From 4b6fd327b29ff84f61914f33b6361fa31441c92e Mon Sep 17 00:00:00 2001
From: Thomas Knall <t.knall@datentechnik-innovation.com>
Date: Wed, 4 Feb 2015 11:31:43 +0100
Subject: Create separate module STORK (MOAID-67)

- Add new maven module moa-id-modules and sub module moa-id-module-stork.
- Move stork relates processes and task to module moa-id-module-stork.
- Move module registration to modules package.
---
 .../id/auth/modules/stork/STORKAuthModuleImpl.java |  39 ++
 .../stork/STORKWebApplicationInitializer.java      |  37 ++
 .../AbstractPepsConnectorWithLocalSigningTask.java | 223 ++++++++
 .../tasks/CreateStorkAuthRequestFormTask.java      | 112 ++++
 .../PepsConnectorHandleLocalSignResponseTask.java  | 216 ++++++++
 ...onnectorHandleResponseWithoutSignatureTask.java | 439 ++++++++++++++++
 .../modules/stork/tasks/PepsConnectorTask.java     | 566 +++++++++++++++++++++
 7 files changed, 1632 insertions(+)
 create mode 100644 id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/STORKAuthModuleImpl.java
 create mode 100644 id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/STORKWebApplicationInitializer.java
 create mode 100644 id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/AbstractPepsConnectorWithLocalSigningTask.java
 create mode 100644 id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/CreateStorkAuthRequestFormTask.java
 create mode 100644 id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorHandleLocalSignResponseTask.java
 create mode 100644 id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorHandleResponseWithoutSignatureTask.java
 create mode 100644 id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorTask.java

(limited to 'id/server/modules/module-stork/src/main/java')

