From ac9a6c52e96f4c737de3392a7ba16b8fa8958b85 Mon Sep 17 00:00:00 2001
From: kstranacher <kstranacher@d688527b-c9ab-4aba-bd8d-4036d912da1d>
Date: Wed, 6 Apr 2011 15:29:11 +0000
Subject: =?UTF-8?q?-=20IAIK=20Libraries=20(repository)=20aktualisiert:=20?=
 =?UTF-8?q?=09iaik-moa:=20=20=20=20=20=20=20=20=20=20=20Version=201.29=20?=
 =?UTF-8?q?=09iaik=5Fjce=5Ffull:=09=09Version=204.0=5FMOA=20=09iaik=5Fcms:?=
 =?UTF-8?q?=09=09=09Version=204.1=5FMOA=20-=20Einbindung=20von=20Online-Vo?=
 =?UTF-8?q?llmachten=20-=20Update=20MOA-Template=20zur=20B=C3=BCrgerkarten?=
 =?UTF-8?q?auswahl=20-=20Update=20Doku=20-=20Update=20Transformationen=20(?=
 =?UTF-8?q?f=C3=BCr=20Online-Vollmachten)=20-=20=C3=84nderung=20der=20Konf?=
 =?UTF-8?q?iguration=20f=C3=BCr:=20=09-=20Online-Vollmachten?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

git-svn-id: https://joinup.ec.europa.eu/svn/moa-idspss/trunk@1199 d688527b-c9ab-4aba-bd8d-4036d912da1d
---
 .../moa/id/auth/AuthenticationServer.java          | 240 ++++++++++++++++++-
 .../moa/id/auth/MOAIDAuthConstants.java            |   2 +
 .../auth/builder/GetIdentityLinkFormBuilder.java   |  67 ++++++
 .../builder/VerifyXMLSignatureRequestBuilder.java  |  79 +++++++
 .../moa/id/auth/data/AuthenticationSession.java    |  45 ++++
 .../moa/id/auth/servlet/GetForeignIDServlet.java   |   9 +-
 .../id/auth/servlet/GetMISSessionIDServlet.java    | 174 ++++++++++++++
 .../auth/servlet/ProcessValidatorInputServlet.java |   4 +-
 .../auth/servlet/StartAuthenticationServlet.java   |  18 +-
 .../servlet/VerifyAuthenticationBlockServlet.java  |   2 +
 .../id/auth/servlet/VerifyCertificateServlet.java  | 214 +++++++++++------
 .../id/auth/servlet/VerifyIdentityLinkServlet.java |  37 ++-
 .../moa/id/auth/validator/parep/ParepUtils.java    |   9 +-
 .../id/auth/validator/parep/ParepValidator.java    |   6 +-
 .../moa/id/config/ConfigurationBuilder.java        |  32 ++-
 .../id/config/auth/AuthConfigurationProvider.java  |  15 ++
 .../moa/id/config/auth/OAAuthParameter.java        |  21 ++
 .../moa/id/proxy/servlet/ProxyServlet.java         |  12 +-
 .../moa/id/util/ParamValidatorUtils.java           |   3 +
 .../gv/egovernment/moa/id/util/ServletUtils.java   |   3 +-
 .../moa/id/util/client/mis/simple/MISMandate.java  |  48 ++++
 .../id/util/client/mis/simple/MISSessionId.java    |  22 ++
 .../id/util/client/mis/simple/MISSimpleClient.java | 261 +++++++++++++++++++++
 .../mis/simple/MISSimpleClientException.java       |  22 ++
 24 files changed, 1246 insertions(+), 99 deletions(-)
 create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetMISSessionIDServlet.java
 create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISMandate.java
 create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSessionId.java
 create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java
 create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClientException.java

(limited to 'id/server/idserverlib/src/main/java/at/gv')

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
index 64eaf30cd..a772e0457 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
@@ -15,14 +15,11 @@
 */
 package at.gv.egovernment.moa.id.auth;
 
-import iaik.ixsil.exceptions.UtilsException;
-import iaik.ixsil.util.Utils;
 import iaik.pki.PKIException;
 import iaik.x509.X509Certificate;
 
+import java.io.ByteArrayInputStream;
 import java.io.File;
-import java.io.FileInputStream;
-import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.security.GeneralSecurityException;
 import java.security.Principal;
@@ -39,10 +36,11 @@ import java.util.Vector;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.transform.TransformerException;
 
+import org.apache.xpath.XPathAPI;
+import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 import org.xml.sax.SAXException;
 
-import HTTPClient.Util;
 import at.gv.egovernment.moa.id.AuthenticationException;
 import at.gv.egovernment.moa.id.BuildException;
 import at.gv.egovernment.moa.id.ParseException;
@@ -63,6 +61,7 @@ import at.gv.egovernment.moa.id.auth.builder.VerifyXMLSignatureRequestBuilder;
 import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
 import at.gv.egovernment.moa.id.auth.data.CreateXMLSignatureResponse;
 import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute;
+import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttributeImpl;
 import at.gv.egovernment.moa.id.auth.data.IdentityLink;
 import at.gv.egovernment.moa.id.auth.data.InfoboxValidationResult;
 import at.gv.egovernment.moa.id.auth.data.InfoboxValidatorParams;
@@ -81,6 +80,7 @@ import at.gv.egovernment.moa.id.auth.validator.ValidateException;
 import at.gv.egovernment.moa.id.auth.validator.VerifyXMLSignatureResponseValidator;
 import at.gv.egovernment.moa.id.auth.validator.parep.ParepUtils;
 import at.gv.egovernment.moa.id.auth.validator.parep.ParepValidator;
+import at.gv.egovernment.moa.id.auth.validator.parep.client.szrgw.SZRGWConstants;
 import at.gv.egovernment.moa.id.auth.validator.parep.config.ParepConfiguration;
 import at.gv.egovernment.moa.id.config.ConfigurationException;
 import at.gv.egovernment.moa.id.config.ConfigurationProvider;
@@ -94,6 +94,7 @@ import at.gv.egovernment.moa.id.util.HTTPUtils;
 import at.gv.egovernment.moa.id.util.MOAIDMessageProvider;
 import at.gv.egovernment.moa.id.util.Random;
 import at.gv.egovernment.moa.id.util.SSLUtils;
+import at.gv.egovernment.moa.id.util.client.mis.simple.MISMandate;
 import at.gv.egovernment.moa.logging.LogMsg;
 import at.gv.egovernment.moa.logging.Logger;
 import at.gv.egovernment.moa.util.Base64Utils;
@@ -288,6 +289,7 @@ public class AuthenticationServer implements MOAIDAuthConstants {
    * @param oaURL online application URL requested
    * @param bkuURL URL of the "B&uuml;rgerkartenumgebung" to be used; 
    *                may be <code>null</code>; in this case, the default location will be used
+   * @param useMandate Indicates if mandate is used or not               
    * @param templateURL URL providing an HTML template for the HTML form generated
    * @param scheme determines the protocol used 
    * @return HTML form
@@ -301,6 +303,7 @@ public class AuthenticationServer implements MOAIDAuthConstants {
     String oaURL,
     String templateURL,
     String bkuURL,
+    String useMandate,
     String sessionID,
     String scheme)
     throws WrongParametersException, AuthenticationException, ConfigurationException, BuildException {
@@ -343,7 +346,7 @@ public class AuthenticationServer implements MOAIDAuthConstants {
       session.setPublicOAURLPrefix(oaParam.getPublicURLPrefix());
       session.setAuthURL(authURL);
       session.setTemplateURL(templateURL);
-      session.setBusinessService(oaParam.getBusinessService());
+      session.setBusinessService(oaParam.getBusinessService());      
     }
     // BKU URL has not been set yet, even if session already exists
     if (bkuURL == null) {
@@ -357,8 +360,15 @@ public class AuthenticationServer implements MOAIDAuthConstants {
     session.setDomainIdentifier(oaParam.getIdentityLinkDomainIdentifier());
     String infoboxReadRequest = 
       new InfoboxReadRequestBuilder().build(oaParam.getSlVersion12(), 
-                                            oaParam.getBusinessService(), 
+                                            oaParam.getBusinessService(),     
                                             oaParam.getIdentityLinkDomainIdentifier());
+    
+    if ((useMandate != null) && (useMandate.compareTo("") != 0)) {
+    	session.setUseMandate(useMandate);
+    }
+    else {
+    	session.setUseMandate("false");
+    }
     String dataURL =
       new DataURLBuilder().buildDataURL(
         session.getAuthURL(),
@@ -529,6 +539,78 @@ public class AuthenticationServer implements MOAIDAuthConstants {
     return getCreateXMLSignatureRequestAuthBlockOrRedirect(session, authConf, oaParam);
   }
   
+  
+  /**
+   * Processes an <code>Mandate</code> sent by the 
+   * MIS.<br>
+   * <ul>
+   * <li>Validates given <code>Mandate</code></li>
+   * <li>Verifies Mandate by calling the MOA SP component</li>
+   * <li>Creates an authentication block to be signed by the user</li>
+   * <li>Creates and returns a <code>&lt;CreateXMLSignatureRequest&gt;</code> 
+   *      containg the authentication block, meant to be returned to the 
+   *      security layer implementation</li>
+   * </ul>
+   * 
+   * @param sessionID ID of associated authentication session data
+   * @param infoboxReadResponseParameters The parameters from the response returned from
+   *        the BKU including the <code>&lt;InfoboxReadResponse&gt;</code>
+   * @return String representation of the <code>&lt;CreateXMLSignatureRequest&gt;</code>
+   */
+  public String verifyMandate(String sessionID, MISMandate mandate)
+    throws
+      AuthenticationException,
+      BuildException,
+      ParseException,
+      ConfigurationException,
+      ValidateException,
+      ServiceException {
+
+    if (isEmpty(sessionID))
+      throw new AuthenticationException("auth.10", new Object[] { GET_MIS_SESSIONID, PARAM_SESSIONID});
+       
+    String sMandate = new String(mandate.getMandate());
+    if (sMandate == null | sMandate.compareToIgnoreCase("") == 0) {
+    	Logger.error("Mandate is empty.");
+    	throw new AuthenticationException("auth.16", new Object[] { GET_MIS_SESSIONID});
+    }
+    
+    
+    AuthenticationSession session = getSession(sessionID);
+    AuthConfigurationProvider authConf = AuthConfigurationProvider.getInstance();
+
+      
+    OAAuthParameter oaParam =
+      AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(
+        session.getPublicOAURLPrefix());
+    
+    try {
+    	// set extended SAML attributes
+		setExtendedSAMLAttributeForMandates(session, mandate, oaParam.getBusinessService());
+	} catch (SAXException e) {
+		throw new AuthenticationException("auth.16", new Object[] { GET_MIS_SESSIONID}, e);
+	} catch (IOException e) {
+		throw new AuthenticationException("auth.16", new Object[] { GET_MIS_SESSIONID}, e);
+	} catch (ParserConfigurationException e) {
+		throw new AuthenticationException("auth.16", new Object[] { GET_MIS_SESSIONID}, e);
+	} catch (TransformerException e) {
+		throw new AuthenticationException("auth.16", new Object[] { GET_MIS_SESSIONID}, e);
+	}
+
+    
+    return getCreateXMLSignatureRequestAuthBlockOrRedirect(session, authConf, oaParam);
+  }
+  
+  /**
+   * 
+   * @param session
+   * @param authConf
+   * @param oaParam
+   * @return
+   * @throws ConfigurationException
+   * @throws BuildException
+   * @throws ValidateException
+   */
   public String getCreateXMLSignatureRequestAuthBlockOrRedirect(AuthenticationSession session, AuthConfigurationProvider authConf, OAAuthParameter oaParam)
     throws 
       ConfigurationException, 
@@ -571,6 +653,8 @@ public class AuthenticationServer implements MOAIDAuthConstants {
     return createXMLSignatureRequest;
   }
   
