From ad40ae9233c5f2a32c983962d655e686af546677 Mon Sep 17 00:00:00 2001
From: Thomas Knall <t.knall@datentechnik-innovation.com>
Date: Thu, 22 Jan 2015 12:13:07 +0100
Subject: Add mandate process support (MOAID-60).

- Refactor moa-id auth web.xml
-- Group the servlets with their corresponding mappings.
-- Replace servlets for mappings "/GetMISSessionID", "/VerifyAuthBlock", "/VerifyCertificate" and "/VerifyIdentityLink".
-- Remove disabled declarations.
- Replace link http://jigsaw.w3.org/css-validator/images/vcss-blue with https://... within the internal templates (loginFormFull.html, sendAssertionFormFull.html, ...).
- Set classes deprecated: GetMISSessionIDServlet, VerifyCertificateServlet
- ProcessEngineSignalServlet: make GET delegate to PUT
- Replace some "implements MOAIDAuthConstants" with "import static MOAIDAuthConstants.*".
- Add detailed Javadoc to *Task.java.
- Update DefaultAuthentication.process.xml for mandate
- Add GetMISSessionIDTask and VerifyCertificateTask.
- Add adapter class for iaik.IAIKRuntimeException in order to satisfy some library's bogus dependendies.
---
 id/server/auth/src/main/webapp/WEB-INF/web.xml     | 272 +++++-------------
 .../htmlTemplates/loginFormFull.html               |   2 +-
 .../htmlTemplates/sendAssertionFormFull.html       |   2 +-
 .../conf/moa-id/htmlTemplates/loginFormFull.html   |   2 +-
 .../htmlTemplates/sendAssertionFormFull.html       |   2 +-
 .../conf/moa-id/htmlTemplates/slo_template.html    |   2 +-
 id/server/doc/htmlTemplates/BKU-selection.html     |   2 +-
 id/server/doc/htmlTemplates/sendAssertion.html     |   2 +-
 .../id/auth/servlet/GetMISSessionIDServlet.java    |   7 +-
 .../auth/servlet/ProcessEngineSignalServlet.java   |  39 ++-
 .../id/auth/servlet/VerifyCertificateServlet.java  |   9 +-
 .../moa/id/auth/tasks/AbstractAuthServletTask.java |  68 ++---
 .../id/auth/tasks/CreateIdentityLinkFormTask.java  |  36 +++
 .../moa/id/auth/tasks/GetMISSessionIDTask.java     | 182 ++++++++++++
 .../auth/tasks/VerifyAuthenticationBlockTask.java  |  56 ++--
 .../moa/id/auth/tasks/VerifyCertificateTask.java   | 166 +++++++++++
 .../moa/id/auth/tasks/VerifyIdentityLinkTask.java  | 319 +++++++++++----------
 .../protocols/pvp2x/exceptions/loginFormFull.html  |   2 +-
 .../src/main/java/iaik/IAIKRuntimeException.java   |  18 ++
 .../processes/DefaultAuthentication.process.xml    |  23 +-
 .../resources/templates/loginFormFull.html         |   2 +-
 .../resources/templates/sendAssertionFormFull.html |   2 +-
 .../resources/templates/slo_template.html          |   2 +-
 23 files changed, 769 insertions(+), 448 deletions(-)
 create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/tasks/GetMISSessionIDTask.java
 create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/tasks/VerifyCertificateTask.java
 create mode 100644 id/server/idserverlib/src/main/java/iaik/IAIKRuntimeException.java

diff --git a/id/server/auth/src/main/webapp/WEB-INF/web.xml b/id/server/auth/src/main/webapp/WEB-INF/web.xml
index 477cce57b..1dd3b7a40 100644
--- a/id/server/auth/src/main/webapp/WEB-INF/web.xml
+++ b/id/server/auth/src/main/webapp/WEB-INF/web.xml
@@ -36,41 +36,67 @@
 		<filter-name>requestContextFilter</filter-name>
 		<url-pattern>/*</url-pattern>
 	</filter-mapping>
+	
+	<filter>
+		<filter-name>UrlRewriteFilter</filter-name>
+		<filter-class>org.tuckey.web.filters.urlrewrite.UrlRewriteFilter</filter-class>
+	</filter>
+	<filter-mapping>
+		<filter-name>UrlRewriteFilter</filter-name>
+		<url-pattern>/*</url-pattern>
+	</filter-mapping>
 
-
-<!-- 	<servlet>
-		<servlet-name>SelectBKU</servlet-name>
-		<display-name>SelectBKU</display-name>
-		<description>Select Bürgerkartenartenumgebung</description>
-		<servlet-class>at.gv.egovernment.moa.id.auth.servlet.SelectBKUServlet</servlet-class>
-	</servlet> -->
 	<servlet>
 		<description>Generate BKU Request template</description>
 		<display-name>GenerateIframeTemplate</display-name>
 		<servlet-name>GenerateIframeTemplate</servlet-name>
 		<servlet-class>at.gv.egovernment.moa.id.auth.servlet.GenerateIFrameTemplateServlet</servlet-class>
 	</servlet>
+	<servlet-mapping>
+		<servlet-name>GenerateIframeTemplate</servlet-name>
+		<url-pattern>/GenerateIframeTemplate</url-pattern>
+	</servlet-mapping>
+	
 	<servlet>
 		<display-name>RedirectServlet</display-name>
 		<servlet-name>RedirectServlet</servlet-name>
 		<servlet-class>at.gv.egovernment.moa.id.auth.servlet.RedirectServlet</servlet-class>
 	</servlet>
+	<servlet-mapping>
+		<servlet-name>RedirectServlet</servlet-name>
+		<url-pattern>/RedirectServlet</url-pattern>
+	</servlet-mapping>
+	
 	<servlet>
 		<display-name>MonitoringServlet</display-name>
 		<servlet-name>MonitoringServlet</servlet-name>
 		<servlet-class>at.gv.egovernment.moa.id.auth.servlet.MonitoringServlet</servlet-class>
 	</servlet>
+	<servlet-mapping>
+		<servlet-name>MonitoringServlet</servlet-name>
+		<url-pattern>/MonitoringServlet</url-pattern>
+	</servlet-mapping>
+	
 	<servlet>
 		<display-name>SSOSendAssertionServlet</display-name>
 		<servlet-name>SSOSendAssertionServlet</servlet-name>
 		<servlet-class>at.gv.egovernment.moa.id.auth.servlet.SSOSendAssertionServlet</servlet-class>
-	</servlet>	
+	</servlet>
+	<servlet-mapping>
+		<servlet-name>SSOSendAssertionServlet</servlet-name>
+		<url-pattern>/SSOSendAssertionServlet</url-pattern>
+	</servlet-mapping>
+	
 	<servlet>
 		<description>SSO LogOut</description>
 		<display-name>LogOut</display-name>
 		<servlet-name>LogOut</servlet-name>
 		<servlet-class>at.gv.egovernment.moa.id.auth.servlet.LogOutServlet</servlet-class>
 	</servlet>
+	<servlet-mapping>
+		<servlet-name>LogOut</servlet-name>
+		<url-pattern>/LogOut</url-pattern>
+	</servlet-mapping>
 	
 	<servlet>
 		<description>IDP Single LogOut Service</description>
@@ -78,25 +104,10 @@
 		<servlet-name>IDPSLO</servlet-name>
 		<servlet-class>at.gv.egovernment.moa.id.auth.servlet.IDPSingleLogOutServlet</servlet-class>
 	</servlet>
-	
-	<servlet>
-		<description>Verify identity link coming from security layer</description>
-		<display-name>VerifyIdentityLink</display-name>
-		<servlet-name>VerifyIdentityLink</servlet-name>
-		<servlet-class>at.gv.egovernment.moa.id.auth.servlet.VerifyIdentityLinkServlet</servlet-class>
-	</servlet>
-	<servlet>
-		<description>Verify the certificate coming from security layer</description>
-		<display-name>VerifyCertificate</display-name>
-		<servlet-name>VerifyCertificate</servlet-name>
-		<servlet-class>at.gv.egovernment.moa.id.auth.servlet.VerifyCertificateServlet</servlet-class>
-	</servlet>
-	<servlet>
-		<description>Get the MIS session ID coming from security layer</description>
-		<display-name>GetMISSessionID</display-name>
-		<servlet-name>GetMISSessionID</servlet-name>
-		<servlet-class>at.gv.egovernment.moa.id.auth.servlet.GetMISSessionIDServlet</servlet-class>
-	</servlet>
+	<servlet-mapping>
+		<servlet-name>IDPSLO</servlet-name>
+		<url-pattern>/idpSingleLogout</url-pattern>
+	</servlet-mapping>
 
 	<servlet>
 		<description>Gets the foreign eID from security layer</description>
@@ -104,223 +115,84 @@
 		<servlet-name>GetForeignID</servlet-name>
 		<servlet-class>at.gv.egovernment.moa.id.auth.servlet.GetForeignIDServlet</servlet-class>
 	</servlet>
-<!-- 	<servlet>
-		<servlet-name>ProcessInput</servlet-name>
-		<display-name>ProcessInput</display-name>
-		<description>Process user input needed by infobox validators</description>
-		<servlet-class>at.gv.egovernment.moa.id.auth.servlet.ProcessValidatorInputServlet</servlet-class>
-	</servlet> -->
-	<servlet>
-		<description>Verify AUTH block coming from security layer</description>
-		<display-name>VerifyAuthBlock</display-name>
-		<servlet-name>VerifyAuthBlock</servlet-name>
-		<servlet-class>at.gv.egovernment.moa.id.auth.servlet.VerifyAuthenticationBlockServlet</servlet-class>
-	</servlet>
-<!-- 	<servlet>
-		<servlet-name>ConfigurationUpdate</servlet-name>
-		<display-name>ConfigurationUpdate</display-name>
-		<description>Update MOA-ID Auth configuration from the configuration
-			file</description>
-		<servlet-class>at.gv.egovernment.moa.id.auth.servlet.ConfigurationServlet</servlet-class>
-	</servlet> -->
+	<servlet-mapping>
+		<servlet-name>GetForeignID</servlet-name>
+		<url-pattern>/GetForeignID</url-pattern>
+	</servlet-mapping>
+	
 	<servlet>
 		<display-name>Apache-Axis Servlet</display-name>
 		<servlet-name>AxisServlet</servlet-name>
 		<servlet-class>org.apache.axis.transport.http.AxisServlet</servlet-class>
 	</servlet>
+	<servlet-mapping>
+		<servlet-name>AxisServlet</servlet-name>
+		<url-pattern>/services/*</url-pattern>
+	</servlet-mapping>
 
