From ab7c7b6a64edca60b78a89b18a1972ad5e38586e Mon Sep 17 00:00:00 2001
From: kstranacher <kstranacher@d688527b-c9ab-4aba-bd8d-4036d912da1d>
Date: Fri, 1 Apr 2011 08:03:14 +0000
Subject: - Update Parameterüberprüfung - Update MOA-Template zur
 Bürgerkartenauswahl - Änderung der Konfiguration für: 	- Angabe einer Liste
 von vertrauenswürdigen BKUs (aufgrund Parameterprüfung) - Fixed Bug #552
 (http://egovlabs.gv.at/tracker/index.php?func=detail&aid=552&group_id=6&atid=105)
 - Fixed Bug #551
 (http://egovlabs.gv.at/tracker/index.php?func=detail&aid=551&group_id=6&atid=105)
 - Fixed Bug #550
 (http://egovlabs.gv.at/tracker/index.php?func=detail&aid=550&group_id=6&atid=105)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

git-svn-id: https://joinup.ec.europa.eu/svn/moa-idspss/trunk@1198 d688527b-c9ab-4aba-bd8d-4036d912da1d
---
 .../moa/id/auth/AuthenticationServer.java          |   8 +-
 .../moa/id/auth/MOAIDAuthConstants.java            |   2 +
 .../moa/id/auth/servlet/AuthServlet.java           |  16 +-
 .../moa/id/auth/servlet/ConfigurationServlet.java  |   7 +
 .../moa/id/auth/servlet/GetForeignIDServlet.java   |  24 +-
 .../auth/servlet/ProcessValidatorInputServlet.java |  63 ++-
 .../moa/id/auth/servlet/SelectBKUServlet.java      |  27 +-
 .../auth/servlet/StartAuthenticationServlet.java   |  24 +-
 .../servlet/VerifyAuthenticationBlockServlet.java  |  20 +
 .../id/auth/servlet/VerifyCertificateServlet.java  |  16 +-
 .../id/auth/servlet/VerifyIdentityLinkServlet.java |  18 +-
 .../moa/id/config/ConfigurationBuilder.java        |  20 +
 .../id/config/auth/AuthConfigurationProvider.java  |  17 +-
 .../moa/id/util/ParamValidatorUtils.java           | 465 +++++++++++++++++----
 .../java/at/gv/egovernment/moa/id/util/Random.java |  15 +-
 15 files changed, 635 insertions(+), 107 deletions(-)

(limited to 'id/server/idserverlib/src/main/java/at')

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
index 8de82a8d6..64eaf30cd 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
@@ -800,9 +800,11 @@ public class AuthenticationServer implements MOAIDAuthConstants {
     OAAuthParameter oaParam = 
       authConfigurationProvider.getOnlineApplicationParameter(session.getPublicOAURLPrefix());
     VerifyInfoboxParameters verifyInfoboxParameters = oaParam.getVerifyInfoboxParameters();
+    session.setExtendedSAMLAttributesAUTH(new Vector()); // Initialize SAML Attributes
+    session.setExtendedSAMLAttributesOA(new Vector());
+    
     if (verifyInfoboxParameters != null) {
-      session.setExtendedSAMLAttributesAUTH(new Vector()); // Initialize SAML Attributes
-      session.setExtendedSAMLAttributesOA(new Vector());
+      
       infoboxParameters = verifyInfoboxParameters.getInfoboxParameters();     
       // get the list of infobox identifiers
       List identifiers = verifyInfoboxParameters.getIdentifiers();
@@ -1556,7 +1558,7 @@ public class AuthenticationServer implements MOAIDAuthConstants {
    *             already for the given session ID
    */
   private static AuthenticationSession newSession() throws AuthenticationException {
-    String sessionID = Random.nextRandom();
+    String sessionID = Random.nextRandom();    
     AuthenticationSession newSession = new AuthenticationSession(sessionID);
     synchronized (sessionStore) {
       AuthenticationSession session = (AuthenticationSession) sessionStore.get(sessionID);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java
index 0e361ee57..259b21db7 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java
@@ -28,6 +28,8 @@ public interface MOAIDAuthConstants {
 
   /** servlet parameter &quot;Target&quot; */
   public static final String PARAM_TARGET = "Target";
+  /** servlet parameter &quot;useMandate&quot; */
+  public static final String PARAM_USEMANDATE = "useMandate";
   /** servlet parameter &quot;OA&quot; */
   public static final String PARAM_OA = "OA";
   /** servlet parameter &quot;bkuURI&quot; */
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AuthServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AuthServlet.java
index bff0a3fca..109d17d11 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AuthServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AuthServlet.java
@@ -53,7 +53,7 @@ public class AuthServlet extends HttpServlet implements MOAIDAuthConstants {
 
 
   /**
-   * Handles an error. <br>
+   * Handles an error. <br>>
    * <ul>
    * <li>Logs the error</li>
    * <li>Places error message and exception thrown into the request 
@@ -89,7 +89,13 @@ public class AuthServlet extends HttpServlet implements MOAIDAuthConstants {
 		//forward this to errorpage-auth.jsp where the HTML error page is generated
 		ServletContext context = getServletContext();
 		RequestDispatcher dispatcher = context.getRequestDispatcher("/errorpage-auth.jsp");
-		try {
+		try		{
+			
+			 resp.setHeader(MOAIDAuthConstants.HEADER_EXPIRES,MOAIDAuthConstants.HEADER_VALUE_EXPIRES);
+				resp.setHeader(MOAIDAuthConstants.HEADER_PRAGMA,MOAIDAuthConstants.HEADER_VALUE_PRAGMA);
+				resp.setHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL);
+				resp.addHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL_IE);
+			
       dispatcher.forward(req, resp);
     } catch (ServletException e) {
       Logger.error(e);
@@ -111,6 +117,11 @@ public class AuthServlet extends HttpServlet implements MOAIDAuthConstants {
     ServletContext context = getServletContext();
     RequestDispatcher dispatcher = context.getRequestDispatcher("/errorpage-auth.jsp");
     try {
+    	resp.setHeader(MOAIDAuthConstants.HEADER_EXPIRES,MOAIDAuthConstants.HEADER_VALUE_EXPIRES);
+		resp.setHeader(MOAIDAuthConstants.HEADER_PRAGMA,MOAIDAuthConstants.HEADER_VALUE_PRAGMA);
+		resp.setHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL);
+		resp.addHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL_IE);
+		
       dispatcher.forward(req, resp);
     } catch (ServletException e) {
       Logger.error(e);
@@ -123,7 +134,6 @@ public class AuthServlet extends HttpServlet implements MOAIDAuthConstants {
    * Logs all servlet parameters for debugging purposes.
    */
   protected void logParameters(HttpServletRequest req) {
-   //@TODO Parameter?
     for (Enumeration params = req.getParameterNames(); params.hasMoreElements(); ) {
       String parname = (String)params.nextElement();
       Logger.debug("Parameter " + parname + req.getParameter(parname));    
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/ConfigurationServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/ConfigurationServlet.java
index be8b5e272..a9082dd8e 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/ConfigurationServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/ConfigurationServlet.java
@@ -26,6 +26,7 @@ import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
 import at.gv.egovernment.moa.id.auth.MOAIDAuthInitializer;
 import at.gv.egovernment.moa.id.util.HTTPRequestJSPForwarder;
 import at.gv.egovernment.moa.id.util.MOAIDMessageProvider;
@@ -48,6 +49,12 @@ public class ConfigurationServlet extends HttpServlet {
   public void doGet(HttpServletRequest request, HttpServletResponse response)
     throws ServletException, IOException {
 