+  
+  
   /**
    * Returns an CreateXMLSignatureRequest for signing the ERnP statement.<br>
    * <ul>
@@ -926,6 +1010,32 @@ public class AuthenticationServer implements MOAIDAuthConstants {
     }
   }
   
+  /**
+   * Verifies the infoboxes (except of the  identity link infobox) returned by the BKU by 
+   * calling appropriate validator classes.
+   * 
+   * @param session The actual authentication session.
+   * @param mandate   The Mandate from the MIS
+   * 
+   * @throws AuthenticationException 
+   * @throws ConfigurationException  
+ * @throws TransformerException 
+ * @throws ParserConfigurationException 
+ * @throws IOException 
+ * @throws SAXException 
+   */
+  private void setExtendedSAMLAttributeForMandates(
+    AuthenticationSession session, MISMandate mandate, boolean business) 
+  throws ValidateException, ConfigurationException, SAXException, IOException, ParserConfigurationException, TransformerException
+  {
+    
+	  ExtendedSAMLAttribute[] extendedSamlAttributes = addExtendedSamlAttributes(mandate, business);
+	  
+	  
+	  AddAdditionalSAMLAttributes(session, extendedSamlAttributes, "MISService", "MISService");
+    
+  }
+  
   /**
    * Intermediate processing of the infoboxes. The first pending infobox 
    * validator may validate the provided input
@@ -985,7 +1095,9 @@ public class AuthenticationServer implements MOAIDAuthConstants {
     int length = extendedSAMLAttributes.length; 
     for (int i=0; i<length; i++) {
       ExtendedSAMLAttribute samlAttribute = extendedSAMLAttributes[i];
+      
       Object value = verifySAMLAttribute(samlAttribute, i, identifier, friendlyName);
+      
       if ((value instanceof String) || (value instanceof Element)) {
         switch (samlAttribute.getAddToAUTHBlock()) {
           case ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY:
@@ -1017,6 +1129,115 @@ public class AuthenticationServer implements MOAIDAuthConstants {
     session.setExtendedSAMLAttributesOA(oaAttributes);
   }
 
+//  /**
+//   * Adds given SAML Attributes to the current session. They will be appended
+//   * to the final SAML Assertion or the AUTH block. If the attributes are 
+//   * already in the list, they will be replaced.
+//   * 
+//   * @param session The current session
+//   * @param extendedSAMLAttributes The SAML attributes to add
+//   * @param identifier The infobox identifier for debug purposes
+//   * @param friendlyNam The friendly name of the infobox for debug purposes
+//   */
+//  private static void AddAdditionalSAMLAttributes(AuthenticationSession session, MISMandate mandate) throws ValidateException
+//  {
+//	  
+//    List oaAttributes = session.getExtendedSAMLAttributesOA();
+//    if (oaAttributes==null) oaAttributes = new Vector();
+//    List authAttributes = session.getExtendedSAMLAttributesAUTH();
+//    if (authAttributes==null) authAttributes = new Vector();
+//    
+//    
+//    addExtendedSamlAttributes(authAttributes, mandate);
+//    
+//    session.setExtendedSAMLAttributesAUTH(authAttributes);
+//    session.setExtendedSAMLAttributesOA(oaAttributes);
+//  }
+  
+  /**
+   * Adds the AUTH block related SAML attributes to the validation result. 
+   * This is needed always before the AUTH block is to be signed, because the 
+   * name of the mandator has to be set
+ * @throws ParserConfigurationException 
+ * @throws IOException 
+ * @throws SAXException 
+ * @throws TransformerException 
+   */
+  private static ExtendedSAMLAttribute[] addExtendedSamlAttributes(MISMandate mandate, boolean business) throws SAXException, IOException, ParserConfigurationException, TransformerException {
+    
+	  Vector extendedSamlAttributes = new Vector(); 
+	  
+	  extendedSamlAttributes.clear();
+    
+	  //extendedSamlAttributes.add(new ExtendedSAMLAttributeImpl(ParepValidator.EXT_SAML_MANDATE_RAW, mandate, SZRGWConstants.MANDATE_NS, ExtendedSAMLAttribute.NOT_ADD_TO_AUTHBLOCK));
+	  // RepresentationType
+	  extendedSamlAttributes.add(new ExtendedSAMLAttributeImpl(ParepValidator.EXT_SAML_MANDATE_REPRESENTATIONTYPE, ParepValidator.EXT_SAML_MANDATE_REPRESENTATIONTEXT, SZRGWConstants.MANDATE_NS, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY));
+        
+	  // Name
+	  Element domMandate = mandateToElement(mandate);
+	  Element nameSpaceNode = domMandate.getOwnerDocument().createElement("NameSpaceNode");
+	  nameSpaceNode.setAttribute("xmlns" + SZRGWConstants.PD_POSTFIX, Constants.PD_NS_URI);
+	  nameSpaceNode.setAttribute("xmlns" + SZRGWConstants.MANDATE_POSTFIX, SZRGWConstants.MANDATE_NS);
+
+	  Element mandator = (Element) XPathAPI.selectSingleNode(domMandate, "//md:Mandate/md:Mandator", nameSpaceNode);
+    
+	  // first check if physical person
+	  Element name = (Element) XPathAPI.selectSingleNode(mandator, "descendant-or-self::pr:Name/pr:GivenName", nameSpaceNode);
+	  String mandatorname = ParepUtils.extractMandatorName(mandator);
+	  
+	  extendedSamlAttributes.add(new ExtendedSAMLAttributeImpl(ParepValidator.EXT_SAML_MANDATE_NAME, mandatorname, SZRGWConstants.MANDATE_NS, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY));
+	  // Geburtsdatum
+	  String dob = ParepUtils.extractMandatorDateOfBirth(mandator);
+	  if (dob != null && !"".equals(dob)) {
+		  extendedSamlAttributes.add(new ExtendedSAMLAttributeImpl(ParepValidator.EXT_SAML_MANDATE_DOB, dob, SZRGWConstants.MANDATE_NS, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY));	  
+		  
+	  }
+	  
+	  // Mandate
+	  extendedSamlAttributes.add(new ExtendedSAMLAttributeImpl(ParepValidator.EXT_SAML_MANDATE_RAW, domMandate, SZRGWConstants.MANDATE_NS, ExtendedSAMLAttribute.NOT_ADD_TO_AUTHBLOCK));
+	  
+	  // (w)bpk
+	  String wbpk = ParepUtils.extractMandatorWbpk(mandator);
+	  if (!ParepUtils.isEmpty(wbpk)) {
+		  if (!ParepUtils.isPhysicalPerson(mandator)){
+			  String idType = ParepUtils.extractMandatorIdentificationType(mandator);
+			  if (!ParepUtils.isEmpty(idType) && idType.startsWith(Constants.URN_PREFIX_BASEID)) {
+				  extendedSamlAttributes.add(new ExtendedSAMLAttributeImpl(ParepValidator.EXT_SAML_MANDATE_CB_BASE_ID, ParepUtils.getRegisterString(idType) + ": " + wbpk, SZRGWConstants.MANDATE_NS, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY));
+			  }
+		  } else 
+			  if (business) {
+				  extendedSamlAttributes.add(new ExtendedSAMLAttributeImpl(ParepValidator.EXT_SAML_MANDATE_WBPK, wbpk, SZRGWConstants.MANDATE_NS, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY));
+			  }
+	  }
+	  
+	  String oid = mandate.getProfRep();
+	  if (oid != null) {
+		  String oidDescription = mandate.getTextualDescriptionOfOID();
+		  extendedSamlAttributes.add(new ExtendedSAMLAttributeImpl(ParepValidator.EXT_SAML_MANDATE_OIDTEXTUALDESCRIPTION, oidDescription, SZRGWConstants.MANDATE_NS, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY));
+	  }
+    	
+	  ExtendedSAMLAttribute[] ret = new ExtendedSAMLAttribute[extendedSamlAttributes.size()];
+	  extendedSamlAttributes.copyInto(ret);
+	  Logger.debug("ExtendedSAML Attributes: " + ret.length);
+	  return ret;
+
+    
+    
+  	}
+  
+  /**
+   * 
+   * @param mandate
+   * @return
+ * @throws ParserConfigurationException 
+ * @throws IOException 
+ * @throws SAXException 
+   */
+  private static Element mandateToElement(MISMandate mandate) throws SAXException, IOException, ParserConfigurationException {
+	  ByteArrayInputStream bais = new ByteArrayInputStream(mandate.getMandate());
+	  Document doc = DOMUtils.parseDocumentSimple(bais);
+	  return doc.getDocumentElement();
+  }
   private static void replaceExtendedSAMLAttribute(List attributes, ExtendedSAMLAttribute samlAttribute) {
     if (null==attributes) {
       attributes = new Vector();
@@ -1651,6 +1872,8 @@ public class AuthenticationServer implements MOAIDAuthConstants {
   private static Object verifySAMLAttribute(ExtendedSAMLAttribute samlAttribute, int i, String identifier, String friendlyName) 
     throws ValidateException{
     String name = samlAttribute.getName();
+    
+    
     if (name == null) {
       Logger.info("The name of SAML-Attribute number " + (i+1) + " returned from " + 
         identifier + "-infobox validator is null.");
@@ -1676,6 +1899,7 @@ public class AuthenticationServer implements MOAIDAuthConstants {
       throw new ValidateException(
         "validator.45", new Object[] {friendlyName ,"Wert", String.valueOf((i+1)), "null"});
     }
-    return value;
+    
+        return value;
   }
 }
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java
index 259b21db7..35dddb476 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java
@@ -60,6 +60,8 @@ public interface MOAIDAuthConstants {
   public static final String REQ_GET_FOREIGN_ID = "GetForeignID";
   /** Request name {@link at.gv.egovernment.moa.id.auth.servlet.VerifyCertificateServlet} is mapped to */
   public static final String REQ_VERIFY_CERTIFICATE = "VerifyCertificate";
+  /** Request name {@link at.gv.egovernment.moa.id.auth.servlet.GetMISSessionIDServlet} is mapped to */
+  public static final String GET_MIS_SESSIONID = "GetMISSessionID";
   /** Request name {@link at.gv.egovernment.moa.id.auth.servlet.ProcessValidatorInputServlet} is mapped to */
   public static final String REQ_PROCESS_VALIDATOR_INPUT = "ProcessInput";
   /** Request name {@link at.gv.egovernment.moa.id.auth.servlet.VerifyAuthenticationBlockServlet} is mapped to */
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/GetIdentityLinkFormBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/GetIdentityLinkFormBuilder.java
index 2e1132d32..9bab8643f 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/GetIdentityLinkFormBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/GetIdentityLinkFormBuilder.java
@@ -82,6 +82,50 @@ public class GetIdentityLinkFormBuilder extends Builder {
     "</form>" + nl +
     "</body>" + nl +
     "</html>";
+  
+  /** default HTML template */
+  private static final String DEFAULT_HTML_TEMPLATE_FOR_MANDATES = 
+    "<html>" + nl +
+    "<head>" + nl +
+    "<meta http-equiv=\"content-type\" content=\"text/html; charset=UTF-8\">" + nl +    
+    "<title>Vollmachten-Anmeldung</title>" + nl +
+    "<script type=\"text/javascript\">" + nl +
+	"window.onload=function() {" + nl +
+	"document.VollmachtenForm.submit();"  + nl +
+	"document.VollmachtenForm.Senden.disabled=true;" + nl +
+	"return;" + nl +
+	"}" + nl +
+	"</script>" + nl +
+    "</head>" + nl +
+    "<body>" + nl +
+    "<form name=\"VollmachtenForm\"" + nl +
+    "      action=\"" + BKU_TAG + "\"" + nl +
+    "      method=\"post\">" + nl +
+    "  <input type=\"hidden\" " + nl +
+    "         name=\"XMLRequest\"" + nl +
+    "         value=\"" + XMLREQUEST_TAG + "\"/>" + nl +
+    "  <input type=\"hidden\" " + nl +
+    "         name=\"DataURL\"" + nl +
+    "         value=\"" + DATAURL_TAG + "\"/>" + nl +
+    "  <input type=\"hidden\" " + nl +
+    "         name=\"PushInfobox\"" + nl +
+    "         value=\"" + PUSHINFOBOX_TAG + "\"/>" + nl +
+    "  <input type=\"submit\" value=\"Starte Signatur\" name=\"Senden\"/>" + nl +
+    "</form>" + nl +
+    "<form name=\"CertificateInfoForm\"" + nl +
+    "      action=\"" + BKU_TAG + "\"" + nl +
+    "      method=\"post\">" + nl +
+    "  <input type=\"hidden\" " + nl +
+    "         name=\"XMLRequest\"" + nl +
+    "         value=\"" + CERTINFO_XMLREQUEST_TAG + "\"/>" + nl +
+    "  <input type=\"hidden\" " + nl +
+    "         name=\"DataURL\"" + nl +
+    "         value=\"" + CERTINFO_DATAURL_TAG + "\"/>" + nl +
+//	"  <input type=\"submit\" value=\"Information zu Wurzelzertifikaten\"/>" + nl +    
+    "  <input type=\"hidden\" value=\"Information zu Wurzelzertifikaten\"/>" + nl +
+    "</form>" + nl +
+    "</body>" + nl +
+    "</html>";
 