- 	<!-- JSP servlet -->
-<!--	<servlet>
-		<servlet-name>jspservlet</servlet-name>
-		<servlet-class>org.apache.jasper.servlet.JspServlet</servlet-class>
-	</servlet> -->
 	<servlet>
-		<description>Servlet receiving STORK SAML Response Messages from
-			different C-PEPS</description>
+		<description>Servlet receiving STORK SAML Response Messages from different C-PEPS</description>
 		<display-name>PEPSConnectorServlet</display-name>
 		<servlet-name>PEPSConnectorServlet</servlet-name>
-		<servlet-class>
-			at.gv.egovernment.moa.id.auth.servlet.PEPSConnectorServlet</servlet-class>
+		<servlet-class>at.gv.egovernment.moa.id.auth.servlet.PEPSConnectorServlet</servlet-class>
 	</servlet>
+	<servlet-mapping>
+		<servlet-name>PEPSConnectorServlet</servlet-name>
+		<url-pattern>/PEPSConnector</url-pattern>
+	</servlet-mapping>
+
 	<servlet>
-		<description>Servlet receiving STORK SAML Response Messages from
-			different C-PEPS</description>
+		<description>Servlet receiving STORK SAML Response Messages from different C-PEPS</description>
 		<display-name>PEPSConnectorWithLocalSigningServlet</display-name>
 		<servlet-name>PEPSConnectorWithLocalSigningServlet</servlet-name>
-		<servlet-class>
-			at.gv.egovernment.moa.id.auth.servlet.PEPSConnectorWithLocalSigningServlet</servlet-class>
+		<servlet-class>at.gv.egovernment.moa.id.auth.servlet.PEPSConnectorWithLocalSigningServlet</servlet-class>
 	</servlet>
-
-	<!-- Dispatcher servlets 
-	<servlet>
-		<servlet-name>AuthDispatcherServlet</servlet-name>
-		<display-name>AuthDispatcher Servlet</display-name>
-		<servlet-class>at.gv.egovernment.moa.id.entrypoints.AuthDispatcherServlet</servlet-class>
-		<load-on-startup>1</load-on-startup>
-	</servlet>-->
+	<servlet-mapping>
+		<servlet-name>PEPSConnectorWithLocalSigningServlet</servlet-name>
+		<url-pattern>/PEPSConnectorWithLocalSigning</url-pattern>
+	</servlet-mapping>
+	
 	<servlet>
 		<display-name>Dispatcher Servlet</display-name>
 		<servlet-name>DispatcherServlet</servlet-name>
 		<servlet-class>at.gv.egovernment.moa.id.entrypoints.DispatcherServlet</servlet-class>
 		<load-on-startup>1</load-on-startup>
 	</servlet>
-
-	<!-- Servlet Registration -->
-	<servlet>
-		<servlet-name>at.gv.egovernment.moa.id.protocols.saml1.GetArtifactServlet</servlet-name>
-		<servlet-class>at.gv.egovernment.moa.id.protocols.saml1.GetArtifactServlet</servlet-class>
-	</servlet>
+	<servlet-mapping>
+		<servlet-name>DispatcherServlet</servlet-name>
+		<url-pattern>/dispatcher</url-pattern>
+	</servlet-mapping>
 
 	<servlet>
-		<description>Resumes a suspended process engine task.</description>
+		<description>Resumes a suspended process task.</description>
 		<display-name>ProcessEngineSignal</display-name>
 		<servlet-name>ProcessEngineSignal</servlet-name>
 		<servlet-class>at.gv.egovernment.moa.id.auth.servlet.ProcessEngineSignalServlet</servlet-class>
 	</servlet>
-
-
-
-	<servlet-mapping>
-		<servlet-name>DispatcherServlet</servlet-name>
-		<url-pattern>/dispatcher</url-pattern>
-	</servlet-mapping>
-	<!-- servlet-mapping>
-		<servlet-name>AuthDispatcherServlet</servlet-name>
-		<url-pattern>/AuthDispatcher</url-pattern>
-	</servlet-mapping -->
-
-
-	<!-- servlet mapping for jsp pages -->
-	<!-- errorpage.jsp (customizeable) -->
-<!-- 	<servlet-mapping>
-		<servlet-name>jspservlet</servlet-name>
-		<url-pattern>/errorpage-auth.jsp</url-pattern>
-	</servlet-mapping>
-	message.jsp (customizeable) used for non error messages (e.g. ConfigurationUpdate)
-	<servlet-mapping>
-		<servlet-name>jspservlet</servlet-name>
-		<url-pattern>/message-auth.jsp</url-pattern>
-	</servlet-mapping> -->
-
-<!-- 	<servlet-mapping>
-		<servlet-name>SelectBKU</servlet-name>
-		<url-pattern>/SelectBKU</url-pattern>
-	</servlet-mapping> -->
-	<servlet-mapping>
-		<servlet-name>GenerateIframeTemplate</servlet-name>
-		<url-pattern>/GenerateIframeTemplate</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-		<servlet-name>RedirectServlet</servlet-name>
-		<url-pattern>/RedirectServlet</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-		<servlet-name>MonitoringServlet</servlet-name>
-		<url-pattern>/MonitoringServlet</url-pattern>
-	</servlet-mapping>
 	<servlet-mapping>
-		<servlet-name>SSOSendAssertionServlet</servlet-name>
-		<url-pattern>/SSOSendAssertionServlet</url-pattern>
-	</servlet-mapping>	
- 	<servlet-mapping>
-		<servlet-name>LogOut</servlet-name>
-		<url-pattern>/LogOut</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-		<servlet-name>IDPSLO</servlet-name>
-		<url-pattern>/idpSingleLogout</url-pattern>
-	</servlet-mapping>	
-	<servlet-mapping>
-		<!--
-		<servlet-name>VerifyIdentityLink</servlet-name>
-		-->
 		<servlet-name>ProcessEngineSignal</servlet-name>
-		<url-pattern>/VerifyIdentityLink</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-		<servlet-name>VerifyCertificate</servlet-name>
-		<url-pattern>/VerifyCertificate</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-		<servlet-name>GetMISSessionID</servlet-name>
 		<url-pattern>/GetMISSessionID</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-		<servlet-name>GetForeignID</servlet-name>
-		<url-pattern>/GetForeignID</url-pattern>
-	</servlet-mapping>
-
-<!-- 	<servlet-mapping>
-		<servlet-name>ProcessInput</servlet-name>
-		<url-pattern>/ProcessInput</url-pattern>
-	</servlet-mapping> -->
-	
-	<servlet-mapping>
-		<!--
-		<servlet-name>VerifyAuthBlock</servlet-name>
-		-->
-		<servlet-name>ProcessEngineSignal</servlet-name>
 		<url-pattern>/VerifyAuthBlock</url-pattern>
+		<url-pattern>/VerifyCertificate</url-pattern>
+		<url-pattern>/VerifyIdentityLink</url-pattern>
 	</servlet-mapping>
-<!-- 	<servlet-mapping>
-		<servlet-name>ConfigurationUpdate</servlet-name>
-		<url-pattern>/ConfigurationUpdate</url-pattern>
-	</servlet-mapping> -->
-	<servlet-mapping>
-		<servlet-name>AxisServlet</servlet-name>
-		<url-pattern>/services/*</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-		<servlet-name>PEPSConnectorServlet</servlet-name>
-		<url-pattern>/PEPSConnector</url-pattern>
-	</servlet-mapping>
-<servlet-mapping>
-		<servlet-name>PEPSConnectorWithLocalSigningServlet</servlet-name>
-		<url-pattern>/PEPSConnectorWithLocalSigning</url-pattern>
-	</servlet-mapping>
-	<!-- Filters -->
-	<!-- <filter> <filter-name>DispatcherDecoratorFilter</filter-name> <filter-class>at.gv.egovernment.moa.id.sso.DispatcherDecoratorFilter</filter-class> 
-		</filter> -->
-
-	<filter>
-		<filter-name>UrlRewriteFilter</filter-name>
-		<filter-class>org.tuckey.web.filters.urlrewrite.UrlRewriteFilter</filter-class>
-	</filter>
-
-	<filter-mapping>
-		<filter-name>UrlRewriteFilter</filter-name>
-		<url-pattern>/*</url-pattern>
-	</filter-mapping>
-	<!-- <filter-mapping> <filter-name>DispatcherDecoratorFilter</filter-name> 
-		<url-pattern>/AuthDispatcher</url-pattern> <dispatcher>REQUEST</dispatcher> 
-		<dispatcher>FORWARD</dispatcher> </filter-mapping> <filter-mapping> <filter-name>DispatcherDecoratorFilter</filter-name> 
-		<url-pattern>/StartAuthentication</url-pattern> <dispatcher>REQUEST</dispatcher> 
-		<dispatcher>FORWARD</dispatcher> </filter-mapping> -->
 