diff --git a/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/STORKAuthModuleImpl.java b/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/STORKAuthModuleImpl.java
new file mode 100644
index 000000000..41384690e
--- /dev/null
+++ b/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/STORKAuthModuleImpl.java
@@ -0,0 +1,39 @@
+package at.gv.egovernment.moa.id.auth.modules.stork;
+
+import org.apache.commons.lang3.StringUtils;
+
+import at.gv.egovernment.moa.id.auth.modules.AuthModule;
+import at.gv.egovernment.moa.id.process.api.ExecutionContext;
+
+/**
+ * Module descriptor for an auth module providing stork authentication related processes.
+ * @author tknall
+ */
+public class STORKAuthModuleImpl implements AuthModule {
+	
+	private int priority = 0;
+
+	@Override
+	public int getPriority() {
+		return priority;
+	}
+
+	/**
+	 * Sets the priority of this module. Default value is {@code 0}.
+	 * @param priority The priority.
+	 */
+	public void setPriority(int priority) {
+		this.priority = priority;
+	}
+
+	@Override
+	public String selectProcess(ExecutionContext context) {
+		return StringUtils.isNotBlank((String) context.get("ccc")) ? "STORKAuthentication" : null;
+	}
+
+	@Override
+	public String[] getProcessDefinitions() {
+		return new String[] { "classpath:at/gv/egovernment/moa/id/auth/modules/stork/STORKAuthentication.process.xml" };
+	}
+
+}
diff --git a/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/STORKWebApplicationInitializer.java b/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/STORKWebApplicationInitializer.java
new file mode 100644
index 000000000..7478a57c3
--- /dev/null
+++ b/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/STORKWebApplicationInitializer.java
@@ -0,0 +1,37 @@
+package at.gv.egovernment.moa.id.auth.modules.stork;
+
+import javax.servlet.ServletContext;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRegistration;
+
+import org.springframework.web.WebApplicationInitializer;
+
+import at.gv.egovernment.moa.id.auth.servlet.ProcessEngineSignalServlet;
+
+/**
+ * Spring automatically discovers {@link WebApplicationInitializer} implementations at startup.<br/>
+ * This STORK webapp initializer adds the required servlet mappings:
+ * <ul>
+ * <li>{@code /PEPSConnector}</li>
+ * <li>{@code /PEPSConnectorWithLocalSigning}</li>
+ * </ul>
+ * for the {@linkplain ProcessEngineSignalServlet process engine servlet} (named {@code ProcessEngineSignal}) that wakes
+ * up a process in order to execute asynchronous tasks. Therefore the servlet mappings mentioned above do not need to be
+ * declared in {@code web.xml}.
+ * 
+ * @author tknall
+ * @see ProcessEngineSignalServlet
+ */
+public class STORKWebApplicationInitializer implements WebApplicationInitializer {
+
+	@Override
+	public void onStartup(ServletContext servletContext) throws ServletException {
+		ServletRegistration servletRegistration = servletContext.getServletRegistration("ProcessEngineSignal");
+		if (servletRegistration == null) {
+			throw new IllegalStateException("Servlet 'ProcessEngineSignal' expected to be registered.");
+		}
+		servletRegistration.addMapping("/PEPSConnectorWithLocalSigning");
+		servletRegistration.addMapping("/PEPSConnector");
+	}
+
+}
diff --git a/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/AbstractPepsConnectorWithLocalSigningTask.java b/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/AbstractPepsConnectorWithLocalSigningTask.java
new file mode 100644
index 000000000..702e62fa0
--- /dev/null
+++ b/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/AbstractPepsConnectorWithLocalSigningTask.java
@@ -0,0 +1,223 @@
+package at.gv.egovernment.moa.id.auth.modules.stork.tasks;
+
+import iaik.x509.X509Certificate;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.UnsupportedEncodingException;
+import java.security.cert.CertificateException;
+import java.util.HashMap;
+
+import javax.activation.DataSource;
+import javax.xml.bind.JAXBContext;
+import javax.xml.bind.JAXBElement;
+import javax.xml.bind.JAXBException;
+import javax.xml.parsers.ParserConfigurationException;
+import javax.xml.transform.TransformerConfigurationException;
+import javax.xml.transform.TransformerException;
+import javax.xml.transform.TransformerFactoryConfigurationError;
+
+import org.apache.commons.io.IOUtils;
+import org.xml.sax.SAXException;
+
+import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
+import at.gv.egovernment.moa.id.auth.data.IdentityLink;
+import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
+import at.gv.egovernment.moa.id.auth.exception.BKUException;
+import at.gv.egovernment.moa.id.auth.exception.BuildException;
+import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
+import at.gv.egovernment.moa.id.auth.exception.ParseException;
+import at.gv.egovernment.moa.id.auth.exception.ServiceException;
+import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
+import at.gv.egovernment.moa.id.auth.stork.STORKException;
+import at.gv.egovernment.moa.id.auth.stork.STORKResponseProcessor;
+import at.gv.egovernment.moa.id.config.ConfigurationException;
+import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
+import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
+import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.spss.MOAException;
+import at.gv.egovernment.moa.spss.api.SPSSFactory;
+import at.gv.egovernment.moa.spss.api.SignatureVerificationService;
+import at.gv.egovernment.moa.spss.api.common.Content;
+import at.gv.egovernment.moa.spss.api.xmlverify.VerifySignatureInfo;
+import at.gv.egovernment.moa.spss.api.xmlverify.VerifySignatureLocation;
+import at.gv.egovernment.moa.spss.api.xmlverify.VerifyXMLSignatureRequest;
+import at.gv.egovernment.moa.spss.api.xmlverify.VerifyXMLSignatureResponse;
+import at.gv.util.xsd.xmldsig.SignatureType;
+import at.gv.util.xsd.xmldsig.X509DataType;
+import eu.stork.oasisdss.api.LightweightSourceResolver;
+import eu.stork.oasisdss.api.exceptions.ApiUtilsException;
+import eu.stork.oasisdss.api.exceptions.UtilsException;
+import eu.stork.oasisdss.profile.SignResponse;
+import eu.stork.peps.auth.commons.IPersonalAttributeList;
+
+public abstract class AbstractPepsConnectorWithLocalSigningTask extends AbstractAuthServletTask {
+
+	String getCitizienSignatureFromSignResponse(SignResponse dssSignResponse) throws IllegalArgumentException,
+			TransformerConfigurationException, UtilsException, TransformerException,
+			TransformerFactoryConfigurationError, IOException, ApiUtilsException {
+		// fetch signed doc
+		DataSource ds = LightweightSourceResolver.getDataSource(dssSignResponse);
+		if (ds == null) {
+			throw new ApiUtilsException("No datasource found in response");
+		}
+
+		InputStream incoming = ds.getInputStream();
+		String citizenSignature = IOUtils.toString(incoming);
+		incoming.close();
+
+		return citizenSignature;
+	}
+
+	void SZRGInsertion(AuthenticationSession moaSession, IPersonalAttributeList personalAttributeList,
+			String authnContextClassRef, String citizenSignature) throws STORKException, MOAIDException {
+		Logger.debug("Foregin Citizen signature successfully extracted from STORK Assertion (signedDoc)");
+		Logger.debug("Citizen signature will be verified by SZR Gateway!");
+
+		Logger.debug("fetching OAParameters from database");
+
+		OAAuthParameter oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(
+				moaSession.getPublicOAURLPrefix());
+		if (oaParam == null)
+			throw new AuthenticationException("auth.00", new Object[] { moaSession.getPublicOAURLPrefix() });
+
+		// retrieve target
+		// TODO: check in case of SSO!!!
+		String targetType = null;
+		if (oaParam.getBusinessService()) {
+			String id = oaParam.getIdentityLinkDomainIdentifier();
+			if (id.startsWith(AuthenticationSession.REGISTERANDORDNR_PREFIX_))
+				targetType = id;
+			else
+				targetType = AuthenticationSession.REGISTERANDORDNR_PREFIX_ + moaSession.getDomainIdentifier();
+		} else {
+			targetType = AuthenticationSession.TARGET_PREFIX_ + oaParam.getTarget();
+		}
+
+		Logger.debug("Starting connecting SZR Gateway");
+		// contact SZR Gateway
+		IdentityLink identityLink = null;
+
+		identityLink = STORKResponseProcessor.connectToSZRGateway(personalAttributeList, oaParam.getFriendlyName(),
+				targetType, null, oaParam.getMandateProfiles(), citizenSignature);
+		Logger.debug("SZR communication was successfull");
+
+		if (identityLink == null) {
+			Logger.error("SZR Gateway did not return an identity link.");
+			throw new MOAIDException("stork.10", null);
+		}
+		Logger.info("Received Identity Link from SZR Gateway");
+		moaSession.setIdentityLink(identityLink);
+
+		Logger.debug("Adding addtional STORK attributes to MOA session");
+		moaSession.setStorkAttributes(personalAttributeList);
+
+		// We don't have BKUURL, setting from null to "Not applicable"
+		moaSession.setBkuURL("Not applicable (STORK Authentication)");
+
+		// free for single use
+		moaSession.setAuthenticatedUsed(false);
+
+		// stork did the authentication step
+		moaSession.setAuthenticated(true);
+
+		// TODO: found better solution, but QAA Level in response could be not supported yet
+		try {
+			if (authnContextClassRef == null)
+				authnContextClassRef = PVPConstants.STORK_QAA_PREFIX + oaParam.getQaaLevel();
+			moaSession.setQAALevel(authnContextClassRef);
+
+		} catch (Throwable e) {
+			Logger.warn("STORK QAA-Level is not found in AuthnResponse. Set QAA Level to requested level");
+			moaSession.setQAALevel(PVPConstants.STORK_QAA_PREFIX + oaParam.getQaaLevel());
+
+		}
+
+	}
+
+	X509Certificate getSignerCertificate(String citizenSignature) throws CertificateException, JAXBException,
+			UnsupportedEncodingException {
+		JAXBContext ctx = JAXBContext.newInstance(SignatureType.class.getPackage().getName());
+		SignatureType root = ((JAXBElement<SignatureType>) ctx.createUnmarshaller().unmarshal(
+				IOUtils.toInputStream(citizenSignature))).getValue();
+
+		// extract certificate
+		for (Object current : root.getKeyInfo().getContent())
+			if (((JAXBElement<?>) current).getValue() instanceof X509DataType) {
+				for (Object currentX509Data : ((JAXBElement<X509DataType>) current).getValue()
+						.getX509IssuerSerialOrX509SKIOrX509SubjectName()) {
+					JAXBElement<?> casted = ((JAXBElement<?>) currentX509Data);
+					if (casted.getName().getLocalPart().equals("X509Certificate")) {
+						return new X509Certificate(((String) casted.getValue()).getBytes("UTF-8"));
+					}
+				}
+			}
+		return null;
+	}
+
+	VerifyXMLSignatureResponse verifyXMLSignature(String signature) throws AuthenticationException, ParseException,
+			BKUException, BuildException, ConfigurationException, ServiceException, UnsupportedEncodingException,
+			SAXException, IOException, ParserConfigurationException, MOAException {
+		// Based on MOA demo client
+		// Factory und Service instanzieren
+		SPSSFactory spssFac = SPSSFactory.getInstance();
+		SignatureVerificationService sigVerifyService = SignatureVerificationService.getInstance();
+
+		Content sigDocContent1 = spssFac.createContent(IOUtils.toInputStream(signature, "UTF-8"), null);
+
+		// Position der zu prüfenden Signatur im Dokument angeben
+		// (Nachdem im XPath-Ausdruck ein NS-Präfix verwendet wird, muss in einer Lookup-Tabelle
+		// der damit bezeichnete Namenraum mitgegeben werden)
+		HashMap nSMap = new HashMap();
+		nSMap.put("dsig", "http://www.w3.org/2000/09/xmldsig#");
+		VerifySignatureLocation sigLocation = spssFac.createVerifySignatureLocation("//dsig:Signature", nSMap);
+
+		// Zu prüfendes Dokument und Signaturposition zusammenfassen
+
+		VerifySignatureInfo sigInfo = spssFac.createVerifySignatureInfo(sigDocContent1, sigLocation);
+
+		// Prüfrequest zusammenstellen
+		VerifyXMLSignatureRequest verifyRequest = spssFac.createVerifyXMLSignatureRequest(null, // Wird Prüfzeit nicht
+																								// angegeben, wird
+																								// aktuelle Zeit
+																								// verwendet
+				sigInfo, null, // Keine Ergänzungsobjekte notwendig
+				null, // Signaturmanifest-Prüfung soll nicht durchgeführt werden
+				false, // Hash-Inputdaten, d.h. tatsächlich signierte Daten werden nicht zurückgeliefert
+				"MOAIDBuergerkartePersonenbindungMitTestkarten");// TODO load from config
+		// "Test-Signaturdienste"); // ID des verwendeten Vertrauensprofils
+
+		VerifyXMLSignatureResponse verifyResponse = null;
+		try {
+			// Aufruf der Signaturprüfung
+			verifyResponse = sigVerifyService.verifyXMLSignature(verifyRequest);
+		} catch (MOAException e) {
+			// Service liefert Fehler
+			System.err.println("Die Signaturprüfung hat folgenden Fehler geliefert:");
+			System.err.println("Fehlercode: " + e.getMessageId());
+			System.err.println("Fehlernachricht: " + e.getMessage());
+			throw e;
+		}
+
+		return verifyResponse;
+	}
+
+	at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse convert(
+			VerifyXMLSignatureResponse xMLVerifySignatureResponse) {
+		at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse response = new at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse();
+		response.setCertificateCheckCode(xMLVerifySignatureResponse.getCertificateCheck().getCode());
+		response.setPublicAuthority(xMLVerifySignatureResponse.getSignerInfo().isPublicAuthority());
+		// response.setPublicAuthorityCode(publicAuthorityCode)
+		response.setQualifiedCertificate(xMLVerifySignatureResponse.getSignerInfo().isQualifiedCertificate());
+		response.setSignatureCheckCode(xMLVerifySignatureResponse.getSignatureCheck().getCode());
+		response.setSignatureManifestCheckCode(xMLVerifySignatureResponse.getSignatureManifestCheck().getCode());
+		// response.setSigningDateTime()
+		// response.setX509certificate(x509certificate)
+		response.setXmlDSIGManifestCheckCode(xMLVerifySignatureResponse.getSignatureManifestCheck().getCode());
+		// response.setXmlDSIGManigest(xMLVerifySignatureResponse.getSignatureManifestCheck())
+		// response.setXmlDsigSubjectName(xmlDsigSubjectName)
+		return response;
+	}
+
+}
diff --git a/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/CreateStorkAuthRequestFormTask.java b/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/CreateStorkAuthRequestFormTask.java
new file mode 100644
index 000000000..f8cc17b93
--- /dev/null
+++ b/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/CreateStorkAuthRequestFormTask.java
@@ -0,0 +1,112 @@
+package at.gv.egovernment.moa.id.auth.modules.stork.tasks;
+
+import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.*;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.commons.lang.StringEscapeUtils;
+import org.apache.commons.lang3.StringUtils;
+
+import at.gv.egovernment.moa.id.auth.AuthenticationServer;
+import at.gv.egovernment.moa.id.auth.builder.StartAuthenticationBuilder;
+import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
+import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
+import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
+import at.gv.egovernment.moa.id.auth.exception.WrongParametersException;
+import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
+import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils;
+import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
+import at.gv.egovernment.moa.id.config.stork.CPEPS;
+import at.gv.egovernment.moa.id.config.stork.STORKConfig;
+import at.gv.egovernment.moa.id.process.api.ExecutionContext;
+import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage;
+import at.gv.egovernment.moa.id.util.ParamValidatorUtils;
+import at.gv.egovernment.moa.logging.Logger;
+
+/**
+ * Creates a SAML2 STORK authentication request, embeds it in a form (in order to satisfy saml post binging) and returns the form withing the HttpServletResponse.<p/>
+ * In detail:
+ * <ul>
+ * <li>Validates the stork configuration in order to make sure the selected country is supported.</li>
+ * <li>Puts a flag ({@link #PROCESS_CTX_KEY_CPEPS_ISXMLSIGSUPPORTED}) into the ExecutionContext reflecting the capability of the C-PEPS to create xml signatures.</li>
+ * <li>Invokes {@link AuthenticationServer#startSTORKAuthentication(HttpServletRequest, HttpServletResponse, AuthenticationSession)} which</li>
+ * <ul>
+ * <li>Creates and signs a SAML2 stork authentication request.</li>
+ * <li>Creates a signature request for auth block signature (either to be performed by the C-PEPS or locally).</li>
+ * <li>Using the velocity template engine in order to create a form with the embedded stork request.</li>
+ * <li>Writes the form to the response output stream.</li>
+ * </ul>
+ * </ul>
+ * Expects:
+ * <ul>
+ * <li>HttpServletRequest parameter {@linkplain at.gv.egovernment.moa.id.auth.MOAIDAuthConstants#PARAM_SESSIONID PARAM_SESSIONID}</li>
+ * <li>Property {@code ccc} set within the moa session.</li>
+ * </ul>
+ * Result:
+ * <ul>
+ * <li>Form containing a SAML2 Stork authentication request and an action url pointing to the selected C-PEPS.</li>
+ * <li>Assertion consumer URL for C-PEPS set either to {@code /PEPSConnector} in case of a C-PEPS supporting xml signatures or {@code /PEPSConnectorWithLocalSigning} if the selected C-PEPS does not support xml signatures.</li>
+ * <li>In case of a C-PEPS not supporting xml signature: moasession with set signedDoc property (containing the signature request for local signing).</li>
+ * <li>ExecutionContext contains the boolean flag {@link #PROCESS_CTX_KEY_CPEPS_ISXMLSIGSUPPORTED}.
+ * </ul>
+ * Code taken from {@link StartAuthenticationBuilder#build(AuthenticationSession, HttpServletRequest, HttpServletResponse)}.<br/>
+ * Using {@link AuthenticationServer#startSTORKAuthentication(HttpServletRequest, HttpServletResponse, AuthenticationSession)}
+ * @see #execute(ExecutionContext, HttpServletRequest, HttpServletResponse)
+ */
+public class CreateStorkAuthRequestFormTask extends AbstractAuthServletTask {
+
+	/**
+	 * Boolean value reflecting the capability of the selected c-peps of creating xml signatures.
+	 */
+	public static final String PROCESS_CTX_KEY_CPEPS_ISXMLSIGSUPPORTED = "C-PEPS:XMLSignatureSupported";
+
+	@Override
+	public void execute(ExecutionContext executionContext, HttpServletRequest req, HttpServletResponse resp)
+			throws Exception {
+
+		String pendingRequestID = null;
+		String sessionID = null;
+		try {
+			setNoCachingHeaders(resp);
+
+			sessionID = StringEscapeUtils.escapeHtml(req.getParameter(PARAM_SESSIONID));
+			// check parameter
+			if (!ParamValidatorUtils.isValidSessionID(sessionID)) {
+				throw new WrongParametersException("CreateStorkAuthRequestFormTask", PARAM_SESSIONID, "auth.12");
+			}
+			AuthenticationSession moasession = AuthenticationServer.getSession(sessionID);
+			pendingRequestID = AuthenticationSessionStoreage.getPendingRequestID(sessionID);
+
+			if (StringUtils.isEmpty(moasession.getCcc())) {
+				// illegal state; task should not have been executed without a selected country
+				throw new AuthenticationException("stork.22", new Object[] { sessionID });
+			}
+			STORKConfig storkConfig = AuthConfigurationProvider.getInstance().getStorkConfig();
+			if (!storkConfig.isSTORKAuthentication(moasession.getCcc())) {
+				throw new AuthenticationException("stork.23", new Object[] { moasession.getCcc(), sessionID });
+			}
+
+			// STORK authentication
+			// cpeps cannot be null
+			CPEPS cpeps = storkConfig.getCPEPS(moasession.getCcc());
+			Logger.debug("Found C-PEPS configuration for citizen of country: " + moasession.getCcc());
+			executionContext.put(PROCESS_CTX_KEY_CPEPS_ISXMLSIGSUPPORTED, cpeps.isXMLSignatureSupported());
+
+			Logger.info("Starting STORK authentication for a citizen of country: " + moasession.getCcc());
+			AuthenticationServer.startSTORKAuthentication(req, resp, moasession);
+
+		} catch (MOAIDException ex) {
+			handleError(null, ex, req, resp, pendingRequestID);
+
+		} catch (Exception e) {
+			Logger.error("CreateStorkAuthRequestFormTask has an interal Error.", e);
+			throw new MOAIDException("Internal error.", new Object[] { sessionID }, e);
+		}
+
+		finally {
+			ConfigurationDBUtils.closeSession();
+		}
+	}
+
+}
diff --git a/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorHandleLocalSignResponseTask.java b/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorHandleLocalSignResponseTask.java
new file mode 100644
index 000000000..077bb2dee
--- /dev/null
+++ b/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorHandleLocalSignResponseTask.java
@@ -0,0 +1,216 @@
+package at.gv.egovernment.moa.id.auth.modules.stork.tasks;
+
+import iaik.x509.X509Certificate;
+
+import java.io.IOException;
+import java.io.StringWriter;
+import java.util.ArrayList;
+import java.util.List;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.xml.transform.Source;
+import javax.xml.transform.stream.StreamSource;
+
+import org.apache.commons.codec.binary.Base64;
+import org.apache.velocity.Template;
+import org.apache.velocity.VelocityContext;
+import org.apache.velocity.app.VelocityEngine;
+
+import at.gv.egovernment.moa.id.auth.AuthenticationServer;
+import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder;
+import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
+import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
+import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
+import at.gv.egovernment.moa.id.auth.stork.STORKException;
+import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils;
+import at.gv.egovernment.moa.id.moduls.ModulUtils;
+import at.gv.egovernment.moa.id.process.api.ExecutionContext;
+import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage;
+import at.gv.egovernment.moa.id.util.VelocityProvider;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.spss.api.xmlverify.VerifyXMLSignatureResponse;
+import eu.stork.oasisdss.api.ApiUtils;
+import eu.stork.oasisdss.profile.SignResponse;
+import eu.stork.peps.auth.commons.IPersonalAttributeList;
+import eu.stork.peps.auth.commons.PersonalAttribute;
+
+/**
+ * Processes the citizen's signature, creates identity link using szr gateway and finalizes authentication.
+ * <p/>
+ * In detail:
+ * <ul>
+ * <li>Changes moa session id.</li>
+ * <li>Decodes and validates the sign response, extracting the citizen's signature.</li>
+ * <li>Verifies the citizen's signature.</li>
+ * <li>Create {@code signedDoc} attribute.</li>
+ * <li>Retrieve identity link from SZR gateway using the citizen's signature.</li>
+ * <li>If the S-PEPS did not provide any gender information, the szr gateway will not be able to issue an identity link.
+ * Therefore a form is presented asking for the subject's gender. The form finally submits the user back to the
+ * {@code /PepsConnectorWithLocalSigning} servlet (this task).</li>
+ * <li>The moa session is updated with authentication information.</li>
+ * <li>Change moa session id.</li>
+ * <li>Redirects back to {@code /dispatcher} in order to finalize the authentication.</li>
+ * </ul>
+ * Expects:
+ * <ul>
+ * <li>HttpServletRequest parameter {@code moaSessionID}</li>
+ * <li>HttpServletRequest parameter {@code signresponse}</li>
+ * </ul>
+ * Result:
+ * <ul>
+ * <li>Updated moa id session (signed auth block, signer certificate etc.)</li>
+ * <li>Redirect to {@code /dispatcher}.</li>
+ * <li>{@link ExecutionContext} contains boolean flag {@code identityLinkAvailable} indicating if an identitylink has been successfully creates or not.</li>
+ * </ul>
+ * Possible branches:
+ * <ul>
+ * <li>In case the szr gateway throws exception due to missing gender information:
+ * <ul>
+ * <li>Returns a form for gender selection with action url back to this servlet/task.</li>
+ * </ul>
+ * </li>
+ * </ul>
+ * Code taken from {@link at.gv.egovernment.moa.id.auth.servlet.PEPSConnectorWithLocalSigningServlet}.<br/>
+ *
+ * @see #execute(ExecutionContext, HttpServletRequest, HttpServletResponse)
+ */
+public class PepsConnectorHandleLocalSignResponseTask extends AbstractPepsConnectorWithLocalSigningTask {
+
+	@Override
+	public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response)
+			throws Exception {