   /**
    * Constructor for GetIdentityLinkFormBuilder.
@@ -119,6 +163,29 @@ public class GetIdentityLinkFormBuilder extends Builder {
     htmlForm = replaceTag(htmlForm, CERTINFO_DATAURL_TAG, certInfoDataURL, true, ALL);
   	return htmlForm;
   }
+  
+  /**
+   * Builds the HTML form, including XML Request and data URL as parameters.
+   * 
+   * @param htmlTemplate template to be used for the HTML form;
+   *         may be <code>null</code>, in this case a default layout will be produced
+   * @param xmlRequest XML Request to be sent as a parameter in the form
+   * @param bkuURL URL of the "B&uuml;rgerkartenumgebung" the form will be submitted to;
+   *         may be <code>null</code>, in this case the default URL will be used
+   * @param dataURL DataURL to be sent as a parameter in the form
+   */
+  public String buildCreateSignature(
+    String bkuURL, 
+    String xmlRequest, 
+    String dataURL)
+  throws BuildException 
+  {      
+  	String htmlForm = DEFAULT_HTML_TEMPLATE_FOR_MANDATES;
+    htmlForm = replaceTag(htmlForm, BKU_TAG, bkuURL, true, ALL);
+    htmlForm = replaceTag(htmlForm, XMLREQUEST_TAG, encodeParameter(xmlRequest), true, ALL);
+    htmlForm = replaceTag(htmlForm, DATAURL_TAG, dataURL, true, ALL);
+  	return htmlForm;
+  }
   /**
    * Encodes a string for inclusion as a parameter in the form.
    * Double quotes are substituted by <code>"&amp;quot;"</code>.
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/VerifyXMLSignatureRequestBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/VerifyXMLSignatureRequestBuilder.java
index 2c97f01ae..a6b61e747 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/VerifyXMLSignatureRequestBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/VerifyXMLSignatureRequestBuilder.java
@@ -152,6 +152,85 @@ public class VerifyXMLSignatureRequestBuilder {
     return requestElem_;
   }
   
+  /**
+   * Builds a <code>&lt;VerifyXMLSignatureRequest&gt;</code>
+   * from an IdentityLink with a known trustProfileID which 
+   * has to exist in MOA-SP
+   * @param identityLink - The IdentityLink
+   * @param trustProfileID - a preconfigured TrustProfile at MOA-SP
+   * 
+   * @return Element - The complete request as Dom-Element
+   * 
+   * @throws ParseException
+   */
+  public Element build(byte[]mandate, String trustProfileID)
+    throws ParseException 
+  { 
+    try {
+      // build the request
+//      Element dateTimeElem = requestDoc_.createElementNS(MOA_NS_URI, "DateTime");
+//      requestElem_.appendChild(dateTimeElem);
+//      Node dateTime = requestDoc_.createTextNode(identityLink.getIssueInstant());
+//      dateTimeElem.appendChild(dateTime);
+      Element verifiySignatureInfoElem = 
+        requestDoc_.createElementNS(MOA_NS_URI, "VerifySignatureInfo");
+      requestElem_.appendChild(verifiySignatureInfoElem);
+      Element verifySignatureEnvironmentElem = 
+        requestDoc_.createElementNS(MOA_NS_URI, "VerifySignatureEnvironment");
+      verifiySignatureInfoElem.appendChild(verifySignatureEnvironmentElem);
+      Element base64ContentElem = requestDoc_.createElementNS(MOA_NS_URI, "Base64Content");
+      verifySignatureEnvironmentElem.appendChild(base64ContentElem);
+      // insert the base64 encoded identity link SAML assertion
+      //String serializedAssertion = identityLink.getSerializedSamlAssertion();
+      //String base64EncodedAssertion = Base64Utils.encode(mandate.getBytes("UTF-8"));
+      String base64EncodedAssertion = Base64Utils.encode(mandate);
+      //replace all '\r' characters by no char.
+      StringBuffer replaced = new StringBuffer();
+      for (int i = 0; i < base64EncodedAssertion.length(); i ++) {
+        char c = base64EncodedAssertion.charAt(i);
+        if (c != '\r') {
+          replaced.append(c);
+        }
+      }
+      base64EncodedAssertion = replaced.toString();
+      Node base64Content = requestDoc_.createTextNode(base64EncodedAssertion);
+      base64ContentElem.appendChild(base64Content);      
+      // specify the signature location
+      Element verifySignatureLocationElem = 
+        requestDoc_.createElementNS(MOA_NS_URI, "VerifySignatureLocation");
+      verifiySignatureInfoElem.appendChild(verifySignatureLocationElem);
+      Node signatureLocation = requestDoc_.createTextNode(DSIG + "Signature");
+      verifySignatureLocationElem.appendChild(signatureLocation);      
+      // signature manifest params
+      Element signatureManifestCheckParamsElem = 
+        requestDoc_.createElementNS(MOA_NS_URI, "SignatureManifestCheckParams");
+      requestElem_.appendChild(signatureManifestCheckParamsElem);
+      signatureManifestCheckParamsElem.setAttribute("ReturnReferenceInputData", "false");
+//      // add the transforms
+//      Element referenceInfoElem = requestDoc_.createElementNS(MOA_NS_URI, "ReferenceInfo");
+//      signatureManifestCheckParamsElem.appendChild(referenceInfoElem);
+//      Element[] dsigTransforms = identityLink.getDsigReferenceTransforms();
+//      
+//      for (int i = 0; i < dsigTransforms.length; i++) {        
+//        Element verifyTransformsInfoProfileElem = 
+//          requestDoc_.createElementNS(MOA_NS_URI, "VerifyTransformsInfoProfile");
+//        referenceInfoElem.appendChild(verifyTransformsInfoProfileElem);
+//        verifyTransformsInfoProfileElem.appendChild(requestDoc_.importNode(dsigTransforms[i], true));        
+//      }
+      Element returnHashInputDataElem = 
+        requestDoc_.createElementNS(MOA_NS_URI, "ReturnHashInputData");
+      requestElem_.appendChild(returnHashInputDataElem);
+      Element trustProfileIDElem = requestDoc_.createElementNS(MOA_NS_URI, "TrustProfileID");
+      trustProfileIDElem.appendChild(requestDoc_.createTextNode(trustProfileID));
+      requestElem_.appendChild(trustProfileIDElem);
+    } catch (Throwable t) {
+      throw new ParseException("builder.00", 
+        new Object[] { "VerifyXMLSignatureRequest (IdentityLink)" }, t);
+    }
+
+    return requestElem_;
+  }
+  
   
   /**
    * Builds a <code>&lt;VerifyXMLSignatureRequest&gt;</code>
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java
index eca02a77b..554b5012e 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java
@@ -68,6 +68,16 @@ public class AuthenticationSession {
      * URL of the BKU
      */
     private String bkuURL;
+    
+    /**
+     * Use mandate
+     */
+    private boolean useMandate;
+    
+    /** 
+     * SessionID for MIS
+     */
+    private String misSessionID;
 	/**
 	 * identity link read from smartcard
 	 */
@@ -582,4 +592,39 @@ public class AuthenticationSession {
     this.pushInfobox = pushInfobox;
   }
   