 	<session-config>
 		<session-timeout>5</session-timeout>
 	</session-config>
+	
 	<error-page>
 		<error-code>500</error-code>
 		<location>/errorpage.jsp</location>
 	</error-page>
-<!-- 	<security-constraint>
-		<web-resource-collection>
-			<web-resource-name>ConfigurationUpdate</web-resource-name>
-			<url-pattern>/ConfigurationUpdate</url-pattern>
-		</web-resource-collection>
-		<auth-constraint>
-			<role-name>moa-admin</role-name>
-		</auth-constraint>
-	</security-constraint> -->
+	
 	<login-config>
 		<auth-method>BASIC</auth-method>
 		<realm-name>UserDatabase</realm-name>
 	</login-config>
 	<security-role>
-		<description>
-			The role that is required to log in to the moa Application
-		</description>
+		<description>The role that is required to log in to the moa Application</description>
 		<role-name>moa-admin</role-name>
 	</security-role>
+
 </web-app>
diff --git a/id/server/data/deploy/conf/moa-id-configuration/htmlTemplates/loginFormFull.html b/id/server/data/deploy/conf/moa-id-configuration/htmlTemplates/loginFormFull.html
index ef070b8eb..d0af6401b 100644
--- a/id/server/data/deploy/conf/moa-id-configuration/htmlTemplates/loginFormFull.html
+++ b/id/server/data/deploy/conf/moa-id-configuration/htmlTemplates/loginFormFull.html
@@ -837,7 +837,7 @@
 				src="#CONTEXTPATH#/img/valid-html5-blue.png" alt="HTML5 ist valide!" />
 			</a> <a href="http://jigsaw.w3.org/css-validator/"> <img
 				style="border: 0; width: 88px; height: 31px"
-				src="http://jigsaw.w3.org/css-validator/images/vcss-blue"
+				src="https://jigsaw.w3.org/css-validator/images/vcss-blue"
 				alt="CSS ist valide!" />
 			</a>
 		</div>
diff --git a/id/server/data/deploy/conf/moa-id-configuration/htmlTemplates/sendAssertionFormFull.html b/id/server/data/deploy/conf/moa-id-configuration/htmlTemplates/sendAssertionFormFull.html
index b80d654cc..1a3e683de 100644
--- a/id/server/data/deploy/conf/moa-id-configuration/htmlTemplates/sendAssertionFormFull.html
+++ b/id/server/data/deploy/conf/moa-id-configuration/htmlTemplates/sendAssertionFormFull.html
@@ -608,7 +608,7 @@
         </a>
         <a href="http://jigsaw.w3.org/css-validator/">
           <img   style="border:0;width:88px;height:31px"
-                 src="http://jigsaw.w3.org/css-validator/images/vcss-blue"
+                 src="https://jigsaw.w3.org/css-validator/images/vcss-blue"
                  alt="CSS ist valide!" />
         </a>
     </div>
diff --git a/id/server/data/deploy/conf/moa-id/htmlTemplates/loginFormFull.html b/id/server/data/deploy/conf/moa-id/htmlTemplates/loginFormFull.html
index f19cc5320..5b534fca3 100644
--- a/id/server/data/deploy/conf/moa-id/htmlTemplates/loginFormFull.html
+++ b/id/server/data/deploy/conf/moa-id/htmlTemplates/loginFormFull.html
@@ -837,7 +837,7 @@
 				src="#CONTEXTPATH#/img/valid-html5-blue.png" alt="HTML5 ist valide!" />
 			</a> <a href="http://jigsaw.w3.org/css-validator/"> <img
 				style="border: 0; width: 88px; height: 31px"
-				src="http://jigsaw.w3.org/css-validator/images/vcss-blue"
+				src="https://jigsaw.w3.org/css-validator/images/vcss-blue"
 				alt="CSS ist valide!" />
 			</a>
 		</div>
diff --git a/id/server/data/deploy/conf/moa-id/htmlTemplates/sendAssertionFormFull.html b/id/server/data/deploy/conf/moa-id/htmlTemplates/sendAssertionFormFull.html
index b80d654cc..1a3e683de 100644
--- a/id/server/data/deploy/conf/moa-id/htmlTemplates/sendAssertionFormFull.html
+++ b/id/server/data/deploy/conf/moa-id/htmlTemplates/sendAssertionFormFull.html
@@ -608,7 +608,7 @@
         </a>
         <a href="http://jigsaw.w3.org/css-validator/">
           <img   style="border:0;width:88px;height:31px"
-                 src="http://jigsaw.w3.org/css-validator/images/vcss-blue"
+                 src="https://jigsaw.w3.org/css-validator/images/vcss-blue"
                  alt="CSS ist valide!" />
         </a>
     </div>
diff --git a/id/server/data/deploy/conf/moa-id/htmlTemplates/slo_template.html b/id/server/data/deploy/conf/moa-id/htmlTemplates/slo_template.html
index 6cefe4054..9a621998c 100644
--- a/id/server/data/deploy/conf/moa-id/htmlTemplates/slo_template.html
+++ b/id/server/data/deploy/conf/moa-id/htmlTemplates/slo_template.html
@@ -450,7 +450,7 @@
 				src="$contextpath/img/valid-html5-blue.png" alt="HTML5 ist valide!" />
 			</a> <a href="http://jigsaw.w3.org/css-validator/"> <img
 				style="border: 0; width: 88px; height: 31px"
-				src="http://jigsaw.w3.org/css-validator/images/vcss-blue"
+				src="https://jigsaw.w3.org/css-validator/images/vcss-blue"
 				alt="CSS ist valide!" />
 			</a>
 		</div>
diff --git a/id/server/doc/htmlTemplates/BKU-selection.html b/id/server/doc/htmlTemplates/BKU-selection.html
index ef070b8eb..d0af6401b 100644
--- a/id/server/doc/htmlTemplates/BKU-selection.html
+++ b/id/server/doc/htmlTemplates/BKU-selection.html
@@ -837,7 +837,7 @@
 				src="#CONTEXTPATH#/img/valid-html5-blue.png" alt="HTML5 ist valide!" />
 			</a> <a href="http://jigsaw.w3.org/css-validator/"> <img
 				style="border: 0; width: 88px; height: 31px"
-				src="http://jigsaw.w3.org/css-validator/images/vcss-blue"
+				src="https://jigsaw.w3.org/css-validator/images/vcss-blue"
 				alt="CSS ist valide!" />
 			</a>
 		</div>
diff --git a/id/server/doc/htmlTemplates/sendAssertion.html b/id/server/doc/htmlTemplates/sendAssertion.html
index b80d654cc..1a3e683de 100644
--- a/id/server/doc/htmlTemplates/sendAssertion.html
+++ b/id/server/doc/htmlTemplates/sendAssertion.html
@@ -608,7 +608,7 @@
         </a>
         <a href="http://jigsaw.w3.org/css-validator/">
           <img   style="border:0;width:88px;height:31px"
-                 src="http://jigsaw.w3.org/css-validator/images/vcss-blue"
+                 src="https://jigsaw.w3.org/css-validator/images/vcss-blue"
                  alt="CSS ist valide!" />
         </a>
     </div>
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetMISSessionIDServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetMISSessionIDServlet.java
index 20c32a3ec..dd5253e77 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetMISSessionIDServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetMISSessionIDServlet.java
@@ -67,6 +67,7 @@ import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
 import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
 import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
 import at.gv.egovernment.moa.id.auth.exception.WrongParametersException;
+import at.gv.egovernment.moa.id.auth.tasks.GetMISSessionIDTask;
 import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils;
 import at.gv.egovernment.moa.id.config.ConnectionParameter;
 import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
@@ -83,7 +84,7 @@ import at.gv.egovernment.moa.util.DOMUtils;
 /**
  * Servlet requested for getting the foreign eID provided by the security layer
  * implementation. Utilizes the {@link AuthenticationServer}.
- * 
+ * @deprecated Use {@link GetMISSessionIDTask} instead.
  */
 public class GetMISSessionIDServlet extends AuthServlet {
 
@@ -136,6 +137,10 @@ public class GetMISSessionIDServlet extends AuthServlet {
 
 		Logger.debug("POST GetMISSessionIDServlet");
 
+		  if (System.currentTimeMillis() > 0) {
+			  throw new IllegalStateException(getClass().getName() + " should not be called any more.");
+		  }		
+		
 		resp.setHeader(MOAIDAuthConstants.HEADER_EXPIRES,
 				MOAIDAuthConstants.HEADER_VALUE_EXPIRES);
 		resp.setHeader(MOAIDAuthConstants.HEADER_PRAGMA,
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/ProcessEngineSignalServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/ProcessEngineSignalServlet.java
index 1ea8631c6..849ccf5db 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/ProcessEngineSignalServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/ProcessEngineSignalServlet.java
@@ -17,19 +17,46 @@ import at.gv.egovernment.moa.id.util.ParamValidatorUtils;
 
 import com.datentechnik.process_engine.ProcessInstance;
 
+/**
+ * Servlet that resumes a suspended process (in case of asynchronous tasks).
+ * 
+ * @author tknall
+ * 
+ */
 public class ProcessEngineSignalServlet extends AuthServlet {
 
 	private static final long serialVersionUID = 1L;
 
+	/**
+	 * Sets response headers that prevent caching (code taken from {@link AuthServlet}).
+	 * 
+	 * @param resp
+	 *            The HttpServletResponse.
+	 */
+	private void setNoCachingHeaders(HttpServletResponse resp) {
+		resp.setHeader(HEADER_EXPIRES, HEADER_VALUE_EXPIRES);
+		resp.setHeader(HEADER_PRAGMA, HEADER_VALUE_PRAGMA);
+		resp.setHeader(HEADER_CACHE_CONTROL, HEADER_VALUE_CACHE_CONTROL);
+		resp.addHeader(HEADER_CACHE_CONTROL, HEADER_VALUE_CACHE_CONTROL_IE);
+	}
+
+	/**
+	 * Processes a GET request, delegating the call to {@link #doPost(HttpServletRequest, HttpServletResponse)}.
+	 */
+	@Override
+	protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
+		this.doPost(req, resp);
+	}
+
+	/**
+	 * Resumes the current process instance that has been suspended due to an asynchronous task. The process instance is
+	 * retrieved from the MOA session referred to by the request parameter {@link MOAIDAuthConstants#PARAM_SESSIONID}.
+	 */
 	@Override
 	protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
 		String sessionID = StringEscapeUtils.escapeHtml(req.getParameter(PARAM_SESSIONID));
 
-		resp.setHeader(MOAIDAuthConstants.HEADER_EXPIRES, MOAIDAuthConstants.HEADER_VALUE_EXPIRES);
-		resp.setHeader(MOAIDAuthConstants.HEADER_PRAGMA, MOAIDAuthConstants.HEADER_VALUE_PRAGMA);
-		resp.setHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL, MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL);
-		resp.addHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL, MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL_IE);
-
+		setNoCachingHeaders(resp);
 		try {
 