+		String moaSessionID = request.getParameter("moaSessionID");
+		String signResponse = request.getParameter("signresponse");
+		Logger.info("moaSessionID:" + moaSessionID);
+		Logger.info("signResponse:" + signResponse);
+
+		if (moaSessionID != null && signResponse != null) {
+			// redirect from oasis with signresponse
+			handleSignResponse(executionContext, request, response);
+		} else {
+			// should not occur
+			throw new IOException("should not occur");
+		}
+		return;
+	}
+
+	private void handleSignResponse(ExecutionContext executionContext, HttpServletRequest request,
+			HttpServletResponse response) {
+		Logger.info("handleSignResponse started");
+		String moaSessionID = request.getParameter("moaSessionID");
+		String signResponse = request.getParameter("signresponse");
+		Logger.info("moaSessionID:" + moaSessionID);
+		Logger.info("signResponse:" + signResponse);
+		String pendingRequestID = null;
+		try {
+
+			// load MOASession from database
+			AuthenticationSession moaSession = AuthenticationServer.getSession(moaSessionID);
+			// change MOASessionID
+			moaSessionID = AuthenticationSessionStoreage.changeSessionID(moaSession);
+
+			pendingRequestID = AuthenticationSessionStoreage.getPendingRequestID(moaSessionID);
+			Logger.info("pendingRequestID:" + pendingRequestID);
+			String signResponseString = new String(Base64.decodeBase64(signResponse), "UTF8");
+			Logger.info("RECEIVED signresponse:" + signResponseString);
+			// create SignResponse object
+			Source response1 = new StreamSource(new java.io.StringReader(signResponseString));
+			SignResponse dssSignResponse = ApiUtils.unmarshal(response1, SignResponse.class);
+
+			// SignResponse dssSignResponse = (SignResponse) ApiUtils.unmarshal(new StreamSource(new
+			// java.io.StringReader(Base64.signResponse)));
+
+			String citizenSignature = getCitizienSignatureFromSignResponse(dssSignResponse);
+
+			// memorize signature into authblock
+			moaSession.setAuthBlock(citizenSignature);
+
+			X509Certificate cert = getSignerCertificate(citizenSignature);
+			moaSession.setSignerCertificate(cert);
+			VerifyXMLSignatureResponse xMLVerifySignatureResponse = verifyXMLSignature(citizenSignature);
+			at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse tmp = convert(xMLVerifySignatureResponse);
+
+			moaSession.setXMLVerifySignatureResponse(tmp);
+			executionContext.put("identityLinkAvailable", false);
+			try {
+				IPersonalAttributeList personalAttributeList = moaSession.getAuthnResponseGetPersonalAttributeList();
+				// Add SignResponse TODO Add signature (extracted from signResponse)?
+				List<String> values = new ArrayList<String>();
+				values.add(signResponseString);
+				// values.add(citizenSignature);
+				Logger.debug("Assembling signedDoc attribute");
+				PersonalAttribute signedDocAttribute = new PersonalAttribute("signedDoc", false, values, "Available");
+				personalAttributeList.add(signedDocAttribute);
+
+				String authnContextClassRef = moaSession.getAuthnContextClassRef();
+				SZRGInsertion(moaSession, personalAttributeList, authnContextClassRef, citizenSignature);
+				executionContext.put("identityLinkAvailable", true);
+			} catch (STORKException e) {
+				// this is really nasty but we work against the system here. We are supposed to get the gender attribute
+				// from
+				// stork. If we do not, we cannot register the person in the ERnP - we have to have the
+				// gender for the represented person. So here comes the dirty hack.
+				if (e.getCause() instanceof STORKException
+						&& e.getCause().getMessage().equals("gender not found in response")) {
+					try {
+						Logger.trace("Initialize VelocityEngine...");
+
+						VelocityEngine velocityEngine = VelocityProvider.getClassPathVelocityEngine();
+						Template template = velocityEngine.getTemplate("/resources/templates/fetchGender.html");
+						VelocityContext context = new VelocityContext();
+						context.put("SAMLResponse", request.getParameter("SAMLResponse"));
+						context.put("action", request.getRequestURL());
+
+						StringWriter writer = new StringWriter();
+						template.merge(context, writer);
+						response.getOutputStream().write(writer.toString().getBytes("UTF-8"));
+					} catch (Exception e1) {
+						Logger.error("Error sending gender retrival form.", e1);
+						// httpSession.invalidate();
+						throw new MOAIDException("stork.10", null);
+					}
+
+					return;
+				}
+
+				Logger.error("Error connecting SZR Gateway", e);
+				throw new MOAIDException("stork.10", null);
+			}
+
+			Logger.debug("Add full STORK AuthnResponse to MOA session");
+			moaSession.setStorkAuthnResponse(request.getParameter("SAMLResponse"));// TODO ask Florian/Thomas
+																					// authnResponse?
+			moaSession.setForeigner(true);
+
+			// session is implicit stored in changeSessionID!!!!
+			String newMOASessionID = AuthenticationSessionStoreage.changeSessionID(moaSession);
+
+			Logger.info("Changed MOASession " + moaSessionID + " to Session " + newMOASessionID);
+
+			// redirect
+			String redirectURL = null;
+			redirectURL = new DataURLBuilder().buildDataURL(moaSession.getAuthURL(),
+					ModulUtils.buildAuthURL(moaSession.getModul(), moaSession.getAction(), pendingRequestID),
+					newMOASessionID);
+			redirectURL = response.encodeRedirectURL(redirectURL);
+
+			response.sendRedirect(redirectURL);
+			Logger.info("REDIRECT TO: " + redirectURL);
+
+		} catch (AuthenticationException e) {
+			handleError(null, e, request, response, pendingRequestID);
+
+		} catch (MOAIDException e) {
+			handleError(null, e, request, response, pendingRequestID);
+
+		} catch (Exception e) {
+			Logger.error("PEPSConnector has an interal Error.", e);
+		}
+
+		finally {
+			ConfigurationDBUtils.closeSession();
+		}
+	}
+
+}
diff --git a/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorHandleResponseWithoutSignatureTask.java b/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorHandleResponseWithoutSignatureTask.java
new file mode 100644
index 000000000..3338804b4
--- /dev/null
+++ b/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorHandleResponseWithoutSignatureTask.java
@@ -0,0 +1,439 @@
+package at.gv.egovernment.moa.id.auth.modules.stork.tasks;
+
+import iaik.x509.X509Certificate;
+
+import java.io.IOException;
+import java.io.StringWriter;
+import java.util.ArrayList;
+import java.util.List;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.xml.transform.Source;
+import javax.xml.transform.stream.StreamSource;
+
+import org.apache.commons.codec.binary.Base64;
+import org.apache.commons.io.IOUtils;
+import org.apache.commons.lang.StringEscapeUtils;
+import org.apache.velocity.Template;
+import org.apache.velocity.VelocityContext;
+import org.apache.velocity.app.VelocityEngine;
+import org.opensaml.saml2.core.StatusCode;
+
+import at.gv.egovernment.moa.id.auth.AuthenticationServer;
+import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder;
+import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
+import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
+import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
+import at.gv.egovernment.moa.id.auth.servlet.PEPSConnectorWithLocalSigningServlet;
+import at.gv.egovernment.moa.id.auth.stork.STORKException;
+import at.gv.egovernment.moa.id.auth.stork.STORKResponseProcessor;
+import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils;
+import at.gv.egovernment.moa.id.commons.db.dao.config.AttributeProviderPlugin;
+import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
+import at.gv.egovernment.moa.id.moduls.ModulUtils;
+import at.gv.egovernment.moa.id.process.api.ExecutionContext;
+import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage;
+import at.gv.egovernment.moa.id.util.HTTPUtils;
+import at.gv.egovernment.moa.id.util.VelocityProvider;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.StringUtils;
+import eu.stork.oasisdss.api.ApiUtils;
+import eu.stork.oasisdss.profile.SignRequest;
+import eu.stork.oasisdss.profile.SignResponse;
+import eu.stork.peps.auth.commons.IPersonalAttributeList;
+import eu.stork.peps.auth.commons.PEPSUtil;
+import eu.stork.peps.auth.commons.PersonalAttribute;
+import eu.stork.peps.auth.commons.STORKAuthnRequest;
+import eu.stork.peps.auth.commons.STORKAuthnResponse;
+import eu.stork.peps.auth.engine.STORKSAMLEngine;
+import eu.stork.peps.exceptions.STORKSAMLEngineException;
+
+/**
+ * Validates the SAML response from C-PEPS.
+ * <p/>
+ * In detail:
+ * <ul>
+ * <li>Decodes and validates SAML response from C-PEPS.</li>
+ * <li>Retrieves the moa session using the session id provided by HttpServletRequest parameter {@code RelayState} or by {@code inResponseTo} attribute of the saml response.</li>
+ * <li>Store saml response in moa session.</li>
+ * <li>Change moa session id.</li>
+ * <li>Redirect to {@code /PEPSConnectorWithLocalSigning}, with providing the moa session id as request parameter.</li>
+ * </ul>
+ * Expects:
+ * <ul>
+ * <li>HttpServletRequest parameter {@code moaSessionID} <strong>to be {@code null}</strong></li>
+ * <li>HttpServletRequest parameter {@code signresponse} <strong>to be {@code null}</strong></li>
+ * <li>HttpServletRequest parameter {@code SAMLResponse}</li>
+ * <li>Either HttpServletRequest parameter {@code RelayState} or {@code inResponseTo} attribute within the saml response, both reflecting the moa session id.</li>
+ * </ul>
+ * Result:
+ * <ul>
+ * <li>Updated moa session (with saml response).</li>
+ * <li>Redirect to {@code /PEPSConnectorWithLocalSigning}, with providing the moa session id as request parameter.</li>
+ * </ul>
+ * Code taken from {@link at.gv.egovernment.moa.id.auth.servlet.PEPSConnectorWithLocalSigningServlet}.<br/>
+ *
+ * @see #execute(ExecutionContext, HttpServletRequest, HttpServletResponse)
+ */
+public class PepsConnectorHandleResponseWithoutSignatureTask extends AbstractPepsConnectorWithLocalSigningTask {
+
+	private String oasisDssWebFormURL = "https://testvidp.buergerkarte.at/oasis-dss/DSSWebFormServlet";
+	// load from config below
+
+	@Override
+	public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response)
+			throws Exception {
+		String moaSessionID = request.getParameter("moaSessionID");
+		String signResponse = request.getParameter("signresponse");
+		Logger.info("moaSessionID:" + moaSessionID);
+		Logger.info("signResponse:" + signResponse);
+
+		if (moaSessionID == null && signResponse == null) {
+			// normal saml response
+			handleSAMLResponse(executionContext, request, response);
+
+		} else {
+			// should not occur
+			throw new IOException("should not occur");
+		}
+		return;
+	}
+
+	private void handleSAMLResponse(ExecutionContext executionContext, HttpServletRequest request,
+			HttpServletResponse response) {
+		Logger.info("handleSAMLResponse started");
+		String pendingRequestID = null;
+
+		setNoCachingHeaders(response);
+		try {
+			Logger.info("PEPSConnector Servlet invoked, expecting C-PEPS message.");
+			Logger.debug("This ACS endpoint is: " + HTTPUtils.getBaseURL(request));
+
+			Logger.trace("No Caching headers set for HTTP response");
+
+			// check if https or only http
+			super.checkIfHTTPisAllowed(request.getRequestURL().toString());
+
+			Logger.debug("Beginning to extract SAMLResponse out of HTTP Request");
+
+			// extract STORK Response from HTTP Request
+			// Decodes SAML Response
+			byte[] decSamlToken;
+			try {
+				decSamlToken = PEPSUtil.decodeSAMLToken(request.getParameter("SAMLResponse"));
+				Logger.debug("SAMLResponse: " + new String(decSamlToken));
+
+			} catch (NullPointerException e) {
+				Logger.error("Unable to retrieve STORK Response", e);
+				throw new MOAIDException("stork.04", null);
+			}
+
+			// Get SAMLEngine instance
+			STORKSAMLEngine engine = STORKSAMLEngine.getInstance("outgoing");
+
+			STORKAuthnResponse authnResponse = null;
+			try {
+				// validate SAML Token
+				Logger.debug("Starting validation of SAML response");
+				authnResponse = engine.validateSTORKAuthnResponse(decSamlToken, (String) request.getRemoteHost());
+				Logger.info("SAML response succesfully verified!");
+			} catch (STORKSAMLEngineException e) {
+				Logger.error("Failed to verify STORK SAML Response", e);
+				throw new MOAIDException("stork.05", null);
+			}
+
+			Logger.info("STORK SAML Response message succesfully extracted");
+			Logger.debug("STORK response: ");
+			Logger.debug(authnResponse.toString());
+
+			Logger.debug("Trying to find MOA Session-ID ...");
+			// String moaSessionID = request.getParameter(PARAM_SESSIONID);
+			// first use SAML2 relayState
+			String moaSessionID = request.getParameter("RelayState");
+
+			// escape parameter strings
+			moaSessionID = StringEscapeUtils.escapeHtml(moaSessionID);
+
+			// check if SAML2 relaystate includes a MOA sessionID
+			if (StringUtils.isEmpty(moaSessionID)) {
+				// if relaystate is emtpty, use SAML response -> inResponseTo element as session identifier
+
+				moaSessionID = authnResponse.getInResponseTo();
+				moaSessionID = StringEscapeUtils.escapeHtml(moaSessionID);
+
+				if (StringUtils.isEmpty(moaSessionID)) {
+					// No authentication session has been started before
+					Logger.error("MOA-SessionID was not found, no previous AuthnRequest had been started");
+					Logger.debug("PEPSConnectorURL was: " + request.getRequestURL());
+					throw new AuthenticationException("auth.02", new Object[] { moaSessionID });
+
+				} else
+					Logger.trace("Use MOA SessionID " + moaSessionID + " from AuthnResponse->inResponseTo attribute.");
+
+			} else
+				// Logger.trace("MOA SessionID " + moaSessionID + " is found in http GET parameter.");
+				Logger.trace("MOA SessionID " + moaSessionID + " is found in SAML2 relayState.");
+
+			/*
+			 * INFO!!!! SAML message IDs has an different format then MOASessionIDs This is only a workaround because
+			 * many PEPS does not support SAML2 relayState or MOASessionID as AttributConsumerServiceURL GET parameter
+			 */
+			// if (!ParamValidatorUtils.isValidSessionID(moaSessionID))
+			// throw new WrongParametersException("VerifyAuthenticationBlock", PARAM_SESSIONID, "auth.12");
+
+			pendingRequestID = AuthenticationSessionStoreage.getPendingRequestID(moaSessionID);
+
+			// load MOASession from database
+			AuthenticationSession moaSession = AuthenticationServer.getSession(moaSessionID);
+			// change MOASessionID
+			moaSessionID = AuthenticationSessionStoreage.changeSessionID(moaSession);
+
+			Logger.info("Found MOA sessionID: " + moaSessionID);
+
+			String statusCodeValue = authnResponse.getStatusCode();
+
+			if (!statusCodeValue.equals(StatusCode.SUCCESS_URI)) {
+				Logger.error("Received ErrorResponse from PEPS: " + statusCodeValue);
+				throw new MOAIDException("stork.06", new Object[] { statusCodeValue });
+			}
+
+			Logger.info("Got SAML response with authentication success message.");
+
+			Logger.debug("MOA session is still valid");
+
+			STORKAuthnRequest storkAuthnRequest = moaSession.getStorkAuthnRequest();
+
+			if (storkAuthnRequest == null) {
+				Logger.error("Could not find any preceeding STORK AuthnRequest to this MOA session: " + moaSessionID);
+				throw new MOAIDException("stork.07", null);
+			}
+
+			Logger.debug("Found a preceeding STORK AuthnRequest to this MOA session: " + moaSessionID);
+
+			// //////////// incorporate gender from parameters if not in stork response
+
+			IPersonalAttributeList attributeList = authnResponse.getPersonalAttributeList();
+
+			// but first, check if we have a representation case
+			if (STORKResponseProcessor.hasAttribute("mandateContent", attributeList)
+					|| STORKResponseProcessor.hasAttribute("representative", attributeList)
+					|| STORKResponseProcessor.hasAttribute("represented", attributeList)) {
+				// in a representation case...
+				moaSession.setUseMandate("true");
+
+				// and check if we have the gender value
+				PersonalAttribute gender = attributeList.get("gender");
+				if (null == gender) {
+					String gendervalue = (String) request.getParameter("gender");
+					if (null != gendervalue) {
+						gender = new PersonalAttribute();
+						gender.setName("gender");
+						ArrayList<String> tmp = new ArrayList<String>();
+						tmp.add(gendervalue);
+						gender.setValue(tmp);
+
+						authnResponse.getPersonalAttributeList().add(gender);
+					}
+				}
+			}
+
+			
+			
+			// ////////////////////////////////////////////////////////////////////////
+
+			Logger.debug("Starting extraction of signedDoc attribute");
+			// extract signed doc element and citizen signature
+			String citizenSignature = null;
+			try {
+				PersonalAttribute signedDoc = authnResponse.getPersonalAttributeList().get("signedDoc");
+				String signatureInfo = null;
+				// FIXME: Remove nonsense code (signedDoc attribute... (throw Exception for "should not occur" situations)), adjust error messages in order to reflect the true problem...
+				if (signedDoc != null) {
+					signatureInfo = signedDoc.getValue().get(0);
+					// should not occur
+				} else {
+
+					// store SAMLResponse
+					moaSession.setSAMLResponse(request.getParameter("SAMLResponse"));
+					// store authnResponse
+
+					// moaSession.setAuthnResponse(authnResponse);//not serializable
+					moaSession.setAuthnResponseGetPersonalAttributeList(authnResponse.getPersonalAttributeList());
+
+					String authnContextClassRef = null;
+					try {
+						authnContextClassRef = authnResponse.getAssertions().get(0).getAuthnStatements().get(0)
+								.getAuthnContext().getAuthnContextClassRef().getAuthnContextClassRef();
+					} catch (Throwable e) {
+						Logger.warn("STORK QAA-Level is not found in AuthnResponse. Set QAA Level to requested level");
+					}
+
+					moaSession.setAuthnContextClassRef(authnContextClassRef);
+					moaSession.setReturnURL(request.getRequestURL());
+
+					// load signedDoc
+					String signRequest = moaSession.getSignedDoc();
+
+					// session is implicit stored in changeSessionID!!!!
+					String newMOASessionID = AuthenticationSessionStoreage.changeSessionID(moaSession);
+
+					// set return url to PEPSConnectorWithLocalSigningServlet and add newMOASessionID
+					// signRequest
+
+					String issuerValue = AuthConfigurationProvider.getInstance().getPublicURLPrefix();
+					String acsURL = issuerValue
+							+ PEPSConnectorWithLocalSigningServlet.PEPSCONNECTOR_SERVLET_URL_PATTERN;
+
+					String url = acsURL + "?moaSessionID=" + newMOASessionID;
+					// redirect to OASIS module and sign there
+
+					boolean found = false;
+					try {
+						List<AttributeProviderPlugin> aps = AuthConfigurationProvider.getInstance()
+								.getOnlineApplicationParameter(moaSession.getPublicOAURLPrefix()).getStorkAPs();
+						Logger.info("Found AttributeProviderPlugins:" + aps.size());
+						for (AttributeProviderPlugin ap : aps) {
+							Logger.info("Found AttributeProviderPlugin attribute:" + ap.getAttributes());
+							if (ap.getAttributes().equalsIgnoreCase("signedDoc")) {
+								// FIXME: A servlet's class field is not thread safe!!!
+								oasisDssWebFormURL = ap.getUrl();
+								found = true;
+								Logger.info("Loaded signedDoc attribute provider url from config:" + oasisDssWebFormURL);
+								break;
+							}
+						}
+					} catch (Exception e) {
+						e.printStackTrace();
+						Logger.error("Loading the signedDoc attribute provider url from config failed");
+					}
+					if (!found) {
+						Logger.error("Failed to load the signedDoc attribute provider url from config");
+					}
+					performRedirect(url, request, response, signRequest);
+
+					return;
+				}
+				
+				// FIXME: This servlet/task is intended to handle peps responses without signature, so why do we try to process that signature here?
+				SignResponse dssSignResponse = (SignResponse) ApiUtils.unmarshal(new StreamSource(
+						new java.io.StringReader(signatureInfo)));
+
+				citizenSignature = getCitizienSignatureFromSignResponse(dssSignResponse);
+
+				// memorize signature into authblock
+				moaSession.setAuthBlock(citizenSignature);
+
+				X509Certificate cert = getSignerCertificate(citizenSignature);
+				moaSession.setSignerCertificate(cert);
+				moaSession.setForeigner(true);
+
+			} catch (Throwable e) {
+				Logger.error("Could not extract citizen signature from C-PEPS", e);
+				throw new MOAIDException("stork.09", null);
+			}
+
+			// FIXME: Same here; we do not have the citizen's signature, so this code might be regarded as dead code.
+			try {
+				SZRGInsertion(moaSession, authnResponse.getPersonalAttributeList(), authnResponse.getAssertions()
+						.get(0).getAuthnStatements().get(0).getAuthnContext().getAuthnContextClassRef()
+						.getAuthnContextClassRef(), citizenSignature);
+			} catch (STORKException e) {
+				// this is really nasty but we work against the system here. We are supposed to get the gender attribute
+				// from
+				// stork. If we do not, we cannot register the person in the ERnP - we have to have the
+				// gender for the represented person. So here comes the dirty hack.
+				if (e.getCause() instanceof STORKException
+						&& e.getCause().getMessage().equals("gender not found in response")) {
+					try {
+						Logger.trace("Initialize VelocityEngine...");
+
+						VelocityEngine velocityEngine = VelocityProvider.getClassPathVelocityEngine();
+						Template template = velocityEngine.getTemplate("/resources/templates/fetchGender.html");
+						VelocityContext context = new VelocityContext();
+						context.put("SAMLResponse", request.getParameter("SAMLResponse"));
+						context.put("action", request.getRequestURL());
+
+						StringWriter writer = new StringWriter();
+						template.merge(context, writer);
+
+						response.getOutputStream().write(writer.toString().getBytes("UTF-8"));
+					} catch (Exception e1) {
+						Logger.error("Error sending gender retrival form.", e1);
+						// httpSession.invalidate();
+						throw new MOAIDException("stork.10", null);
+					}
+
+					return;
+				}
+
+				Logger.error("Error connecting SZR Gateway", e);
+				throw new MOAIDException("stork.10", null);
+			}
+
+			Logger.debug("Add full STORK AuthnResponse to MOA session");
+			moaSession.setStorkAuthnResponse(request.getParameter("SAMLResponse"));// TODO ask Florian/Thomas
+																					// authnResponse?
+
+			// session is implicit stored in changeSessionID!!!!
+			String newMOASessionID = AuthenticationSessionStoreage.changeSessionID(moaSession);
+
+			Logger.info("Changed MOASession " + moaSessionID + " to Session " + newMOASessionID);
+
+			// redirect
+			String redirectURL = null;
+			redirectURL = new DataURLBuilder().buildDataURL(moaSession.getAuthURL(),
+					ModulUtils.buildAuthURL(moaSession.getModul(), moaSession.getAction(), pendingRequestID),
+					newMOASessionID);
+			redirectURL = response.encodeRedirectURL(redirectURL);
+
+			response.setContentType("text/html");
+			response.setStatus(302);
+			response.addHeader("Location", redirectURL);
+			Logger.info("REDIRECT TO: " + redirectURL);
+
+		} catch (AuthenticationException e) {
+			handleError(null, e, request, response, pendingRequestID);
+
+		} catch (MOAIDException e) {
+			handleError(null, e, request, response, pendingRequestID);
+
+		} catch (Exception e) {
+			Logger.error("PEPSConnector has an interal Error.", e);
+		}
+
+		finally {
+			ConfigurationDBUtils.closeSession();
+		}
+
+	}
+
+	private void performRedirect(String url, HttpServletRequest req, HttpServletResponse resp, String signRequestString)
+			throws MOAIDException {
+
+		try {
+			Logger.trace("Initialize VelocityEngine...");
+
+			VelocityEngine velocityEngine = VelocityProvider.getClassPathVelocityEngine();
+			Template template = velocityEngine.getTemplate("/resources/templates/oasis_dss_webform_binding.vm");
+			VelocityContext context = new VelocityContext();
+
+			Logger.debug("performRedirect, signrequest:" + signRequestString);
+			Source signDoc = new StreamSource(new java.io.StringReader(signRequestString));
+			SignRequest signRequest = ApiUtils.unmarshal(signDoc, SignRequest.class);