+	  	  
+	  response.setHeader(MOAIDAuthConstants.HEADER_EXPIRES,MOAIDAuthConstants.HEADER_VALUE_EXPIRES);
+	  response.setHeader(MOAIDAuthConstants.HEADER_PRAGMA,MOAIDAuthConstants.HEADER_VALUE_PRAGMA);
+	  response.setHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL);
+	  response.addHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL_IE);
+	  
     MOAIDMessageProvider msg = MOAIDMessageProvider.getInstance();
 
     try {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetForeignIDServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetForeignIDServlet.java
index 23d4eab20..c83650587 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetForeignIDServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetForeignIDServlet.java
@@ -12,11 +12,13 @@ import javax.servlet.http.HttpServletResponse;
 import javax.xml.transform.TransformerException;
 
 import org.apache.commons.fileupload.FileUploadException;
+import org.apache.commons.lang.StringEscapeUtils;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 
 import at.gv.egovernment.moa.id.MOAIDException;
 import at.gv.egovernment.moa.id.auth.AuthenticationServer;
+import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
 import at.gv.egovernment.moa.id.auth.WrongParametersException;
 import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder;
 import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
@@ -61,7 +63,12 @@ public class GetForeignIDServlet extends AuthServlet {
     throws ServletException, IOException { 
     	
 		Logger.debug("GET GetForeignIDServlet");
-		
+
+		resp.setHeader(MOAIDAuthConstants.HEADER_EXPIRES,MOAIDAuthConstants.HEADER_VALUE_EXPIRES);
+		resp.setHeader(MOAIDAuthConstants.HEADER_PRAGMA,MOAIDAuthConstants.HEADER_VALUE_PRAGMA);
+		resp.setHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL);
+		resp.addHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL_IE);
+
 		
   }
 
@@ -87,6 +94,11 @@ public class GetForeignIDServlet extends AuthServlet {
 
 		Logger.debug("POST GetForeignIDServlet");
 		
+		resp.setHeader(MOAIDAuthConstants.HEADER_EXPIRES,MOAIDAuthConstants.HEADER_VALUE_EXPIRES);
+		resp.setHeader(MOAIDAuthConstants.HEADER_PRAGMA,MOAIDAuthConstants.HEADER_VALUE_PRAGMA);
+		resp.setHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL);
+		resp.addHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL_IE);
+		
 		Map parameters;
 	    try 
 	    {
@@ -97,16 +109,24 @@ public class GetForeignIDServlet extends AuthServlet {
 	      throw new IOException(e.getMessage());
 	     	}
 	    String sessionID = req.getParameter(PARAM_SESSIONID);
+	    
+	    // escape parameter strings
+	    sessionID = StringEscapeUtils.escapeHtml(sessionID);
+	    
 	    String redirectURL = null;
 	    AuthenticationSession session = null;
 	    try {
+	    	String xmlCreateXMLSignatureResponse = (String)parameters.get(PARAM_XMLRESPONSE);
+	    	
           // check parameter
           if (!ParamValidatorUtils.isValidSessionID(sessionID))
              throw new WrongParametersException("GetForeignID", PARAM_SESSIONID, "auth.12");
+          if (!ParamValidatorUtils.isValidXMLDocument(xmlCreateXMLSignatureResponse))
+              throw new WrongParametersException("GetForeignID", PARAM_XMLRESPONSE, "auth.12");
 
 	    	session = AuthenticationServer.getSession(sessionID);
 	    	
-	    	String xmlCreateXMLSignatureResponse = (String)parameters.get(PARAM_XMLRESPONSE);
+	    	
 	    	
 	    	Logger.debug(xmlCreateXMLSignatureResponse);
 	    	
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/ProcessValidatorInputServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/ProcessValidatorInputServlet.java
index 317af3e06..54d08c59e 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/ProcessValidatorInputServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/ProcessValidatorInputServlet.java
@@ -24,10 +24,13 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
 import org.apache.commons.fileupload.FileUploadException;
+import org.apache.commons.lang.StringEscapeUtils;
 
 import at.gv.egovernment.moa.id.AuthenticationException;
 import at.gv.egovernment.moa.id.MOAIDException;
 import at.gv.egovernment.moa.id.auth.AuthenticationServer;
+import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
+import at.gv.egovernment.moa.id.auth.WrongParametersException;
 import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder;
 import at.gv.egovernment.moa.id.auth.builder.GetVerifyAuthBlockFormBuilder;
 import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
@@ -36,6 +39,7 @@ import at.gv.egovernment.moa.id.auth.validator.ValidateException;
 import at.gv.egovernment.moa.id.auth.validator.parep.ParepUtils;
 import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
 import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
+import at.gv.egovernment.moa.id.util.ParamValidatorUtils;
 import at.gv.egovernment.moa.logging.Logger;
 import at.gv.egovernment.moa.util.FileUtils;
 
@@ -66,7 +70,12 @@ public class ProcessValidatorInputServlet extends AuthServlet {
   protected void doGet(HttpServletRequest req, HttpServletResponse resp)
     throws ServletException, IOException { 
 
-    Logger.debug("GET ProcessInput");
+    Logger.debug("GET ProcessInput");
+    resp.setHeader(MOAIDAuthConstants.HEADER_EXPIRES,MOAIDAuthConstants.HEADER_VALUE_EXPIRES);
+	resp.setHeader(MOAIDAuthConstants.HEADER_PRAGMA,MOAIDAuthConstants.HEADER_VALUE_PRAGMA);
+	resp.setHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL);
+	resp.addHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL_IE);
+	  
     Map parameters;
     try {
       parameters = getParameters(req);
@@ -78,8 +87,15 @@ public class ProcessValidatorInputServlet extends AuthServlet {
     if (sessionID==null) sessionID = (String) req.getAttribute(PARAM_SESSIONID);
     if (sessionID==null) sessionID = (String) parameters.get(PARAM_SESSIONID);
     if (sessionID==null) sessionID = (String) parameters.get(PARAM_SESSIONID+"_");
+    
+    // escape parameter strings
+    sessionID = StringEscapeUtils.escapeHtml(sessionID);
     