+  /**
+   * 
+   * @param useMandate indicates if mandate is used or not
+   */
+  public void setUseMandate(String useMandate) {
+	  if (useMandate.compareToIgnoreCase("true") == 0)
+		  this.useMandate = true;
+	  else
+		  this.useMandate = false;
+	  
+  }
+  
+  /**
+   * Returns if mandate is used or not
+   * @return
+   */
+  public boolean getUseMandate() {
+	  return this.useMandate;
+  }
+  
+  /**
+   * 
+   * @param misSessionID indicates the MIS session ID
+   */
+  public void setMISSessionID(String misSessionID) {
+	  this.misSessionID = misSessionID;
+  }
+
+  /**
+   * Returns the MIS session ID
+   * @return
+   */
+  public String getMISSessionID() {
+	  return this.misSessionID;
+  }
 }
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetForeignIDServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetForeignIDServlet.java
index c83650587..9a6670617 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetForeignIDServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetForeignIDServlet.java
@@ -219,11 +219,14 @@ public class GetForeignIDServlet extends AuthServlet {
 	    		try {
 	    			client.setSSLSocketFactory(SSLUtils.getSSLSocketFactory(AuthConfigurationProvider.getInstance(), connectionParameters));
 	    		} catch (IOException e) {
-	    			throw new SZRGWClientException(e);
+	    			Logger.error("Could not initialize SSL Factory", e);
+	    			throw new SZRGWClientException("Could not initialize SSL Factory");
 	    		} catch (GeneralSecurityException e) {
-	    			throw new SZRGWClientException(e);
+	    			Logger.error("Could not initialize SSL Factory", e);
+	    			throw new SZRGWClientException("Could not initialize SSL Factory");
 	    		} catch (PKIException e) {
-	    			throw new SZRGWClientException(e);
+	    			Logger.error("Could not initialize SSL Factory", e);
+	    			throw new SZRGWClientException("Could not initialize SSL Factory");
 	    		} 
 	    	}
 	    	Logger.info("Starte Kommunikation mit dem Stammzahlenregister Gateway(" + connectionParameters.getUrl() + ")...");
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetMISSessionIDServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetMISSessionIDServlet.java
new file mode 100644
index 000000000..4c0abdb0f
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetMISSessionIDServlet.java
@@ -0,0 +1,174 @@
+package at.gv.egovernment.moa.id.auth.servlet;
+
+import iaik.pki.PKIException;
+
+import java.io.IOException;
+import java.io.PrintWriter;
+import java.security.GeneralSecurityException;
+import java.util.List;
+import java.util.Map;
+
+import javax.net.ssl.SSLSocketFactory;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.commons.fileupload.FileUploadException;
+import org.apache.commons.lang.StringEscapeUtils;
+
+import at.gv.egovernment.moa.id.BuildException;
+import at.gv.egovernment.moa.id.MOAIDException;
+import at.gv.egovernment.moa.id.auth.AuthenticationServer;
+import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
+import at.gv.egovernment.moa.id.auth.WrongParametersException;
+import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder;
+import at.gv.egovernment.moa.id.auth.builder.GetIdentityLinkFormBuilder;
+import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
+import at.gv.egovernment.moa.id.config.ConnectionParameter;
+import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
+import at.gv.egovernment.moa.id.util.ParamValidatorUtils;
+import at.gv.egovernment.moa.id.util.SSLUtils;
+import at.gv.egovernment.moa.id.util.client.mis.simple.MISMandate;
+import at.gv.egovernment.moa.id.util.client.mis.simple.MISSimpleClient;
+import at.gv.egovernment.moa.id.util.client.mis.simple.MISSimpleClientException;
+import at.gv.egovernment.moa.logging.Logger;
+
+/**
+ * Servlet requested for getting the foreign eID
+ * provided by the security layer implementation.
+ * Utilizes the {@link AuthenticationServer}.
+ *
+ */
+public class GetMISSessionIDServlet extends AuthServlet {
+
+  /**
+   * Constructor for GetMISSessionIDServlet.
+   */
+  public GetMISSessionIDServlet() {
+    super();
+  }
+
+  /**
+   * GET requested by security layer implementation to verify
+   * that data URL resource is available.
+   * @see javax.servlet.http.HttpServlet#doGet(HttpServletRequest, HttpServletResponse)
+   */
+  protected void doGet(HttpServletRequest req, HttpServletResponse resp)
+    throws ServletException, IOException { 
+    	
+	  doPost(req, resp);
+	  
+//		Logger.debug("GET GetMISSessionIDServlet");
+//		
+//		resp.setHeader(MOAIDAuthConstants.HEADER_EXPIRES,MOAIDAuthConstants.HEADER_VALUE_EXPIRES);
+//		resp.setHeader(MOAIDAuthConstants.HEADER_PRAGMA,MOAIDAuthConstants.HEADER_VALUE_PRAGMA);
+//		resp.setHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL);
+//		resp.addHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL_IE);
+  }
+
+  /**
+   * Gets the signer certificate from the InfoboxReadRequest and 
+   * responds with a new 
+   * <code>CreateXMLSignatureRequest</code>.
+   * <br>
+   * Request parameters:
+   * <ul>
+   * <li>MOASessionID: ID of associated authentication session</li>
+   * <li>XMLResponse: <code>&lt;InfoboxReadResponse&gt;</code></li>
+   * </ul>
+   * @see javax.servlet.http.HttpServlet#doPost(HttpServletRequest, HttpServletResponse)
+   */
+  protected void doPost(HttpServletRequest req, HttpServletResponse resp)
+    throws ServletException, IOException {
+
+		Logger.debug("POST GetMISSessionIDServlet");
+		
+		resp.setHeader(MOAIDAuthConstants.HEADER_EXPIRES,MOAIDAuthConstants.HEADER_VALUE_EXPIRES);
+		resp.setHeader(MOAIDAuthConstants.HEADER_PRAGMA,MOAIDAuthConstants.HEADER_VALUE_PRAGMA);
+		resp.setHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL);
+		resp.addHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL_IE);
+		
+//		Map parameters;
+//	    try 
+//	    {
+//	      parameters = getParameters(req);
+//	    } catch (FileUploadException e) 
+//	    {
+//	      Logger.error("Parsing mulitpart/form-data request parameters failed: " + e.getMessage());
+//	      throw new IOException(e.getMessage());
+//	     	}
+		
+	    String sessionID = req.getParameter(PARAM_SESSIONID);
+	    
+	    // escape parameter strings
+		sessionID = StringEscapeUtils.escapeHtml(sessionID);
+		
+	    AuthenticationSession session = null;
+	    try {
+	       // check parameter
+	       if (!ParamValidatorUtils.isValidSessionID(sessionID))
+	          throw new WrongParametersException("VerifyCertificate", PARAM_SESSIONID, "auth.12");
+	       
+	       session = AuthenticationServer.getSession(sessionID);
+	    	
+	    	String misSessionID = session.getMISSessionID();
+	    	
+	    	//System.out.println("MIS Session ID (GetMISServlet): " + misSessionID);
+	    	
+	    	AuthConfigurationProvider authConf= AuthConfigurationProvider.getInstance();
+	    	ConnectionParameter connectionParameters = authConf.getOnlineMandatesConnectionParameter();	
+	    	SSLSocketFactory sslFactory = SSLUtils.getSSLSocketFactory(AuthConfigurationProvider.getInstance(), connectionParameters);
+
+	    	List list = MISSimpleClient.sendGetMandatesRequest(connectionParameters.getUrl(), misSessionID, sslFactory);
+	    	
+	    	if (list == null) {
+	    		Logger.error("Keine Vollmacht gefunden.");
+	    		throw new MISSimpleClientException("Keine Vollmacht gefunden");
+	    	}
+	    	if (list.size() == 0) {
+	    		Logger.error("Keine Vollmacht gefunden.");
+	    		throw new MISSimpleClientException("Keine Vollmacht gefunden");
+	    	}
+	    	
+	    	// for now: list contains only one element
+	    	MISMandate mandate = (MISMandate)list.get(0);	    	
+   	
+	    	// verify mandate signature
+	    	String createXMLSignatureRequestOrRedirect = AuthenticationServer.getInstance().verifyMandate(sessionID, mandate);
+	    	
+	    	String dataurl =
+	             new DataURLBuilder().buildDataURL(
+	               session.getAuthURL(),
+	               REQ_VERIFY_AUTH_BLOCK,
+	               session.getSessionID());
+	    	
+	    	Logger.debug(createXMLSignatureRequestOrRedirect);
+	    	
+	    	String request = getHTMLForm(createXMLSignatureRequestOrRedirect, session.getBkuURL(), dataurl);
+
+	    	resp.setContentType("text/html;charset=UTF-8");
+			PrintWriter out = new PrintWriter(resp.getOutputStream());
+			out.print(request);
+			out.flush();
+	    	
+			    		      
+	    }
+	    catch (MOAIDException ex) {
+	      handleError(null, ex, req, resp);
+	    } catch (GeneralSecurityException ex) {
+	    	handleError(null, ex, req, resp);
+		} catch (PKIException e) {
+			handleError(null, e, req, resp);
+		} catch (MISSimpleClientException e) {
+			handleError(null, e, req, resp);
+		} 
+  }
+  
+  private static String getHTMLForm(String request, String bkuURI, String dataURL) throws BuildException {
+	  return new GetIdentityLinkFormBuilder().buildCreateSignature(bkuURI, request, dataURL);
+	  
+  }
+  
+  
+ 
+ }
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/ProcessValidatorInputServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/ProcessValidatorInputServlet.java
index 54d08c59e..b50a1edde 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/ProcessValidatorInputServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/ProcessValidatorInputServlet.java
@@ -68,8 +68,8 @@ public class ProcessValidatorInputServlet extends AuthServlet {
    * @see javax.servlet.http.HttpServlet#doGet(HttpServletRequest, HttpServletResponse)
    */
   protected void doGet(HttpServletRequest req, HttpServletResponse resp)
-    throws ServletException, IOException { 
-
+    throws ServletException, IOException { 
+	  
     Logger.debug("GET ProcessInput");
     resp.setHeader(MOAIDAuthConstants.HEADER_EXPIRES,MOAIDAuthConstants.HEADER_VALUE_EXPIRES);
 	resp.setHeader(MOAIDAuthConstants.HEADER_PRAGMA,MOAIDAuthConstants.HEADER_VALUE_PRAGMA);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/StartAuthenticationServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/StartAuthenticationServlet.java
index 10b4041df..2e7d59fde 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/StartAuthenticationServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/StartAuthenticationServlet.java
@@ -15,11 +15,14 @@
 */
 package at.gv.egovernment.moa.id.auth.servlet;
 
+import iaik.pki.PKIException;
+
 import java.io.IOException;
 import java.io.PrintWriter;
-import java.io.Reader;
-import java.io.StringReader;
+import java.security.GeneralSecurityException;
+import java.util.List;
 
+import javax.net.ssl.SSLSocketFactory;
 import javax.servlet.ServletConfig;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
@@ -31,8 +34,14 @@ import at.gv.egovernment.moa.id.MOAIDException;
 import at.gv.egovernment.moa.id.auth.AuthenticationServer;
 import at.gv.egovernment.moa.id.auth.MOAIDAuthInitializer;
 import at.gv.egovernment.moa.id.auth.WrongParametersException;
+import at.gv.egovernment.moa.id.config.ConfigurationException;
+import at.gv.egovernment.moa.id.config.ConnectionParameter;
+import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
 import at.gv.egovernment.moa.id.util.MOAIDMessageProvider;
 import at.gv.egovernment.moa.id.util.ParamValidatorUtils;
+import at.gv.egovernment.moa.id.util.SSLUtils;
+import at.gv.egovernment.moa.id.util.client.mis.simple.MISSimpleClient;
+import at.gv.egovernment.moa.id.util.client.mis.simple.MISSimpleClientException;
 import at.gv.egovernment.moa.logging.Logger;
 
 /**
@@ -88,8 +97,7 @@ public class StartAuthenticationServlet extends AuthServlet {
     resp.setHeader(HEADER_CACHE_CONTROL,HEADER_VALUE_CACHE_CONTROL);
     resp.addHeader(HEADER_CACHE_CONTROL,HEADER_VALUE_CACHE_CONTROL_IE);
     