+			signRequest.setReturnURL("TODO");
+			signRequestString = IOUtils.toString(ApiUtils.marshalToInputStream(signRequest));
+			context.put("signrequest", Base64.encodeBase64String(signRequestString.getBytes("UTF8")));
+			context.put("clienturl", url);
+			context.put("action", oasisDssWebFormURL);
+
+			StringWriter writer = new StringWriter();
+			template.merge(context, writer);
+
+			resp.getOutputStream().write(writer.toString().getBytes("UTF-8"));
+		} catch (Exception e) {
+			Logger.error("Error sending DSS signrequest.", e);
+			throw new MOAIDException("stork.11", null);
+		}
+	}
+}
diff --git a/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorTask.java b/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorTask.java
new file mode 100644
index 000000000..94017e9f6
--- /dev/null
+++ b/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorTask.java
@@ -0,0 +1,566 @@
+package at.gv.egovernment.moa.id.auth.modules.stork.tasks;
+
+import iaik.x509.X509Certificate;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.StringWriter;
+import java.net.URL;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+import java.util.Properties;
+
+import javax.activation.DataSource;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.xml.bind.JAXBContext;
+import javax.xml.bind.JAXBElement;
+import javax.xml.namespace.QName;
+import javax.xml.transform.stream.StreamSource;
+import javax.xml.ws.BindingProvider;
+import javax.xml.ws.Service;
+import javax.xml.ws.soap.SOAPBinding;
+
+import org.apache.commons.io.IOUtils;
+import org.apache.commons.lang.StringEscapeUtils;
+import org.apache.velocity.Template;
+import org.apache.velocity.VelocityContext;
+import org.apache.velocity.app.VelocityEngine;
+import org.opensaml.saml2.core.StatusCode;
+
+import at.gv.egovernment.moa.id.auth.AuthenticationServer;
+import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder;
+import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
+import at.gv.egovernment.moa.id.auth.data.IdentityLink;
+import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
+import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
+import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
+import at.gv.egovernment.moa.id.auth.stork.STORKException;
+import at.gv.egovernment.moa.id.auth.stork.STORKResponseProcessor;
+import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils;
+import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
+import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
+import at.gv.egovernment.moa.id.moduls.ModulUtils;
+import at.gv.egovernment.moa.id.process.api.ExecutionContext;
+import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
+import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage;
+import at.gv.egovernment.moa.id.util.HTTPUtils;
+import at.gv.egovernment.moa.id.util.VelocityProvider;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.StringUtils;
+import at.gv.util.xsd.xmldsig.SignatureType;
+import at.gv.util.xsd.xmldsig.X509DataType;
+import eu.stork.documentservice.DocumentService;
+import eu.stork.documentservice.data.DatabaseConnectorMySQLImpl;
+import eu.stork.oasisdss.api.ApiUtils;
+import eu.stork.oasisdss.api.LightweightSourceResolver;
+import eu.stork.oasisdss.api.exceptions.ApiUtilsException;
+import eu.stork.oasisdss.profile.DocumentType;
+import eu.stork.oasisdss.profile.DocumentWithSignature;
+import eu.stork.oasisdss.profile.SignResponse;
+import eu.stork.peps.auth.commons.IPersonalAttributeList;
+import eu.stork.peps.auth.commons.PEPSUtil;
+import eu.stork.peps.auth.commons.PersonalAttribute;
+import eu.stork.peps.auth.commons.PersonalAttributeList;
+import eu.stork.peps.auth.commons.STORKAttrQueryRequest;
+import eu.stork.peps.auth.commons.STORKAuthnRequest;
+import eu.stork.peps.auth.commons.STORKAuthnResponse;
+import eu.stork.peps.auth.engine.STORKSAMLEngine;
+import eu.stork.peps.exceptions.STORKSAMLEngineException;
+
+/**
+ * Evaluates the SAML response from the C-PEPS and authenticates the user.
+ * <p/>
+ * In detail:
+ * <ul>
+ * <li>Decodes and validates the SAML response from the C-PEPS.</li>
+ * <li>Change moa session id.</li>
+ * <li>Extracts the subject's gender from request parameter {@code gender} if not available from the saml response.</li>
+ * <li>Extracts the {@code signedDoc} attribute from the response, get signed doc payload using stork attribute query request.</li>
+ * <li>Request SZR gateway for verification of the citizen's signature and for creating of an identity link.</li>
+ * <li>In case of mandate mode: If the S-PEPS did not provide any gender information, the szr gateway will not be able to issue an identity link. Therefore a form is presented asking for the subject's gender. The form submits the user back to the {@code /PepsConnector} servlet (this task).</li>
+ * <li>The moa session is updated with authentication information.</li>
+ * <li>Change moa session id.</li>
+ * <li>Redirects back to {@code /dispatcher} in order to finalize the authentication.</li>
+ * </ul>
+ * Expects:
+ * <ul>
+ * <li>HttpServletRequest parameter {@code SAMLResponse}</li>
+ * <li>Either HttpServletRequest parameter {@code RelayState} or {@code inResponseTo} attribute from the SAML response (both depicting the moa session id)</li>
+ * <li>HttpServletRequest parameter {@code gender} in case the request comes from the gender selection form</li>
+ * <li>{@code signedDoc} attribute within the SAML response.</li>
+ * </ul>
+ * Result:
+ * <ul>
+ * <li>Updated moa id session (identity link, stork attributes...)</li>
+ * <li>{@link ExecutionContext} contains boolean flag {@code identityLinkAvailable} indicating if an identitylink has been successfully creates or not.</li>
+ * <li>Redirect to {@code /dispatcher}.</li> 
+ * </ul>
+ * Possible branches:
+ * <ul>
+ * <li>In case the szr gateway throws exception due to missing gender information:
+ * <ul>
+ * <li>Returns a form for gender selection with action url back to this servlet/task.</li>
+ * </ul>
+ * </li>
+ * </ul>
+ * Code taken from {@link at.gv.egovernment.moa.id.auth.servlet.PEPSConnectorServlet}.<br/>
+ *
+ * @see #execute(ExecutionContext, HttpServletRequest, HttpServletResponse)
+ */
+public class PepsConnectorTask extends AbstractAuthServletTask {
+
+	private String dtlUrl = null;
+
+	public PepsConnectorTask() {
+		super();
+		Properties props = new Properties();
+		try {
+			props.load(DatabaseConnectorMySQLImpl.class.getResourceAsStream("docservice.properties"));
+			dtlUrl = props.getProperty("docservice.url");
+		} catch (IOException e) {
+			dtlUrl = "http://testvidp.buergerkarte.at/DocumentService/DocumentService";
+			Logger.error("Loading DTL config failed, using default value:" + dtlUrl);
+			e.printStackTrace();
+		}
+	}
+
+	@Override
+	public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response)
+			throws Exception {
+		String pendingRequestID = null;
+
+		setNoCachingHeaders(response);
+
+		try {
+
+			Logger.info("PEPSConnector Servlet invoked, expecting C-PEPS message.");
+			Logger.debug("This ACS endpoint is: " + HTTPUtils.getBaseURL(request));
+
+			// check if https or only http
+			super.checkIfHTTPisAllowed(request.getRequestURL().toString());
+
+			Logger.debug("Beginning to extract SAMLResponse out of HTTP Request");
+
+			// extract STORK Response from HTTP Request
+			// Decodes SAML Response
+			byte[] decSamlToken;
+			try {
+				decSamlToken = PEPSUtil.decodeSAMLToken(request.getParameter("SAMLResponse"));
+				Logger.debug("SAMLResponse: " + new String(decSamlToken));
+
+			} catch (NullPointerException e) {
+				Logger.error("Unable to retrieve STORK Response", e);
+				throw new MOAIDException("stork.04", null);
+			}
+
+			// Get SAMLEngine instance
+			STORKSAMLEngine engine = STORKSAMLEngine.getInstance("outgoing");
+
+			STORKAuthnResponse authnResponse = null;
+			try {
+				// validate SAML Token
+				Logger.debug("Starting validation of SAML response");
+				authnResponse = engine.validateSTORKAuthnResponse(decSamlToken, (String) request.getRemoteHost());
+				Logger.info("SAML response succesfully verified!");
+			} catch (STORKSAMLEngineException e) {
+				Logger.error("Failed to verify STORK SAML Response", e);
+				throw new MOAIDException("stork.05", null);
+			}
+
+			Logger.info("STORK SAML Response message succesfully extracted");
+			Logger.debug("STORK response: ");
+			Logger.debug(authnResponse.toString());
+
+			Logger.debug("Trying to find MOA Session-ID ...");
+			// String moaSessionID = request.getParameter(PARAM_SESSIONID);
+			// first use SAML2 relayState
+			String moaSessionID = request.getParameter("RelayState");
+
+			// escape parameter strings
+			moaSessionID = StringEscapeUtils.escapeHtml(moaSessionID);
+
+			// check if SAML2 relaystate includes a MOA sessionID
+			if (StringUtils.isEmpty(moaSessionID)) {
+				// if relaystate is emtpty, use SAML response -> inResponseTo element as session identifier
+
+				moaSessionID = authnResponse.getInResponseTo();
+				moaSessionID = StringEscapeUtils.escapeHtml(moaSessionID);
+
+				if (StringUtils.isEmpty(moaSessionID)) {
+					// No authentication session has been started before
+					Logger.error("MOA-SessionID was not found, no previous AuthnRequest had been started");
+					Logger.debug("PEPSConnectorURL was: " + request.getRequestURL());
+					throw new AuthenticationException("auth.02", new Object[] { moaSessionID });
+
+				} else
+					Logger.trace("Use MOA SessionID " + moaSessionID + " from AuthnResponse->inResponseTo attribute.");
+
+			} else
+				// Logger.trace("MOA SessionID " + moaSessionID + " is found in http GET parameter.");
+				Logger.trace("MOA SessionID " + moaSessionID + " is found in SAML2 relayState.");
+
+			/*
+			 * INFO!!!! SAML message IDs has an different format then MOASessionIDs This is only a workaround because
+			 * many PEPS does not support SAML2 relayState or MOASessionID as AttributConsumerServiceURL GET parameter
+			 */
+			// if (!ParamValidatorUtils.isValidSessionID(moaSessionID))
+			// throw new WrongParametersException("VerifyAuthenticationBlock", PARAM_SESSIONID, "auth.12");
+
+			pendingRequestID = AuthenticationSessionStoreage.getPendingRequestID(moaSessionID);
+
+			// load MOASession from database
+			AuthenticationSession moaSession = AuthenticationServer.getSession(moaSessionID);
+			// change MOASessionID
+			moaSessionID = AuthenticationSessionStoreage.changeSessionID(moaSession);
+
+			Logger.info("Found MOA sessionID: " + moaSessionID);
+
+			String statusCodeValue = authnResponse.getStatusCode();
+
+			if (!statusCodeValue.equals(StatusCode.SUCCESS_URI)) {
+				Logger.error("Received ErrorResponse from PEPS: " + statusCodeValue);
+				throw new MOAIDException("stork.06", new Object[] { statusCodeValue });
+			}
+
+			Logger.info("Got SAML response with authentication success message.");
+
+			Logger.debug("MOA session is still valid");
+
+			STORKAuthnRequest storkAuthnRequest = moaSession.getStorkAuthnRequest();
+
+			if (storkAuthnRequest == null) {
+				Logger.error("Could not find any preceeding STORK AuthnRequest to this MOA session: " + moaSessionID);
+				throw new MOAIDException("stork.07", null);
+			}
+
+			Logger.debug("Found a preceeding STORK AuthnRequest to this MOA session: " + moaSessionID);
+
+			// //////////// incorporate gender from parameters if not in stork response
+
+			IPersonalAttributeList attributeList = authnResponse.getPersonalAttributeList();
+
+			// but first, check if we have a representation case
+			if (STORKResponseProcessor.hasAttribute("mandateContent", attributeList)
+					|| STORKResponseProcessor.hasAttribute("representative", attributeList)
+					|| STORKResponseProcessor.hasAttribute("represented", attributeList)) {
+				// in a representation case...
+				moaSession.setUseMandate("true");
+
+				// and check if we have the gender value
+				PersonalAttribute gender = attributeList.get("gender"); // TODO Do we need to check gender value if
+																		// there is no representation case?
+				if (null == gender) {
+					String gendervalue = (String) request.getParameter("gender");
+					if (null != gendervalue) {
+						gender = new PersonalAttribute();
+						gender.setName("gender");
+						ArrayList<String> tmp = new ArrayList<String>();
+						tmp.add(gendervalue);
+						gender.setValue(tmp);
+
+						authnResponse.getPersonalAttributeList().add(gender);
+					}
+				}
+			}
+
+			// ////////////////////////////////////////////////////////////////////////
+
+			Logger.debug("Starting extraction of signedDoc attribute");
+			// extract signed doc element and citizen signature
+			String citizenSignature = null;
+			try {
+				String signatureInfo = authnResponse.getPersonalAttributeList().get("signedDoc").getValue().get(0); // TODO ERROR HANDLING
+
+				Logger.debug("signatureInfo:" + signatureInfo);
+
+				SignResponse dssSignResponse = (SignResponse) ApiUtils.unmarshal(new StreamSource(
+						new java.io.StringReader(signatureInfo)));
+
+				// fetch signed doc
+				DataSource ds = LightweightSourceResolver.getDataSource(dssSignResponse);
+				if (ds == null) {
+					throw new ApiUtilsException("No datasource found in response");
+				}
+
+				InputStream incoming = ds.getInputStream();
+				citizenSignature = IOUtils.toString(incoming);
+				incoming.close();
+
+				Logger.debug("citizenSignature:" + citizenSignature);
+				if (isDocumentServiceUsed(citizenSignature) == true) {
+					Logger.debug("Loading document from DocumentService.");
+					String url = getDtlUrlFromResponse(dssSignResponse);
+					// get Transferrequest
+					String transferRequest = getDocTransferRequest(dssSignResponse.getDocUI(), url);
+					// Load document from DocujmentService
+					byte[] data = getDocumentFromDtl(transferRequest, url);
+					citizenSignature = new String(data, "UTF-8");
+					Logger.debug("Overridung citizenSignature with:" + citizenSignature);
+				}
+
+				JAXBContext ctx = JAXBContext.newInstance(SignatureType.class.getPackage().getName());
+				SignatureType root = ((JAXBElement<SignatureType>) ctx.createUnmarshaller().unmarshal(
+						IOUtils.toInputStream(citizenSignature))).getValue();
+
+				// memorize signature into authblock
+				moaSession.setAuthBlock(citizenSignature);
+
+				// extract certificate
+				for (Object current : root.getKeyInfo().getContent())
+					if (((JAXBElement<?>) current).getValue() instanceof X509DataType) {
+						for (Object currentX509Data : ((JAXBElement<X509DataType>) current).getValue()
+								.getX509IssuerSerialOrX509SKIOrX509SubjectName()) {
+							JAXBElement<?> casted = ((JAXBElement<?>) currentX509Data);
+							if (casted.getName().getLocalPart().equals("X509Certificate")) {
+								moaSession.setSignerCertificate(new X509Certificate(((String) casted.getValue())
+										.getBytes("UTF-8")));
+								break;
+							}
+						}
+					}
+
+			} catch (Throwable e) {
+				Logger.error("Could not extract citizen signature from C-PEPS", e);
+				throw new MOAIDException("stork.09", null);
+			}
+			Logger.debug("Foregin Citizen signature successfully extracted from STORK Assertion (signedDoc)");
+			Logger.debug("Citizen signature will be verified by SZR Gateway!");
+
+			Logger.debug("fetching OAParameters from database");
+
+			// //read configuration paramters of OA
+			// AuthenticationSession moasession;
+			// try {
+			// moasession = AuthenticationSessionStoreage.getSession(moaSessionID);
+			// } catch (MOADatabaseException e2) {
+			// Logger.error("could not retrieve moa session");
+			// throw new AuthenticationException("auth.01", null);
+			// }
+			OAAuthParameter oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(
+					moaSession.getPublicOAURLPrefix());
+			if (oaParam == null)
+				throw new AuthenticationException("auth.00", new Object[] { moaSession.getPublicOAURLPrefix() });
+
+			// retrieve target
+			// TODO: check in case of SSO!!!
+			String targetType = null;
+			if (oaParam.getBusinessService()) {
+				String id = oaParam.getIdentityLinkDomainIdentifier();
+				if (id.startsWith(AuthenticationSession.REGISTERANDORDNR_PREFIX_))
+					targetType = id;
+				else
+					targetType = AuthenticationSession.REGISTERANDORDNR_PREFIX_ + moaSession.getDomainIdentifier();
+			} else {
+				targetType = AuthenticationSession.TARGET_PREFIX_ + oaParam.getTarget();
+			}
+
+			Logger.debug("Starting connecting SZR Gateway");
+			// contact SZR Gateway
+			IdentityLink identityLink = null;
+			executionContext.put("identityLinkAvailable", false);
+			try {
+				identityLink = STORKResponseProcessor.connectToSZRGateway(authnResponse.getPersonalAttributeList(),
+						oaParam.getFriendlyName(), targetType, null, oaParam.getMandateProfiles(), citizenSignature);
+			} catch (STORKException e) {
+				// this is really nasty but we work against the system here. We are supposed to get the gender attribute
+				// from
+				// stork. If we do not, we cannot register the person in the ERnP - we have to have the
+				// gender for the represented person. So here comes the dirty hack.
+				if (e.getCause() instanceof STORKException
+						&& e.getCause().getMessage().equals("gender not found in response")) {
+					try {
+						Logger.trace("Initialize VelocityEngine...");
+
+						VelocityEngine velocityEngine = VelocityProvider.getClassPathVelocityEngine();
+						Template template = velocityEngine.getTemplate("/resources/templates/fetchGender.html");
+						VelocityContext context = new VelocityContext();
+						context.put("SAMLResponse", request.getParameter("SAMLResponse"));
+						context.put("action", request.getRequestURL());
+
+						StringWriter writer = new StringWriter();
+						template.merge(context, writer);
+
+						response.getOutputStream().write(writer.toString().getBytes("UTF-8"));
+					} catch (Exception e1) {
+						Logger.error("Error sending gender retrival form.", e1);
+						// httpSession.invalidate();
+						throw new MOAIDException("stork.10", null);
+					}
+
+					return;
+				}
+
+				Logger.error("Error connecting SZR Gateway", e);
+				throw new MOAIDException("stork.10", null);
+			}
+			Logger.debug("SZR communication was successfull");
+
+			if (identityLink == null) {
+				Logger.error("SZR Gateway did not return an identity link.");
+				throw new MOAIDException("stork.10", null);
+			}
+			moaSession.setForeigner(true);
+
+			Logger.info("Received Identity Link from SZR Gateway");
+			executionContext.put("identityLinkAvailable", true);
+			moaSession.setIdentityLink(identityLink);
+
+			Logger.debug("Adding addtional STORK attributes to MOA session");
+			moaSession.setStorkAttributes(authnResponse.getPersonalAttributeList());
+
+			Logger.debug("Add full STORK AuthnResponse to MOA session");
+			moaSession.setStorkAuthnResponse(request.getParameter("SAMLResponse"));
+
+			// We don't have BKUURL, setting from null to "Not applicable"
+			moaSession.setBkuURL("Not applicable (STORK Authentication)");
+
+			// free for single use
+			moaSession.setAuthenticatedUsed(false);
+
+			// stork did the authentication step
+			moaSession.setAuthenticated(true);
+
+			// TODO: found better solution, but QAA Level in response could be not supported yet
+			try {
+
+				moaSession.setQAALevel(authnResponse.getAssertions().get(0).getAuthnStatements().get(0)
+						.getAuthnContext().getAuthnContextClassRef().getAuthnContextClassRef());
+
+			} catch (Throwable e) {
+				Logger.warn("STORK QAA-Level is not found in AuthnResponse. Set QAA Level to requested level");
+				moaSession.setQAALevel(PVPConstants.STORK_QAA_PREFIX + oaParam.getQaaLevel());
+
+			}
+
+			// session is implicit stored in changeSessionID!!!!
+			String newMOASessionID = AuthenticationSessionStoreage.changeSessionID(moaSession);
+
+			Logger.info("Changed MOASession " + moaSessionID + " to Session " + newMOASessionID);
+
+			// redirect
+			String redirectURL = null;
+			redirectURL = new DataURLBuilder().buildDataURL(moaSession.getAuthURL(),
+					ModulUtils.buildAuthURL(moaSession.getModul(), moaSession.getAction(), pendingRequestID),
+					newMOASessionID);
+			redirectURL = response.encodeRedirectURL(redirectURL);
+
+			// response.setContentType("text/html");
+			// response.setStatus(302);
+			// response.addHeader("Location", redirectURL);
+			response.sendRedirect(redirectURL);
+			Logger.info("REDIRECT TO: " + redirectURL);
+
+		} catch (AuthenticationException e) {
+			handleError(null, e, request, response, pendingRequestID);
+
+		} catch (MOAIDException e) {
+			handleError(null, e, request, response, pendingRequestID);
+
+		} catch (Exception e) {
+			Logger.error("PEPSConnector has an interal Error.", e);
+		}
+
+		finally {
+			ConfigurationDBUtils.closeSession();
+		}
+
+	}
+
+	private boolean isDocumentServiceUsed(String citizenSignature) // TODo add better check
+	{
+		if (citizenSignature
+				.contains("<table border=\"0\"><tr><td>Service Name:</td><td>{http://stork.eu}DocumentService</td></tr><tr><td>Port Name:</td><td>{http://stork.eu}DocumentServicePort</td></tr></table>"))
+			return true;
+		return false;
+	}
+
+	/**
+	 * Get DTL uril from the oasis sign response
+	 * 
+	 * @param signRequest
+	 *            The signature response
+	 * @return The URL of DTL service
+	 * @throws SimpleException
+	 */
+	private String getDtlUrlFromResponse(SignResponse dssSignResponse) {
+		List<DocumentWithSignature> documents = ApiUtils.findNamedElement(dssSignResponse.getOptionalOutputs(),
+				ApiUtils.OPTIONAL_OUTPUT_DOCUMENTWITHSIGNATURE, DocumentWithSignature.class);
+		DocumentType sourceDocument = documents.get(0).getDocument();
+
+		if (sourceDocument.getDocumentURL() != null)
+			return sourceDocument.getDocumentURL();
+		else
+			return null;// throw new Exception("No document url found");
+	}
+
+	// From DTLPEPSUTIL
+
+	/**
+	 * Get document from DTL
+	 * 
+	 * @param transferRequest
+	 *            The transfer request (attribute query)
+	 * @param eDtlUrl
+	 *            The DTL url of external DTL
+	 * @return the document data
+	 * @throws SimpleException
+	 */
+	private byte[] getDocumentFromDtl(String transferRequest, String eDtlUrl) throws Exception {
+		URL url = null;
+		try {
+			url = new URL(dtlUrl);
+			QName qname = new QName("http://stork.eu", "DocumentService");
+
+			Service service = Service.create(url, qname);
+			DocumentService docservice = service.getPort(DocumentService.class);
+
+			BindingProvider bp = (BindingProvider) docservice;
+			SOAPBinding binding = (SOAPBinding) bp.getBinding();
+			binding.setMTOMEnabled(true);
+
+			if (eDtlUrl.equalsIgnoreCase(dtlUrl))
+				return docservice.getDocument(transferRequest, "");
+			else
+				return docservice.getDocument(transferRequest, eDtlUrl);
+		} catch (Exception e) {
+			e.printStackTrace();
+			throw new Exception("Error in getDocumentFromDtl", e);
+		}
+	}
+
+	/**
+	 * Get a document transfer request (attribute query)
+	 * 
+	 * @param docId
+	 * @return
+	 * @throws SimpleException
+	 */
+	private String getDocTransferRequest(String docId, String destinationUrl) throws Exception {
+		String spCountry = docId.substring(0, docId.indexOf("/"));
+		final STORKSAMLEngine engine = STORKSAMLEngine.getInstance("VIDP");
+		STORKAttrQueryRequest req = new STORKAttrQueryRequest();
+		req.setAssertionConsumerServiceURL(dtlUrl);
+		req.setDestination(destinationUrl);
+		req.setSpCountry(spCountry);
+		req.setQaa(3);// TODO
+		PersonalAttributeList pal = new PersonalAttributeList();
+		PersonalAttribute attr = new PersonalAttribute();
+		attr.setName("docRequest");
+		attr.setIsRequired(true);
+		attr.setValue(Arrays.asList(docId));
+		pal.add(attr);
+		req.setPersonalAttributeList(pal);
+
+		STORKAttrQueryRequest req1;
+		try {
+			req1 = engine.generateSTORKAttrQueryRequest(req);
+			return PEPSUtil.encodeSAMLTokenUrlSafe(req1.getTokenSaml());
+		} catch (STORKSAMLEngineException e) {
+			e.printStackTrace();
+			throw new Exception("Error in doc request attribute query generation", e);
+		}
+	}
+
+}
-- 
cgit v1.2.3