-    try {
+    try {
+    	
+    	if (!ParamValidatorUtils.isValidSessionID(sessionID))
+            throw new WrongParametersException("ProcessInput", PARAM_SESSIONID, "auth.12");
+    	
       AuthenticationSession session = AuthenticationServer.getSession(sessionID);
       InfoboxValidator infoboxvalidator = session.getFirstPendingValidator();
       String outputStream;
@@ -103,7 +119,10 @@ public class ProcessValidatorInputServlet extends AuthServlet {
       out.flush();
       out.close();
       Logger.debug("Finished GET ProcessInput");
-    }
+    }
+    catch (WrongParametersException ex) {
+        handleWrongParameters(ex, req, resp);
+      }
     catch (MOAIDException ex) {
       handleError(null, ex, req, resp);
     }
@@ -117,7 +136,13 @@ public class ProcessValidatorInputServlet extends AuthServlet {
   protected void doPost(HttpServletRequest req, HttpServletResponse resp)
     throws ServletException, IOException {
 
-		Logger.debug("POST ProcessInput");
+		Logger.debug("POST ProcessInput");
+		
+		resp.setHeader(MOAIDAuthConstants.HEADER_EXPIRES,MOAIDAuthConstants.HEADER_VALUE_EXPIRES);
+		resp.setHeader(MOAIDAuthConstants.HEADER_PRAGMA,MOAIDAuthConstants.HEADER_VALUE_PRAGMA);
+		resp.setHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL);
+		resp.addHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL_IE);
+		
     Map parameters;
     try {
       parameters = getParameters(req);
@@ -125,13 +150,20 @@ public class ProcessValidatorInputServlet extends AuthServlet {
       Logger.error("Parsing mulitpart/form-data request parameters failed: " + e.getMessage());
       throw new IOException(e.getMessage());
     }
-  //@TODO Parameter
+
     String sessionID = req.getParameter(PARAM_SESSIONID);
     if (sessionID==null) sessionID = (String) req.getAttribute(PARAM_SESSIONID);
     if (sessionID==null) sessionID = (String) parameters.get(PARAM_SESSIONID);
     if (sessionID==null) sessionID = (String) parameters.get(PARAM_SESSIONID+"_");
+        
+    // escape parameter strings
+    sessionID = StringEscapeUtils.escapeHtml(sessionID);
     
-    try {
+    try {
+    	
+    	if (!ParamValidatorUtils.isValidSessionID(sessionID))
+            throw new WrongParametersException("ProcessInput", PARAM_SESSIONID, "auth.12");
+		    
       AuthenticationSession session = AuthenticationServer.getSession(sessionID);
       AuthenticationServer.processInput(session, parameters);
       String createXMLSignatureRequestOrRedirect = AuthenticationServer.getInstance().getCreateXMLSignatureRequestAuthBlockOrRedirect(session, null, null);
@@ -143,16 +175,22 @@ public class ProcessValidatorInputServlet extends AuthServlet {
         String htmlForm = null;
         
         boolean doInputProcessorSign = false; // If sign process should be within an extra form, provide a parameter. Otherwise transport through security layer is assumed 
-      //@TODO Parameter
+
         String inputProcessorSignForm = req.getParameter("Sign_Form");
         if (inputProcessorSignForm==null) inputProcessorSignForm = (String) req.getAttribute("Sign_Form");
         if (inputProcessorSignForm==null) inputProcessorSignForm = (String) parameters.get("Sign_Form");
-        if (inputProcessorSignForm==null) inputProcessorSignForm = (String) parameters.get("Sign_Form_");
+        if (inputProcessorSignForm==null) inputProcessorSignForm = (String) parameters.get("Sign_Form_");
+        // escape parameter strings
+        inputProcessorSignForm = StringEscapeUtils.escapeHtml(inputProcessorSignForm);
         if (!ParepUtils.isEmpty(inputProcessorSignForm)) doInputProcessorSign = inputProcessorSignForm.equalsIgnoreCase("true");
         if (doInputProcessorSign) {
           // Test if we have a user input form sign template
-         //@TODO Parameter
-          String inputProcessorSignTemplateURL = req.getParameter(PARAM_INPUT_PROCESSOR_SIGN_TEMPLATE);
+         
+          String inputProcessorSignTemplateURL = req.getParameter(PARAM_INPUT_PROCESSOR_SIGN_TEMPLATE);
+          
+          if (!ParamValidatorUtils.isValidSignUrl(inputProcessorSignTemplateURL))
+              throw new WrongParametersException("ProcessInput", PARAM_INPUT_PROCESSOR_SIGN_TEMPLATE, "auth.12");
+          
           String inputProcessorSignTemplate = null;
           OAAuthParameter oaParam =
             AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(session.getOAURLRequested());
@@ -199,7 +237,10 @@ public class ProcessValidatorInputServlet extends AuthServlet {
         resp.addHeader("Location", redirectURL);
         Logger.debug("REDIRECT TO: " + redirectURL);
       }
-    }
+    }
+    catch (WrongParametersException ex) {
+        handleWrongParameters(ex, req, resp);
+      }
     catch (MOAIDException ex) {
       handleError(null, ex, req, resp);
     }
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/SelectBKUServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/SelectBKUServlet.java
index 09b3ae15f..6e285a2c0 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/SelectBKUServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/SelectBKUServlet.java
@@ -24,7 +24,10 @@ import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.apache.commons.lang.StringEscapeUtils;
+
 import at.gv.egovernment.moa.id.auth.AuthenticationServer;
+import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
 import at.gv.egovernment.moa.id.auth.MOAIDAuthInitializer;
 import at.gv.egovernment.moa.id.auth.WrongParametersException;
 import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
@@ -70,6 +73,12 @@ public class SelectBKUServlet extends AuthServlet {
     throws ServletException, IOException {
 
     Logger.debug("GET SelectBKU");
+    
+    resp.setHeader(MOAIDAuthConstants.HEADER_EXPIRES,MOAIDAuthConstants.HEADER_VALUE_EXPIRES);
+    resp.setHeader(MOAIDAuthConstants.HEADER_PRAGMA,MOAIDAuthConstants.HEADER_VALUE_PRAGMA);
+	resp.setHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL);
+	resp.addHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL_IE);
+    
     String authURL = req.getScheme() + "://" + req.getServerName();
     if ((req.getScheme().equalsIgnoreCase("https") && req.getServerPort()!=443) || (req.getScheme().equalsIgnoreCase("http") && req.getServerPort()!=80)) { 
       authURL = authURL.concat(":" + req.getServerPort());
@@ -80,6 +89,14 @@ public class SelectBKUServlet extends AuthServlet {
     String oaURL = req.getParameter(PARAM_OA);
     String bkuSelectionTemplateURL = req.getParameter(PARAM_BKUTEMPLATE);
     String templateURL = req.getParameter(PARAM_TEMPLATE);
+    
+    // escape parameter strings
+    target = StringEscapeUtils.escapeHtml(target);
+    oaURL = StringEscapeUtils.escapeHtml(oaURL);    
+    templateURL = StringEscapeUtils.escapeHtml(templateURL);
+    bkuSelectionTemplateURL = StringEscapeUtils.escapeHtml(bkuSelectionTemplateURL);
+    
+    
     resp.setHeader(HEADER_EXPIRES,HEADER_VALUE_EXPIRES);
     resp.setHeader(HEADER_PRAGMA,HEADER_VALUE_PRAGMA);
     resp.setHeader(HEADER_CACHE_CONTROL,HEADER_VALUE_CACHE_CONTROL);
@@ -89,11 +106,13 @@ public class SelectBKUServlet extends AuthServlet {
        