-    //System.out.println("useMandate: " + useMandate);
-    
+ 	
     	try {
 		      // check parameter
 		    if (!ParamValidatorUtils.isValidTarget(target))
@@ -109,7 +117,7 @@ public class StartAuthenticationServlet extends AuthServlet {
 		    
 		    
 			String getIdentityLinkForm =
-				AuthenticationServer.getInstance().startAuthentication(authURL, target, oaURL, templateURL, bkuURL, sessionID, req.getScheme());
+				AuthenticationServer.getInstance().startAuthentication(authURL, target, oaURL, templateURL, bkuURL, useMandate, sessionID, req.getScheme());
 		
 			resp.setContentType("text/html;charset=UTF-8");
 			PrintWriter out = new PrintWriter(resp.getOutputStream());
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyAuthenticationBlockServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyAuthenticationBlockServlet.java
index ad01de6c8..f1fb15be0 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyAuthenticationBlockServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyAuthenticationBlockServlet.java
@@ -61,6 +61,8 @@ public class VerifyAuthenticationBlockServlet extends AuthServlet {
   protected void doGet(HttpServletRequest req, HttpServletResponse resp)
     throws ServletException, IOException { 
     
+	  //doPost(req, resp);
+	  
 		Logger.debug("GET VerifyAuthenticationBlock");
 		
 		resp.setHeader(MOAIDAuthConstants.HEADER_EXPIRES,MOAIDAuthConstants.HEADER_VALUE_EXPIRES);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyCertificateServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyCertificateServlet.java
index 76c5476ae..d101df1fa 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyCertificateServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyCertificateServlet.java
@@ -8,12 +8,14 @@ import java.security.GeneralSecurityException;
 import java.security.cert.CertificateEncodingException;
 import java.util.Map;
 
+import javax.net.ssl.SSLSocketFactory;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
+import javax.xml.transform.TransformerException;
 
 import org.apache.axis.encoding.Base64;
 import org.apache.commons.fileupload.FileUploadException;
@@ -22,24 +24,25 @@ import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 import org.w3c.dom.Text;
 
+import at.gv.egovernment.moa.id.AuthenticationException;
 import at.gv.egovernment.moa.id.MOAIDException;
 import at.gv.egovernment.moa.id.auth.AuthenticationServer;
 import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
 import at.gv.egovernment.moa.id.auth.WrongParametersException;
 import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder;
 import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
-import at.gv.egovernment.moa.id.auth.validator.parep.client.szrgw.CreateIdentityLinkResponse;
-import at.gv.egovernment.moa.id.auth.validator.parep.client.szrgw.SZRGWClient;
-import at.gv.egovernment.moa.id.auth.validator.parep.client.szrgw.SZRGWClientException;
 import at.gv.egovernment.moa.id.auth.validator.parep.client.szrgw.SZRGWConstants;
-import at.gv.egovernment.moa.id.config.ConfigurationException;
 import at.gv.egovernment.moa.id.config.ConnectionParameter;
 import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
-import at.gv.egovernment.moa.id.util.MOAIDMessageProvider;
+import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
 import at.gv.egovernment.moa.id.util.ParamValidatorUtils;
 import at.gv.egovernment.moa.id.util.SSLUtils;
 import at.gv.egovernment.moa.id.util.ServletUtils;
+import at.gv.egovernment.moa.id.util.client.mis.simple.MISSessionId;
+import at.gv.egovernment.moa.id.util.client.mis.simple.MISSimpleClient;
+import at.gv.egovernment.moa.id.util.client.mis.simple.MISSimpleClientException;
 import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.DOMUtils;
 
 /**
  * Servlet requested for getting the foreign eID
@@ -116,25 +119,96 @@ public class VerifyCertificateServlet extends AuthServlet {
 	       
 	    	session = AuthenticationServer.getSession(sessionID);
 	    	
-	    	X509Certificate cert = AuthenticationServer.getInstance().getCertificate(sessionID, parameters);
-	    		    	
-	    	String createXMLSignatureRequest = AuthenticationServer.getInstance().createXMLSignatureRequestForeignID(sessionID, cert);
-	      // build dataurl (to the GetForeignIDSerlvet)
-	    	String dataurl =
-             new DataURLBuilder().buildDataURL(
-               session.getAuthURL(),
-               REQ_GET_FOREIGN_ID,
-               session.getSessionID());
-       
-	    	ServletUtils.writeCreateXMLSignatureRequest(resp, session, createXMLSignatureRequest, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "GetForeignID", dataurl);
 	    	
+    		X509Certificate cert = AuthenticationServer.getInstance().getCertificate(sessionID, parameters);
+    		if (cert == null) {
+    			Logger.error("Certificate could not be read.");
+    			throw new AuthenticationException("auth.14", null);    		
+    		}
+    		
+	    	boolean useMandate = session.getUseMandate();
+	    	if (useMandate) {
+	    		// Mandate Modus	    	
+	    		// make request to MIS
+	    		
+	    		AuthConfigurationProvider authConf= AuthConfigurationProvider.getInstance();
+    			ConnectionParameter connectionParameters = authConf.getOnlineMandatesConnectionParameter();	
+    			SSLSocketFactory sslFactory = SSLUtils.getSSLSocketFactory(AuthConfigurationProvider.getInstance(), connectionParameters);
+    			
+    			// get identitity link as byte[]
+    			Element elem = session.getIdentityLink().getSamlAssertion();
+    			String s = DOMUtils.serializeNode(elem);
+//    			byte[] idl = DOMUtils.nodeToByteArray(elem);
+//    			String s = new String(idl);
+    			byte[] idl = s.getBytes();
+    			
+    			// redirect url
+    			// build redirect(to the GetMISSessionIdSerlvet)
+    	          String redirectURL =
+    	                new DataURLBuilder().buildDataURL(
+    	                  session.getAuthURL(),
+    	                  GET_MIS_SESSIONID,
+    	                  session.getSessionID());
+    			
+    	          String oaURL = session.getOAURLRequested();
+    	          OAAuthParameter oaParam = authConf.getOnlineApplicationParameter(oaURL);
+    	          String profiles = oaParam.getMandateProfiles();
+
+    	          if (profiles == null) {
+    	        	  Logger.error("No Mandate/Profile for OA configured.");
+    	        	  throw new AuthenticationException("auth.16", new Object[] { GET_MIS_SESSIONID});
+    	          }
+    	          
+    	          String profilesArray[] = profiles.split(",");  	 		 
+    	          for(int i = 0; i < profilesArray.length; i++) {
+    	        	  profilesArray[i] = profilesArray[i].trim();
+    	          }
+    	          
+    	          MISSessionId misSessionID = MISSimpleClient.sendSessionIdRequest(connectionParameters.getUrl(), idl, cert.getEncoded(), redirectURL, profilesArray, sslFactory);
+    	          String redirectMISGUI = misSessionID.getRedirectURL();
+    	          
+    	          if (misSessionID == null) {
+    	        	  Logger.error("Fehler bei Anfrage an Vollmachten Service. MIS Session ID ist null.");
+    	        	  throw new MISSimpleClientException("Fehler bei Anfrage an Vollmachten Service.");
+    	          }
+    	          
+    	          session.setMISSessionID(misSessionID.getSessiondId());
+    		
+    	          resp.setStatus(302);
+  		    	  resp.addHeader("Location", redirectMISGUI);
+  		    	  Logger.debug("REDIRECT TO: " + redirectURL);
+    	          
+	    	}
+	    	else {
+	    		// Foreign Identities Modus	
+		    	
+		    	String createXMLSignatureRequest = AuthenticationServer.getInstance().createXMLSignatureRequestForeignID(sessionID, cert);
+		      // build dataurl (to the GetForeignIDSerlvet)
+		    	String dataurl =
+	             new DataURLBuilder().buildDataURL(
+	               session.getAuthURL(),
+	               REQ_GET_FOREIGN_ID,
+	               session.getSessionID());
+	       
+		    	ServletUtils.writeCreateXMLSignatureRequest(resp, session, createXMLSignatureRequest, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "GetForeignID", dataurl);
+		    	
+		    	
+		    	Logger.debug("Send CreateXMLSignatureRequest to BKU");
+	    	}
 	    	
-	    	Logger.debug("Send CreateXMLSignatureRequest to BKU");
 			    		      
 	    }
 	    catch (MOAIDException ex) {
 	      handleError(null, ex, req, resp);
-	    } 
+	    } catch (GeneralSecurityException ex) {
+	    	handleError(null, ex, req, resp);
+		} catch (PKIException e) {
+			handleError(null, e, req, resp);
+		} catch (MISSimpleClientException e) {
+			handleError(null, e, req, resp);
+		} catch (TransformerException e) {
+			handleError(null, e, req, resp);
+		} 
   }
     
   /**
@@ -161,58 +235,58 @@ public class VerifyCertificateServlet extends AuthServlet {
  * @throws SZRGWClientException 
    */
   /*private Element getIdentityLink(Element signature) throws SZRGWClientException {*/
-     private Element getIdentityLink(X509Certificate cert) throws SZRGWClientException {
-
-    SZRGWClient client = new SZRGWClient();
-      
-    try {
-    	AuthConfigurationProvider authConf = AuthConfigurationProvider.getInstance();
-    	 ConnectionParameter connectionParameters = authConf.getForeignIDConnectionParameter();
-     	//url = "http://localhost:8081/szr-gateway/services/IdentityLinkCreation";
-    	Logger.debug("Connection Parameters: " + connectionParameters);
-      client.setAddress(connectionParameters.getUrl());
-      if (connectionParameters.getUrl().toLowerCase().startsWith("https:")) {
-         Logger.debug("Initialisiere SSL Verbindung");
-         try {
-            client.setSSLSocketFactory(SSLUtils.getSSLSocketFactory(AuthConfigurationProvider.getInstance(), connectionParameters));
-         } catch (IOException e) {
-            // TODO Auto-generated catch block
-            e.printStackTrace();
-         } catch (GeneralSecurityException e) {
-            // TODO Auto-generated catch block
-            e.printStackTrace();
-         } catch (PKIException e) {
-            // TODO Auto-generated catch block
-            e.printStackTrace();
-         }
-       }
-       
-       Logger.info("Starte Kommunikation mit dem Stammzahlenregister Gateway(" + connectionParameters.getUrl() + ")...");
-      
-   
-    }
-   catch (ConfigurationException e) {
-      Logger.warn(e);
-      Logger.warn(MOAIDMessageProvider.getInstance().getMessage("config.12", null ));
-
-    }
-    	// create request
-    	Document doc = buildGetIdentityLinkRequest(cert);
-    	Element request = doc.getDocumentElement();
-    	CreateIdentityLinkResponse response = null;
-   
-    //try {
-        response = client.createIdentityLinkResponse(request);
-    //} catch (SZRGWClientException e) {
-        // give him a second try - Nach dem Starten des Tomcat wird beim ersten Mal das Client-Zertifikat offenbar vom HTTPClient nicht mitgeschickt.
-      //  client = new SZRGWClient(url);
-      //  response = client.createIdentityLinkResponse(request);
-   // }
-   	 
-        
-	return response.getAssertion();
-	
-  }
+//     private Element getIdentityLink(X509Certificate cert) throws SZRGWClientException {
+//
+//    SZRGWClient client = new SZRGWClient();
+//      
+//    try {
+//    	AuthConfigurationProvider authConf = AuthConfigurationProvider.getInstance();
+//    	 ConnectionParameter connectionParameters = authConf.getForeignIDConnectionParameter();
+//     	//url = "http://localhost:8081/szr-gateway/services/IdentityLinkCreation";
+//    	Logger.debug("Connection Parameters: " + connectionParameters);
+//      client.setAddress(connectionParameters.getUrl());
+//      if (connectionParameters.getUrl().toLowerCase().startsWith("https:")) {
+//         Logger.debug("Initialisiere SSL Verbindung");
+//         try {
+//            client.setSSLSocketFactory(SSLUtils.getSSLSocketFactory(AuthConfigurationProvider.getInstance(), connectionParameters));
+//         } catch (IOException e) {
+//            // TODO Auto-generated catch block
+//            e.printStackTrace();
+//         } catch (GeneralSecurityException e) {
+//            // TODO Auto-generated catch block
+//            e.printStackTrace();
+//         } catch (PKIException e) {
+//            // TODO Auto-generated catch block
+//            e.printStackTrace();
+//         }
+//       }
+//       
+//       Logger.info("Starte Kommunikation mit dem Stammzahlenregister Gateway(" + connectionParameters.getUrl() + ")...");
+//      
+//   
+//    }
+//   catch (ConfigurationException e) {
+//      Logger.warn(e);
+//      Logger.warn(MOAIDMessageProvider.getInstance().getMessage("config.12", null ));
+//
+//    }
+//    	// create request
+//    	Document doc = buildGetIdentityLinkRequest(cert);
+//    	Element request = doc.getDocumentElement();
+//    	CreateIdentityLinkResponse response = null;
+//   
+//    //try {
+//        response = client.createIdentityLinkResponse(request);
+//    //} catch (SZRGWClientException e) {
+//        // give him a second try - Nach dem Starten des Tomcat wird beim ersten Mal das Client-Zertifikat offenbar vom HTTPClient nicht mitgeschickt.
+//      //  client = new SZRGWClient(url);
+//      //  response = client.createIdentityLinkResponse(request);
+//   // }
+//   	 
+//        
+//	return response.getAssertion();
+//	
+//  }
   