From a9dc7e094a8732f9826ab77648758dd39adc7324 Mon Sep 17 00:00:00 2001
From: Thomas Knall <t.knall@datentechnik-innovation.com>
Date: Wed, 4 Feb 2015 13:54:32 +0100
Subject: Add logging for automatic servlet registration.

---
 id/server/auth/src/main/webapp/WEB-INF/web.xml        |  9 ++++++++-
 .../modules/stork/STORKWebApplicationInitializer.java | 19 +++++++++++++++----
 2 files changed, 23 insertions(+), 5 deletions(-)

(limited to 'id/server/modules/module-stork/src/main/java')

diff --git a/id/server/auth/src/main/webapp/WEB-INF/web.xml b/id/server/auth/src/main/webapp/WEB-INF/web.xml
index 41c46bd22..930b10f43 100644
--- a/id/server/auth/src/main/webapp/WEB-INF/web.xml
+++ b/id/server/auth/src/main/webapp/WEB-INF/web.xml
@@ -137,16 +137,23 @@
 		<servlet-class>at.gv.egovernment.moa.id.auth.servlet.ProcessEngineSignalServlet</servlet-class>
 	</servlet>
 	<servlet-mapping>
+		<!-- do not change this servlet-name -->
 		<servlet-name>ProcessEngineSignal</servlet-name>
+		
 		<!-- Use this url-pattern in order to signal the next (asynchronous) task. -->
 		<url-pattern>/signalProcess</url-pattern>
+		
 		<!-- legacy url patterns for asynchronous tasks (internal default module/processes) -->
 		<url-pattern>/GetMISSessionID</url-pattern>
 		<url-pattern>/GetForeignID</url-pattern>
 		<url-pattern>/VerifyAuthBlock</url-pattern>
 		<url-pattern>/VerifyCertificate</url-pattern>
 		<url-pattern>/VerifyIdentityLink</url-pattern>
-		<!-- STORK servlet mappings; automatically registered by the stork module -->
+		
+		<!--
+			STORK servlet mappings; automatically registered by the stork module;
+			refer to at.gv.egovernment.moa.id.auth.modules.stork.STORKWebApplicationInitializer
+		-->
 		<!--
 		<url-pattern>/PEPSConnectorWithLocalSigning</url-pattern>
 		<url-pattern>/PEPSConnector</url-pattern>
diff --git a/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/STORKWebApplicationInitializer.java b/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/STORKWebApplicationInitializer.java
index 7478a57c3..c54c9a26d 100644
--- a/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/STORKWebApplicationInitializer.java
+++ b/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/STORKWebApplicationInitializer.java
@@ -4,6 +4,8 @@ import javax.servlet.ServletContext;
 import javax.servlet.ServletException;
 import javax.servlet.ServletRegistration;
 
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.springframework.web.WebApplicationInitializer;
 
 import at.gv.egovernment.moa.id.auth.servlet.ProcessEngineSignalServlet;
@@ -23,15 +25,24 @@ import at.gv.egovernment.moa.id.auth.servlet.ProcessEngineSignalServlet;
  * @see ProcessEngineSignalServlet
  */
 public class STORKWebApplicationInitializer implements WebApplicationInitializer {
+	
+	private Logger log = LoggerFactory.getLogger(getClass());
+	
+	private static final String SIGNAL_SERVLET_NAME = "ProcessEngineSignal";
+	
+	private void addMapping(ServletRegistration servletRegistration, String mapping) {
+		log.debug("Adding mapping '{}' to servlet '{}' ({}).", mapping, SIGNAL_SERVLET_NAME, servletRegistration.getClassName());
+		servletRegistration.addMapping(mapping);
+	}
 
 	@Override
 	public void onStartup(ServletContext servletContext) throws ServletException {
-		ServletRegistration servletRegistration = servletContext.getServletRegistration("ProcessEngineSignal");
+		ServletRegistration servletRegistration = servletContext.getServletRegistration(SIGNAL_SERVLET_NAME);
 		if (servletRegistration == null) {
-			throw new IllegalStateException("Servlet 'ProcessEngineSignal' expected to be registered.");
+			throw new IllegalStateException("Servlet '" + SIGNAL_SERVLET_NAME + "' expected to be registered (e.g. by web.xml).");
 		}
-		servletRegistration.addMapping("/PEPSConnectorWithLocalSigning");
-		servletRegistration.addMapping("/PEPSConnector");
+		addMapping(servletRegistration, "/PEPSConnectorWithLocalSigning");
+		addMapping(servletRegistration, "/PEPSConnector");
 	}
 
 }
-- 
cgit v1.2.3


From 299c1b3679abecdae88d71002acb626661616b0d Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Thu, 19 Feb 2015 12:25:55 +0100
Subject: manuell merge: PEPSConnecterServlet --> PepsConnectorTask

---
 .../resources/xmldata/fakeIdL_IdL_template.xml     |  51 ----
 .../modules/stork/tasks/PepsConnectorTask.java     | 269 +++++++++++++++++----
 .../resources/xmldata/fakeIdL_IdL_template.xml     |  51 ++++
 3 files changed, 268 insertions(+), 103 deletions(-)
 delete mode 100644 id/server/idserverlib/src/main/resources/resources/xmldata/fakeIdL_IdL_template.xml
 create mode 100644 id/server/modules/module-stork/src/main/resources/resources/xmldata/fakeIdL_IdL_template.xml

(limited to 'id/server/modules/module-stork/src/main/java')

diff --git a/id/server/idserverlib/src/main/resources/resources/xmldata/fakeIdL_IdL_template.xml b/id/server/idserverlib/src/main/resources/resources/xmldata/fakeIdL_IdL_template.xml
deleted file mode 100644
index 09084a34f..000000000
--- a/id/server/idserverlib/src/main/resources/resources/xmldata/fakeIdL_IdL_template.xml
+++ /dev/null
@@ -1,51 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?><saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:ecdsa="http://www.w3.org/2001/04/xmldsig-more#" xmlns:pr="http://reference.e-government.gv.at/namespace/persondata/20020228#" xmlns:si="http://www.w3.org/2001/XMLSchema-instance" AssertionID="szr.bmi.gv.at-AssertionID13456264458587874" IssueInstant="2012-08-22T11:07:25+01:00" Issuer="http://portal.bmi.gv.at/ref/szr/issuer" MajorVersion="1" MinorVersion="0" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
-	<saml:AttributeStatement>
-		<saml:Subject>
-			<saml:SubjectConfirmation>
-				<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod>
-				<saml:SubjectConfirmationData>
-					<pr:Person si:type="pr:PhysicalPersonType"><pr:Identification><pr:Value>wJO/bvDJjUysG0yARn7I6w==</pr:Value><pr:Type>urn:publicid:gv.at:baseid</pr:Type></pr:Identification><pr:Name><pr:GivenName>XXXRúùd</pr:GivenName><pr:FamilyName primary="undefined">XXXVàn Nisteĺrooy</pr:FamilyName></pr:Name><pr:DateOfBirth>1969-02-13</pr:DateOfBirth></pr:Person>
-				</saml:SubjectConfirmationData>
-			</saml:SubjectConfirmation>
-		</saml:Subject>
-	<saml:Attribute AttributeName="CitizenPublicKey" AttributeNamespace="urn:publicid:gv.at:namespaces:identitylink:1.2"><saml:AttributeValue><ecdsa:ECDSAKeyValue><ecdsa:DomainParameters><ecdsa:NamedCurve URN="urn:oid:1.2.840.10045.3.1.7"/></ecdsa:DomainParameters><ecdsa:PublicKey><ecdsa:X Value="22280299907126338788314199678167217078072953115254374209747379168424021905237" si:type="ecdsa:PrimeFieldElemType"/><ecdsa:Y Value="40387096985250872237992703378062984723606079359080588656963239072881568409170" si:type="ecdsa:PrimeFieldElemType"/></ecdsa:PublicKey></ecdsa:ECDSAKeyValue></saml:AttributeValue></saml:Attribute><saml:Attribute AttributeName="CitizenPublicKey" AttributeNamespace="urn:publicid:gv.at:namespaces:identitylink:1.2"><saml:AttributeValue><dsig:RSAKeyValue><dsig:Modulus>4Y4FL09VhczsfYQgFPuycP8quJNZBAAu1R1rFXNodI2711B6BTMjAGQn6xuFWfd3/nyFav/MLTr/
-t2VazvANS4TRFxJAcWyIx7xbxCdzZr6gJ+FCmq4g5JPrQvt50v3JX+wKSYft1gHBOWlDn90Ia4Gm
-P8MVuze21T+VVKM6ZklmS6d5PT1er/uYQFydGErmJ17xlSQG6Fi5xuftopBDyJxG1tL1KIebpLFg
-gaM2EyuB1HxH8/+Mfqa4UgeqIH65</dsig:Modulus><dsig:Exponent>AQAB</dsig:Exponent></dsig:RSAKeyValue></saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
-	<dsig:Signature>
-		<dsig:SignedInfo>
-			<dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
-			<dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
-			<dsig:Reference URI="">
-				<dsig:Transforms>
-					<dsig:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
-						<dsig:XPath>not(ancestor-or-self::pr:Identification)</dsig:XPath>
-					</dsig:Transform>
-					<dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
-				</dsig:Transforms>
-				<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
-				<dsig:DigestValue>KEQEPY2O3Z3IRaISSSoRZVPzsHE=</dsig:DigestValue>
-			</dsig:Reference>
-			<dsig:Reference Type="http://www.w3.org/2000/09/xmldsig#Manifest" URI="#manifest">
-				<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
-				<dsig:DigestValue>gzGhjH1kdmPcPbgen0xojNIoJLk=</dsig:DigestValue>
-			</dsig:Reference>
-		</dsig:SignedInfo>
-		<dsig:SignatureValue>
-    06wqWHgplwpu3N5HMhzb6QC5NkXMO1z4N4oc1L6eDqwZlvFJ9X1XGW//QqviKO9oog3il7IzdfJwnjygR4trgGCIqx+JYCDHJCrG9l8zlxlSW0ZqfsygGXthutcQ1aeUpfO6jYuhnWOUywa8BgzukRtWT+AOJBQZPRYTb8IBmey+uAwlhFLni94eMOd81l+efCvkWi3jRajwsG8ZOaNxSZT3aEV5vj+32Aqtx2MPEVzQWtIA7GqZi+EzcdSdHQvHhg7UB+8kqbU70ENAJbEMTANFZYvLOJ0Om9KfDtPf/+R2TvTc360fNo9RnPl04pHPhCIjcGZhFZorBpUhXFwd2Q==
-  </dsig:SignatureValue><dsig:KeyInfo><dsig:X509Data><dsig:X509Certificate>MIIF3TCCBMWgAwIBAgIDByniMA0GCSqGSIb3DQEBBQUAMIGfMQswCQYDVQQGEwJBVDFIMEYGA1UECgw/QS1UcnVzdCBHZXMuIGYuIFNpY2hlcmhlaXRzc3lzdGVtZSBpbSBlbGVrdHIuIERhdGVudmVya2VociBHbWJIMSIwIAYDVQQLDBlhLXNpZ24tY29ycG9yYXRlLWxpZ2h0LTAyMSIwIAYDVQQDDBlhLXNpZ24tY29ycG9yYXRlLWxpZ2h0LTAyMB4XDTEwMDcyODExMzY0M1oXDTE1MDcyODExMzY0M1owgbYxCzAJBgNVBAYTAkFUMR4wHAYDVQQKDBVEYXRlbnNjaHV0emtvbW1pc3Npb24xIjAgBgNVBAsMGVN0YW1temFobHJlZ2lzdGVyYmVob2VyZGUxLjAsBgNVBAMMJVNpZ25hdHVyc2VydmljZSBEYXRlbnNjaHV0emtvbW1pc3Npb24xFTATBgNVBAUTDDMyNTkyODMyMzk5ODEcMBoGCSqGSIb3DQEJARYNZHNrQGRzay5ndi5hdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN+dBSEBGj2jUXIK1Mp3lVxc/Za+pJMiyKrX3G1ZxgX/ikx7D9scsPYMt473LlAWl9cmCbHbJK+PV2XNNdURLMUCIX+4vUNs2MHeDTQtX8BXjJFpwJYSoaRJQ39FVS/1r5sWcra9Hhdm7w5Gtx/2ukyDX0kdkxawkhP4EQEzi/SI+Fugn+WqgQ1nAdlbxb/dcBw5w1h9b3lmuwUf4z3ooQWUD2DgA/kKd1KejNR43mLUsmvSzevPxT9zs78pOR1OacB7IszTVJPXeOEaaNZHnnB/UeO3g8LEV/3OkXcUgcMkbIIiaBHlll71Pq0COj9kqjXoe7OrRjLY5i3KwOpa6TMCAwEAAaOCAgcwggIDMBMGA1UdIwQMMAqACEkcWDpP6A0DMH8GCCsGAQUFBwEBBHMwcTAnBggrBgEFBQcwAYYbaHR0cDovL29jc3AuYS10cnVzdC5hdC9vY3NwMEYGCCsGAQUFBzAChjpodHRwOi8vd3d3LmEtdHJ1c3QuYXQvY2VydHMvYS1zaWduLWNvcnBvcmF0ZS1saWdodC0wMmEuY3J0MFQGA1UdIARNMEswSQYGKigAEQESMD8wPQYIKwYBBQUHAgEWMWh0dHA6Ly93d3cuYS10cnVzdC5hdC9kb2NzL2NwL2Etc2lnbi1BbXRzc2lnbmF0dXIwgZ4GA1UdHwSBljCBkzCBkKCBjaCBioaBh2xkYXA6Ly9sZGFwLmEtdHJ1c3QuYXQvb3U9YS1zaWduLWNvcnBvcmF0ZS1saWdodC0wMixvPUEtVHJ1c3QsYz1BVD9jZXJ0aWZpY2F0ZXJldm9jYXRpb25saXN0P2Jhc2U/b2JqZWN0Y2xhc3M9ZWlkQ2VydGlmaWNhdGlvbkF1dGhvcml0eTARBgNVHQ4ECgQITAgOnhr0tbowDgYDVR0PAQH/BAQDAgSwMCAGA1UdEQQZMBeBFW1hcmN1cy5oaWxkQGRzay5ndi5hdDAJBgNVHRMEAjAAMA4GByooAAoBBwEEAwEB/zAUBgcqKAAKAQEBBAkMB0JTQi1EU0swDQYJKoZIhvcNAQEFBQADggEBAHTklnvPCH/bJSOlIPbLUEkSGuFHsektSZ8Vr22x/Yv7EzsxoQrJIiz2mQ2gQqFuExdWYxvsowjiSbiis9iUf1c0zscvDS3mIZxGs4M89XHsjHnIyb+Fuwnamw65QrFvM1tNB1ZMjxJ3x+YmHLHdtT3BEBcr3/NCRHd2S0HoBspNz9HVgJaZY1llR7poKBvnAc4g1i+QTvyVb00PtKxR9Lw/9ABInX/1pzpxqrPy7Ib2OP8z6dd3WHmIsCiSHUaj0Dxwwln6fYJjhxZ141SnbovlCLYtrsZLXoi9ljIqX4xO0PwMI2RfNc9cXxTRrRS6rEOvX7PpvgXiDXhp592Yyp4=</dsig:X509Certificate></dsig:X509Data></dsig:KeyInfo>
-		<dsig:Object>
-			<dsig:Manifest Id="manifest">
-				<dsig:Reference URI="">
-					<dsig:Transforms>
-						<dsig:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
-							<dsig:XPath>not(ancestor-or-self::dsig:Signature)</dsig:XPath>
-						</dsig:Transform>
-					</dsig:Transforms>
-					<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
-					<dsig:DigestValue>8e7RjLnA4Mgltq5ruIJzheKGxu0=</dsig:DigestValue>
-				</dsig:Reference>
-			</dsig:Manifest>
-		</dsig:Object>
-	</dsig:Signature>
-</saml:Assertion>
\ No newline at end of file
diff --git a/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorTask.java b/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorTask.java
index 94017e9f6..1a18f8198 100644
--- a/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorTask.java
+++ b/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorTask.java
@@ -28,6 +28,8 @@ import org.apache.velocity.Template;
 import org.apache.velocity.VelocityContext;
 import org.apache.velocity.app.VelocityEngine;
 import org.opensaml.saml2.core.StatusCode;
+import org.w3c.dom.Element;
+import org.w3c.dom.Node;
 
