ private HTTPMetadataProvider metadataProvider = null;
+
+
+ public void initialize(String metadataURL) throws MetadataProviderException {
+ if (metadataProvider == null) {
+ internalInitialize(metadataURL);
+
+ } else {
+ Logger.info("ELGA Mandate-Service metadata-provider is already initialized.");
+
+ }
+
+ }
+
+
+ /* (non-Javadoc)
+ * @see org.opensaml.saml2.metadata.provider.MetadataProvider#requireValidMetadata()
+ */
+ @Override
+ public boolean requireValidMetadata() {
+ if (metadataProvider == null) {
+ Logger.fatal("ELGA Mandate-Service metadata-provider is not initialized");
+ return false;
+
+ } else
+ return metadataProvider.requireValidMetadata();
+ }
+
+ /* (non-Javadoc)
+ * @see org.opensaml.saml2.metadata.provider.MetadataProvider#setRequireValidMetadata(boolean)
+ */
+ @Override
+ public void setRequireValidMetadata(boolean requireValidMetadata) {
+ if (metadataProvider == null) {
+ Logger.fatal("ELGA Mandate-Service metadata-provider is not initialized");
+
+ } else
+ metadataProvider.setRequireValidMetadata(requireValidMetadata);;
+
+ }
+
+ /* (non-Javadoc)
+ * @see org.opensaml.saml2.metadata.provider.MetadataProvider#getMetadataFilter()
+ */
+ @Override
+ public MetadataFilter getMetadataFilter() {
+ if (metadataProvider == null) {
+ Logger.fatal("ELGA Mandate-Service metadata-provider is not initialized");
+ return null;
+
+ } else
+ return metadataProvider.getMetadataFilter();
+ }
+
+ /* (non-Javadoc)
+ * @see org.opensaml.saml2.metadata.provider.MetadataProvider#setMetadataFilter(org.opensaml.saml2.metadata.provider.MetadataFilter)
+ */
+ @Override
+ public void setMetadataFilter(MetadataFilter newFilter) throws MetadataProviderException {
+ Logger.fatal("Set Metadata Filter is not implemented her!");
+
+ }
+
+ /* (non-Javadoc)
+ * @see org.opensaml.saml2.metadata.provider.MetadataProvider#getMetadata()
+ */
+ @Override
+ public XMLObject getMetadata() throws MetadataProviderException {
+ if (metadataProvider == null) {
+ Logger.error("ELGA Mandate-Service metadata-provider is not initialized");
+ throw new MetadataProviderException("ELGA Mandate-Service metadata-provider is not initialized");
+
+ }
+
+ return metadataProvider.getMetadata();
+ }
+
+ /* (non-Javadoc)
+ * @see org.opensaml.saml2.metadata.provider.MetadataProvider#getEntitiesDescriptor(java.lang.String)
+ */
+ @Override
+ public EntitiesDescriptor getEntitiesDescriptor(String name) throws MetadataProviderException {
+ if (metadataProvider == null) {
+ Logger.fatal("ELGA Mandate-Service metadata-provider is not initialized");
+ throw new MetadataProviderException("ELGA Mandate-Service metadata-provider is not initialized");
+
+ } else
+ return metadataProvider.getEntitiesDescriptor(name);
+ }
+
+ /* (non-Javadoc)
+ * @see org.opensaml.saml2.metadata.provider.MetadataProvider#getEntityDescriptor(java.lang.String)
+ */
+ @Override
+ public EntityDescriptor getEntityDescriptor(String entityID) throws MetadataProviderException {
+ if (metadataProvider == null)
+ internalInitialize(entityID);
+
+ try {
+ EntityDescriptor entityDesc = metadataProvider.getEntityDescriptor(entityID);
+ if (entityDesc == null) {
+ Logger.error("ELGA Mandate-Service Client ERROR: No EntityID with "+ entityID);