 			// check parameter
@@ -44,7 +71,7 @@ public class ProcessEngineSignalServlet extends AuthServlet {
 			if (session.getProcessInstanceId() == null) {
 				throw new IllegalStateException("MOA session does not provide process instance id.");
 			}
-			
+
 			// wake up next task
 			ProcessInstance pi = getProcessEngine().getProcessInstance(session.getProcessInstanceId());
 			getProcessEngine().signal(pi);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyCertificateServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyCertificateServlet.java
index a3397f561..36e219a97 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyCertificateServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyCertificateServlet.java
@@ -65,6 +65,7 @@ import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
 import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
 import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
 import at.gv.egovernment.moa.id.auth.exception.WrongParametersException;
+import at.gv.egovernment.moa.id.auth.tasks.VerifyCertificateTask;
 import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils;
 import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
 import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage;
@@ -77,6 +78,7 @@ import at.gv.egovernment.moa.spss.util.CertificateUtils;
  * Servlet requested for getting the foreign eID
  * provided by the security layer implementation.
  * Utilizes the {@link AuthenticationServer}.
+ * @deprecated Use {@link VerifyCertificateTask} instead.
  *
  */
 public class VerifyCertificateServlet extends AuthServlet {
@@ -124,6 +126,9 @@ public class VerifyCertificateServlet extends AuthServlet {
   protected void doPost(HttpServletRequest req, HttpServletResponse resp)
     throws ServletException, IOException {
 
+	  if (System.currentTimeMillis() > 0) {
+		  throw new IllegalStateException(getClass().getName() + " should not be called any more.");
+	  }
 		Logger.debug("POST VerifyCertificateServlet");
 		
 		resp.setHeader(MOAIDAuthConstants.HEADER_EXPIRES,MOAIDAuthConstants.HEADER_VALUE_EXPIRES);
@@ -180,7 +185,8 @@ public class VerifyCertificateServlet extends AuthServlet {
 					throw new MOAIDException("session store error", null);
 				}
 	    		
-	    		ServletUtils.writeCreateXMLSignatureRequestOrRedirect(resp, session, createXMLSignatureRequestOrRedirect, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyCertificate");
+		    	ServletUtils.writeCreateXMLSignatureRequestOrRedirect(resp, session, createXMLSignatureRequestOrRedirect, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyCertificate");
+	    		
 	    	}
 	    	else {
 	    			
@@ -210,7 +216,6 @@ public class VerifyCertificateServlet extends AuthServlet {
 		    	
 		    	ServletUtils.writeCreateXMLSignatureRequest(resp, session, createXMLSignatureRequest, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "GetForeignID", dataurl);
 		    	
-		    	
 		    	Logger.debug("Send CreateXMLSignatureRequest to BKU");
 	    	}	    		    	 
 	    }
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/tasks/AbstractAuthServletTask.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/tasks/AbstractAuthServletTask.java
index d43e8cf68..d5b869777 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/tasks/AbstractAuthServletTask.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/tasks/AbstractAuthServletTask.java
@@ -1,5 +1,7 @@
 package at.gv.egovernment.moa.id.auth.tasks;
 
+import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.*;
+
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
@@ -9,7 +11,6 @@ import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
 import java.util.Map.Entry;
-import java.util.Set;
 
 import javax.servlet.RequestDispatcher;
 import javax.servlet.ServletContext;
@@ -25,10 +26,10 @@ import org.apache.commons.fileupload.servlet.ServletFileUpload;
 import org.apache.commons.lang3.ArrayUtils;
 
 import at.gv.egovernment.moa.id.advancedlogging.StatisticLogger;
-import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
 import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
 import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
 import at.gv.egovernment.moa.id.auth.exception.WrongParametersException;
+import at.gv.egovernment.moa.id.auth.servlet.AuthServlet;
 import at.gv.egovernment.moa.id.config.ConfigurationException;
 import at.gv.egovernment.moa.id.entrypoints.DispatcherServlet;
 import at.gv.egovernment.moa.id.storage.DBExceptionStoreImpl;
@@ -36,11 +37,17 @@ import at.gv.egovernment.moa.id.storage.IExceptionStore;
 import at.gv.egovernment.moa.id.util.ServletUtils;
 import at.gv.egovernment.moa.logging.Logger;
 import at.gv.egovernment.moa.util.MiscUtil;
-import at.gv.egovernment.moa.util.URLDecoder;
 
 import com.datentechnik.process_engine.springweb.AbstractSpringWebSupportedTask;
 
-public abstract class AbstractAuthServletTask extends AbstractSpringWebSupportedTask implements MOAIDAuthConstants {
+/**
+ * Task based counterpart to {@link AuthServlet}, providing the same utility methods (error handling, parameter parsing
+ * etc.).</p> The code has been taken from {@link AuthServlet}.
+ * 
+ * @author tknall
+ * 
+ */
+public abstract class AbstractAuthServletTask extends AbstractSpringWebSupportedTask {
 
 	protected static final String ERROR_CODE_PARAM = "errorid";
 
@@ -75,14 +82,10 @@ public abstract class AbstractAuthServletTask extends AbstractSpringWebSupported
 				.getRequestDispatcher("/errorpage-auth.jsp");
 		try {
 
-			resp.setHeader(MOAIDAuthConstants.HEADER_EXPIRES,
-					MOAIDAuthConstants.HEADER_VALUE_EXPIRES);
-			resp.setHeader(MOAIDAuthConstants.HEADER_PRAGMA,
-					MOAIDAuthConstants.HEADER_VALUE_PRAGMA);
-			resp.setHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,
-					MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL);
-			resp.addHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,
-					MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL_IE);
+			resp.setHeader(HEADER_EXPIRES, HEADER_VALUE_EXPIRES);
+			resp.setHeader(HEADER_PRAGMA, HEADER_VALUE_PRAGMA);
+			resp.setHeader(HEADER_CACHE_CONTROL, HEADER_VALUE_CACHE_CONTROL);
+			resp.addHeader(HEADER_CACHE_CONTROL, HEADER_VALUE_CACHE_CONTROL_IE);
 
 			dispatcher.forward(req, resp);
 		} catch (ServletException e) {
@@ -179,15 +182,7 @@ public abstract class AbstractAuthServletTask extends AbstractSpringWebSupported
 		RequestDispatcher dispatcher = context
 				.getRequestDispatcher("/errorpage-auth.jsp");
 		try {
-			resp.setHeader(MOAIDAuthConstants.HEADER_EXPIRES,
-					MOAIDAuthConstants.HEADER_VALUE_EXPIRES);
-			resp.setHeader(MOAIDAuthConstants.HEADER_PRAGMA,
-					MOAIDAuthConstants.HEADER_VALUE_PRAGMA);
-			resp.setHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,
-					MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL);
-			resp.addHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,
-					MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL_IE);
-
+			setNoCachingHeaders(resp);
 			dispatcher.forward(req, resp);
 		} catch (ServletException e) {
 			Logger.error(e);
@@ -324,32 +319,17 @@ public abstract class AbstractAuthServletTask extends AbstractSpringWebSupported
 		return bout.toString();
 	}
 
-
-	
-//	public void contextDestroyed(ServletContextEvent arg0) {
-//		Security.removeProvider((new IAIK()).getName());
-//		Security.removeProvider((new ECCProvider()).getName());
-//	}
-	
 	/**
-	 * Set response headers to avoid caching
+	 * Sets response headers that prevent caching (code taken from {@link AuthServlet}).
 	 * 
-	 * @param request
-	 *            HttpServletRequest
-	 * @param response
-	 *            HttpServletResponse
+	 * @param resp
+	 *            The HttpServletResponse.
 	 */
-	protected void setNoCachingHeadersInHttpRespone(HttpServletRequest request,
-			HttpServletResponse response) {
-		response.setHeader(MOAIDAuthConstants.HEADER_EXPIRES,
-				MOAIDAuthConstants.HEADER_VALUE_EXPIRES);
-		response.setHeader(MOAIDAuthConstants.HEADER_PRAGMA,
-				MOAIDAuthConstants.HEADER_VALUE_PRAGMA);
-		response.setHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,
-				MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL);
-		response.addHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,
-				MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL_IE);
-
+	private void setNoCachingHeaders(HttpServletResponse resp) {
+		resp.setHeader(HEADER_EXPIRES, HEADER_VALUE_EXPIRES);
+		resp.setHeader(HEADER_PRAGMA, HEADER_VALUE_PRAGMA);
+		resp.setHeader(HEADER_CACHE_CONTROL, HEADER_VALUE_CACHE_CONTROL);
+		resp.addHeader(HEADER_CACHE_CONTROL, HEADER_VALUE_CACHE_CONTROL_IE);
 	}
 
 	/**
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/tasks/CreateIdentityLinkFormTask.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/tasks/CreateIdentityLinkFormTask.java
index 4c87bb689..70afd477d 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/tasks/CreateIdentityLinkFormTask.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/tasks/CreateIdentityLinkFormTask.java
@@ -1,5 +1,7 @@
 package at.gv.egovernment.moa.id.auth.tasks;
 
+import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.*;
+
 import java.io.PrintWriter;
 
 import javax.servlet.http.HttpServletRequest;
@@ -8,6 +10,7 @@ import javax.servlet.http.HttpServletResponse;
 import org.apache.commons.lang.StringEscapeUtils;
 import org.apache.commons.lang3.ObjectUtils;
 
+import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
 import at.gv.egovernment.moa.id.auth.builder.StartAuthenticationBuilder;
 import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
 import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
@@ -22,6 +25,39 @@ import at.gv.egovernment.moa.util.StringUtils;
 
 import com.datentechnik.process_engine.api.ExecutionContext;
 
+/**
+ * Creates a http form including an embedded {@code InfoBoxReadRequest} for reading the identity link.<p/>
+ * In detail:
+ * <ul>
+ * <li>Renames the moa session id.</li>
+ * <li>Removes ExecutionContext property {@link MOAIDAuthConstants#PARAM_SESSIONID}.</li>
+ * <li>Creates the http form mentioned above.</li>
+ * <li>Returns the http form via HttpServletResponse.</li>
+ * </ul>
+ * Expects:
+ * <ul>
+ * <li>HttpServletRequest parameter {@link MOAIDAuthConstants#PARAM_SESSIONID} <strong>or</strong></li>
+ * <li>ExecutionContext property {@link MOAIDAuthConstants#PARAM_SESSIONID} (in case of legacy authentication without CCE selection, where the moa session is not provided by request parameter).</li>
+ * </ul>
+ * Result:
+ * <ul>
+ * <li>The identity link form via HttpServletResponse.</li>
+ * </ul>
+ * Possible branches:
+ * <ul>
+ * <li>In case of STORK authentication
+ * <ul>
+ * <li>Creates STORK auth SAML request.</li>
+ * <li>Creates and returns a form for submitting the SAML request to the CPEPS (post binding).</li>
+ * <li>Returns the form via HttpServletResponse.</li>
+ * </ul>
+ * </li>
+ * </ul>
+ * Code taken from {@link at.gv.egovernment.moa.id.auth.servlet.GenerateIFrameTemplateServlet}.
+ * @author tknall
+ * @see #execute(ExecutionContext, HttpServletRequest, HttpServletResponse)
+ *
+ */
 public class CreateIdentityLinkFormTask extends AbstractAuthServletTask {
 