   /**
    * Builds the szrgw:GetIdentityLinkRequest für the SZR-GW
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java
index dff366829..23861d290 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java
@@ -18,6 +18,7 @@ package at.gv.egovernment.moa.id.auth.servlet;
 import java.io.IOException;
 import java.util.Map;
 
+import javax.net.ssl.SSLSocketFactory;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
@@ -25,6 +26,7 @@ import javax.servlet.http.HttpServletResponse;
 import org.apache.commons.fileupload.FileUploadException;
 import org.apache.commons.lang.StringEscapeUtils;
 
+import at.gv.egovernment.moa.id.AuthenticationException;
 import at.gv.egovernment.moa.id.MOAIDException;
 import at.gv.egovernment.moa.id.ParseException;
 import at.gv.egovernment.moa.id.auth.AuthenticationServer;
@@ -33,7 +35,10 @@ import at.gv.egovernment.moa.id.auth.WrongParametersException;
 import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder;
 import at.gv.egovernment.moa.id.auth.builder.InfoboxReadRequestBuilderCertificate;
 import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
+import at.gv.egovernment.moa.id.config.ConnectionParameter;
+import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
 import at.gv.egovernment.moa.id.util.ParamValidatorUtils;
+import at.gv.egovernment.moa.id.util.SSLUtils;
 import at.gv.egovernment.moa.id.util.ServletUtils;
 import at.gv.egovernment.moa.logging.Logger;
 
@@ -126,11 +131,17 @@ public class VerifyIdentityLinkServlet extends AuthServlet {
     	if (createXMLSignatureRequestOrRedirect == null) {
     	   // no identity link found
     		
+    		boolean useMandate = session.getUseMandate();
+    		if (useMandate) {
+    			Logger.error("Online-Mandate Mode for foreign citizencs not supported.");
+    			throw new AuthenticationException("auth.13", null);
+    		}
+    		
     		try {
     		
     		   Logger.debug("Send InfoboxReadRequest to BKU to get signer certificate.");
     		   
-    		// create the InfoboxReadRequest to get the certificate
+    		   // create the InfoboxReadRequest to get the certificate
     		   String infoboxReadRequest = new InfoboxReadRequestBuilderCertificate().build(true);
 
     		   // build dataurl (to the GetForeignIDSerlvet)
@@ -142,6 +153,7 @@ public class VerifyIdentityLinkServlet extends AuthServlet {
           
          
           ServletUtils.writeCreateXMLSignatureRequest(resp, session, infoboxReadRequest, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyIdentityLink", dataurl);
+          
     	    	
     	    }
     	    catch(Exception e) {
@@ -150,7 +162,28 @@ public class VerifyIdentityLinkServlet extends AuthServlet {
     	    
     	}
     	else {
-    		ServletUtils.writeCreateXMLSignatureRequestOrRedirect(resp, session, createXMLSignatureRequestOrRedirect, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyIdentityLink");
+    		boolean useMandate = session.getUseMandate();
+    		if (useMandate) { // Mandate modus
+    			// read certificate and set dataurl to VerifyCertificateForMandatesServlet
+    			
+    			Logger.debug("Send InfoboxReadRequest to BKU to get signer certificate.");
+    			
+     		   String infoboxReadRequest = new InfoboxReadRequestBuilderCertificate().build(true);
+
+     		   // build dataurl (to the GetForeignIDSerlvet)
+     		   String dataurl =
+                 new DataURLBuilder().buildDataURL(
+                   session.getAuthURL(),
+                   REQ_VERIFY_CERTIFICATE,
+                   session.getSessionID());
+           
+          
+     		   ServletUtils.writeCreateXMLSignatureRequest(resp, session, infoboxReadRequest, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyIdentityLink", dataurl);
+    			
+    		}
+    		else {
+    			ServletUtils.writeCreateXMLSignatureRequestOrRedirect(resp, session, createXMLSignatureRequestOrRedirect, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyIdentityLink");
+    		}
     	}
       
     }
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/ParepUtils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/ParepUtils.java
index a8e22562a..51551834e 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/ParepUtils.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/ParepUtils.java
@@ -43,6 +43,7 @@ import at.gv.egovernment.moa.id.config.ConfigurationException;
 import at.gv.egovernment.moa.logging.Logger;
 import at.gv.egovernment.moa.util.BoolUtils;
 import at.gv.egovernment.moa.util.Constants;
+import at.gv.egovernment.moa.util.DOMUtils;
 import at.gv.egovernment.moa.util.StringUtils;
 
 /**
@@ -245,9 +246,13 @@ public class ParepUtils {
     try {
       Element nameSpaceNode = mandator.getOwnerDocument().createElement("NameSpaceNode");
       nameSpaceNode.setAttribute("xmlns" + SZRGWConstants.PD_POSTFIX, Constants.PD_NS_URI);
-
+
+      String s = DOMUtils.serializeNode(mandator);
+      
       // check if physical person
-      Element physicalPerson = (Element) XPathAPI.selectSingleNode(mandator, "descendant-or-self::pr:PhysicalPerson", nameSpaceNode);
+      Element physicalPerson = (Element) XPathAPI.selectSingleNode(mandator, "descendant-or-self::pr:PhysicalPerson", nameSpaceNode);
+      
+      
       // Element physicalPerson = (Element)XPathAPI.selectSingleNode(mandator,
       // "descendant-or-self::pr:CorporateBody", nameSpaceNode);
       return physicalPerson != null;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/ParepValidator.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/ParepValidator.java
index 2a0126b82..9d5c0f7cf 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/ParepValidator.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/ParepValidator.java
@@ -95,7 +95,11 @@ public class ParepValidator implements InfoboxValidator {
   public final static String EXT_SAML_MANDATE_NAME = "MandatorName";
   public final static String EXT_SAML_MANDATE_DOB = "MandatorDateOfBirth";
   public final static String EXT_SAML_MANDATE_WBPK = "MandatorWbpk";
-  public final static String EXT_SAML_MANDATE_REPRESENTATIONTYPE = "RepresentationType";
+  public final static String EXT_SAML_MANDATE_REPRESENTATIONTYPE = "RepresentationType";
+  public final static String EXT_SAML_MANDATE_OIDTEXTUALDESCRIPTION = "OIDTextualDescription";
+  
+  /** */
+  public final static String EXT_SAML_MANDATE_REPRESENTATIONTEXT = "Vollmachtsvertreter";
 
   /** register and register number for non physical persons - the domain identifier for business applications*/
   public final static String EXT_SAML_MANDATE_CB_BASE_ID = "MandatorDomainIdentifier";
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConfigurationBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConfigurationBuilder.java
index dbfbda535..b5275cdd5 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConfigurationBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConfigurationBuilder.java
@@ -125,6 +125,10 @@ public class ConfigurationBuilder {
   public static final String AUTH_FOREIGN_IDENTITIES_XPATH =
     ROOT + CONF + "AuthComponent/" + CONF + "ForeignIdentities";
   
+  /** an XPATH-Expression */ 
+  public static final String AUTH_ONLINEMANDATES_XPATH =
+    ROOT + CONF + "AuthComponent/" + CONF + "OnlineMandates";
+  
   
   
   /** an XPATH-Expression */ 
@@ -146,6 +150,8 @@ public class ConfigurationBuilder {
   /** an XPATH-Expression */ 
   protected static final String OA_AUTH_COMPONENT_VERIFY_INFOBOXES_XPATH = CONF + "VerifyInfoboxes";
   /** an XPATH-Expression */ 
+  protected static final String OA_AUTH_COMPONENT_MANDATES_PROFILES_XPATH = CONF + "Mandates" + "/" + CONF + "Profiles";
+  /** an XPATH-Expression */ 
   protected static final String CONNECTION_PARAMETER_URL_XPATH =
     CONF + "ConnectionParameter/@URL";
   /** an XPATH-Expression */ 
@@ -242,6 +248,18 @@ public class ConfigurationBuilder {
      return buildConnectionParameter(foreignid);
 
   }
+  
+  /**
+   * Build a ConnectionParameter containing all information
+   * of the OnlineMandates element in the authentication component
+   * @return ConnectionParameter of the authentication component OnlineMandates element
+   */
+  public ConnectionParameter buildOnlineMandatesConnectionParameter() {
+     Element onlinemandates = (Element)XPathUtils.selectSingleNode(configElem_, AUTH_ONLINEMANDATES_XPATH);
+     if (onlinemandates==null) return null;
+     return buildConnectionParameter(onlinemandates);
+
+  }
 