        // check parameter
        if (!ParamValidatorUtils.isValidTarget(target))
-          throw new WrongParametersException("StartAuthentication", PARAM_TARGET, "auth.12");
+          throw new WrongParametersException("SelectBKU", PARAM_TARGET, "auth.12");
        if (!ParamValidatorUtils.isValidOA(oaURL))
-          throw new WrongParametersException("StartAuthentication", PARAM_OA, "auth.12");
-       if (!ParamValidatorUtils.isValidTemplate(templateURL))
-          throw new WrongParametersException("StartAuthentication", PARAM_TEMPLATE, "auth.12");
+          throw new WrongParametersException("SelectBKU", PARAM_OA, "auth.12");
+       if (!ParamValidatorUtils.isValidTemplate(req, templateURL))
+          throw new WrongParametersException("SelectBKU", PARAM_TEMPLATE, "auth.12");
+       if (!ParamValidatorUtils.isValidTemplate(req, bkuSelectionTemplateURL))
+           throw new WrongParametersException("SelectBKU", PARAM_TEMPLATE, "auth.12");
 
        
       String returnValue = AuthenticationServer.getInstance().selectBKU(
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/StartAuthenticationServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/StartAuthenticationServlet.java
index 2430095b2..10b4041df 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/StartAuthenticationServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/StartAuthenticationServlet.java
@@ -17,12 +17,16 @@ package at.gv.egovernment.moa.id.auth.servlet;
 
 import java.io.IOException;
 import java.io.PrintWriter;
+import java.io.Reader;
+import java.io.StringReader;
 
 import javax.servlet.ServletConfig;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.apache.commons.lang.StringEscapeUtils;
+
 import at.gv.egovernment.moa.id.MOAIDException;
 import at.gv.egovernment.moa.id.auth.AuthenticationServer;
 import at.gv.egovernment.moa.id.auth.MOAIDAuthInitializer;
@@ -64,16 +68,27 @@ public class StartAuthenticationServlet extends AuthServlet {
     authURL = authURL.concat(req.getContextPath() + "/");
 
     String target = req.getParameter(PARAM_TARGET);
-	 String oaURL = req.getParameter(PARAM_OA);
+    String oaURL = req.getParameter(PARAM_OA);
     String bkuURL = req.getParameter(PARAM_BKU);
     String templateURL = req.getParameter(PARAM_TEMPLATE);
     String sessionID = req.getParameter(PARAM_SESSIONID);
+    String useMandate = req.getParameter(PARAM_USEMANDATE);
+    
     
+    // escape parameter strings
+    target = StringEscapeUtils.escapeHtml(target);
+    oaURL = StringEscapeUtils.escapeHtml(oaURL);
+    bkuURL = StringEscapeUtils.escapeHtml(bkuURL);
+    templateURL = StringEscapeUtils.escapeHtml(templateURL);
+    sessionID = StringEscapeUtils.escapeHtml(sessionID);
+    useMandate = StringEscapeUtils.escapeHtml(useMandate);
+       
     resp.setHeader(HEADER_EXPIRES,HEADER_VALUE_EXPIRES);
     resp.setHeader(HEADER_PRAGMA,HEADER_VALUE_PRAGMA);
     resp.setHeader(HEADER_CACHE_CONTROL,HEADER_VALUE_CACHE_CONTROL);
     resp.addHeader(HEADER_CACHE_CONTROL,HEADER_VALUE_CACHE_CONTROL_IE);
     
+    //System.out.println("useMandate: " + useMandate);
     
     	try {
 		      // check parameter
@@ -83,10 +98,14 @@ public class StartAuthenticationServlet extends AuthServlet {
              throw new WrongParametersException("StartAuthentication", PARAM_OA, "auth.12");
 		    if (!ParamValidatorUtils.isValidBKUURI(bkuURL))
 		       throw new WrongParametersException("StartAuthentication", PARAM_BKU, "auth.12");
-		    if (!ParamValidatorUtils.isValidTemplate(templateURL))
+		    if (!ParamValidatorUtils.isValidTemplate(req, templateURL))
 		       throw new WrongParametersException("StartAuthentication", PARAM_TEMPLATE, "auth.12");
 		    if (!ParamValidatorUtils.isValidSessionID(sessionID))
              throw new WrongParametersException("StartAuthentication", PARAM_SESSIONID, "auth.12");
+		    if (!ParamValidatorUtils.isValidUseMandate(useMandate))
+	             throw new WrongParametersException("StartAuthentication", PARAM_USEMANDATE, "auth.12");
+		    
+		    
 		    
 		    
 			String getIdentityLinkForm =
@@ -97,6 +116,7 @@ public class StartAuthenticationServlet extends AuthServlet {
 			out.print(getIdentityLinkForm);
 			out.flush();
 			Logger.debug("Finished GET StartAuthentication");
+		
 		}
     catch (WrongParametersException ex) {
       handleWrongParameters(ex, req, resp);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyAuthenticationBlockServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyAuthenticationBlockServlet.java
index 8ae951dda..ad01de6c8 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyAuthenticationBlockServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyAuthenticationBlockServlet.java
@@ -23,9 +23,11 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
 import org.apache.commons.fileupload.FileUploadException;
+import org.apache.commons.lang.StringEscapeUtils;
 
 import at.gv.egovernment.moa.id.MOAIDException;
 import at.gv.egovernment.moa.id.auth.AuthenticationServer;
+import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
 import at.gv.egovernment.moa.id.auth.WrongParametersException;
 import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder;
 import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
@@ -60,6 +62,12 @@ public class VerifyAuthenticationBlockServlet extends AuthServlet {
     throws ServletException, IOException { 
     
 		Logger.debug("GET VerifyAuthenticationBlock");
+		
+		resp.setHeader(MOAIDAuthConstants.HEADER_EXPIRES,MOAIDAuthConstants.HEADER_VALUE_EXPIRES);
+		resp.setHeader(MOAIDAuthConstants.HEADER_PRAGMA,MOAIDAuthConstants.HEADER_VALUE_PRAGMA);
+		resp.setHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL);
+		resp.addHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL_IE);
+		
   }
 
   /**
@@ -87,6 +95,12 @@ public class VerifyAuthenticationBlockServlet extends AuthServlet {
     throws ServletException, IOException {
 