 	@Override
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/tasks/GetMISSessionIDTask.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/tasks/GetMISSessionIDTask.java
new file mode 100644
index 000000000..40e33ae43
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/tasks/GetMISSessionIDTask.java
@@ -0,0 +1,182 @@
+package at.gv.egovernment.moa.id.auth.tasks;
+
+import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.*;
+import iaik.pki.PKIException;
+
+import java.security.GeneralSecurityException;
+import java.util.List;
+
+import javax.net.ssl.SSLSocketFactory;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.xml.parsers.ParserConfigurationException;
+
+import org.apache.commons.lang.StringEscapeUtils;
+import org.xml.sax.SAXException;
+
+import at.gv.egovernment.moa.id.auth.AuthenticationServer;
+import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder;
+import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
+import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
+import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
+import at.gv.egovernment.moa.id.auth.exception.WrongParametersException;
+import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils;
+import at.gv.egovernment.moa.id.config.ConnectionParameter;
+import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
+import at.gv.egovernment.moa.id.moduls.ModulUtils;
+import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
+import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage;
+import at.gv.egovernment.moa.id.util.ParamValidatorUtils;
+import at.gv.egovernment.moa.id.util.SSLUtils;
+import at.gv.egovernment.moa.id.util.client.mis.simple.MISMandate;
+import at.gv.egovernment.moa.id.util.client.mis.simple.MISSimpleClient;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.DOMUtils;
+
+import com.datentechnik.process_engine.api.ExecutionContext;
+
+/**
+ * Retrieves a mandate from the online mandate issuing service.<p/>
+ * In detail:
+ * <ul>
+ * <li>Renames the moa session id.</li>
+ * <li>Retrieves the mandate referenced within the moa session from the online (external) mandate issuing service.</li>
+ * <li>Verifies the mandate.</li>
+ * <li>Puts mandate into moa session.</li>
+ * <li>Redirects back to {@code /dispatcher} in order to finalize the authentication.</li>
+ * </ul>
+ * Expects:
+ * <ul>
+ * <li>HttpServletRequest parameter {@link MOAIDAuthConstants#PARAM_SESSIONID}</li>
+ * </ul>
+ * Result:
+ * <ul>
+ * <li>Mandate put into moa session.</li>
+ * <li>Redirect to {@code /dispatcher}.</li>
+ * </ul>
+ * Code taken from {@link at.gv.egovernment.moa.id.auth.servlet.GetMISSessionIDServlet}.
+ * @author tknall
+ * @see #execute(ExecutionContext, HttpServletRequest, HttpServletResponse)
+ *
+ */
+public class GetMISSessionIDTask extends AbstractAuthServletTask {
+
+	@Override
+	public void execute(ExecutionContext executionContext, HttpServletRequest req, HttpServletResponse resp)
+			throws Exception {
+		
+		Logger.debug("POST GetMISSessionIDServlet");
+
+		String sessionID = req.getParameter(PARAM_SESSIONID);
+
+		// escape parameter strings
+		sessionID = StringEscapeUtils.escapeHtml(sessionID);
+
+		AuthenticationSession session = null;
+		String pendingRequestID = null;
+		try {
+			// check parameter
+			if (!ParamValidatorUtils.isValidSessionID(sessionID))
+				throw new WrongParametersException("VerifyCertificate",
+						PARAM_SESSIONID, "auth.12");
+
+			pendingRequestID = AuthenticationSessionStoreage.getPendingRequestID(sessionID);
+			
+			session = AuthenticationServer.getSession(sessionID);
+
+			//change MOASessionID
+		    sessionID = AuthenticationSessionStoreage.changeSessionID(session);
+			
+			String misSessionID = session.getMISSessionID();
+
+			AuthConfigurationProvider authConf = AuthConfigurationProvider
+					.getInstance();
+			ConnectionParameter connectionParameters = authConf
+					.getOnlineMandatesConnectionParameter();
+			SSLSocketFactory sslFactory = SSLUtils.getSSLSocketFactory(
+					AuthConfigurationProvider.getInstance(),
+					connectionParameters);
+
+			List<MISMandate> list = MISSimpleClient.sendGetMandatesRequest(
+					connectionParameters.getUrl(), misSessionID, sslFactory);
+
+			if (list == null || list.size() == 0) {
+				Logger.error("Keine Vollmacht gefunden.");
+				throw new AuthenticationException("auth.15", null);
+			}
+
+			// for now: list contains only one element
+			MISMandate mandate = (MISMandate) list.get(0);
+
+			// TODO[tlenz]: UTF-8 ?
+			String sMandate = new String(mandate.getMandate());
+			if (sMandate == null || sMandate.compareToIgnoreCase("") == 0) {
+				Logger.error("Mandate is empty.");
+				throw new AuthenticationException("auth.15",
+						new Object[] { GET_MIS_SESSIONID });
+			}
+						
+			//check if it is a parsable XML
+			byte[] byteMandate = mandate.getMandate();
+			// TODO[tlenz]: UTF-8 ?
+			String stringMandate = new String(byteMandate);
+			DOMUtils.parseDocument(stringMandate, false,
+					null, null).getDocumentElement();
+			
+			// extract RepresentationType
+			AuthenticationServer.getInstance().verifyMandate(session, mandate);
+			
+			session.setMISMandate(mandate);
+			session.setAuthenticatedUsed(false);
+			session.setAuthenticated(true);
+			
+	    	//set QAA Level four in case of card authentifcation
+	    	session.setQAALevel(PVPConstants.STORK_QAA_1_4);
+			
+			String oldsessionID = session.getSessionID();
+			
+			//Session is implicite stored in changeSessionID!!!
+			String newMOASessionID = AuthenticationSessionStoreage.changeSessionID(session);
+			
+			Logger.info("Changed MOASession " + oldsessionID + " to Session " + newMOASessionID);
+			Logger.info("Daten angelegt zu MOASession " + newMOASessionID);
+						
+			String redirectURL = new DataURLBuilder().buildDataURL(
+					session.getAuthURL(),
+					ModulUtils.buildAuthURL(session.getModul(),
+							session.getAction(), pendingRequestID), newMOASessionID);
+			redirectURL = resp.encodeRedirectURL(redirectURL);
+			
+			// TODO[branch]: Final step back to /dispatcher
+			
+			resp.setContentType("text/html");
+			resp.setStatus(302);
+			resp.addHeader("Location", redirectURL);
+			Logger.debug("REDIRECT TO: " + redirectURL);
+
+		} catch (MOAIDException ex) {
+			handleError(null, ex, req, resp, pendingRequestID);
+			
+		} catch (GeneralSecurityException ex) {
+			handleError(null, ex, req, resp, pendingRequestID);
+			
+		} catch (PKIException e) {
+			handleError(null, e, req, resp, pendingRequestID);
+			
+		} catch (SAXException e) {
+			handleError(null, e, req, resp, pendingRequestID);
+			
+		} catch (ParserConfigurationException e) {
+			handleError(null, e, req, resp, pendingRequestID);
+			
+	    } catch (Exception e) {
+	    	Logger.error("MISMandateValidation has an interal Error.", e);
+	       
+	    }
+	    finally {
+	    	ConfigurationDBUtils.closeSession();
+	    }
+		
+	}
+
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/tasks/VerifyAuthenticationBlockTask.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/tasks/VerifyAuthenticationBlockTask.java
index ff1bc8cd1..24fea05c9 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/tasks/VerifyAuthenticationBlockTask.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/tasks/VerifyAuthenticationBlockTask.java
@@ -38,30 +38,44 @@ import at.gv.egovernment.moa.logging.Logger;
 import at.gv.egovernment.moa.util.DOMUtils;
 
 import com.datentechnik.process_engine.api.ExecutionContext;
+import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.*;
 
+/**
+ * Verifies the signed authentication block (provided as {@code CreateXMLSignatureResponse}).<p/>
+ * In detail:
+ * <ul>
+ * <li>Renames the moa session id.</li>
+ * <li>Takes the {@code CreateXMLSignatureResponse} from POST parameter {@link MOAIDAuthConstants#PARAM_XMLRESPONSE}.</li>
+ * <li>Verifies the {@code CreateXMLSignatureResponse}.</li>
+ * <li>Updates moa session.</li>
+ * <li>Redirects back to {@code /dispatcher} in order to finalize the authentication.</li>
+ * </ul>
+ * Expects:
+ * <ul>
+ * <li>HttpServletRequest parameter {@link MOAIDAuthConstants#PARAM_SESSIONID}</li>
+ * <li>HttpServletRequest parameter {@link MOAIDAuthConstants#PARAM_XMLRESPONSE} containing a {@code CreateXMLSignatureResponse}.</li>
+ * </ul>
+ * Result:
+ * <ul>
+ * <li>Authentication data put into moa session.</li>
+ * <li>Redirect to {@code /dispatcher}.</li>
+ * </ul>
+ * Possible branches:
+ * <ul>
+ * <li>In case of mandate mode
+ * <ul>
+ * <li>Creates a mandate session at the external mandate issuing service.</li>
+ * <li>Redirects the user's browser to the online mandate issuing service GUI.</li>
+ * </ul>
+ * </li>
+ * </ul>
+ * Code taken from {@link at.gv.egovernment.moa.id.auth.servlet.VerifyAuthenticationBlockServlet}.
+ * @author tknall
+ * @see #execute(ExecutionContext, HttpServletRequest, HttpServletResponse)
+ *
+ */
 public class VerifyAuthenticationBlockTask extends AbstractAuthServletTask {
 
