7 files changed, 47 insertions, 8 deletions

diff --git a/id/ConfigWebTool/pom.xml b/id/ConfigWebTool/pom.xml
index 9800fad7e..51bb941a4 100644
--- a/id/ConfigWebTool/pom.xml
+++ b/id/ConfigWebTool/pom.xml
@@ -97,6 +97,12 @@
 			<artifactId>moa-id-module-stork</artifactId>
 		</dependency>
 
+		<dependency>
+			<groupId>org.apache.commons</groupId>
+			<artifactId>commons-collections4</artifactId>
+			<version>${org.apache.commons.collections4.version}</version>	
+		</dependency>
+
 
         <dependency>
             <groupId>at.gv.util</groupId>
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProviderFactory.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProviderFactory.java
index 38135b028..9812f346d 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProviderFactory.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProviderFactory.java
@@ -65,7 +65,7 @@ public class AuthConfigurationProviderFactory {
 	    	instance = new PropertyBasedAuthConfigurationProvider(fileURI);
 	    	
 	    } catch (URISyntaxException e){
-	    	Logger.error("MOA-ID-Auth configuration file does not starts with file:/ as prefix.");
+	    	Logger.error("MOA-ID-Auth configuration file does not starts with file:/ as prefix.", e);
 	    	throw new ConfigurationException("config24", new Object[]{MOAIDAuthConstants.FILE_URI_PREFIX, fileName});
 	    	
 	    }
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
index 6ed3f0eb5..ee5685e5f 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java
@@ -623,10 +623,25 @@ public class PVP2XProtocol extends MOAIDAuthConstants implements IModulInfo  {
 		AssertionConsumerService consumerService = null;
 		if (MiscUtil.isNotEmpty(authnRequest.getAssertionConsumerServiceURL()) && 
 				MiscUtil.isNotEmpty(authnRequest.getProtocolBinding())) {
-			//use AssertionConsumerServiceURL from request 
-			consumerService = SAML2Utils.createSAMLObject(AssertionConsumerService.class);
-			consumerService.setBinding(authnRequest.getProtocolBinding());
-			consumerService.setLocation(authnRequest.getAssertionConsumerServiceURL());
+			//use AssertionConsumerServiceURL from request
+
+			//check requested AssertionConsumingService URL against metadata
+			List<AssertionConsumerService> metadataAssertionServiceList = spSSODescriptor.getAssertionConsumerServices();
+			for (AssertionConsumerService service : metadataAssertionServiceList) {
+				if (authnRequest.getProtocolBinding().equals(service.getBinding())
+						&& authnRequest.getAssertionConsumerServiceURL().equals(service.getLocation())) {
+					consumerService = SAML2Utils.createSAMLObject(AssertionConsumerService.class);
+					consumerService.setBinding(authnRequest.getProtocolBinding());
+					consumerService.setLocation(authnRequest.getAssertionConsumerServiceURL());					
+					Logger.debug("Requested AssertionConsumerServiceURL is valid.");
+				}				
+			}
+			
+			if (consumerService == null) {				
+				throw new InvalidAssertionConsumerServiceException(authnRequest.getAssertionConsumerServiceURL());
+				
+			}
+
 
 		} else {
 			//use AssertionConsumerServiceIndex and select consumerService from metadata
@@ -645,9 +660,10 @@ public class PVP2XProtocol extends MOAIDAuthConstants implements IModulInfo  {
 			if (consumerService == null) {			
 				throw new InvalidAssertionConsumerServiceException(aIdx);
 				
-			}
+			}			
 		}
 		
+		
 		//select AttributeConsumingService from request
 		AttributeConsumingService attributeConsumer = null;		
 		Integer aIdx = authnRequest.getAttributeConsumingServiceIndex();
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/InvalidAssertionConsumerServiceException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/InvalidAssertionConsumerServiceException.java
index 94a4e8226..392569366 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/InvalidAssertionConsumerServiceException.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/InvalidAssertionConsumerServiceException.java
@@ -34,6 +34,15 @@ public class InvalidAssertionConsumerServiceException extends PVP2Exception {
 	/**
 	 * 
 	 */
+	public InvalidAssertionConsumerServiceException(String wrongURL) {
+		super("pvp2.23", new Object[]{wrongURL});
+		this.statusCodeValue = StatusCode.REQUESTER_URI;
+		
+	}
+
+	/**
+	 * 
+	 */
 	private static final long serialVersionUID = 7861790149343943091L;
 
 }
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/AbstractRequestSignedSecurityPolicyRule.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/AbstractRequestSignedSecurityPolicyRule.java
index 31e960d59..f62410656 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/AbstractRequestSignedSecurityPolicyRule.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/AbstractRequestSignedSecurityPolicyRule.java
@@ -92,7 +92,7 @@ public abstract class AbstractRequestSignedSecurityPolicyRule implements Securit
 				throw e;
 			
 			}			
-			Logger.debug("PVP2X message validation FAILED. Relead metadata for entityID: " + context.getInboundMessageIssuer());
+			Logger.debug("PVP2X message validation FAILED. Reload metadata for entityID: " + context.getInboundMessageIssuer());
 			if (!refreshMetadataProvider(context.getInboundMessageIssuer()))
 				throw e;
 			
@@ -139,8 +139,10 @@ public abstract class AbstractRequestSignedSecurityPolicyRule implements Securit
 					throw new SecurityPolicyException("Signature validation FAILED.");
 					
 				}
+				Logger.debug("PVP AuthnRequest signature valid.");
+				
 			} catch (org.opensaml.xml.security.SecurityException e) {
-				Logger.warn("PVP2x message signature validation FAILED.", e);
+				Logger.info("PVP2x message signature validation FAILED. Message:" + e.getMessage());
 				throw new SecurityPolicyException("Signature validation FAILED.");
 				
 			}
@@ -149,6 +151,7 @@ public abstract class AbstractRequestSignedSecurityPolicyRule implements Securit
 			throw new SecurityPolicyException("Request is not signed.");
 			
 		}
+				
 	}
 	
 	private void performSchemaValidation(Element source) throws SchemaValidationException {
diff --git a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
index ceb701814..cabf1557e 100644
--- a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
+++ b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties
@@ -266,6 +266,7 @@ pvp2.19=Der Single LogOut Vorgang musste wegen eines unkorregierbaren Fehler abg
 pvp2.20=F\u00FCr die im Request angegebene EntityID konnten keine g\u00FCltigen Metadaten gefunden werden.

 pvp2.21=Die Signature des Requests konnte nicht g\u00FCltig validiert werden.  

 pvp2.22=Der Request konnte nicht g\u00FCltig validiert werden (Fehler\={0}).

+pvp2.23={0} ist keine gueltige AssertionConsumerServiceURL oder entspricht nicht den Metadaten.

 

 oauth20.01=Fehlerhafte redirect url

 oauth20.02=Fehlender oder ung\u00FCltiger Parameter "{0}"

diff --git a/id/server/moa-id-commons/pom.xml b/id/server/moa-id-commons/pom.xml
index 244ea1412..d242147f1 100644
--- a/id/server/moa-id-commons/pom.xml
+++ b/id/server/moa-id-commons/pom.xml
@@ -219,6 +219,10 @@
 			<version>1.4</version>
 		</dependency>
 
+		<dependency>
+			<groupId>org.apache.commons</groupId>
+			<artifactId>commons-collections4</artifactId>	
+		</dependency>
 
 		
     </dependencies>