+ throw new MetadataProviderException("No EntityID with "+ entityID);
+ }
+
+ return entityDesc;
+
+ } catch (MetadataProviderException e) {
+ Logger.error("ELGA Mandate-Service Client ERROR: Metadata extraction FAILED.", e);
+ throw new MetadataProviderException("Metadata extraction FAILED", e);
+
+ }
+ }
+
+ /* (non-Javadoc)
+ * @see org.opensaml.saml2.metadata.provider.MetadataProvider#getRole(java.lang.String, javax.xml.namespace.QName)
+ */
+ @Override
+ public List<RoleDescriptor> getRole(String entityID, QName roleName) throws MetadataProviderException {
+ if (metadataProvider == null)
+ internalInitialize(entityID);
+
+ return metadataProvider.getRole(entityID, roleName);
+ }
+
+ /* (non-Javadoc)
+ * @see org.opensaml.saml2.metadata.provider.MetadataProvider#getRole(java.lang.String, javax.xml.namespace.QName, java.lang.String)
+ */
+ @Override
+ public RoleDescriptor getRole(String entityID, QName roleName, String supportedProtocol)
+ throws MetadataProviderException {
+ if (metadataProvider == null)
+ internalInitialize(entityID);
+
+ return metadataProvider.getRole(entityID, roleName, supportedProtocol);
+ }
+
+ private synchronized void internalInitialize(String metdataURL) throws MetadataProviderException {
+ if (metadataProvider == null) {
+ Logger.info("Initialize PVP MetadataProvider to connect ELGA Mandate-Service");
+
+ String trustProfileID = authConfig.getBasicMOAIDConfiguration(ELGAMandatesAuthConstants.CONFIG_PROPS_METADATA_TRUSTPROFILE);
+ if (MiscUtil.isEmpty(trustProfileID)) {
+ Logger.error("Create ELGA Mandate-Service Client FAILED: No trustProfileID to verify PVP metadata." );
+ throw new MetadataProviderException("No trustProfileID to verify PVP metadata.");
+ }
+
+ //create metadata validation filter chain
+ MetadataFilterChain filter = new MetadataFilterChain();
+ filter.addFilter(new SchemaValidationFilter(true));
+ filter.addFilter(new MOASPMetadataSignatureFilter(trustProfileID));
+
+ metadataProvider = createNewHTTPMetaDataProvider(metdataURL,
+ filter,
+ ELGAMandatesAuthConstants.MODULE_NAME_FOR_LOGGING);
+
+ if (metadataProvider == null) {
+ Logger.error("Create ELGA Mandate-Service Client FAILED.");
+ throw new MetadataProviderException("Can not initialize ELGA Mandate-Service metadaa provider.");
+
+ }
+
+ metadataProvider.setRequireValidMetadata(true);
+ }
+ }
+}
diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/utils/ELGAMandateUtils.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/utils/ELGAMandateUtils.java
new file mode 100644
index 000000000..03f8fa195
--- /dev/null
+++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/utils/ELGAMandateUtils.java
@@ -0,0 +1,59 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.modules.elgamandates.utils;
+
+import java.util.List;
+
+import at.gv.egovernment.moa.id.auth.modules.elgamandates.ELGAMandatesAuthConstants;
+import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
+import at.gv.egovernment.moa.id.commons.api.IRequest;
+import at.gv.egovernment.moa.id.commons.utils.KeyValueUtils;
+
+/**
+ * @author tlenz
+ *
+ */
+public class ELGAMandateUtils {
+ /**
+ * Check Service-Provider mandate-profiles against allowed mandate-profiles for ELGA MandateService.