-	  /**
-	   * Verifies the signed authentication block and redirects the browser
-	   * to the online application requested, adding a parameter needed for
-	   * retrieving the authentication data.
-	   * <br>
-	   * Request parameters:
-	   * <ul>
-	   * <li>MOASessionID: ID of associated authentication session</li>
-	   * <li>XMLResponse: <code>&lt;CreateXMLSignatureResponse&gt;</code></li>
-	   * </ul>
-	   * Response:
-	   * <ul>
-	   * <li>Status: <code>302</code></li>
-	   * <li>Header <code>"Location"</code>: URL of the online application requested, with
-	   * 						parameters <code>"Target"</code>(only if the online application is
-	   *            a public service) and <code>"SAMLArtifact"</code> added</li>
-	   * <li>Error status: <code>500</code>
-	   * </ul>
-	   * @see AuthenticationServer#verifyAuthenticationBlock
-	   * @see javax.servlet.http.HttpServlet#doPost(HttpServletRequest, HttpServletResponse)
-	   */
 	@Override
 	public void execute(ExecutionContext executionContext, HttpServletRequest req, HttpServletResponse resp)
 			throws Exception {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/tasks/VerifyCertificateTask.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/tasks/VerifyCertificateTask.java
new file mode 100644
index 000000000..979e64888
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/tasks/VerifyCertificateTask.java
@@ -0,0 +1,166 @@
+package at.gv.egovernment.moa.id.auth.tasks;
+
+import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.*;
+import iaik.x509.X509Certificate;
+
+import java.io.IOException;
+import java.util.Map;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.commons.fileupload.FileUploadException;
+import org.apache.commons.lang.StringEscapeUtils;
+
+import at.gv.egovernment.moa.id.auth.AuthenticationServer;
+import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder;
+import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
+import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
+import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
+import at.gv.egovernment.moa.id.auth.exception.WrongParametersException;
+import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils;
+import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
+import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage;
+import at.gv.egovernment.moa.id.util.ParamValidatorUtils;
+import at.gv.egovernment.moa.id.util.ServletUtils;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.spss.util.CertificateUtils;
+
+import com.datentechnik.process_engine.api.ExecutionContext;
+
+/**
+ * Parses the certificate from {@code InfoBoxReadResponse} (via POST parameter {@link MOAIDAuthConstants#PARAM_XMLRESPONSE}), creates the auth block to be signed and returns a {@code CreateXMLSignatureRequest} for auth block signature.<p/>
+ * In detail:
+ * <ul>
+ * <li>Renames the moa session id.</li>
+ * <li>Retrieves the certificate via {@code InfoBoxReadResponse} from POST parameter {@link MOAIDAuthConstants#PARAM_XMLRESPONSE}.</li>
+ * <li>Verifies the certificate.</li>
+ * <li>Creates the auth block to be signed using information from the certificate (Organwalter, foreign citizen.</li>
+ * <li>Puts it in a {@code CreateXMLSignatureRequest}.</li>
+ * <li>Updates moa session.</li>
+ * <li>Responds with {@code CreateXMLSignatureRequest}.</li>
+ * </ul>
+ * Expects:
+ * <ul>
+ * <li>HttpServletRequest parameter {@link MOAIDAuthConstants#PARAM_SESSIONID}</li>
+ * <li>HttpServletRequest parameter {@link MOAIDAuthConstants#PARAM_XMLRESPONSE} containing a {@code InfoBoxReadResponse}.</li>
+ * </ul>
+ * Result:
+ * <ul>
+ * <li>{@code CreateXMLSignatureRequest} send as HttpServletResponse (for CCE).</li>
+ * </ul>
+ * Code taken from {@link at.gv.egovernment.moa.id.auth.servlet.VerifyCertificateServlet}.
+ * @author tknall
+ * @see #execute(ExecutionContext, HttpServletRequest, HttpServletResponse)
+ *
+ */
+public class VerifyCertificateTask extends AbstractAuthServletTask {
+
+	@Override
+	public void execute(ExecutionContext executionContext, HttpServletRequest req, HttpServletResponse resp)
+			throws Exception {
+
+		// note: code taken from at.gv.egovernment.moa.id.auth.servlet.VerifyCertificateServlet
+
+		Logger.debug("POST VerifyCertificateServlet");
+		
+		String pendingRequestID = null;
+		
+		Map<String, String> parameters;
+	    try 
+	    {
+	      parameters = getParameters(req);
+	    } catch (FileUploadException e) 
+	    {
+	      Logger.error("Parsing mulitpart/form-data request parameters failed: " + e.getMessage());
+	      throw new IOException(e.getMessage());
+	     	}
+	    String sessionID = req.getParameter(PARAM_SESSIONID);
+	    
+	    // escape parameter strings
+		sessionID = StringEscapeUtils.escapeHtml(sessionID);
+		
+		pendingRequestID = AuthenticationSessionStoreage.getPendingRequestID(sessionID);
+		
+	    AuthenticationSession session = null;
+	    try {
+	       // check parameter
+	       if (!ParamValidatorUtils.isValidSessionID(sessionID))
+	          throw new WrongParametersException("VerifyCertificate", PARAM_SESSIONID, "auth.12");
+	       
+	    	session = AuthenticationServer.getSession(sessionID);
+	    	
+	        //change MOASessionID
+	        sessionID = AuthenticationSessionStoreage.changeSessionID(session);
+	    	
+    		X509Certificate cert = AuthenticationServer.getInstance().getCertificate(sessionID, parameters);
+    		if (cert == null) {
+    			Logger.error("Certificate could not be read.");
+    			throw new AuthenticationException("auth.14", null);    		
+    		}
+    		
+	    	boolean useMandate = session.getUseMandate();
+	    	
+	    	
+	    	if (useMandate) {
+
+	    		// verify certificate for OrganWalter
+	    		String createXMLSignatureRequestOrRedirect = AuthenticationServer.getInstance().verifyCertificate(session, cert);
+	    		
+		    	try {
+					AuthenticationSessionStoreage.storeSession(session);
+				} catch (MOADatabaseException e) {
+					throw new MOAIDException("session store error", null);
+				}
+	    		
+		    	// TODO[branch]: Mandate; respond with CXSR for authblock signature, dataURL "/VerifyAuthBlock"
+		    	ServletUtils.writeCreateXMLSignatureRequestOrRedirect(resp, session, createXMLSignatureRequestOrRedirect, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyCertificate");
+	    		
+	    	}
+	    	else {
+	    			
+		    	
+	    		String countrycode = CertificateUtils.getIssuerCountry(cert);
+	    		if (countrycode != null) {
+	    			if (countrycode.compareToIgnoreCase("AT") == 0) {
+	    				Logger.error("Certificate issuer country code is \"AT\". Login not support in foreign identities mode.");
+	    				throw new AuthenticationException("auth.22", null);
+	    			}
+	    		}
+	    		
+	    		// Foreign Identities Modus	
+		    	String createXMLSignatureRequest = AuthenticationServer.getInstance().createXMLSignatureRequestForeignID(session, cert);
+		      // build dataurl (to the GetForeignIDSerlvet)
+		    	String dataurl =
+	             new DataURLBuilder().buildDataURL(
+	               session.getAuthURL(),
+	               REQ_GET_FOREIGN_ID,
+	               session.getSessionID());
+	       
+		    	try {
+					AuthenticationSessionStoreage.storeSession(session);
+				} catch (MOADatabaseException e) {
+					throw new MOAIDException("session store error", null);
+				}
+		    	
+	    		// TODO[branch]: Foreign citizen; respond with CXSR for authblock signature, dataURL "/GetForeignID"
+		    	ServletUtils.writeCreateXMLSignatureRequest(resp, session, createXMLSignatureRequest, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "GetForeignID", dataurl);
+		    	
+		    	Logger.debug("Send CreateXMLSignatureRequest to BKU");
+	    	}	    		    	 
+	    }
+	    catch (MOAIDException ex) {
+	      handleError(null, ex, req, resp, pendingRequestID);
+	      
+	    } catch (Exception e) {
+	    	Logger.error("CertificateValidation has an interal Error.", e);
+	    }
+	       
+	    
+	    finally {
+	    	ConfigurationDBUtils.closeSession();
+	    }
+
+	}
+
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/tasks/VerifyIdentityLinkTask.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/tasks/VerifyIdentityLinkTask.java
index ec12643ec..c24e42b3a 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/tasks/VerifyIdentityLinkTask.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/tasks/VerifyIdentityLinkTask.java
@@ -1,5 +1,7 @@
 package at.gv.egovernment.moa.id.auth.tasks;
 
+import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.*;
+
 import java.io.IOException;
 import java.util.Map;
 
@@ -28,176 +30,179 @@ import at.gv.egovernment.moa.logging.Logger;
 
 import com.datentechnik.process_engine.api.ExecutionContext;
 
+/**
+ * Verifies the identity link and prepares auth block signature if identity link provided, or triggers reading the subject's certificate if not provided.<p/>
+ * In detail:
+ * <ul>
+ * <li>Renames the moa session id.</li>
+ * <li>Parses the identity link retrieves as {@code InfoBoxReadResponse} from POST parameter {@link MOAIDAuthConstants#PARAM_XMLRESPONSE}.</li>
+ * <li>Verifies the identity link.</li>
+ * <li>Creates the auth block to be signed.</li>
+ * <li>Updates moa session.</li>
+ * <li>Creates and returns a {@code CreateXMLSignatureRequest} via HttpServletResponse.</li>
+ * </ul>
+ * Expects:
+ * <ul>
+ * <li>HttpServletRequest parameter {@link MOAIDAuthConstants#PARAM_SESSIONID}</li>
+ * <li>HttpServletRequest parameter {@link MOAIDAuthConstants#PARAM_XMLRESPONSE} containing a {@code InfoBoxReadResponse}.</li>
+ * </ul>
+ * Result:
+ * <ul>
+ * <li>Identity link put into moa session.</li>
+ * <li>Returns {@code CreateXMLSignatureRequest} via HttpServletResponse (for CCE).</li>
+ * </ul>
+ * Possible branches:
+ * <ul>
+ * <li>In case of foreign citizen or in case of mandate
+ * <ul>
+ * <li>Create {@code InfoBoxReadRequest} for reading the subjects certificate.</li>
+ * <li>Set DataURL {@code /VerifyCertificate}.</li>
+ * <li>Respond with {@code InfoBoxReadRequest}.</li>
+ * </ul>
+ * </li>
+ * </ul>
+ * Code taken from {@link at.gv.egovernment.moa.id.auth.servlet.VerifyIdentityLinkServlet}.
+ * @author tknall
+ * @see #execute(ExecutionContext, HttpServletRequest, HttpServletResponse)
+ *
+ */
 public class VerifyIdentityLinkTask extends AbstractAuthServletTask {
 