 import at.gv.egovernment.moa.id.auth.AuthenticationServer;
 import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder;
@@ -36,6 +38,8 @@ import at.gv.egovernment.moa.id.auth.data.IdentityLink;
 import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
 import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
 import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
+import at.gv.egovernment.moa.id.auth.parser.IdentityLinkAssertionParser;
+import at.gv.egovernment.moa.id.auth.servlet.PEPSConnectorServlet;
 import at.gv.egovernment.moa.id.auth.stork.STORKException;
 import at.gv.egovernment.moa.id.auth.stork.STORKResponseProcessor;
 import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils;
@@ -46,9 +50,12 @@ import at.gv.egovernment.moa.id.process.api.ExecutionContext;
 import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
 import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage;
 import at.gv.egovernment.moa.id.util.HTTPUtils;
+import at.gv.egovernment.moa.id.util.IdentityLinkReSigner;
 import at.gv.egovernment.moa.id.util.VelocityProvider;
 import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.DOMUtils;
 import at.gv.egovernment.moa.util.StringUtils;
+import at.gv.egovernment.moa.util.XPathUtils;
 import at.gv.util.xsd.xmldsig.SignatureType;
 import at.gv.util.xsd.xmldsig.X509DataType;
 import eu.stork.documentservice.DocumentService;
@@ -111,19 +118,9 @@ import eu.stork.peps.exceptions.STORKSAMLEngineException;
  */
 public class PepsConnectorTask extends AbstractAuthServletTask {
 
-	private String dtlUrl = null;
-
 	public PepsConnectorTask() {
 		super();
-		Properties props = new Properties();
-		try {
-			props.load(DatabaseConnectorMySQLImpl.class.getResourceAsStream("docservice.properties"));
-			dtlUrl = props.getProperty("docservice.url");
-		} catch (IOException e) {
-			dtlUrl = "http://testvidp.buergerkarte.at/DocumentService/DocumentService";
-			Logger.error("Loading DTL config failed, using default value:" + dtlUrl);
-			e.printStackTrace();
-		}
+		
 	}
 
 	@Override
@@ -235,6 +232,57 @@ public class PepsConnectorTask extends AbstractAuthServletTask {
 				throw new MOAIDException("stork.07", null);
 			}
 
+			OAAuthParameter oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(moaSession.getPublicOAURLPrefix());
+    		if (oaParam == null)
+    				throw new AuthenticationException("auth.00", new Object[] { moaSession.getPublicOAURLPrefix() });
+    		
+			//================== Check QAA level start ====================
+			int reqQaa = -1;
+			int authQaa = -1;
+			String authQaaStr = null; 
+			try {
+				reqQaa = storkAuthnRequest.getQaa();
+				
+				//TODO: found better solution, but QAA Level in response could be not supported yet
+				try {
+
+					authQaaStr = authnResponse.getAssertions().get(0).
+							getAuthnStatements().get(0).getAuthnContext().
+							getAuthnContextClassRef().getAuthnContextClassRef();
+					moaSession.setQAALevel(authQaaStr);
+					
+				} catch (Throwable e) {
+					Logger.warn("STORK QAA-Level is not found in AuthnResponse. Set QAA Level to requested level");
+					moaSession.setQAALevel(PVPConstants.STORK_QAA_PREFIX + oaParam.getQaaLevel());
+					authQaaStr = PVPConstants.STORK_QAA_PREFIX + oaParam.getQaaLevel();
+				}
+				if(authQaaStr != null)//Check value only if set
+				{
+					authQaa = Integer.valueOf(authQaaStr.substring(PVPConstants.STORK_QAA_PREFIX.length()));
+//					authQaa = Integer.valueOf(authQaaStr);
+					if (reqQaa > authQaa) {
+						Logger.warn("Requested QAA level does not match to authenticated QAA level");
+						throw new MOAIDException("stork.21", new Object[]{reqQaa, authQaa});
+	
+					}
+				}
+			} catch (MOAIDException e) {
+				throw e;
+
+			} catch (Exception e) {
+				if (Logger.isDebugEnabled())
+					Logger.warn("STORK QAA Level evaluation error", e);
+
+				else
+					Logger.warn("STORK QAA Level evaluation error (ErrorMessage=" 
+							+  e.getMessage() + ")");
+
+				throw new MOAIDException("stork.21", new Object[]{reqQaa, authQaa});
+
+			}
+			//================== Check QAA level end ====================
+			
+			
 			Logger.debug("Found a preceeding STORK AuthnRequest to this MOA session: " + moaSessionID);
 
 			// //////////// incorporate gender from parameters if not in stork response
@@ -279,27 +327,42 @@ public class PepsConnectorTask extends AbstractAuthServletTask {
 						new java.io.StringReader(signatureInfo)));
 
 				// fetch signed doc
-				DataSource ds = LightweightSourceResolver.getDataSource(dssSignResponse);
-				if (ds == null) {
-					throw new ApiUtilsException("No datasource found in response");
+				DataSource ds = null;
+				try{
+					ds = LightweightSourceResolver.getDataSource(dssSignResponse);
+				}catch(Exception e)
+				{
+					e.printStackTrace();
 				}
-
-				InputStream incoming = ds.getInputStream();
-				citizenSignature = IOUtils.toString(incoming);
-				incoming.close();
-
-				Logger.debug("citizenSignature:" + citizenSignature);
-				if (isDocumentServiceUsed(citizenSignature) == true) {
-					Logger.debug("Loading document from DocumentService.");
-					String url = getDtlUrlFromResponse(dssSignResponse);
-					// get Transferrequest
-					String transferRequest = getDocTransferRequest(dssSignResponse.getDocUI(), url);
-					// Load document from DocujmentService
-					byte[] data = getDocumentFromDtl(transferRequest, url);
-					citizenSignature = new String(data, "UTF-8");
-					Logger.debug("Overridung citizenSignature with:" + citizenSignature);
+				if(ds == null){
+					//Normal DocumentServices return a http-page, but the SI DocumentService returns HTTP error 500 
+					//which results in an exception and ds==null
+					
+					//try to load document from documentservice
+					citizenSignature = loadDocumentFromDocumentService(dssSignResponse);
+					//throw new ApiUtilsException("No datasource found in response");
+				}		
+				else
+				{
+					InputStream incoming  = ds.getInputStream();
+					citizenSignature = IOUtils.toString(incoming);
+					incoming.close();
+					
+					Logger.debug("citizenSignature:"+citizenSignature);
+					if(isDocumentServiceUsed(citizenSignature)==true)
+					{
+						citizenSignature = loadDocumentFromDocumentService(dssSignResponse);
+	//					Logger.debug("Loading document from DocumentService.");
+	//					String url = getDtlUrlFromResponse(dssSignResponse);
+	//					//get Transferrequest
+	//					String transferRequest = getDocTransferRequest(dssSignResponse.getDocUI(), url);
+	//					//Load document from DocumentService
+	//					byte[] data = getDocumentFromDtl(transferRequest, url);
+	//					citizenSignature = new String(data, "UTF-8");
+	//					Logger.debug("Overridung citizenSignature with:"+citizenSignature);
+					}
 				}
-
+				
 				JAXBContext ctx = JAXBContext.newInstance(SignatureType.class.getPackage().getName());
 				SignatureType root = ((JAXBElement<SignatureType>) ctx.createUnmarshaller().unmarshal(
 						IOUtils.toInputStream(citizenSignature))).getValue();
@@ -338,11 +401,7 @@ public class PepsConnectorTask extends AbstractAuthServletTask {
 			// Logger.error("could not retrieve moa session");
 			// throw new AuthenticationException("auth.01", null);
 			// }
-			OAAuthParameter oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter(
-					moaSession.getPublicOAURLPrefix());
-			if (oaParam == null)
-				throw new AuthenticationException("auth.00", new Object[] { moaSession.getPublicOAURLPrefix() });
-
+			
 			// retrieve target
 			// TODO: check in case of SSO!!!
 			String targetType = null;
@@ -361,8 +420,66 @@ public class PepsConnectorTask extends AbstractAuthServletTask {
 			IdentityLink identityLink = null;
 			executionContext.put("identityLinkAvailable", false);
 			try {
-				identityLink = STORKResponseProcessor.connectToSZRGateway(authnResponse.getPersonalAttributeList(),
-						oaParam.getFriendlyName(), targetType, null, oaParam.getMandateProfiles(), citizenSignature);
+				AuthConfigurationProvider config = AuthConfigurationProvider.getInstance();
+				if(config.isStorkFakeIdLActive() && config.getStorkFakeIdLCountries().contains(storkAuthnRequest.getCitizenCountryCode())) {
+					// create fake IdL
+					// - fetch IdL template from resources
+					InputStream s = PepsConnectorTask.class.getResourceAsStream("/resources/xmldata/fakeIdL_IdL_template.xml");
+					Element idlTemplate = DOMUtils.parseXmlValidating(s);
+
+				    identityLink = new IdentityLinkAssertionParser(idlTemplate).parseIdentityLink();
+
+				    // replace data
+		            Element idlassertion = identityLink.getSamlAssertion();
+		            // - set bpk/wpbk;
+			        Node prIdentification = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_IDENT_VALUE_XPATH);
+			        if(!STORKResponseProcessor.hasAttribute("eIdentifier", attributeList))
+			        	throw new STORKException("eIdentifier is missing");
+			        String eIdentifier = STORKResponseProcessor.getAttributeValue("eIdentifier", attributeList, false);
+			        prIdentification.getFirstChild().setNodeValue(eIdentifier);
+
+			        // - set last name
+			        Node prFamilyName = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_FAMILY_NAME_XPATH);
+			        if(!STORKResponseProcessor.hasAttribute("surname", attributeList))
+			        	throw new STORKException("surname is missing");
+					String familyName = STORKResponseProcessor.getAttributeValue("surname", attributeList, false);
+					prFamilyName.getFirstChild().setNodeValue(familyName);
+
+			        // - set first name
+			        Node prGivenName = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_GIVEN_NAME_XPATH);
+			        if(!STORKResponseProcessor.hasAttribute("givenName", attributeList))
+			        	throw new STORKException("givenName is missing");
+					String givenName = STORKResponseProcessor.getAttributeValue("givenName", attributeList, false);
+					prGivenName.getFirstChild().setNodeValue(givenName);
+
+			        // - set date of birth
+			        Node prDateOfBirth = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_DATE_OF_BIRTH_XPATH);
+			        if(!STORKResponseProcessor.hasAttribute("dateOfBirth", attributeList))
+			        	throw new STORKException("dateOfBirth is missing");
+					String dateOfBirth = STORKResponseProcessor.getAttributeValue("dateOfBirth", attributeList, false);
+					prDateOfBirth.getFirstChild().setNodeValue(dateOfBirth);
+
+		            identityLink = new IdentityLinkAssertionParser(idlassertion).parseIdentityLink();
+
+		            //resign IDL
+					IdentityLinkReSigner identitylinkresigner = IdentityLinkReSigner.getInstance();
+					Element resignedilAssertion = identitylinkresigner.resignIdentityLink(identityLink.getSamlAssertion(), config.getStorkFakeIdLResigningKey());
+					identityLink = new IdentityLinkAssertionParser(resignedilAssertion).parseIdentityLink();
+					
+				} else {
+					//contact SZR Gateway
+					Logger.debug("Starting connecting SZR Gateway");
+				
+					identityLink = STORKResponseProcessor.connectToSZRGateway(
+							authnResponse.getPersonalAttributeList(),
+							oaParam.getFriendlyName(), 
+							targetType, 
+							null, 
+							oaParam.getMandateProfiles(), 
+							citizenSignature);
+					
+				}
+				
 			} catch (STORKException e) {
 				// this is really nasty but we work against the system here. We are supposed to get the gender attribute
 				// from
@@ -422,17 +539,17 @@ public class PepsConnectorTask extends AbstractAuthServletTask {
 			// stork did the authentication step
 			moaSession.setAuthenticated(true);
 
-			// TODO: found better solution, but QAA Level in response could be not supported yet
-			try {
-
-				moaSession.setQAALevel(authnResponse.getAssertions().get(0).getAuthnStatements().get(0)
-						.getAuthnContext().getAuthnContextClassRef().getAuthnContextClassRef());
-
-			} catch (Throwable e) {
-				Logger.warn("STORK QAA-Level is not found in AuthnResponse. Set QAA Level to requested level");
-				moaSession.setQAALevel(PVPConstants.STORK_QAA_PREFIX + oaParam.getQaaLevel());
-
-			}
+			// TODO: found better solution, but QAA Level in STORK response is not be supported yet
+//			try {
+//
+//				moaSession.setQAALevel(authnResponse.getAssertions().get(0).getAuthnStatements().get(0)
+//						.getAuthnContext().getAuthnContextClassRef().getAuthnContextClassRef());
+//
+//			} catch (Throwable e) {
+//				Logger.warn("STORK QAA-Level is not found in AuthnResponse. Set QAA Level to requested level");
+//				moaSession.setQAALevel(PVPConstants.STORK_QAA_PREFIX + oaParam.getQaaLevel());
+//
+//			}
 
 			// session is implicit stored in changeSessionID!!!!
 			String newMOASessionID = AuthenticationSessionStoreage.changeSessionID(moaSession);
@@ -471,8 +588,12 @@ public class PepsConnectorTask extends AbstractAuthServletTask {
 	private boolean isDocumentServiceUsed(String citizenSignature) // TODo add better check
 	{
 		if (citizenSignature
-				.contains("<table border=\"0\"><tr><td>Service Name:</td><td>{http://stork.eu}DocumentService</td></tr><tr><td>Port Name:</td><td>{http://stork.eu}DocumentServicePort</td></tr></table>"))
+				.contains("<table border=\"0\"><tr><td>Service Name:</td><td>{http://stork.eu}DocumentService</td></tr><tr><td>Port Name:</td><td>{http://stork.eu}DocumentServicePort</td></tr></table>")) {
+			Logger.trace("isDocumentServiceUsed => true");
 			return true;
+		}
+		
+		Logger.trace("isDocumentServiceUsed => false");
 		return false;
 	}
 
@@ -510,7 +631,9 @@ public class PepsConnectorTask extends AbstractAuthServletTask {
 	private byte[] getDocumentFromDtl(String transferRequest, String eDtlUrl) throws Exception {
 		URL url = null;
 		try {
-			url = new URL(dtlUrl);
+			
+			Logger.trace("getDocumentFromDtl, dtlUrl:'"+getdtlUrl()+"' eDtlUrl:'"+eDtlUrl+"'");
+			url = new URL(getdtlUrl());
 			QName qname = new QName("http://stork.eu", "DocumentService");
 
 			Service service = Service.create(url, qname);
@@ -520,7 +643,7 @@ public class PepsConnectorTask extends AbstractAuthServletTask {
 			SOAPBinding binding = (SOAPBinding) bp.getBinding();
 			binding.setMTOMEnabled(true);
 