 		Logger.debug("POST VerifyAuthenticationBlock");
+		
+		resp.setHeader(MOAIDAuthConstants.HEADER_EXPIRES,MOAIDAuthConstants.HEADER_VALUE_EXPIRES);
+		resp.setHeader(MOAIDAuthConstants.HEADER_PRAGMA,MOAIDAuthConstants.HEADER_VALUE_PRAGMA);
+		resp.setHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL);
+		resp.addHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL_IE);
+		  
     Map parameters;
     try 
     {
@@ -98,11 +112,17 @@ public class VerifyAuthenticationBlockServlet extends AuthServlet {
     }
 		String sessionID = req.getParameter(PARAM_SESSIONID);
 		String createXMLSignatureResponse = (String)parameters.get(PARAM_XMLRESPONSE);
+
+		// escape parameter strings
+		sessionID = StringEscapeUtils.escapeHtml(sessionID);
+
 		String redirectURL = null;
 		try {
          // check parameter
          if (!ParamValidatorUtils.isValidSessionID(sessionID))
             throw new WrongParametersException("VerifyAuthenticationBlock", PARAM_SESSIONID, "auth.12");
+         if (!ParamValidatorUtils.isValidXMLDocument(createXMLSignatureResponse))
+            throw new WrongParametersException("VerifyAuthenticationBlock", PARAM_XMLRESPONSE, "auth.12");
 
          
 			AuthenticationSession session = AuthenticationServer.getSession(sessionID);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyCertificateServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyCertificateServlet.java
index 1b96ce8a4..76c5476ae 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyCertificateServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyCertificateServlet.java
@@ -17,12 +17,14 @@ import javax.xml.parsers.ParserConfigurationException;
 
 import org.apache.axis.encoding.Base64;
 import org.apache.commons.fileupload.FileUploadException;
+import org.apache.commons.lang.StringEscapeUtils;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 import org.w3c.dom.Text;
 
 import at.gv.egovernment.moa.id.MOAIDException;
 import at.gv.egovernment.moa.id.auth.AuthenticationServer;
+import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
 import at.gv.egovernment.moa.id.auth.WrongParametersException;
 import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder;
 import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
@@ -64,7 +66,10 @@ public class VerifyCertificateServlet extends AuthServlet {
     	
 		Logger.debug("GET VerifyCertificateServlet");
 		
-		
+		resp.setHeader(MOAIDAuthConstants.HEADER_EXPIRES,MOAIDAuthConstants.HEADER_VALUE_EXPIRES);
+		resp.setHeader(MOAIDAuthConstants.HEADER_PRAGMA,MOAIDAuthConstants.HEADER_VALUE_PRAGMA);
+		resp.setHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL);
+		resp.addHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL_IE);
   }
 
   /**
@@ -84,6 +89,11 @@ public class VerifyCertificateServlet extends AuthServlet {
 
 		Logger.debug("POST VerifyCertificateServlet");
 		
+		resp.setHeader(MOAIDAuthConstants.HEADER_EXPIRES,MOAIDAuthConstants.HEADER_VALUE_EXPIRES);
+		resp.setHeader(MOAIDAuthConstants.HEADER_PRAGMA,MOAIDAuthConstants.HEADER_VALUE_PRAGMA);
+		resp.setHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL);
+		resp.addHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL_IE);
+		
 		Map parameters;
 	    try 
 	    {
@@ -94,6 +104,10 @@ public class VerifyCertificateServlet extends AuthServlet {
 	      throw new IOException(e.getMessage());
 	     	}
 	    String sessionID = req.getParameter(PARAM_SESSIONID);
+	    
+	    // escape parameter strings
+		sessionID = StringEscapeUtils.escapeHtml(sessionID);
+		
 	    AuthenticationSession session = null;
 	    try {
 	       // check parameter
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java
index ba3e2141b..dff366829 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java
@@ -23,10 +23,12 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
 import org.apache.commons.fileupload.FileUploadException;
+import org.apache.commons.lang.StringEscapeUtils;
 
 import at.gv.egovernment.moa.id.MOAIDException;
 import at.gv.egovernment.moa.id.ParseException;
 import at.gv.egovernment.moa.id.auth.AuthenticationServer;
+import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
 import at.gv.egovernment.moa.id.auth.WrongParametersException;
 import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder;
 import at.gv.egovernment.moa.id.auth.builder.InfoboxReadRequestBuilderCertificate;
@@ -61,6 +63,11 @@ public class VerifyIdentityLinkServlet extends AuthServlet {
     throws ServletException, IOException { 
     	
 		Logger.debug("GET VerifyIdentityLink");
+		
+		resp.setHeader(MOAIDAuthConstants.HEADER_EXPIRES,MOAIDAuthConstants.HEADER_VALUE_EXPIRES);
+		resp.setHeader(MOAIDAuthConstants.HEADER_PRAGMA,MOAIDAuthConstants.HEADER_VALUE_PRAGMA);
+		resp.setHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL);
+		resp.addHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL_IE);
   }
 
   /**
@@ -85,6 +92,7 @@ public class VerifyIdentityLinkServlet extends AuthServlet {
     throws ServletException, IOException {
 
 		Logger.debug("POST VerifyIdentityLink");
+		  
     Map parameters;
     try 
     {
@@ -95,10 +103,16 @@ public class VerifyIdentityLinkServlet extends AuthServlet {
       throw new IOException(e.getMessage());
     }
     String sessionID = req.getParameter(PARAM_SESSIONID);
-    
-    
 
+    // escape parameter strings
+	sessionID = StringEscapeUtils.escapeHtml(sessionID);
     
+    resp.setHeader(MOAIDAuthConstants.HEADER_EXPIRES,MOAIDAuthConstants.HEADER_VALUE_EXPIRES);
+	resp.setHeader(MOAIDAuthConstants.HEADER_PRAGMA,MOAIDAuthConstants.HEADER_VALUE_PRAGMA);
+	resp.setHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL);
+	resp.addHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL_IE);
+
+	
     try {
     // check parameter
        if (!ParamValidatorUtils.isValidSessionID(sessionID))
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConfigurationBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConfigurationBuilder.java
index 7cc33ca52..dbfbda535 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConfigurationBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConfigurationBuilder.java
@@ -161,6 +161,10 @@ public class ConfigurationBuilder {
   protected static final String GENERIC_CONFIGURATION_XPATH =
     ROOT + CONF + "GenericConfiguration";
   
+  /** an XPATH-Expression */ 
+  protected static final String TRUSTED_BKUS =
+    ROOT + CONF + "TrustedBKUs/" + CONF + "BKUURL";
+  
   /** an XPATH-Expression */ 
   protected static final String CHAINING_MODES_XPATH =
     ROOT + CONF + "ChainingModes";
@@ -372,6 +376,22 @@ public class ConfigurationBuilder {
     return result;
   }
 
+  public List getTrustedBKUs() {
+	  
+	  List trustedBKUs = new ArrayList();
+	    
+	      NodeIterator bkuIter = XPathUtils.selectNodeIterator(configElem_, TRUSTED_BKUS);
+	      
+	      Element vtElem;
+
+	      while ((vtElem = (Element) bkuIter.nextNode()) != null) {
+		      	String bkuURL = DOMUtils.getText(vtElem);
+		      	trustedBKUs.add(bkuURL);
+	      }
+	      
+	      return trustedBKUs;
+	  
+  }
 
   /**
    * Returns a list containing all X509 Subject Names 
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java
index a25bc1af5..6e296b4f4 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java
@@ -164,6 +164,11 @@ public class AuthConfigurationProvider extends ConfigurationProvider {
    */
   private ConnectionParameter foreignIDConnectionParameter;
   