-	/**
-	 * Verifies the identity link and responds with a new 
-	 * <code>CreateXMLSignatureRequest</code> or a new <code>
-	 * InfoboxReadRequest</code> (in case of a foreign eID card).
-	 * <br>
-	 * Request parameters:
-	 * <ul>
-	 * <li>MOASessionID: ID of associated authentication session</li>
-	 * <li>XMLResponse: <code>&lt;InfoboxReadResponse&gt;</code></li>
-	 * </ul>
-	 * Response:
-	 * <ul>
-	 * <li>Content type: <code>"text/xml"</code></li>
-	 * <li>Content: see return value of {@link AuthenticationServer#verifyIdentityLink}</li>
-	 * <li>Error status: <code>500</code>
-	 * </ul>
-	 * @see javax.servlet.http.HttpServlet#doPost(HttpServletRequest, HttpServletResponse)
-	 */
 	@Override
 	public void execute(ExecutionContext executionContext, HttpServletRequest req, HttpServletResponse resp)
 			throws Exception {
-		
+
 		// note: code taken from at.gv.egovernment.moa.id.auth.servlet.VerifyIdentityLinkServlet
 
-			Logger.debug("POST VerifyIdentityLink");
-			  
-	    Map<String, String> parameters;
-	    String pendingRequestID = null;
-	    
-	    try 
-	    {
-	      parameters = getParameters(req);
-	      
-	    } catch (Exception e) 
-	    {
-	      Logger.error("Parsing mulitpart/form-data request parameters failed: " + e.getMessage());
-	      throw new IOException(e.getMessage());
-	    }
-	    String sessionID = req.getParameter(PARAM_SESSIONID);
-	           
-	    // escape parameter strings
+		Logger.debug("POST VerifyIdentityLink");
+
+		Map<String, String> parameters;
+		String pendingRequestID = null;
+
+		try {
+			parameters = getParameters(req);
+		} catch (Exception e) {
+			Logger.error("Parsing mulitpart/form-data request parameters failed: " + e.getMessage());
+			throw new IOException(e.getMessage());
+		}
+		String sessionID = req.getParameter(PARAM_SESSIONID);
+
+		// escape parameter strings
 		sessionID = StringEscapeUtils.escapeHtml(sessionID);
-	    
+
 		pendingRequestID = AuthenticationSessionStoreage.getPendingRequestID(sessionID);
-		
-	    resp.setHeader(MOAIDAuthConstants.HEADER_EXPIRES,MOAIDAuthConstants.HEADER_VALUE_EXPIRES);
-		resp.setHeader(MOAIDAuthConstants.HEADER_PRAGMA,MOAIDAuthConstants.HEADER_VALUE_PRAGMA);
-		resp.setHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL);
-		resp.addHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL_IE);
-
-		
-	    try {
-	    // check parameter
-	       if (!ParamValidatorUtils.isValidSessionID(sessionID))
-	          throw new WrongParametersException("VerifyIdentityLink", PARAM_SESSIONID, "auth.12");
-	       
-	       
-	       AuthenticationSession session = AuthenticationServer.getSession(sessionID);
-	       
-	       //change MOASessionID
-	       sessionID = AuthenticationSessionStoreage.changeSessionID(session);
-	    	  
-	    	String createXMLSignatureRequestOrRedirect = AuthenticationServer.getInstance().verifyIdentityLink(session, parameters);
-
-	    	Logger.debug(createXMLSignatureRequestOrRedirect);
-	    	
-	    	    	
-	    	if (createXMLSignatureRequestOrRedirect == null) {
-	    	   // no identity link found
-
-	    		boolean useMandate = session.getUseMandate();
-	    		if (useMandate) {
-	    			Logger.error("Online-Mandate Mode for foreign citizencs not supported.");
-	    			throw new AuthenticationException("auth.13", null);
-	    		}
-	    		// TODO[branch]: Foreign citizen; respond with IRR for certificates, dataURL = "/VerifyCertificate"
-	    		
-	    		try {
-	    		
-	    		   Logger.info("Send InfoboxReadRequest to BKU to get signer certificate.");
-	    		   
-	    		   // create the InfoboxReadRequest to get the certificate
-	    		   String infoboxReadRequest = new InfoboxReadRequestBuilderCertificate().build(true);
-
-	    		   // build dataurl (to the VerifyCertificateSerlvet)
-	          String dataurl =
-	                new DataURLBuilder().buildDataURL(
-	                  session.getAuthURL(),
-	                  REQ_VERIFY_CERTIFICATE,
-	                  session.getSessionID());
-	          
-	          ServletUtils.writeCreateXMLSignatureRequest(resp, session, infoboxReadRequest, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyIdentityLink", dataurl);
-	          
-	    	    	
-	    	    }
-	    	    catch(Exception e) {
-	    	    	handleError(null, e, req, resp, pendingRequestID);
-	    	    }
-	    	    
-	    	}
-	    	else {
-	    		boolean useMandate = session.getUseMandate();
-	    		
-	    		if (useMandate) { // Mandate modus
-	    			
-	    			// TODO[branch]: Mandate; respond with IRR for certificates, dataURL = "/VerifyCertificate"
-	    			
-	    			// read certificate and set dataurl to 
-	    			Logger.debug("Send InfoboxReadRequest to BKU to get signer certificate.");
-	    			
-	    
-	     		   String infoboxReadRequest = new InfoboxReadRequestBuilderCertificate().build(true);
-
-	     		   // build dataurl (to the GetForeignIDSerlvet)
-	     		   String dataurl =
-	                 new DataURLBuilder().buildDataURL(
-	                   session.getAuthURL(),
-	                   REQ_VERIFY_CERTIFICATE,
-	                   session.getSessionID());
-	           
-	     		  //Logger.debug("ContentType set to: application/x-www-form-urlencoded (ServletUtils)");
-	     		  //ServletUtils.writeCreateXMLSignatureRequestURLEncoded(resp, session, infoboxReadRequest, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyIdentityLink", dataurl);
-	     		   
-	     		  Logger.debug("ContentType set to: text/xml;charset=UTF-8 (ServletUtils)");
-	     		  ServletUtils.writeCreateXMLSignatureRequest(resp, session, infoboxReadRequest, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyIdentityLink", dataurl);
-	    			
-	    		}	
-	    		else {
-	    			Logger.info("Normal");
-	    			
-	    			// TODO[branch]: Default behaviour; respond with CXSR for authblock signature, dataURL "/VerifyAuthBlock"
-	    			
-	    			OAAuthParameter oaParam = AuthConfigurationProvider.getInstance()
-	    					.getOnlineApplicationParameter(session.getPublicOAURLPrefix());
-	    			AuthConfigurationProvider authConf = AuthConfigurationProvider
-	    					.getInstance();
-	    			
-	    			createXMLSignatureRequestOrRedirect =  AuthenticationServer.getInstance()
-	    					.getCreateXMLSignatureRequestAuthBlockOrRedirect(session,
-	    					authConf, oaParam);
-	    			
-	    			ServletUtils.writeCreateXMLSignatureRequestOrRedirect(resp, session, createXMLSignatureRequestOrRedirect, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyIdentityLink");
-	    		}
-	    	}
-	    	
+
+		resp.setHeader(HEADER_EXPIRES, HEADER_VALUE_EXPIRES);
+		resp.setHeader(HEADER_PRAGMA, HEADER_VALUE_PRAGMA);
+		resp.setHeader(HEADER_CACHE_CONTROL, HEADER_VALUE_CACHE_CONTROL);
+		resp.addHeader(HEADER_CACHE_CONTROL, HEADER_VALUE_CACHE_CONTROL_IE);
+
+		try {
+			// check parameter
+			if (!ParamValidatorUtils.isValidSessionID(sessionID))
+				throw new WrongParametersException("VerifyIdentityLink", PARAM_SESSIONID, "auth.12");
+
+			AuthenticationSession session = AuthenticationServer.getSession(sessionID);
+
+			// change MOASessionID
+			sessionID = AuthenticationSessionStoreage.changeSessionID(session);
+
+			String createXMLSignatureRequestOrRedirect = AuthenticationServer.getInstance().verifyIdentityLink(session,
+					parameters);
+
+			Logger.debug(createXMLSignatureRequestOrRedirect);
+
+			if (createXMLSignatureRequestOrRedirect == null) {
+				// no identity link found
+
+				boolean useMandate = session.getUseMandate();
+				if (useMandate) {
+					Logger.error("Online-Mandate Mode for foreign citizencs not supported.");
+					throw new AuthenticationException("auth.13", null);
+				}
+				// TODO[branch]: Foreign citizen; respond with IRR for certificates, dataURL = "/VerifyCertificate"
+
+				try {
+
+					Logger.info("Send InfoboxReadRequest to BKU to get signer certificate.");
+
+					// create the InfoboxReadRequest to get the certificate
+					String infoboxReadRequest = new InfoboxReadRequestBuilderCertificate().build(true);
+
+					// build dataurl (to the VerifyCertificateSerlvet)
+					String dataurl = new DataURLBuilder().buildDataURL(session.getAuthURL(), REQ_VERIFY_CERTIFICATE,
+							session.getSessionID());
+
+					ServletUtils.writeCreateXMLSignatureRequest(resp, session, infoboxReadRequest,
+							AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyIdentityLink", dataurl);
+
+				} catch (Exception e) {
+					handleError(null, e, req, resp, pendingRequestID);
+				}
+
+			} else {
+				boolean useMandate = session.getUseMandate();
+
+				if (useMandate) { // Mandate modus
+
+					// TODO[branch]: Mandate; respond with IRR for certificates, dataURL = "/VerifyCertificate"
+
+					// read certificate and set dataurl to
+					Logger.debug("Send InfoboxReadRequest to BKU to get signer certificate.");
+
+					String infoboxReadRequest = new InfoboxReadRequestBuilderCertificate().build(true);
+
+					// build dataurl (to the GetForeignIDSerlvet)
+					String dataurl = new DataURLBuilder().buildDataURL(session.getAuthURL(), REQ_VERIFY_CERTIFICATE,
+							session.getSessionID());
+
+					// Logger.debug("ContentType set to: application/x-www-form-urlencoded (ServletUtils)");
+					// ServletUtils.writeCreateXMLSignatureRequestURLEncoded(resp, session, infoboxReadRequest,
+					// AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyIdentityLink", dataurl);
+
+					Logger.debug("ContentType set to: text/xml;charset=UTF-8 (ServletUtils)");
+					ServletUtils.writeCreateXMLSignatureRequest(resp, session, infoboxReadRequest,
+							AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyIdentityLink", dataurl);
+
+				} else {
+					Logger.info("Normal");
+
+					// TODO[branch]: Default behaviour; respond with CXSR for authblock signature, dataURL
+					// "/VerifyAuthBlock"
+
+					OAAuthParameter oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(
+							session.getPublicOAURLPrefix());
+					AuthConfigurationProvider authConf = AuthConfigurationProvider.getInstance();
+
+					createXMLSignatureRequestOrRedirect = AuthenticationServer.getInstance()
+							.getCreateXMLSignatureRequestAuthBlockOrRedirect(session, authConf, oaParam);
+
+					ServletUtils.writeCreateXMLSignatureRequestOrRedirect(resp, session,
+							createXMLSignatureRequestOrRedirect, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT,
+							"VerifyIdentityLink");
+				}
+			}
+
 			try {
 				AuthenticationSessionStoreage.storeSession(session);
-				
+
 			} catch (MOADatabaseException e) {
 				Logger.info("No valid MOA session found. Authentification process is abourted.");
 				throw new AuthenticationException("auth.20", null);
 			}
-	    }
-	    catch (ParseException ex) {
-	    	handleError(null, ex, req, resp, pendingRequestID);
-	    	
-	    } catch (MOAIDException ex) {
-	      handleError(null, ex, req, resp, pendingRequestID);
-	      
-	    } catch (Exception e) {
-	    	Logger.error("IdentityLinkValidation has an interal Error.", e);
-	    }
-	        
-	    finally {
-	    	ConfigurationDBUtils.closeSession();
-	    }
-	  }
-	
-	
-	
+		} catch (ParseException ex) {
+			handleError(null, ex, req, resp, pendingRequestID);
+
+		} catch (MOAIDException ex) {
+			handleError(null, ex, req, resp, pendingRequestID);
+
+		} catch (Exception e) {
+			Logger.error("IdentityLinkValidation has an interal Error.", e);
+		}
+
+		finally {
+			ConfigurationDBUtils.closeSession();
+		}
+	}
+
 }
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/loginFormFull.html b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/loginFormFull.html
index 3eff06daf..5ae76ed96 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/loginFormFull.html
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/loginFormFull.html
@@ -842,7 +842,7 @@ input {
 				src="#CONTEXTPATH#/img/valid-html5-blue.png" alt="HTML5 ist valide!" />
 			</a> <a href="http://jigsaw.w3.org/css-validator/"> <img
 				style="border: 0; width: 88px; height: 31px"
-				src="http://jigsaw.w3.org/css-validator/images/vcss-blue"
+				src="https://jigsaw.w3.org/css-validator/images/vcss-blue"
 				alt="CSS ist valide!" />
 			</a>
 		</div>
diff --git a/id/server/idserverlib/src/main/java/iaik/IAIKRuntimeException.java b/id/server/idserverlib/src/main/java/iaik/IAIKRuntimeException.java
new file mode 100644
index 000000000..968d3491d
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/iaik/IAIKRuntimeException.java
@@ -0,0 +1,18 @@
+package iaik;
+
+/**
+ * Adapter class providing {@code iaik.RuntimeException} for libraries that have not been updated in order to consider
+ * the fact that the class {@code IAIKRuntimeException} has been moved.
+ * 
+ * @author tknall
+ * 
+ */
+public class IAIKRuntimeException extends iaik.server.modules.IAIKRuntimeException {
+
+	private static final long serialVersionUID = 1L;
+
+	public IAIKRuntimeException(String reason, Throwable wrapped, String uniqueIdentifier) {
+		super(reason, wrapped, uniqueIdentifier);
+	}
+
+}
diff --git a/id/server/idserverlib/src/main/resources/resources/processes/DefaultAuthentication.process.xml b/id/server/idserverlib/src/main/resources/resources/processes/DefaultAuthentication.process.xml
index dd27d8a01..8ac58bd4b 100644
--- a/id/server/idserverlib/src/main/resources/resources/processes/DefaultAuthentication.process.xml
+++ b/id/server/idserverlib/src/main/resources/resources/processes/DefaultAuthentication.process.xml
@@ -5,16 +5,27 @@
 	- National authentication with Austrian Citizen Card and mobile signature.
 	- Legacy authentication for foreign citizens using MOCCA supported signature cards.
 -->
+	<pd:Task id="createIdentityLinkForm" class="at.gv.egovernment.moa.id.auth.tasks.CreateIdentityLinkFormTask" />
+	<pd:Task id="verifyIdentityLink"     class="at.gv.egovernment.moa.id.auth.tasks.VerifyIdentityLinkTask"        async="true" />
+	<pd:Task id="verifyAuthBlock"        class="at.gv.egovernment.moa.id.auth.tasks.VerifyAuthenticationBlockTask" async="true" />
+	<pd:Task id="verifyCertificate"      class="at.gv.egovernment.moa.id.auth.tasks.VerifyCertificateTask"         async="true" />
+	<pd:Task id="getMISSessionID"        class="at.gv.egovernment.moa.id.auth.tasks.GetMISSessionIDTask"           async="true" />
 