-			if (eDtlUrl.equalsIgnoreCase(dtlUrl))
+			if (eDtlUrl.equalsIgnoreCase(getdtlUrl()))
 				return docservice.getDocument(transferRequest, "");
 			else
 				return docservice.getDocument(transferRequest, eDtlUrl);
@@ -541,7 +664,7 @@ public class PepsConnectorTask extends AbstractAuthServletTask {
 		String spCountry = docId.substring(0, docId.indexOf("/"));
 		final STORKSAMLEngine engine = STORKSAMLEngine.getInstance("VIDP");
 		STORKAttrQueryRequest req = new STORKAttrQueryRequest();
-		req.setAssertionConsumerServiceURL(dtlUrl);
+		req.setAssertionConsumerServiceURL(getdtlUrl());
 		req.setDestination(destinationUrl);
 		req.setSpCountry(spCountry);
 		req.setQaa(3);// TODO
@@ -562,5 +685,47 @@ public class PepsConnectorTask extends AbstractAuthServletTask {
 			throw new Exception("Error in doc request attribute query generation", e);
 		}
 	}
+	
+	private String getdtlUrl() {
+		String dtlUrl;
+		try {
+			AuthConfigurationProvider authConfigurationProvider = AuthConfigurationProvider.getInstance();
+			dtlUrl = authConfigurationProvider.getDocumentServiceUrl();
+			Logger.info ("PEPSConnectorServlet, using dtlUrl:"+dtlUrl);
+			
+		} catch (Exception e) {
+			dtlUrl = "http://testvidp.buergerkarte.at/DocumentService/DocumentService";
+			Logger.error("Loading documentservice url failed, using default value:"+dtlUrl, e);
+			
+		}
+	
+		
+//		Properties props = new Properties();
+//		try {
+//			props.load(DatabaseConnectorMySQLImpl.class.getResourceAsStream("docservice.properties"));
+//			dtlUrl = props.getProperty("docservice.url");
+//		} catch (IOException e) {
+//			dtlUrl = "http://testvidp.buergerkarte.at/DocumentService/DocumentService";
+//			Logger.error("Loading DTL config failed, using default value:" + dtlUrl);
+//			e.printStackTrace();
+//		}
+	
+		return dtlUrl;
+		
+	}
+	
+	private String loadDocumentFromDocumentService(SignResponse dssSignResponse) throws Exception
+	{ 
+		Logger.debug("Loading document from DocumentService.");
+		String url = getDtlUrlFromResponse(dssSignResponse);
+		Logger.debug("Loading document from DocumentService, url:"+url);
+		//get Transferrequest
+		String transferRequest = getDocTransferRequest(dssSignResponse.getDocUI(), url);
+		//Load document from DocumentService
+		byte[] data = getDocumentFromDtl(transferRequest, url);
+		String citizenSignature = new String(data, "UTF-8");
+		Logger.debug("Overridung citizenSignature with:"+citizenSignature);
+		return citizenSignature;
+	}
 
 }
diff --git a/id/server/modules/module-stork/src/main/resources/resources/xmldata/fakeIdL_IdL_template.xml b/id/server/modules/module-stork/src/main/resources/resources/xmldata/fakeIdL_IdL_template.xml
new file mode 100644
index 000000000..09084a34f
--- /dev/null
+++ b/id/server/modules/module-stork/src/main/resources/resources/xmldata/fakeIdL_IdL_template.xml
@@ -0,0 +1,51 @@
+<?xml version="1.0" encoding="UTF-8"?><saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:ecdsa="http://www.w3.org/2001/04/xmldsig-more#" xmlns:pr="http://reference.e-government.gv.at/namespace/persondata/20020228#" xmlns:si="http://www.w3.org/2001/XMLSchema-instance" AssertionID="szr.bmi.gv.at-AssertionID13456264458587874" IssueInstant="2012-08-22T11:07:25+01:00" Issuer="http://portal.bmi.gv.at/ref/szr/issuer" MajorVersion="1" MinorVersion="0" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
+	<saml:AttributeStatement>
+		<saml:Subject>
+			<saml:SubjectConfirmation>
+				<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod>
+				<saml:SubjectConfirmationData>
+					<pr:Person si:type="pr:PhysicalPersonType"><pr:Identification><pr:Value>wJO/bvDJjUysG0yARn7I6w==</pr:Value><pr:Type>urn:publicid:gv.at:baseid</pr:Type></pr:Identification><pr:Name><pr:GivenName>XXXRúùd</pr:GivenName><pr:FamilyName primary="undefined">XXXVàn Nisteĺrooy</pr:FamilyName></pr:Name><pr:DateOfBirth>1969-02-13</pr:DateOfBirth></pr:Person>
+				</saml:SubjectConfirmationData>
+			</saml:SubjectConfirmation>
+		</saml:Subject>
+	<saml:Attribute AttributeName="CitizenPublicKey" AttributeNamespace="urn:publicid:gv.at:namespaces:identitylink:1.2"><saml:AttributeValue><ecdsa:ECDSAKeyValue><ecdsa:DomainParameters><ecdsa:NamedCurve URN="urn:oid:1.2.840.10045.3.1.7"/></ecdsa:DomainParameters><ecdsa:PublicKey><ecdsa:X Value="22280299907126338788314199678167217078072953115254374209747379168424021905237" si:type="ecdsa:PrimeFieldElemType"/><ecdsa:Y Value="40387096985250872237992703378062984723606079359080588656963239072881568409170" si:type="ecdsa:PrimeFieldElemType"/></ecdsa:PublicKey></ecdsa:ECDSAKeyValue></saml:AttributeValue></saml:Attribute><saml:Attribute AttributeName="CitizenPublicKey" AttributeNamespace="urn:publicid:gv.at:namespaces:identitylink:1.2"><saml:AttributeValue><dsig:RSAKeyValue><dsig:Modulus>4Y4FL09VhczsfYQgFPuycP8quJNZBAAu1R1rFXNodI2711B6BTMjAGQn6xuFWfd3/nyFav/MLTr/
+t2VazvANS4TRFxJAcWyIx7xbxCdzZr6gJ+FCmq4g5JPrQvt50v3JX+wKSYft1gHBOWlDn90Ia4Gm
+P8MVuze21T+VVKM6ZklmS6d5PT1er/uYQFydGErmJ17xlSQG6Fi5xuftopBDyJxG1tL1KIebpLFg
+gaM2EyuB1HxH8/+Mfqa4UgeqIH65</dsig:Modulus><dsig:Exponent>AQAB</dsig:Exponent></dsig:RSAKeyValue></saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
+	<dsig:Signature>
+		<dsig:SignedInfo>
+			<dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+			<dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+			<dsig:Reference URI="">
+				<dsig:Transforms>
+					<dsig:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
+						<dsig:XPath>not(ancestor-or-self::pr:Identification)</dsig:XPath>
+					</dsig:Transform>
+					<dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+				</dsig:Transforms>
+				<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
+				<dsig:DigestValue>KEQEPY2O3Z3IRaISSSoRZVPzsHE=</dsig:DigestValue>
+			</dsig:Reference>
+			<dsig:Reference Type="http://www.w3.org/2000/09/xmldsig#Manifest" URI="#manifest">
+				<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
+				<dsig:DigestValue>gzGhjH1kdmPcPbgen0xojNIoJLk=</dsig:DigestValue>
+			</dsig:Reference>
+		</dsig:SignedInfo>
+		<dsig:SignatureValue>
+    06wqWHgplwpu3N5HMhzb6QC5NkXMO1z4N4oc1L6eDqwZlvFJ9X1XGW//QqviKO9oog3il7IzdfJwnjygR4trgGCIqx+JYCDHJCrG9l8zlxlSW0ZqfsygGXthutcQ1aeUpfO6jYuhnWOUywa8BgzukRtWT+AOJBQZPRYTb8IBmey+uAwlhFLni94eMOd81l+efCvkWi3jRajwsG8ZOaNxSZT3aEV5vj+32Aqtx2MPEVzQWtIA7GqZi+EzcdSdHQvHhg7UB+8kqbU70ENAJbEMTANFZYvLOJ0Om9KfDtPf/+R2TvTc360fNo9RnPl04pHPhCIjcGZhFZorBpUhXFwd2Q==
+  </dsig:SignatureValue><dsig:KeyInfo><dsig:X509Data><dsig:X509Certificate>MIIF3TCCBMWgAwIBAgIDByniMA0GCSqGSIb3DQEBBQUAMIGfMQswCQYDVQQGEwJBVDFIMEYGA1UECgw/QS1UcnVzdCBHZXMuIGYuIFNpY2hlcmhlaXRzc3lzdGVtZSBpbSBlbGVrdHIuIERhdGVudmVya2VociBHbWJIMSIwIAYDVQQLDBlhLXNpZ24tY29ycG9yYXRlLWxpZ2h0LTAyMSIwIAYDVQQDDBlhLXNpZ24tY29ycG9yYXRlLWxpZ2h0LTAyMB4XDTEwMDcyODExMzY0M1oXDTE1MDcyODExMzY0M1owgbYxCzAJBgNVBAYTAkFUMR4wHAYDVQQKDBVEYXRlbnNjaHV0emtvbW1pc3Npb24xIjAgBgNVBAsMGVN0YW1temFobHJlZ2lzdGVyYmVob2VyZGUxLjAsBgNVBAMMJVNpZ25hdHVyc2VydmljZSBEYXRlbnNjaHV0emtvbW1pc3Npb24xFTATBgNVBAUTDDMyNTkyODMyMzk5ODEcMBoGCSqGSIb3DQEJARYNZHNrQGRzay5ndi5hdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN+dBSEBGj2jUXIK1Mp3lVxc/Za+pJMiyKrX3G1ZxgX/ikx7D9scsPYMt473LlAWl9cmCbHbJK+PV2XNNdURLMUCIX+4vUNs2MHeDTQtX8BXjJFpwJYSoaRJQ39FVS/1r5sWcra9Hhdm7w5Gtx/2ukyDX0kdkxawkhP4EQEzi/SI+Fugn+WqgQ1nAdlbxb/dcBw5w1h9b3lmuwUf4z3ooQWUD2DgA/kKd1KejNR43mLUsmvSzevPxT9zs78pOR1OacB7IszTVJPXeOEaaNZHnnB/UeO3g8LEV/3OkXcUgcMkbIIiaBHlll71Pq0COj9kqjXoe7OrRjLY5i3KwOpa6TMCAwEAAaOCAgcwggIDMBMGA1UdIwQMMAqACEkcWDpP6A0DMH8GCCsGAQUFBwEBBHMwcTAnBggrBgEFBQcwAYYbaHR0cDovL29jc3AuYS10cnVzdC5hdC9vY3NwMEYGCCsGAQUFBzAChjpodHRwOi8vd3d3LmEtdHJ1c3QuYXQvY2VydHMvYS1zaWduLWNvcnBvcmF0ZS1saWdodC0wMmEuY3J0MFQGA1UdIARNMEswSQYGKigAEQESMD8wPQYIKwYBBQUHAgEWMWh0dHA6Ly93d3cuYS10cnVzdC5hdC9kb2NzL2NwL2Etc2lnbi1BbXRzc2lnbmF0dXIwgZ4GA1UdHwSBljCBkzCBkKCBjaCBioaBh2xkYXA6Ly9sZGFwLmEtdHJ1c3QuYXQvb3U9YS1zaWduLWNvcnBvcmF0ZS1saWdodC0wMixvPUEtVHJ1c3QsYz1BVD9jZXJ0aWZpY2F0ZXJldm9jYXRpb25saXN0P2Jhc2U/b2JqZWN0Y2xhc3M9ZWlkQ2VydGlmaWNhdGlvbkF1dGhvcml0eTARBgNVHQ4ECgQITAgOnhr0tbowDgYDVR0PAQH/BAQDAgSwMCAGA1UdEQQZMBeBFW1hcmN1cy5oaWxkQGRzay5ndi5hdDAJBgNVHRMEAjAAMA4GByooAAoBBwEEAwEB/zAUBgcqKAAKAQEBBAkMB0JTQi1EU0swDQYJKoZIhvcNAQEFBQADggEBAHTklnvPCH/bJSOlIPbLUEkSGuFHsektSZ8Vr22x/Yv7EzsxoQrJIiz2mQ2gQqFuExdWYxvsowjiSbiis9iUf1c0zscvDS3mIZxGs4M89XHsjHnIyb+Fuwnamw65QrFvM1tNB1ZMjxJ3x+YmHLHdtT3BEBcr3/NCRHd2S0HoBspNz9HVgJaZY1llR7poKBvnAc4g1i+QTvyVb00PtKxR9Lw/9ABInX/1pzpxqrPy7Ib2OP8z6dd3WHmIsCiSHUaj0Dxwwln6fYJjhxZ141SnbovlCLYtrsZLXoi9ljIqX4xO0PwMI2RfNc9cXxTRrRS6rEOvX7PpvgXiDXhp592Yyp4=</dsig:X509Certificate></dsig:X509Data></dsig:KeyInfo>
+		<dsig:Object>
+			<dsig:Manifest Id="manifest">
+				<dsig:Reference URI="">
+					<dsig:Transforms>
+						<dsig:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
+							<dsig:XPath>not(ancestor-or-self::dsig:Signature)</dsig:XPath>
+						</dsig:Transform>
+					</dsig:Transforms>
+					<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
+					<dsig:DigestValue>8e7RjLnA4Mgltq5ruIJzheKGxu0=</dsig:DigestValue>
+				</dsig:Reference>
+			</dsig:Manifest>
+		</dsig:Object>
+	</dsig:Signature>
+</saml:Assertion>
\ No newline at end of file
-- 
cgit v1.2.3


From fd2752d6cb5a95aca7ed2206a9b8258942f17655 Mon Sep 17 00:00:00 2001
From: Thomas Knall <t.knall@datentechnik-innovation.com>
Date: Mon, 23 Feb 2015 18:57:12 +0100
Subject: Improve Process Engine signal servlet (MOAID-73)

- Update Process Engine signal servlet in order to allow module to provider their own strategy for providing the moa session id.
- Update moa id handbook.
- Update javadoc.
---
 .../doc/handbook/moduledevinfo/moduledevinfo.html  |   9 ++
 .../moa/id/auth/modules/AuthModule.java            |   5 +-
 .../modules/registration/ModuleRegistration.java   |   2 +-
 .../auth/servlet/ProcessEngineSignalServlet.java   |  27 +++--
 .../springweb/SpringWebExpressionEvaluator.java    |  17 ++--
 id/server/modules/module-stork/pom.xml             |  19 +++-
 .../stork/STORKProcessEngineSignalServlet.java     | 113 +++++++++++++++++++++
 .../stork/STORKWebApplicationInitializer.java      |  48 ---------
 .../stork/STORKProcessEngineSignalServletTest.java |  27 +++++
 .../moa/id/auth/modules/stork/SAMLResponse.base64  |   1 +
 10 files changed, 204 insertions(+), 64 deletions(-)
 create mode 100644 id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/STORKProcessEngineSignalServlet.java
 delete mode 100644 id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/STORKWebApplicationInitializer.java
 create mode 100644 id/server/modules/module-stork/src/test/java/at/gv/egovernment/moa/id/auth/modules/stork/STORKProcessEngineSignalServletTest.java
 create mode 100644 id/server/modules/module-stork/src/test/resources/at/gv/egovernment/moa/id/auth/modules/stork/SAMLResponse.base64

(limited to 'id/server/modules/module-stork/src/main/java')

diff --git a/id/server/doc/handbook/moduledevinfo/moduledevinfo.html b/id/server/doc/handbook/moduledevinfo/moduledevinfo.html
index 801bfcce6..28e4f1bb4 100644
--- a/id/server/doc/handbook/moduledevinfo/moduledevinfo.html
+++ b/id/server/doc/handbook/moduledevinfo/moduledevinfo.html
@@ -218,6 +218,15 @@
 		das auf die URL <code>/signalProcess</code> gemappt wurde.
 	</p>
 	<p>
+		<strong>Hinweis</strong>: Das interne <code>ProcessEngineSignalServlet</code> bzw. dessen Methode <code>getMoaSessionId(HttpServletRequest request)</code>
+		k&ouml;nnen bei Bedarf durch eine Modulspezifische Implementierung &uuml;berschrieben werden, um ggf. speziellen
+		Anforderungen in Bezug auf die Ermittlung der jeweiligen MOA Session Id Rechnung zu tragen (STORK PEPS
+		unterst&uuml;tzen keine Parameter wie <code>MOASessionID</code> in der assertion consumer url).<br/>
+		Als Beispiel dazu kann das Servlet <code>at.gv.egovernment.moa.id.auth.modules.stork.STORKProcessEngineSignalServlet</code>
+		des STORK-Moduls dienen. 
+	</p>
+	<p>
+		&nbsp;<br/>
 		Als Beispiele typischer Tasks k&ouml;nnen die Klassen im package <code>at.gv.egovernment.moa.id.auth.modules.internal.tasks</code> herangezogen werden.<br/>
 	</p>
 
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/AuthModule.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/AuthModule.java
index a31f3ceb0..8983403d8 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/AuthModule.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/AuthModule.java
@@ -22,8 +22,9 @@ public interface AuthModule {
 	int getPriority();
 
 	/**
-	 * Checks if the module has a process, which is able to perform an authentication with the given
-	 * {@link ExecutionContext}.
+	 * Selects a process (description), referenced by its unique id, which is able to perform authentication with the
+	 * given {@link ExecutionContext}. Returns {@code null} if no appropriate process (description) was available within
+	 * this module.
 	 * 
 	 * @param context
 	 *            an ExecutionContext for a process.
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/registration/ModuleRegistration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/registration/ModuleRegistration.java
index fa1878e74..9c950366c 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/registration/ModuleRegistration.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/registration/ModuleRegistration.java
@@ -128,7 +128,7 @@ public class ModuleRegistration {
 	}
 