+  /**
+   * Parameter for trusted BKUs
+   */
+  private List trustedBKUs;
+  
  /**
    * Return the single instance of configuration data.
    * 
@@ -271,7 +276,8 @@ public class AuthConfigurationProvider extends ConfigurationProvider {
     	defaultChainingMode = builder.getDefaultChainingMode();
     	chainingModes = builder.buildChainingModes();  
     	trustedCACertificates = builder.getTrustedCACertificates();
-    	trustedCACertificates = FileUtils.makeAbsoluteURL(trustedCACertificates, rootConfigFileDir);     
+    	trustedCACertificates = FileUtils.makeAbsoluteURL(trustedCACertificates, rootConfigFileDir);
+    	trustedBKUs = builder.getTrustedBKUs();
 
     } catch (Throwable t) {
       throw new ConfigurationException("config.02", null, t);
@@ -411,6 +417,15 @@ public class AuthConfigurationProvider extends ConfigurationProvider {
   public List getIdentityLinkX509SubjectNames() {
     return identityLinkX509SubjectNames;
   }
+  
+  /**
+   * Returns the trustBKUs.
+   * @return List
+   */
+  public List getTrustedBKUs() {
+    return this.trustedBKUs;
+  }
+
 
   /**
    * Returns the bKUConnectionParameter.
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java
index 684291c59..79db9907b 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java
@@ -1,14 +1,25 @@
 package at.gv.egovernment.moa.id.util;
 
-import java.io.BufferedReader;
 import java.io.IOException;
-import java.io.InputStream;
-import java.io.InputStreamReader;
+import java.io.StringReader;
 import java.net.MalformedURLException;
 import java.net.URL;
+import java.util.List;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
+import javax.servlet.http.HttpServletRequest;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
+
+import org.xml.sax.InputSource;
+import org.xml.sax.SAXException;
+
+import at.gv.egovernment.moa.id.config.ConfigurationException;
+import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
+import at.gv.egovernment.moa.logging.Logger;
+
 
 public class ParamValidatorUtils {
    
@@ -19,52 +30,266 @@ public class ParamValidatorUtils {
     */
    public static boolean isValidTarget(String target) {
    
+	   Logger.debug("Überprüfe Parameter Target");
+	   
       // if non parameter is given return true
-      if (target == null)
-         return true;
+      if (target == null) {
+    	  Logger.debug("Parameter Target ist null");
+    	  return true;
+      }
+         
       
       Pattern pattern = Pattern.compile("[a-zA-Z-]{1,5}");
       Matcher matcher = pattern.matcher(target);
-      return matcher.matches();     
+      boolean b = matcher.matches();
+      if (b) {
+    	Logger.debug("Parameter Target erfolgreich überprüft");
+    	return true;
+      }
+      else {
+    	  Logger.error("Fehler Überprüfung Parameter Target. Target entspricht nicht den Kriterien (nur Zeichen a-z, A-Z und -, sowie 1-5 Zeichen lang)");
+    	  return false;  
+      }
+            
    }
    
    /**
-    * Checks if the given bkuURI is valid
+    * Checks if the given useMandate is valid
     * @param target HTTP parameter from request
     * @return 
     */
-   public static boolean isValidBKUURI(String bkuURI) {
+   public static boolean isValidUseMandate(String usemandate) {
    
+	   Logger.debug("Überprüfe Parameter useMandate");
+	   
       // if non parameter is given return true
-      if (bkuURI == null)
-         return true;
+      if (usemandate== null) {
+    	  Logger.debug("Parameter useMandate ist null");
+    	  return true;
+      }
+         
       
-      // check if bkuURI is a valid URL
-      try {
-         new URL(bkuURI);
-         return true;
-      } catch (MalformedURLException e) {
-         return false;
+      if (usemandate.compareToIgnoreCase("true") == 0 || usemandate.compareToIgnoreCase("false") == 0) {
+    	  Logger.debug("Parameter useMandate erfolgreich überprüft");
+    	  return true;
       }
+      else {
+    	  Logger.error("Fehler Überprüfung Parameter useMandate. useMandate ist weder 'true' noch 'false')");
+    	  return false;
+      }
+    	  
+      
+    	  
+    	
+            
    }
    