   /**
    * Method buildAuthBKUSelectionType.
@@ -529,7 +547,19 @@ public class ConfigurationBuilder {
         } 
         Node verifyInfoboxParamtersNode = XPathUtils.selectSingleNode(authComponent, OA_AUTH_COMPONENT_VERIFY_INFOBOXES_XPATH);
         oap.setVerifyInfoboxParameters(buildVerifyInfoboxParameters(
-          verifyInfoboxParamtersNode, defaultVerifyInfoboxParameters, moaSpIdentityLinkTrustProfileID)); 
+          verifyInfoboxParamtersNode, defaultVerifyInfoboxParameters, moaSpIdentityLinkTrustProfileID));
+        
+        Node mandateProfilesNode = XPathUtils.selectSingleNode(authComponent, OA_AUTH_COMPONENT_MANDATES_PROFILES_XPATH);
+        if (mandateProfilesNode != null) {
+        	if ("businessService".equalsIgnoreCase(oaType)) {        		
+        		Logger.error("No Online Mandate Modus for OA of type \"businessService\" allowed.");
+                throw new ConfigurationException("config.02", null);
+        	}
+        	else {
+        		String profiles = DOMUtils.getText(mandateProfilesNode);
+        		oap.setMandateProfiles(profiles);
+        	}        	
+        }        
       } 
       OA_set.add(oap);
     }
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java
index 6e296b4f4..ceb047280 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java
@@ -164,6 +164,11 @@ public class AuthConfigurationProvider extends ConfigurationProvider {
    */
   private ConnectionParameter foreignIDConnectionParameter;
   
+  /**
+   * parameter for connection to OnlineMandates Service
+   */
+  private ConnectionParameter onlineMandatesConnectionParameter;
+  
   /**
    * Parameter for trusted BKUs
    */
@@ -271,6 +276,7 @@ public class AuthConfigurationProvider extends ConfigurationProvider {
         
         
       foreignIDConnectionParameter = builder.buildForeignIDConnectionParameter();
+      onlineMandatesConnectionParameter = builder.buildOnlineMandatesConnectionParameter();
     	onlineApplicationAuthParameters  = builder.buildOnlineApplicationAuthParameters(defaultVerifyInfoboxParameters, moaSpIdentityLinkTrustProfileID);
     	identityLinkX509SubjectNames =  builder.getIdentityLink_X509SubjectNames();
     	defaultChainingMode = builder.getDefaultChainingMode();
@@ -393,6 +399,15 @@ public class AuthConfigurationProvider extends ConfigurationProvider {
   public ConnectionParameter getForeignIDConnectionParameter() {
      return foreignIDConnectionParameter;
   }
+  
+  /**
+   * Return a ConnectionParameter bean containing all information
+   * of the authentication component OnlineMandates element
+   * @return ConnectionParameter of the authentication component OnlineMandates element
+   */
+  public ConnectionParameter getOnlineMandatesConnectionParameter() {
+     return onlineMandatesConnectionParameter;
+  }
 
   /**
    * Return a string with a url-reference to the VerifyIdentityLink trust 
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java
index c352fae6c..aa5aa21a3 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java
@@ -88,6 +88,11 @@ public class OAAuthParameter extends OAParameter {
    */
   private VerifyInfoboxParameters verifyInfoboxParameters;
   
+  /**
+   * Parameter for Mandate profiles
+   */
+  private String mandateProfiles;
+  
   /**
    * BZ
    * Type for authentication number (e.g. Firmenbuchnummer)
@@ -325,5 +330,21 @@ public class OAAuthParameter extends OAParameter {
   public void setIdentityLinkDomainIdentifierType(String identityLinkDomainIdentifierType) {
       this.identityLinkDomainIdentifierType = identityLinkDomainIdentifierType;
   }
+  
+  /**
+   * Sets the Mandate/Profiles
+   * @param profiles
+   */
+  public void setMandateProfiles(String profiles) {
+	  this.mandateProfiles = profiles;
+  }
+  
+  /**
+   * Returns the Mandates/Profiles
+   * @return
+   */
+  public String getMandateProfiles() {
+	  return this.mandateProfiles;
+  }
 
 }
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/proxy/servlet/ProxyServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/proxy/servlet/ProxyServlet.java
index ce15b75bd..6802005f1 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/proxy/servlet/ProxyServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/proxy/servlet/ProxyServlet.java
@@ -41,6 +41,8 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
 
+import org.apache.commons.lang.StringEscapeUtils;
+
 import at.gv.egovernment.moa.id.AuthenticationException;
 import at.gv.egovernment.moa.id.BuildException;
 import at.gv.egovernment.moa.id.MOAIDException;
@@ -117,12 +119,15 @@ public class ProxyServlet extends HttpServlet {
   protected void service(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
 
     Logger.debug("getRequestURL:" + req.getRequestURL().toString());
-  //@TODO Parameter
+    
+    String artifact = req.getParameter(PARAM_SAMLARTIFACT);
+    artifact = StringEscapeUtils.escapeHtml(artifact);
+    
     try {
-      if (req.getParameter(PARAM_SAMLARTIFACT) != null) {
+      if (artifact != null) {
  		// check if SAML Artifact was already used in this session (in case of page reload)
 		HttpSession session = req.getSession();
-		if (null != session && req.getParameter(PARAM_SAMLARTIFACT).equals(session.getAttribute(ATT_SAML_ARTIFACT))) {
+		if (null != session && artifact.equals(session.getAttribute(ATT_SAML_ARTIFACT))) {
 			if (session.getAttribute(ATT_BROWSERREQU)==null) {
 			    tunnelRequest(req, resp); 
 			}else{
@@ -498,7 +503,6 @@ private int tunnelRequest(HttpServletRequest req, HttpServletResponse resp, Map
   
   
   Vector parameters  = new Vector();
-//@TODO Parameter
   for (Enumeration enu = req.getParameterNames(); enu.hasMoreElements();) {
     String paramName = (String) enu.nextElement();
     if (!(paramName.equals(PARAM_SAMLARTIFACT) || paramName.equals(PARAM_TARGET))) {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java
index 79db9907b..d35fc875d 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java
@@ -446,6 +446,9 @@ public class ParamValidatorUtils {
    