+ *
+ * @return true, if ELGA mandateservice is allowed, otherwise false
+ */
+ public static boolean checkServiceProviderAgainstELGAModulConfigration(AuthConfiguration authConfig, IRequest pendingReq) {
+ String allowedMandateTypesCSV =
+ authConfig.getBasicMOAIDConfiguration(ELGAMandatesAuthConstants.CONFIG_PROPS_ALLOWED_MANDATE_TYPES);
+ List<String> allowedMandateTypes = KeyValueUtils.getListOfCSVValues(allowedMandateTypesCSV);
+ List<String> spMandateProfiles = pendingReq.getOnlineApplicationConfiguration().getMandateProfiles();
+
+ boolean isELGAMandateServiceAllowed = false;
+ if (spMandateProfiles != null) {
+ for (String el : allowedMandateTypes) {
+ if (spMandateProfiles.contains(el))
+ isELGAMandateServiceAllowed = true;
+
+ }
+ }
+
+ return isELGAMandateServiceAllowed;
+ }
+}
diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/utils/ELGAMandatesCredentialProvider.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/utils/ELGAMandatesCredentialProvider.java
new file mode 100644
index 000000000..f5bcdb70b
--- /dev/null
+++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/utils/ELGAMandatesCredentialProvider.java
@@ -0,0 +1,123 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.modules.elgamandates.utils;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Service;
+
+import at.gv.egovernment.moa.id.auth.modules.elgamandates.ELGAMandatesAuthConstants;
+import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
+import at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider;
+import at.gv.egovernment.moa.util.FileUtils;
+
+/**
+ * @author tlenz
+ *
+ */
+@Service("ELGAMandatesCredentialProvider")
+public class ELGAMandatesCredentialProvider extends AbstractCredentialProvider {
+
+ @Autowired AuthConfiguration authConfig;
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getKeyStoreFilePath()
+ */
+ @Override
+ public String getKeyStoreFilePath() {
+ return FileUtils.makeAbsoluteURL(
+ authConfig.getBasicMOAIDConfiguration(ELGAMandatesAuthConstants.CONFIG_PROPS_KEYSTORE),
+ authConfig.getRootConfigFileDir());
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getKeyStorePassword()
+ */
+ @Override
+ public String getKeyStorePassword() {
+ return authConfig.getBasicMOAIDConfiguration(ELGAMandatesAuthConstants.CONFIG_PROPS_KEYSTOREPASSWORD).trim();
+
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getMetadataKeyAlias()
+ */
+ @Override
+ public String getMetadataKeyAlias() {
+ return authConfig.getBasicMOAIDConfiguration(
+ ELGAMandatesAuthConstants.CONFIG_PROPS_SIGN_METADATA_ALIAS_PASSWORD).trim();
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getMetadataKeyPassword()
+ */
+ @Override
+ public String getMetadataKeyPassword() {
+ return authConfig.getBasicMOAIDConfiguration(
+ ELGAMandatesAuthConstants.CONFIG_PROPS_SIGN_METADATA_KEY_PASSWORD).trim();
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getSignatureKeyAlias()
+ */
+ @Override
+ public String getSignatureKeyAlias() {
+ return authConfig.getBasicMOAIDConfiguration(
+ ELGAMandatesAuthConstants.CONFIG_PROPS_SIGN_SIGNING_ALIAS_PASSWORD).trim();
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getSignatureKeyPassword()
+ */
+ @Override
+ public String getSignatureKeyPassword() {
+ return authConfig.getBasicMOAIDConfiguration(
+ ELGAMandatesAuthConstants.CONFIG_PROPS_SIGN_SIGNING_KEY_PASSWORD).trim();
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getEncryptionKeyAlias()
+ */
+ @Override
+ public String getEncryptionKeyAlias() {
+ return authConfig.getBasicMOAIDConfiguration(
+ ELGAMandatesAuthConstants.CONFIG_PROPS_ENCRYPTION_ALIAS_PASSWORD).trim();