    /**
-    * Checks if the given template is valid
+    * Checks if the given bkuURI is valid
     * @param target HTTP parameter from request
     * @return 
     */
-   public static boolean isValidTemplate(String template) {
+   public static boolean isValidBKUURI(String bkuURI) {
+	   Logger.debug("Überprüfe Parameter bkuURI");
+	   // if non parameter is given return true
+	      if (bkuURI == null) {
+	    	 Logger.debug("Parameter bkuURI ist null");
+	         return true;
+	      }
+	      
+	      // check if template is a valid URL
+	      try {	    	  
+	    	  // check if bku url starts with http or https 
+	    	  if (bkuURI.startsWith("http") || bkuURI.startsWith("https")) {
+	    		  URL url =new URL(bkuURI);
+	    		  
+	    		  // check if bkuURI is a local BKU
+	    		  if (bkuURI.compareToIgnoreCase("https://localhost:3496/https-security-layer-request") == 0 || 
+	    			  bkuURI.compareToIgnoreCase("http://localhost:3495/http-security-layer-request") == 0) {
+	    			  Logger.debug("Parameter bkuURI erfolgreich überprüft");
+	    			  return true;
+	    		  }
+	    		  else {
+	    			  Logger.debug("Parameter bkuURI ist keine lokale BKU. Überprüfe Liste der vertrauenswürdigen BKUs.");
+	    			  AuthConfigurationProvider authConf = AuthConfigurationProvider.getInstance();
+		    		  List trustedBKUs = authConf.getTrustedBKUs();
+		    		  boolean b = trustedBKUs.contains(bkuURI);
+		    		  if (b) {
+		    			  Logger.debug("Parameter bkuURI erfolgreich überprüft");
+		    			  return true;
+		    		  }
+		    		  else {
+		    			  Logger.error("Fehler Überprüfung Parameter bkuURI. bkuURI ist nicht auf Liste der vertrauenswürdigen BKUs (Konfigurationselement: MOA-IDConfiguration/TrustedBKUs)");  
+		    			  return false;
+		    		  }  
+	    		  }
+	    		  
+	    			
+	    	  }
+	    	  else {
+	    		  Logger.error("Fehler Überprüfung Parameter bkuURI. bkuURI beginnt nicht mit http or https");
+	    		  return false;
+	    	  }
+	    	  
+	            
+	      } catch (MalformedURLException e) {
+	    	  Logger.error("Fehler Überprüfung Parameter bkuURI", e);
+	         return false;
+	      } catch (ConfigurationException e) {
+	    	  Logger.error("Fehler Überprüfung Parameter bkuURI", e);
+	    	  return false;
+		}
+   }
+   
+//   private static boolean testBKUConnection(URL url) {
+//	
+//	   // make NullOperationRequest
+//	   //String request = "<?xml version=\"1.0\" encoding=\"UTF-8\"?><sl:NullOperationRequest xmlns:sl=\"http://www.buergerkarte.at/namespaces/securitylayer/1.2#\"/>";
+//	   String request = "<?xml version=\"1.0\" encoding=\"UTF-8\"?><sl:GetPropertiesRequest xmlns:sl=\"http://www.buergerkarte.at/namespaces/securitylayer/1.2#\"/>";
+//	   	   
+//	   HttpURLConnection connection;
+//	   if (url != null) {
+//		   try {
+//			    if (url.toExternalForm().startsWith("https")) {
+//					connection = (HttpsURLConnection)url.openConnection();
+//				}
+//				else { 
+//					connection = (HttpURLConnection)url.openConnection();
+//				}
+//				
+//				connection.setRequestMethod("POST");
+//			    connection.setDoOutput(true);
+//			      
+//			    connection.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
+//			      
+//			    String toSend = URLEncoder.encode(request, "UTF-8");
+//			    toSend = "XMLRequest=" + toSend;
+//			    connection.setRequestProperty("Content-Length", String.valueOf(toSend.getBytes().length));
+//	
+//			    Logger.debug("Send NullOperationRequest to BKU.");
+//			    
+//			    OutputStream out = connection.getOutputStream();
+//			    out.write(toSend.getBytes());
+//			      
+//			    // get response
+//			    connection.connect();
+//			    int responseCode = connection.getResponseCode();
+//		      
+//			    if (responseCode != 200) {
+//			    	InputStream is = connection.getErrorStream();
+//			    	int ch;
+//			    	String ret = "";
+//			    	while ((ch = is.read()) != -1) 
+//			    		ret += (char)ch;
+//			    	
+//			    	is.close();
+//			    	
+//			    	System.out.println("ret: " + ret);
+//			    	
+//			    	Logger.error("Fehler Überprüfung Parameter bkuURI. Antwortcode von BKU ist nicht 200.");
+//			    	return false;
+//			    }
+//		      
+//			    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();	
+//			    factory.setNamespaceAware(true);
+//			    DocumentBuilder builder = factory.newDocumentBuilder();
+//			    
+//			    //Document doc = builder.parse(connection.getInputStream());
+//			    
+//			    System.out.println(convertStreamToString(connection.getInputStream()));
+//			    
+////			    NodeList l = doc.getElementsByTagNameNS(Constants.SL12_NS_URI, "ErrorResponse");		    	
+////		    	if (l.getLength() != 0) {
+////		    		Logger.error("Fehler Überprüfung Parameter bkuURI. ErrorResponse von BKU empfangen.");
+////		    		return false;			    	
+////		    	}
+//		    	
+//		    	Logger.debug("Parameter Template bkuURI erfolgreich überprüft");
+//			    return true;
+//			    
+////		   } catch (SAXException e) {
+////				Logger.error("Fehler Überprüfung Parameter bkuURI.", e);
+////				return false;
+//			} catch (IOException e) {
+//				Logger.error("Fehler Überprüfung Parameter bkuURI.", e);
+//				return false;
+//			} catch (ParserConfigurationException e) {
+//				Logger.error("Fehler Überprüfung Parameter bkuURI.", e);
+//				return false;
+//			}
+//		}
+//	   else {
+//		   Logger.error("Fehler Überprüfung Parameter bkuURI. bkuURI ist null.");
+//		   return false;
+//	   }
+//		    
+//
+//   }
+   
+//   public static String convertStreamToString(InputStream is)  {
+//	   if (is != null) {
+//		   Writer writer = new StringWriter();
+//   
+//		   char[] buffer = new char[1024];
+//		   try {
+//			   Reader reader = new BufferedReader(new InputStreamReader(is, "UTF-8"));
+//			   int n;
+//			   while ((n = reader.read(buffer)) != -1) {
+//				   writer.write(buffer, 0, n);
+//			   }
+//		   } catch (IOException e) {			
+//			e.printStackTrace();
+//		} 
+//		   
+//		   	return writer.toString();
+//	   }	
+//	   else {       
+//		   return "";
+//	   }
+//   }
+   
+   /**
+    * Checks if the given template is valid
+    * @param req
+    * @param template
+    * @return
+    */
+   public static boolean isValidTemplate(HttpServletRequest req, String template) {
    
+	   Logger.debug("Überprüfe Parameter Template bzw. bkuSelectionTemplateURL");
+	   
       // if non parameter is given return true
-      if (template == null)
-         return true;
+      if (template == null) {
+    	  Logger.debug("Parameter Template bzw. bkuSelectionTemplateURL ist null");
+    	  return true;
+      }
       
       // check if template is a valid URL
       try {
-         new URL(template);
-         return true;         
+    	  
+    	  // check if template url starts with http or https 
+    	  if (template.startsWith("http") || template.startsWith("https")) {
+    	
+    		  // check if template url is from same server
+    		  if (template.contains(req.getServerName())) {
+    			 new URL(template);
+    			 Logger.debug("Parameter Template bzw. bkuSelectionTemplateURL erfolgreich überprüft");
+     	         return true;
+    		  }
+    		  else {
+    			  Logger.error("Fehler Überprüfung Parameter Template bzw. bkuSelectionTemplateURL. Parameter liegt nicht am gleichen Server wie die MOA-Instanz (" + req.getServerName() + ")");
+    			  return false;
+    		  }
+    		  
+    	  }
+    	  else {
+    		  Logger.error("Fehler Überprüfung Parameter Template bzw. bkuSelectionTemplateURL. Paramter beginnt nicht mit http oder https.");
+    		  return false;
+    	  }
+    	  
+            
       } catch (MalformedURLException e) {
-         e.printStackTrace();
+    	 Logger.error("Fehler Überprüfung Parameter Template bzw. bkuSelectionTemplateURL.", e);
          return false;
       }
    }
@@ -75,16 +300,31 @@ public class ParamValidatorUtils {
     * @return 
     */
    public static boolean isValidSessionID(String sessionID) {
-   
+	   Logger.debug("Überprüfe Parameter MOASessionId");
+	   
       // if non parameter is given return true
-      if (sessionID == null)
-         return true;
+      if (sessionID == null) {
+    	  Logger.debug("Parameter MOASessionId ist null");
+    	  return true; 
+      }
+         
 
       Pattern pattern = Pattern.compile("[0-9-]*");
       Matcher matcher = pattern.matcher(sessionID);
-      return matcher.matches();     
-
+      boolean b = matcher.matches();
+      if (b) {
+    	  Logger.debug("Parameter MOASessionId erfolgreich überprüft");
+    	  return true;
+      }
+      else {
+    	  Logger.error("Fehler Überprüfung Parameter MOASessionId. MOASessionId entspricht nicht den Kriterien (nur Zeichen 0-9 und -)");
+    	  return false;
+      }
 