 	<pd:StartEvent id="start" />
 	
-	<pd:Transition from="start" to="createIdentityLinkForm" />
-	<pd:Task id="createIdentityLinkForm" class="at.gv.egovernment.moa.id.auth.tasks.CreateIdentityLinkFormTask" />
+	<pd:Transition from="start"                  to="createIdentityLinkForm" />
+	
 	<pd:Transition from="createIdentityLinkForm" to="verifyIdentityLink" />
-	<pd:Task id="verifyIdentityLink" class="at.gv.egovernment.moa.id.auth.tasks.VerifyIdentityLinkTask" async="true" />
-	<pd:Transition from="verifyIdentityLink" to="verifyAuthBlock" />
-	<pd:Task id="verifyAuthBlock" class="at.gv.egovernment.moa.id.auth.tasks.VerifyAuthenticationBlockTask" async="true" />
-	<pd:Transition from="verifyAuthBlock" to="end" />
+	
+	<pd:Transition from="verifyIdentityLink"     to="verifyCertificate" conditionExpression="ctx['useMandate']" />
+	<pd:Transition from="verifyIdentityLink"     to="verifyAuthBlock" />
+	
+	<pd:Transition from="verifyCertificate"      to="verifyAuthBlock" />
+	
+	<pd:Transition from="verifyAuthBlock"        to="getMISSessionID" conditionExpression="ctx['useMandate']" />
+	<pd:Transition from="verifyAuthBlock"        to="end" />
+	
+	<pd:Transition from="getMISSessionID"        to="end" />
 	
 	<pd:EndEvent id="end" />
 
diff --git a/id/server/idserverlib/src/main/resources/resources/templates/loginFormFull.html b/id/server/idserverlib/src/main/resources/resources/templates/loginFormFull.html
index 7e2ddc491..e293d8456 100644
--- a/id/server/idserverlib/src/main/resources/resources/templates/loginFormFull.html
+++ b/id/server/idserverlib/src/main/resources/resources/templates/loginFormFull.html
@@ -837,7 +837,7 @@
 				src="#CONTEXTPATH#/img/valid-html5-blue.png" alt="HTML5 ist valide!" />
 			</a> <a href="http://jigsaw.w3.org/css-validator/"> <img
 				style="border: 0; width: 88px; height: 31px"
-				src="http://jigsaw.w3.org/css-validator/images/vcss-blue"
+				src="https://jigsaw.w3.org/css-validator/images/vcss-blue"
 				alt="CSS ist valide!" />
 			</a>
 		</div>
diff --git a/id/server/idserverlib/src/main/resources/resources/templates/sendAssertionFormFull.html b/id/server/idserverlib/src/main/resources/resources/templates/sendAssertionFormFull.html
index e75bef70c..033a574b9 100644
--- a/id/server/idserverlib/src/main/resources/resources/templates/sendAssertionFormFull.html
+++ b/id/server/idserverlib/src/main/resources/resources/templates/sendAssertionFormFull.html
@@ -545,7 +545,7 @@ button:hover,button:focus,button:active,.sendButton:hover,.sendButton:focus,.sen
 				src="#CONTEXTPATH#/img/valid-html5-blue.png" alt="HTML5 ist valide!" />
 			</a> <a href="http://jigsaw.w3.org/css-validator/"> <img
 				style="border: 0; width: 88px; height: 31px"
-				src="http://jigsaw.w3.org/css-validator/images/vcss-blue"
+				src="https://jigsaw.w3.org/css-validator/images/vcss-blue"
 				alt="CSS ist valide!" />
 			</a>
 		</div>
diff --git a/id/server/idserverlib/src/main/resources/resources/templates/slo_template.html b/id/server/idserverlib/src/main/resources/resources/templates/slo_template.html
index b241e85cf..8976b2bd6 100644
--- a/id/server/idserverlib/src/main/resources/resources/templates/slo_template.html
+++ b/id/server/idserverlib/src/main/resources/resources/templates/slo_template.html
@@ -436,7 +436,7 @@
 				src="$contextpath/img/valid-html5-blue.png" alt="HTML5 ist valide!" />
 			</a> <a href="http://jigsaw.w3.org/css-validator/"> <img
 				style="border: 0; width: 88px; height: 31px"
-				src="http://jigsaw.w3.org/css-validator/images/vcss-blue"
+				src="https://jigsaw.w3.org/css-validator/images/vcss-blue"
 				alt="CSS ist valide!" />
 			</a>
 		</div>
-- 
cgit v1.2.3