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getEncryptionKeyPassword()
+ */
+ @Override
+ public String getEncryptionKeyPassword() {
+ return authConfig.getBasicMOAIDConfiguration(
+ ELGAMandatesAuthConstants.CONFIG_PROPS_ENCRYPTION_KEY_PASSWORD).trim();
+ }
+
+ /* (non-Javadoc)
+ * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getCredentialName()
+ */
+ @Override
+ public String getFriendlyName() {
+ return "FederatedAuth-SP";
+ }
+
+}
diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/META-INF/services/at.gv.egiz.components.spring.api.SpringResourceProvider b/id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/META-INF/services/at.gv.egiz.components.spring.api.SpringResourceProvider
new file mode 100644
index 000000000..1ebc153ce
--- /dev/null
+++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/META-INF/services/at.gv.egiz.components.spring.api.SpringResourceProvider
@@ -0,0 +1 @@
+at.gv.egovernment.moa.id.auth.modules.elgamandates.ELGAMandatesSpringResourceProvider \ No newline at end of file
diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/at/gv/egovernment/moa/id/auth/modules/elgamandates/DefaultAuth_with_ELGA_mandates.process.xml b/id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/at/gv/egovernment/moa/id/auth/modules/elgamandates/DefaultAuth_with_ELGA_mandates.process.xml
new file mode 100644
index 000000000..4dee1160e
--- /dev/null
+++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/at/gv/egovernment/moa/id/auth/modules/elgamandates/DefaultAuth_with_ELGA_mandates.process.xml
@@ -0,0 +1,71 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<pd:ProcessDefinition id="DefaultAuthenticationWithELGAMandates" xmlns:pd="http://reference.e-government.gv.at/namespace/moa/process/definition/v1">
+
+<!--
+ - National authentication with Austrian Citizen Card and mobile signature with our without mandate.
+ - Legacy authentication for foreign citizens using MOCCA supported signature cards.
+-->
+ <pd:Task id="initializeBKUAuthentication" class="InitializeBKUAuthenticationTask" />
+ <pd:Task id="createIdentityLinkForm" class="CreateIdentityLinkFormTask" />
+ <pd:Task id="verifyIdentityLink" class="VerifyIdentityLinkTask" async="true" />
+ <pd:Task id="verifyAuthBlock" class="VerifyAuthenticationBlockTask" async="true" />
+ <pd:Task id="verifyCertificate" class="VerifyCertificateTask" async="true" />
+ <pd:Task id="getMISMandate" class="GetMISSessionIDTask" async="true" />
+ <pd:Task id="certificateReadRequest" class="CertificateReadRequestTask" />
+ <pd:Task id="prepareAuthBlockSignature" class="PrepareAuthBlockSignatureTask" />
+ <pd:Task id="prepareGetMISMandate" class="PrepareGetMISMandateTask" />
+ <pd:Task id="finalizeAuthentication" class="FinalizeAuthenticationTask" />
+ <pd:Task id="getForeignID" class="GetForeignIDTask" async="true" />
+
+ <!-- ELGA Mandate-Service Tasks -->
+ <pd:Task id="selectMandateServiceTask" class="SelectMandateServiceTask" />
+ <pd:Task id="evaluateMandateServiceTask" class="EvaluateMandateServiceTask" async="true"/>
+ <pd:Task id="requestELGAMandateTask" class="RequestELGAMandateTask" />
+ <pd:Task id="receiveElgaMandateResponseTask" class="ReceiveElgaMandateResponseTask" async="true"/>
+
+
+ <!-- Process is triggered either by GenerateIFrameTemplateServlet (upon bku selection) or by AuthenticationManager (upon legacy authentication start using legacy parameters. -->
+ <pd:StartEvent id="start" />
+
+ <pd:Transition from="start" to="initializeBKUAuthentication" />
+
+ <pd:Transition from="initializeBKUAuthentication" to="createIdentityLinkForm" />
+
+ <pd:Transition from="createIdentityLinkForm" to="verifyIdentityLink" />