+      
+  	  
+      
+      
    }
    
    /**
@@ -93,18 +333,68 @@ public class ParamValidatorUtils {
     * @return 
     */
    public static boolean isValidOA(String oa) {
+	   Logger.debug("Überprüfe Parameter oa");
+	   // if non parameter is given return true
+	   if (oa == null) {
+		   Logger.debug("Parameter oa ist null");
+		   return true;
+	   }
+	      
+      // check if template is a valid URL
+	   try {
+	    	  
+		   // check if template url starts with http or https 
+		   if (oa.startsWith("http") || oa.startsWith("https")) {
+			   new URL(oa);
+			   Logger.debug("Parameter oa erfolgreich überprüft");
+			   return true;	    		  
+	    	  }
+	    	  else  {
+	    		  Logger.error("Fehler Überprüfung Parameter oa. oa beginnt nicht mit http or https");
+	    		  return false;    	  
+	    	  }
+	            
+	      } catch (MalformedURLException e) {
+	    	  Logger.error("Fehler Überprüfung Parameter oa", e);
+	         return false;
+	      }
+	   
+   }
    
-      // if non parameter is given return true
-      if (oa == null)
-         return true;
-     
-      // check if oa is a valid URL
-      try {
-         new URL(oa);
-         return true;
-      } catch (MalformedURLException e) {
-         return false;
-      }
+   /**
+    * Checks if the given signurl is valid
+    * @param target HTTP parameter from request
+    * @return 
+    */
+   public static boolean isValidSignUrl(String signurl) {
+	   
+	   Logger.debug("Überprüfe Parameter signurl");
+   
+	   // if non parameter is given return true
+	   if (signurl == null) {
+		   Logger.debug("Parameter signurl ist null");
+		   return true;
+	   }
+	      
+      // check if template is a valid URL
+	   try {
+	    	  
+		   // check if signurl starts with http or https 
+		   if (signurl.startsWith("http") || signurl.startsWith("https")) {
+			   new URL(signurl);
+			   Logger.debug("Parameter signurl erfolgreich überprüft");
+			   return true;	    		  
+	    	  }
+	    	  else {
+	    		  Logger.error("Fehler Überprüfung Parameter signurl. signurl beginnt nicht mit http or https");
+	    		  return false;
+	    	  }	    	  
+	            
+	      } catch (MalformedURLException e) {
+	    	  Logger.error("Fehler Überprüfung Parameter signurl", e);
+	         return false;
+	      }
+	   
    }
    
    /**
@@ -115,44 +405,69 @@ public class ParamValidatorUtils {
     * @param data
     * @return
     */
-   private static boolean checkPlaceHolders(String data) {
-
-      boolean bku = data.contains("<BKU>");
-      boolean xmlrequest = data.contains("<XMLRequest>");
-      boolean dataurl = data.contains("<DataURL>");
-      boolean certinfoxmlrequest = data.contains("<CertInfoXMLRequest>");
-      boolean certinfodataurl = data.contains("<CertInfoDataURL>");
-      
-      System.out.println("Check Data: ");
-      System.out.println("bku: " + bku);
-      System.out.println("xmlrequest: " + xmlrequest);
-      System.out.println("dataurl: " + dataurl);
-      System.out.println("certinfoxmlrequest: " + certinfoxmlrequest);
-      System.out.println("certinfodataurl: " + certinfodataurl);
-
-      
-      //return bku && xmlrequest && dataurl && certinfoxmlrequest && certinfodataurl;
-      return true;
-      
-   }
+//   private static boolean checkPlaceHolders(String data) {
+//
+//      boolean bku = data.contains("<BKU>");
+//      boolean xmlrequest = data.contains("<XMLRequest>");
+//      boolean dataurl = data.contains("<DataURL>");
+//      boolean certinfoxmlrequest = data.contains("<CertInfoXMLRequest>");
+//      boolean certinfodataurl = data.contains("<CertInfoDataURL>");
+//      
+//      System.out.println("Check Data: ");
+//      System.out.println("bku: " + bku);
+//      System.out.println("xmlrequest: " + xmlrequest);
+//      System.out.println("dataurl: " + dataurl);
+//      System.out.println("certinfoxmlrequest: " + certinfoxmlrequest);
+//      System.out.println("certinfodataurl: " + certinfodataurl);
+//
+//      
+//      //return bku && xmlrequest && dataurl && certinfoxmlrequest && certinfodataurl;
+//      return true;
+//      
+//   }
    
 
-   /**
-    * Converts an input stream to a string
-    * @param is
-    * @return
-    * @throws Exception
-    */
-   private static String convertStreamToString(InputStream is) throws Exception {
-       BufferedReader reader = new BufferedReader(new InputStreamReader(is));
-       StringBuilder sb = new StringBuilder();
-       String line = null;
-       while ((line = reader.readLine()) != null) {
-         sb.append(line);
-       }
-       is.close();
-       return sb.toString();
-     }
+//   /**
+//    * Converts an input stream to a string
+//    * @param is
+//    * @return
+//    * @throws Exception
+//    */
+//   private static String convertStreamToString(InputStream is) throws Exception {
+//       BufferedReader reader = new BufferedReader(new InputStreamReader(is));
+//       StringBuilder sb = new StringBuilder();
+//       String line = null;
+//       while ((line = reader.readLine()) != null) {
+//         sb.append(line);
+//       }
+//       is.close();
+//       return sb.toString();
+//     }
+   
+   public static boolean isValidXMLDocument(String document) {
+	   
+	   Logger.debug("Überprüfe Parameter XMLDocument");
+	   try {   
+		   DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+		   DocumentBuilder builder = factory.newDocumentBuilder();
+		   InputSource is = new InputSource(new StringReader(document));
+		   builder.parse(is);
+		   
+		   Logger.debug("Parameter XMLDocument erfolgreich überprüft");
+		   return true;
+	   
+	   } catch (ParserConfigurationException e) {
+		   Logger.error("Fehler Überprüfung Parameter XMLDocument", e);
+		   return false;
+	   } catch (SAXException e) {
+		   Logger.error("Fehler Überprüfung Parameter XMLDocument", e);
+		   return false;
+	   } catch (IOException e) {
+		   Logger.error("Fehler Überprüfung Parameter XMLDocument", e);
+		   return false;
+	   }	
+	   
+   }
 
 }
 
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/Random.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/Random.java
index 225a5e246..450c002f9 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/Random.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/Random.java
@@ -15,7 +15,8 @@
 */
 package at.gv.egovernment.moa.id.util;
 
-import java.util.Date;
+import java.nio.ByteBuffer;
+import java.security.SecureRandom;
 
 /**
  * Random number generator used to generate ID's
@@ -25,13 +26,21 @@ import java.util.Date;
 public class Random {
 
   /** random number generator used */
-  private static java.util.Random random = new java.util.Random(new Date().getTime());
+	private static SecureRandom random = new SecureRandom();
   /**
    * Creates a new random number, to be used as an ID.
    * 
    * @return random long as a String
    */
   public static String nextRandom() {
-  	return "" + random.nextLong();
+
+	  byte[] b = new byte[16]; // 16 bytes = 128 bits
+	  random.nextBytes(b);
+		 
+	  
+	  ByteBuffer bb = ByteBuffer.wrap(b);
+	  long l = bb.getLong();
+	  
+	  return "" + l;
   }
 }
-- 
cgit v1.2.3