    public static boolean isValidXMLDocument(String document) {
 	   
+	   if (document == null)
+		   return false;
+	   
 	   Logger.debug("Überprüfe Parameter XMLDocument");
 	   try {   
 		   DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ServletUtils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ServletUtils.java
index 1915ce40a..24e5ff3d0 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ServletUtils.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ServletUtils.java
@@ -64,7 +64,8 @@ public class ServletUtils {
       out.write(createXMLSignatureRequestOrRedirect.getBytes("UTF-8"));
       out.flush();
       out.close();
-      Logger.debug("Finished POST " + servletName);
+      Logger.debug("Finished POST " + servletName);
+      
     } else {
       String redirectURL = new DataURLBuilder().buildDataURL(session.getAuthURL(), servletGoal, session.getSessionID());
       resp.setContentType("text/html");
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISMandate.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISMandate.java
new file mode 100644
index 000000000..59ca0d5ca
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISMandate.java
@@ -0,0 +1,48 @@
+package at.gv.egovernment.moa.id.util.client.mis.simple;
+
+public class MISMandate {
+
+	final static private String OID_NOTAR = "1.2.40.0.10.3.1";
+	final static private String TEXT_NOTAR = "berufsmäßige(r) Parteienvertreter(in) mit Notariatseigenschaft";
+	
+	final static private String OID_RECHTSANWALT = "1.2.40.0.10.3.2";
+	final static private String TEXT_RECHTSANWALT = "berufsmäßige(r) Parteienvertreter(in) mit Rechtsanwaltseigenschaft";
+	
+	final static private String OID_ZIVILTECHNIKER = "1.2.40.0.10.3.3";
+	final static private String TEXT_ZIVILTECHNIKER = "berufsmäßige(r) Parteienvertreter(in) mit Ziviltechnikerinneneigenschaft";
+
+	final static private String OID_ORGANWALTER = "1.2.40.0.10.3.4";
+	final static private String TEXT_ORGANWALTER = "Organwalter";
+	
+	
+	private String oid = null;
+	private byte[] mandate = null;
+	
+	public String getProfRep() {
+  	return oid;
+  }
+	public void setProfRep(String oid) {
+  	this.oid = oid;
+  }
+	public byte[] getMandate() {
+  	return mandate;
+  }
+	public void setMandate(byte[] mandate) {
+  	this.mandate = mandate;
+  }
+	
+	public String getTextualDescriptionOfOID() {
+		if (this.oid.equalsIgnoreCase(OID_NOTAR))
+			return TEXT_NOTAR;
+		if (this.oid.equalsIgnoreCase(OID_RECHTSANWALT))
+			return TEXT_RECHTSANWALT;
+		if (this.oid.equalsIgnoreCase(OID_ZIVILTECHNIKER))
+			return TEXT_ZIVILTECHNIKER;
+		if (this.oid.equalsIgnoreCase(OID_ORGANWALTER))
+			return TEXT_ORGANWALTER;
+		
+		return "Keine textuelle Beschreibung für OID " + oid;
+		
+	}
+
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSessionId.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSessionId.java
new file mode 100644
index 000000000..d8bec4900
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSessionId.java
@@ -0,0 +1,22 @@
+package at.gv.egovernment.moa.id.util.client.mis.simple;
+
+public class MISSessionId {
+
+	private String sessiondId = null;
+	private String redirectURL = null;
+	
+	public String getSessiondId() {
+  	return sessiondId;
+  }
+	public void setSessiondId(String sessiondId) {
+  	this.sessiondId = sessiondId;
+  }
+	public String getRedirectURL() {
+  	return redirectURL;
+  }
+	public void setRedirectURL(String redirectURL) {
+  	this.redirectURL = redirectURL;
+  }
+
+	
+}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java
new file mode 100644
index 000000000..25c341584
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java
@@ -0,0 +1,261 @@
+package at.gv.egovernment.moa.id.util.client.mis.simple;
+
+import java.io.BufferedReader;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.util.ArrayList;
+import java.util.List;
+
+import javax.net.ssl.SSLSocketFactory;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
+import javax.xml.transform.TransformerException;
+
+import org.apache.commons.codec.binary.Base64;
+import org.apache.commons.httpclient.HttpClient;
+import org.apache.commons.httpclient.methods.PostMethod;
+import org.apache.commons.httpclient.methods.StringRequestEntity;
+import org.apache.commons.httpclient.protocol.Protocol;
+import org.apache.xerces.parsers.DOMParser;
+import org.apache.xpath.XPathAPI;
+import org.w3c.dom.DOMException;
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+import org.w3c.dom.Node;
+import org.w3c.dom.NodeList;
+import org.xml.sax.InputSource;
+import org.xml.sax.SAXException;
+import org.xml.sax.SAXNotRecognizedException;
+import org.xml.sax.SAXNotSupportedException;
+
+import at.gv.egovernment.moa.id.auth.validator.parep.client.szrgw.SZRGWSecureSocketFactory;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.DOMUtils;
+
+
+public class MISSimpleClient {
+
+		
+	private final static String SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/";
+	private final static String MIS_NS = "http://reference.e-government.gv.at/namespace/mandates/mis/1.0/xsd";
+	
+	private static Element NS_NODE = null;
+	
+		
+	static {
+		try {
+			NS_NODE = DocumentBuilderFactory.newInstance().newDocumentBuilder().newDocument().createElement("test");
+			NS_NODE.setAttribute("xmlns:soap", SOAP_NS);
+			NS_NODE.setAttribute("xmlns:mis", MIS_NS);
+		} catch (Exception e) {
+			Logger.warn("Error initializing namespace node.", e);
+		}
+	}
+	
+	public static List sendGetMandatesRequest(String webServiceURL, String sessionId, SSLSocketFactory sSLSocketFactory) throws MISSimpleClientException {
+		if (webServiceURL == null) {
+			throw new NullPointerException("Argument webServiceURL must not be null.");
+		}
+		if (sessionId == null) {
+			throw new NullPointerException("Argument sessionId must not be null.");
+		}
+		
+		// ssl settings
+		if (sSLSocketFactory != null) {
+	        SZRGWSecureSocketFactory fac = new SZRGWSecureSocketFactory(sSLSocketFactory); 
+	        Protocol.registerProtocol("https", new Protocol("https", fac, 443));
+		}
+
+		
+		try {
+			Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder().newDocument();
+			Element mirElement = doc.createElementNS(MIS_NS, "MandateIssueRequest");
+			Element sessionIdElement = doc.createElementNS(MIS_NS, "SessionID");
+			sessionIdElement.appendChild(doc.createTextNode(sessionId));
+			mirElement.appendChild(sessionIdElement);
+	    
+			// send soap request
+			Element mandateIssueResponseElement = sendSOAPRequest(webServiceURL, mirElement);
+	    
+			// check for error
+			checkForError(mandateIssueResponseElement);
+	    
+			// check for session id
+			NodeList mandateElements  = XPathAPI.selectNodeList(mandateIssueResponseElement, "//mis:MandateIssueResponse/mis:Mandates/mis:Mandate", NS_NODE);
+	    
+			if (mandateElements == null || mandateElements.getLength() == 0) {
+				throw new MISSimpleClientException("No mandates found in response.");
+			}
+	    
+			ArrayList foundMandates = new ArrayList();
+			for (int i=0; i<mandateElements.getLength(); i++) {
+				Element mandate = (Element) mandateElements.item(i);
+				MISMandate misMandate = new MISMandate();
+				if (mandate.hasAttribute("ProfessionalRepresentative")) {
+					misMandate.setProfRep(mandate.getAttribute("ProfessionalRepresentative"));
+				}
+				
+				//misMandate.setMandate(Base64.decodeBase64(DOMUtils.getText(mandate)));
+				misMandate.setMandate(Base64.decodeBase64(DOMUtils.getText(mandate).getBytes()));
+				foundMandates.add(misMandate);
+			}
+			return foundMandates;
+		} catch (ParserConfigurationException e) {
+			throw new MISSimpleClientException(e);
+		} catch (DOMException e) {
+			throw new MISSimpleClientException(e);
+		} catch (TransformerException e) {
+			throw new MISSimpleClientException(e);
+		} 
+	}
+	
+	public static MISSessionId sendSessionIdRequest(String webServiceURL, byte[] idl, byte[] cert, String redirectURL, String mandateIdentifier[], SSLSocketFactory sSLSocketFactory) throws MISSimpleClientException {
+		if (webServiceURL == null) {
+			throw new NullPointerException("Argument webServiceURL must not be null.");
+		}
+		if (idl == null) {
+			throw new NullPointerException("Argument idl must not be null.");
+		}
+		if (redirectURL == null) {
+			throw new NullPointerException("Argument redirectURL must not be null.");
+		}
+		
+		// ssl settings
+		if (sSLSocketFactory != null) {
+	        SZRGWSecureSocketFactory fac = new SZRGWSecureSocketFactory(sSLSocketFactory); 
+	        Protocol.registerProtocol("https", new Protocol("https", fac, 443));
+		}
+		
+		try {
+			Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder().newDocument();
+			Element mirElement = doc.createElementNS(MIS_NS, "MandateIssueRequest");
+			Element idlElement = doc.createElementNS(MIS_NS, "IdentityLink");
+	    
+			idlElement.appendChild(doc.createTextNode(new String(Base64.encodeBase64(idl))));
+			mirElement.appendChild(idlElement);
+
+			if (cert != null && cert.length > 0) {
+				Element certElement = doc.createElementNS(MIS_NS, "X509SignatureCertificate");
+				certElement.appendChild(doc.createTextNode(new String(Base64.encodeBase64(cert))));
+				//certElement.appendChild(doc.createTextNode(Base64.encodeBase64(cert)));
+				//	    	certElement.appendChild(doc.createTextNode(new String(Base64.encodeBase64(cert))));
+				mirElement.appendChild(certElement);
+			}
+			Element redirectElement = doc.createElementNS(MIS_NS, "RedirectURL");
+			redirectElement.appendChild(doc.createTextNode(redirectURL));
+			mirElement.appendChild(redirectElement);
+			if (mandateIdentifier != null && mandateIdentifier.length > 0) {
+				Element filtersElement = doc.createElementNS(MIS_NS, "Filters");
+				Element mandateIdentifiersElement = doc.createElementNS(MIS_NS, "MandateIdentifiers");
+				for (int i=0; i<mandateIdentifier.length; i++) {
+					Element mandateIdentifierElement = doc.createElementNS(MIS_NS, "MandateIdentifier");
+					mandateIdentifierElement.appendChild(doc.createTextNode(mandateIdentifier[i]));
+					mandateIdentifiersElement.appendChild(mandateIdentifierElement);
+				}
+				filtersElement.appendChild(mandateIdentifiersElement);
+				mirElement.appendChild(filtersElement);
+			}
+			// send soap request
+			Element mandateIssueResponseElement = sendSOAPRequest(webServiceURL, mirElement);
+
+			// check for error
+			checkForError(mandateIssueResponseElement);
+	    
+			// check for session id
+			//String sessionId = ((Node) XPathAPI.selectSingleNode(mandateIssueResponseElement, "/mis:MandateIssueResponse/mis:SessionID/text()", NS_NODE)).getNodeValue();
+			Node sessionIdNode = ((Node) XPathAPI.selectSingleNode(mandateIssueResponseElement, "//mis:MandateIssueResponse/mis:SessionID/text()", NS_NODE));
+			if (sessionIdNode == null) {
+				throw new MISSimpleClientException("SessionId not found in response.");
+			}
+			String sessionId = sessionIdNode.getNodeValue();
+
+			Node guiRedirectURLNode = ((Node) XPathAPI.selectSingleNode(mandateIssueResponseElement, "//mis:MandateIssueResponse/mis:GuiRedirectURL/text()", NS_NODE));
+			if (guiRedirectURLNode == null) {
+				throw new MISSimpleClientException("GuiRedirectURL not found in response.");
+			}
+			String guiRedirectURL = guiRedirectURLNode.getNodeValue();
+	    
+			// create return object
+			MISSessionId msid = new MISSessionId();
+			msid.setSessiondId(sessionId);
+			msid.setRedirectURL(guiRedirectURL);
+	    
+			return msid;
+		} catch (ParserConfigurationException e) {
+			throw new MISSimpleClientException(e);
+		} catch (DOMException e) {
+			throw new MISSimpleClientException(e);
+		} catch (TransformerException e) {
+			throw new MISSimpleClientException(e);
+		}
+		
+	}
+	
+	private static void checkForError(Element mandateIssueResponseElement) throws MISSimpleClientException {
+		if (mandateIssueResponseElement == null) {
+			throw new NullPointerException("Argument mandateIssueResponseElement must not be null.");
+		}
+		try {
+		    Element errorElement = (Element) XPathAPI.selectSingleNode(mandateIssueResponseElement, "//mis:MandateIssueResponse/mis:Error", NS_NODE);
+		    if (errorElement != null) {
+		    	String code = ((Node) XPathAPI.selectSingleNode(mandateIssueResponseElement, "//mis:MandateIssueResponse/mis:Error/mis:Code/text()", NS_NODE)).getNodeValue();
+		    	String text = ((Node) XPathAPI.selectSingleNode(mandateIssueResponseElement, "//mis:MandateIssueResponse/mis:Error/mis:Text/text()", NS_NODE)).getNodeValue();
+		    	throw new MISSimpleClientException("Fehler beim Abfragen des Online-Vollmachten Services: " + code + " / " + text);	    }
+		} catch (TransformerException e) {
+			throw new MISSimpleClientException(e);
+		}
+	}
+	
+	private static Element sendSOAPRequest(String webServiceURL, Element request) throws MISSimpleClientException {
+		if (webServiceURL == null) {
+			throw new NullPointerException("Argument webServiceURL must not be null.");
+		}
+		if (request == null) {
+			throw new NullPointerException("Argument request must not be null.");
+		}
+		try {
+			HttpClient httpclient = new HttpClient();
+			PostMethod post = new PostMethod(webServiceURL);
+			StringRequestEntity re = new StringRequestEntity(DOMUtils.serializeNode(packIntoSOAP(request)),"text/xml", "UTF-8");
+			post.setRequestEntity(re);
+			int responseCode = httpclient.executeMethod(post);			
+			if (responseCode != 200) {
+				throw new MISSimpleClientException("Invalid HTTP response code " + responseCode);
+			}
+			//Element elem = parse(post.getResponseBodyAsStream());
+			Document doc = DOMUtils.parseDocumentSimple(post.getResponseBodyAsStream());
+			return unpackFromSOAP(doc.getDocumentElement());
+		} catch(IOException e) {
+			throw new MISSimpleClientException(e);
+		} catch (TransformerException e) {
+			throw new MISSimpleClientException(e);
+		} catch (SAXException e) {
+			throw new MISSimpleClientException(e);
+		} catch (ParserConfigurationException e) {
+			throw new MISSimpleClientException(e);
+		}
+	}
+	
+	private static Element packIntoSOAP(Element element) throws MISSimpleClientException {
+		try {
+			Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder().newDocument();
+			Element soapEnvelope = doc.createElement("Envelope");
+			soapEnvelope.setAttribute("xmlns", SOAP_NS);
+			Element soapBody = doc.createElement("Body");
+			soapEnvelope.appendChild(soapBody);
+			soapBody.appendChild(doc.importNode(element, true));
+			return soapEnvelope;
+		} catch(ParserConfigurationException e) {
+			throw new MISSimpleClientException(e);
+		}
+	}
+	
+	private static Element unpackFromSOAP(Element element) throws MISSimpleClientException {
+		try {
+			return (Element) XPathAPI.selectSingleNode(element, "/soap:Envelope/soap:Body/child::*[position()=1]", NS_NODE);
+		} catch(TransformerException e) {
+			throw new MISSimpleClientException(e);
+		}
+	}	
+}
\ No newline at end of file
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClientException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClientException.java
new file mode 100644
index 000000000..6f2627e1d
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClientException.java
@@ -0,0 +1,22 @@
+package at.gv.egovernment.moa.id.util.client.mis.simple;
+
+public class MISSimpleClientException extends Exception {
+
+	private static final long serialVersionUID = 1L;
+
+	public MISSimpleClientException() {
+	}
+
+	public MISSimpleClientException(String message) {
+		super(message);
+	}
+
+	public MISSimpleClientException(Throwable cause) {
+		super(cause);
+	}
+
+	public MISSimpleClientException(String message, Throwable cause) {
+		super(message, cause);
+	}
+
+}
\ No newline at end of file
-- 
cgit v1.2.3