+
+ <pd:Transition from="verifyIdentityLink" to="certificateReadRequest" conditionExpression="!ctx['identityLinkAvailable'] || ctx['useMandate']" />
+ <pd:Transition from="verifyIdentityLink" to="prepareAuthBlockSignature" />
+
+ <pd:Transition from="prepareAuthBlockSignature" to="verifyAuthBlock" />
+ <!-- Note: verifyAuthBlock still creates a MIS session and redirects the user to the MIS gui. This should be separated from the auth block verification. -->
+
+ <pd:Transition from="certificateReadRequest" to="verifyCertificate" />
+ <!-- Note: verifyCertificate still creates the auth block to be signed which should be separated from certificat verification. -->
+
+ <pd:Transition from="verifyCertificate" to="verifyAuthBlock" conditionExpression="ctx['useMandate']" />
+ <pd:Transition from="verifyCertificate" to="getForeignID" />
+
+ <pd:Transition from="verifyAuthBlock" to="selectMandateServiceTask" conditionExpression="ctx['useMandate']" />
+ <pd:Transition from="verifyAuthBlock" to="finalizeAuthentication" />
+
+ <pd:Transition from="selectMandateServiceTask" to="prepareGetMISMandate" conditionExpression="ctx['useMISMandate']" />
+ <pd:Transition from="selectMandateServiceTask" to="evaluateMandateServiceTask" />
+
+ <pd:Transition from="evaluateMandateServiceTask" to="prepareGetMISMandate" conditionExpression="ctx['useMISMandate']" />
+ <pd:Transition from="evaluateMandateServiceTask" to="requestELGAMandateTask" conditionExpression="ctx['useELGAMandate']" />
+ <pd:Transition from="evaluateMandateServiceTask" to="end" />
+
+
+ <pd:Transition from="requestELGAMandateTask" to="receiveElgaMandateResponseTask" />
+ <pd:Transition from="receiveElgaMandateResponseTask" to="finalizeAuthentication" />
+
+ <pd:Transition from="prepareGetMISMandate" to="getMISMandate" />
+ <pd:Transition from="getMISMandate" to="finalizeAuthentication" />
+
+ <pd:Transition from="getForeignID" to="finalizeAuthentication" />
+
+ <pd:Transition from="finalizeAuthentication" to="end" />
+
+ <pd:EndEvent id="end" />
+
+</pd:ProcessDefinition>
diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/moaid_elga_mandate_client_auth.beans.xml b/id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/moaid_elga_mandate_client_auth.beans.xml
new file mode 100644
index 000000000..cbc4e65c1
--- /dev/null
+++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/moaid_elga_mandate_client_auth.beans.xml
@@ -0,0 +1,46 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xmlns:context="http://www.springframework.org/schema/context"
+ xmlns:tx="http://www.springframework.org/schema/tx"
+ xmlns:aop="http://www.springframework.org/schema/aop"
+ xsi:schemaLocation="http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.1.xsd
+ http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+ http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd
+ http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.0.xsd">
+
+<!-- ELGA mandate-service client beans -->
+ <bean id="elgaMandatesAuthModule" class="at.gv.egovernment.moa.id.auth.modules.elgamandates.ELGAMandatesAuthModuleImpl">
+ <property name="priority" value="1" />
+ </bean>
+
+ <bean id="ELGAMandate_MetadataProvider"
+ class="at.gv.egovernment.moa.id.auth.modules.elgamandates.utils.ELGAMandateServiceMetadataProvider"/>
+
+ <bean id="ELGAMandatesCredentialProvider"
+ class="at.gv.egovernment.moa.id.auth.modules.elgamandates.utils.ELGAMandatesCredentialProvider"/>
+
+ <bean id="ELGAMandateMetadataController"
+ class="at.gv.egovernment.moa.id.auth.modules.elgamandates.controller.ELGAMandateMetadataController"/>
+
+ <bean id="ELGAMandateSignalController"
+ class="at.gv.egovernment.moa.id.auth.modules.elgamandates.controller.ELGAMandateSignalController"/>
+
+<!-- ELGA-MandateService communication Process Tasks -->
+ <bean id="SelectMandateServiceTask"
+ class="at.gv.egovernment.moa.id.auth.modules.elgamandates.tasks.SelectMandateServiceTask"
+ scope="prototype"/>
+
+ <bean id="EvaluateMandateServiceTask"
+ class="at.gv.egovernment.moa.id.auth.modules.elgamandates.tasks.EvaluateMandateServiceTask"
+ scope="prototype"/>
+
+ <bean id="RequestELGAMandateTask"
+ class="at.gv.egovernment.moa.id.auth.modules.elgamandates.tasks.RequestELGAMandateTask"
+ scope="prototype"/>
+
+ <bean id="ReceiveElgaMandateResponseTask"
+ class="at.gv.egovernment.moa.id.auth.modules.elgamandates.tasks.ReceiveElgaMandateResponseTask"
+ scope="prototype"/>
+
+</beans> \ No newline at end of file
diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/templates/mandate-service-selection.html b/id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/templates/mandate-service-selection.html
new file mode 100644
index 000000000..b0be4a475
--- /dev/null
+++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/templates/mandate-service-selection.html
@@ -0,0 +1,76 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
+ <!-- MOA-ID 2.x BKUSelection Layout CSS -->
+ <link rel="stylesheet" href="$contextPath/css/buildCSS?pendingid=#ID#" />
+
+ <title>Anmeldung an Online-Applikation</title>
+</head>
+
+
+<body>
+ <div id="page">
+
+ <div id="page1" class="case selected-case" role="main">
+
+<!-- <h2 class="OA_header">Anmeldung an: #OAName#</h2> -->
+
+ <div id="main">
+ <!--div id="leftcontent" class="hell"-->
+ <div id=processContent>
+ <div id="bku_header" class="dunkel">
+ <h2 id="tabheader" class="dunkel" role="heading">
+ Anmeldeinformationen:
+ </h2>
+ </div>
+
+ <div id="selectArea" class="hell" role="application">
+ <h3>Anmeldung an: $OAName</h3>
+
+
+ <div id="processInfoArea">
+ <p>Für die Anmeldung 'in Vertretung' stehen Ihnen zwei Systeme zur Vollmachtenauswahl zur Verfügung. Bitte wählen Sie das gewünschte Service.</p>
+ </div>
+
+ <div id="processSelectionArea">
+ <div id="elgaMandateButton" class="processSelectionButtonArea">
+ <form method="post" id="moaidform_yes" action="$contextPath$submitEndpoint">
+ <input type="hidden" name="useELGAMandate" value="true">
+ <input type="hidden" name="pendingid" value="$pendingReqID">
+ <input type="submit" value="Eltern-Kind Vertretung" class="processSelectionButton" role="button">
+ </form>
+ <div class="buttonDescription">
+ <p>Eltern-Kind Vertretung</p>
+ </div>
+ </div>
+ <div id="misMandateButton" class="processSelectionButtonArea">
+ <form method="post" id="moaidform_no" action="$contextPath$submitEndpoint">
+ <input type="hidden" name="useMISMandate" value="true">
+ <input type="hidden" name="pendingid" value="$pendingReqID">
+ <input type="submit" value="allgemeine Vertretung" class="processSelectionButton" role="button">
+ </form>
+ <div class="buttonDescription">
+ <p>Vollmachtenservice der Österreichischen Datenschutzbehörde <a href="https://mms.stammzahlenregister.gv.at/mms/moaid.do">(MMS Service)</a></p>
+ </div>
+ </div>
+ <div id="abortButton" class="processSelectionButtonArea">
+ <form method="post" id="moaidform_no" action="$contextPath$submitEndpoint">
+ <input type="hidden" name="pendingid" value="$pendingReqID">
+ <input type="submit" value="Abbrechen" class="processSelectionButton" role="button">
+ </form>
+ <div class="buttonDescription">
+ <p>Den Anmeldevorgang abbrechen</p>
+ </div>
+ </div>
+ </div>
+
+ </div>
+ </div>
+
+ <!--/div-->
+ </div>
+ </div>
+ </div>
+</body>
+</html>