 	/**
-	 * Returns the process id of the first process, in the highest ranked
+	 * Returns the process description id of the first process, in the highest ranked
 	 * module, which is able to work with the given execution context.
 	 * 
 	 * @param context
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/ProcessEngineSignalServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/ProcessEngineSignalServlet.java
index a99b7aeef..d670cbe8a 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/ProcessEngineSignalServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/ProcessEngineSignalServlet.java
@@ -9,6 +9,7 @@ import javax.servlet.http.HttpServletResponse;
 import org.apache.commons.lang.StringEscapeUtils;
 
 import at.gv.egovernment.moa.id.auth.AuthenticationServer;
+import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
 import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
 import at.gv.egovernment.moa.id.auth.exception.WrongParametersException;
 import at.gv.egovernment.moa.id.commons.db.MOASessionDBUtils;
@@ -23,7 +24,7 @@ import at.gv.egovernment.moa.id.util.ParamValidatorUtils;
 public class ProcessEngineSignalServlet extends AuthServlet {
 
 	private static final long serialVersionUID = 1L;
-
+	
 	/**
 	 * Sets response headers that prevent caching (code taken from {@link AuthServlet}).
 	 * 
@@ -51,14 +52,13 @@ public class ProcessEngineSignalServlet extends AuthServlet {
 	 */
 	@Override
 	protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
-		String sessionID = StringEscapeUtils.escapeHtml(req.getParameter(PARAM_SESSIONID));
+		String sessionID = StringEscapeUtils.escapeHtml(getMoaSessionId(req));
 
 		setNoCachingHeaders(resp);
 		try {
-
-			// check parameter
-			if (!ParamValidatorUtils.isValidSessionID(sessionID)) {
-				throw new WrongParametersException("ProcessEngineSignal", PARAM_SESSIONID, "auth.12");
+			
+			if (sessionID == null) {
+				throw new IllegalStateException("Unable to determine MOA session id.");
 			}
 
 			// retrieve moa session
@@ -80,4 +80,19 @@ public class ProcessEngineSignalServlet extends AuthServlet {
 
 	}
 
+	/**
+	 * Retrieves the current MOA session id from the HttpServletRequest parameter
+	 * {@link MOAIDAuthConstants#PARAM_SESSIONID}.
+	 * <p/>
+	 * Note that this class/method can be overwritten by modules providing their own strategy of retrieving the
+	 * respective MOA session id.
+	 * 
+	 * @param request
+	 *            The unterlying HttpServletRequest.
+	 * @return The current MOA session id.
+	 */
+	public String getMoaSessionId(HttpServletRequest request) {
+		return StringEscapeUtils.escapeHtml(request.getParameter(PARAM_SESSIONID));
+	}
+
 }
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/process/springweb/SpringWebExpressionEvaluator.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/process/springweb/SpringWebExpressionEvaluator.java
index 499e86fa0..af6822ba6 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/process/springweb/SpringWebExpressionEvaluator.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/process/springweb/SpringWebExpressionEvaluator.java
@@ -124,12 +124,17 @@ public class SpringWebExpressionEvaluator implements ExpressionEvaluator {
 		log.trace("Evaluating '{}'.", expression);
 
 		Expression expr = parser.parseExpression(expression);
-		Boolean result = expr.getValue(evaluationContext, new SpringWebExpressionEvaluationContext(expressionContext),
-				Boolean.class);
-		if (result == null) {
-			log.warn("Evaluation of '{}' results in null-value.", expression);
-		} else {
-			log.debug("Expression '{}' -> {}", expression, result);
+		Boolean result = null;
+		try {
+			result = expr.getValue(evaluationContext, new SpringWebExpressionEvaluationContext(expressionContext),
+					Boolean.class);
+			if (result == null) {
+				log.warn("Evaluation of '{}' results in null-value.", expression);
+			} else {
+				log.debug("Expression '{}' -> {}", expression, result);
+			}
+		} catch (Exception e) {
+			log.warn("Expression '{}' could not be processed.", expression, e);
 		}
 
 		return BooleanUtils.isTrue(result);
diff --git a/id/server/modules/module-stork/pom.xml b/id/server/modules/module-stork/pom.xml
index 8761e17ee..234c8d28a 100644
--- a/id/server/modules/module-stork/pom.xml
+++ b/id/server/modules/module-stork/pom.xml
@@ -18,5 +18,22 @@
 	<properties>
 		<repositoryPath>${basedir}/../../../../repository</repositoryPath>
 	</properties>
-	
+
+	<dependencies>
+
+		<dependency>
+			<groupId>org.springframework</groupId>
+			<artifactId>spring-test</artifactId>
+			<scope>test</scope>
+		</dependency>
+
+		<dependency>
+			<groupId>junit</groupId>
+			<artifactId>junit</artifactId>
+			<version>${junit.version}</version>
+			<scope>test</scope>
+		</dependency>
+
+	</dependencies>
+
 </project>
diff --git a/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/STORKProcessEngineSignalServlet.java b/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/STORKProcessEngineSignalServlet.java
new file mode 100644
index 000000000..989f2b6bd
--- /dev/null
+++ b/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/STORKProcessEngineSignalServlet.java
@@ -0,0 +1,113 @@
+package at.gv.egovernment.moa.id.auth.modules.stork;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+
+import javax.servlet.annotation.WebServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
+import javax.xml.xpath.XPath;
+import javax.xml.xpath.XPathConstants;
+import javax.xml.xpath.XPathExpression;
+import javax.xml.xpath.XPathFactory;
+
+import org.apache.commons.lang.StringEscapeUtils;
+import org.apache.commons.lang3.StringUtils;
+import org.bouncycastle.util.encoders.Base64;
+import org.springframework.util.xml.SimpleNamespaceContext;
+import org.w3c.dom.Document;
+import org.xml.sax.SAXException;
+
+import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
+import at.gv.egovernment.moa.id.auth.servlet.ProcessEngineSignalServlet;
+import at.gv.egovernment.moa.logging.Logger;
+
+/**
+ * STORK module specific servlet, overloading {@link ProcessEngineSignalServlet}'s method
+ * {@linkplain ProcessEngineSignalServlet#getMoaSessionId(HttpServletRequest) getMoaSessionId(HttpServletRequest)}
+ * extending its capabilities for retrieving the current moa session id.
+ * <p/>
+ * This {@code STORKProcessEngineSignalServlet} tries to resolve the moa session id using the following strategy:
+ * <ul>
+ * <li>Use the super class' approach, looking at the HttpServletRequest parameter
+ * {@link MOAIDAuthConstants#PARAM_SESSIONID}.</li>
+ * <li>Evaluate the request parameter "{@code RelayState}".
+ * <li>Finally evaluate the SAML response, which should come base64 encoded as request parameter "{@code SAMLResponse}".</li>
+ * </ul>
+ * 
+ * @author tknall
+ * 
+ */
+@WebServlet(urlPatterns = { "/PEPSConnectorWithLocalSigning", "/PEPSConnector" }, loadOnStartup = 1)
+public class STORKProcessEngineSignalServlet extends ProcessEngineSignalServlet {
+
+	private static final long serialVersionUID = 1L;
+
+	public STORKProcessEngineSignalServlet() {
+		super();
+		Logger.debug("Registering servlet " + getClass().getName() + " with mappings '/PEPSConnectorWithLocalSigning', '/PEPSConnector'.");
+	}
+
+	@Override
+	public String getMoaSessionId(HttpServletRequest request) {
+		String sessionId = super.getMoaSessionId(request);
+
+		try {
+
+			// use SAML2 relayState
+			if (sessionId == null) {
+				sessionId = StringEscapeUtils.escapeHtml(request.getParameter("RelayState"));
+			}
+
+			// take from InResponseTo attribute of SAMLResponse
+			if (sessionId == null) {
+				String base64SamlToken = request.getParameter("SAMLResponse");
+				if (base64SamlToken != null) {
+					byte[] samlToken = Base64.decode(base64SamlToken);
+					Document samlResponse = parseDocument(new ByteArrayInputStream(samlToken));
+
+					XPath xPath = XPathFactory.newInstance().newXPath();
+					SimpleNamespaceContext nsContext = new SimpleNamespaceContext();
+					nsContext.bindNamespaceUri("saml2p", "urn:oasis:names:tc:SAML:2.0:protocol");
+					xPath.setNamespaceContext(nsContext);
+					XPathExpression expression = xPath.compile("string(/saml2p:Response/@InResponseTo)");
+					sessionId = (String) expression.evaluate(samlResponse, XPathConstants.STRING);
+					sessionId = StringEscapeUtils.escapeHtml(StringUtils.trimToNull(sessionId));
+				} else {
+					Logger.warn("No parameter 'SAMLResponse'. Unable to retrieve MOA session id.");
+				}
+			}
+
+		} catch (Exception e) {
+			Logger.warn("Unable to retrieve moa session id.", e);
+		}
+
+		return sessionId;
+	}
+
+	/**
+	 * Parses a xml document (namespace aware).
+	 * 
+	 * @param in
+	 *            The input stream.
+	 * @return The DOM document.
+	 * @throws ParserConfigurationException
+	 *             Thrown in case of configuration error.
+	 * @throws IOException
+	 *             Thrown in case of error reading from the input stream.
+	 * @throws SAXException
+	 *             Thrown in case of error parsing the document.
+	 */
+	public static Document parseDocument(InputStream in) throws ParserConfigurationException, SAXException, IOException {
+		DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
+		documentBuilderFactory.setNamespaceAware(true);
+		documentBuilderFactory.setIgnoringElementContentWhitespace(false);
+		documentBuilderFactory.setValidating(false);
+		DocumentBuilder documentBuilder = documentBuilderFactory.newDocumentBuilder();
+		return documentBuilder.parse(in);
+	}
+
+}
diff --git a/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/STORKWebApplicationInitializer.java b/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/STORKWebApplicationInitializer.java
deleted file mode 100644
index c54c9a26d..000000000
--- a/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/STORKWebApplicationInitializer.java
+++ /dev/null
@@ -1,48 +0,0 @@
-package at.gv.egovernment.moa.id.auth.modules.stork;
-
-import javax.servlet.ServletContext;
-import javax.servlet.ServletException;
-import javax.servlet.ServletRegistration;
-
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.springframework.web.WebApplicationInitializer;
-
-import at.gv.egovernment.moa.id.auth.servlet.ProcessEngineSignalServlet;
-
-/**
- * Spring automatically discovers {@link WebApplicationInitializer} implementations at startup.<br/>
- * This STORK webapp initializer adds the required servlet mappings:
- * <ul>
- * <li>{@code /PEPSConnector}</li>
- * <li>{@code /PEPSConnectorWithLocalSigning}</li>
- * </ul>
- * for the {@linkplain ProcessEngineSignalServlet process engine servlet} (named {@code ProcessEngineSignal}) that wakes
- * up a process in order to execute asynchronous tasks. Therefore the servlet mappings mentioned above do not need to be
- * declared in {@code web.xml}.
- * 
- * @author tknall
- * @see ProcessEngineSignalServlet
- */
-public class STORKWebApplicationInitializer implements WebApplicationInitializer {
-	
-	private Logger log = LoggerFactory.getLogger(getClass());
-	
-	private static final String SIGNAL_SERVLET_NAME = "ProcessEngineSignal";
-	
-	private void addMapping(ServletRegistration servletRegistration, String mapping) {
-		log.debug("Adding mapping '{}' to servlet '{}' ({}).", mapping, SIGNAL_SERVLET_NAME, servletRegistration.getClassName());
-		servletRegistration.addMapping(mapping);
-	}
-
-	@Override
-	public void onStartup(ServletContext servletContext) throws ServletException {
-		ServletRegistration servletRegistration = servletContext.getServletRegistration(SIGNAL_SERVLET_NAME);
-		if (servletRegistration == null) {
-			throw new IllegalStateException("Servlet '" + SIGNAL_SERVLET_NAME + "' expected to be registered (e.g. by web.xml).");
-		}
-		addMapping(servletRegistration, "/PEPSConnectorWithLocalSigning");
-		addMapping(servletRegistration, "/PEPSConnector");
-	}
-
-}
diff --git a/id/server/modules/module-stork/src/test/java/at/gv/egovernment/moa/id/auth/modules/stork/STORKProcessEngineSignalServletTest.java b/id/server/modules/module-stork/src/test/java/at/gv/egovernment/moa/id/auth/modules/stork/STORKProcessEngineSignalServletTest.java
new file mode 100644
index 000000000..ab2d3071f
--- /dev/null
+++ b/id/server/modules/module-stork/src/test/java/at/gv/egovernment/moa/id/auth/modules/stork/STORKProcessEngineSignalServletTest.java
@@ -0,0 +1,27 @@
+package at.gv.egovernment.moa.id.auth.modules.stork;
+
+import static org.junit.Assert.*;
+
+import java.io.IOException;
+import java.io.InputStream;
+
+import org.apache.commons.io.IOUtils;
+import org.junit.Test;
+import org.springframework.mock.web.MockHttpServletRequest;
+
+public class STORKProcessEngineSignalServletTest {
+
+	@Test
+	public void testGetMoaSessionId() throws IOException {
+		try (InputStream in = getClass().getResourceAsStream("SAMLResponse.base64")) {
+			String samlResponse = IOUtils.toString(in);
+
+			MockHttpServletRequest request = new MockHttpServletRequest("GET", "/service/createTransactionId");
+			request.addParameter("SAMLResponse", samlResponse);
+			assertEquals("_f2358f2f4db445bd1ac75ce415d76a95",
+					new STORKProcessEngineSignalServlet().getMoaSessionId(request));
+		}
+
+	}
+
+}
diff --git a/id/server/modules/module-stork/src/test/resources/at/gv/egovernment/moa/id/auth/modules/stork/SAMLResponse.base64 b/id/server/modules/module-stork/src/test/resources/at/gv/egovernment/moa/id/auth/modules/stork/SAMLResponse.base64
new file mode 100644
index 000000000..e4061a705
--- /dev/null
+++ b/id/server/modules/module-stork/src/test/resources/at/gv/egovernment/moa/id/auth/modules/stork/SAMLResponse.base64
@@ -0,0 +1 @@
+PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48c2FtbDJwOlJlc3BvbnNlIHhtbG5zOnNhbWwycD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIiB4bWxuczpkcz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyIgeG1sbnM6c2FtbDI9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iIHhtbG5zOnN0b3JrPSJ1cm46ZXU6c3Rvcms6bmFtZXM6dGM6U1RPUks6MS4wOmFzc2VydGlvbiIgeG1sbnM6c3RvcmtwPSJ1cm46ZXU6c3Rvcms6bmFtZXM6dGM6U1RPUks6MS4wOnByb3RvY29sIiB4bWxuczp4cz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEiIENvbnNlbnQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpjb25zZW50Om9idGFpbmVkIiBEZXN0aW5hdGlvbj0iaHR0cHM6Ly9sb2NhbGhvc3Q6ODQ0My9tb2EtaWQtYXV0aC9QRVBTQ29ubmVjdG9yIiBJRD0iXzY0MjUzODBkMjdlNjViY2I3NDc0OGE1ZjFjOWU2Yzk5IiBJblJlc3BvbnNlVG89Il9mMjM1OGYyZjRkYjQ0NWJkMWFjNzVjZTQxNWQ3NmE5NSIgSXNzdWVJbnN0YW50PSIyMDE1LTAyLTIzVDE2OjEzOjA4LjYxMVoiIFZlcnNpb249IjIuMCI+PHNhbWwyOklzc3VlciBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpuYW1laWQtZm9ybWF0OmVudGl0eSI+aHR0cDovL0MtUEVQUy5nb3YueHg8L3NhbWwyOklzc3Vlcj48ZHM6U2lnbmF0dXJlIHhtbG5zOmRzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjIj48ZHM6U2lnbmVkSW5mbz48ZHM6Q2Fub25pY2FsaXphdGlvbk1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPjxkczpTaWduYXR1cmVNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGRzaWctbW9yZSNyc2Etc2hhMjU2Ii8+PGRzOlJlZmVyZW5jZSBVUkk9IiNfNjQyNTM4MGQyN2U2NWJjYjc0NzQ4YTVmMWM5ZTZjOTkiPjxkczpUcmFuc2Zvcm1zPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjZW52ZWxvcGVkLXNpZ25hdHVyZSIvPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiPjxlYzpJbmNsdXNpdmVOYW1lc3BhY2VzIHhtbG5zOmVjPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiIFByZWZpeExpc3Q9InhzIi8+PC9kczpUcmFuc2Zvcm0+PC9kczpUcmFuc2Zvcm1zPjxkczpEaWdlc3RNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjc2hhMSIvPjxkczpEaWdlc3RWYWx1ZT5Ha2czSHZoemNSMjlEdko2U1U5TmI2bUlNb009PC9kczpEaWdlc3RWYWx1ZT48L2RzOlJlZmVyZW5jZT48L2RzOlNpZ25lZEluZm8+PGRzOlNpZ25hdHVyZVZhbHVlPkJUOVY0SVNWa2kwdExRUk1OZU1WaTc2QTB5VHpGRXRkdGIwS1VvQVpQUTNNWkcwSmlrL09wRnhoRFdjQ2gxSFR6am5PVzhsa21sVnpJcENGQ2l2cm9GOTZoN2ZLWmloODdLNi9JL084bEhKOGR0R0NobXFERUgrQ2liNEM3K3hsaUNna0luMGZoZzhDYTVBWWtJSzBIZTVHWm9VSk5uOWNKbnFNalNuQ2ZRRzNsUHRLOURPSTVsMU9oTkdYWGIrY3JVVHo2eUVlZFB1OENNUUpiWG1PVFFsb21ud00rN2VxV0RMWnd4dzJ3VHUrV252clpvYUJ4cG8rMlNrMTRhV0gxcytzVDJYbE1URE5ubVpzb21WalYzdTUrWlhxWlZFcm9TYkNkZW9BbmFZM3o2OGkxdWYzQzYvNFRBbzhBbENkbVBYMlNUUSs1Y21OUHMvRHhCM3RrZz09PC9kczpTaWduYXR1cmVWYWx1ZT48ZHM6S2V5SW5mbz48ZHM6WDUwOURhdGE+PGRzOlg1MDlDZXJ0aWZpY2F0ZT5NSUlGYkRDQ0JGU2dBd0lCQWdJRVFMSzU5ekFOQmdrcWhraUc5dzBCQVFVRkFEQStNUXN3Q1FZRFZRUUdFd0p6YVRFYk1Ca0dBMVVFCkNoTVNjM1JoZEdVdGFXNXpkR2wwZFhScGIyNXpNUkl3RUFZRFZRUUxFd2x6YVhSbGMzUXRZMkV3SGhjTk1UQXdNek13TVRNd09USXoKV2hjTk1UVXdNek13TVRNek9USXpXakNCaGpFTE1Ba0dBMVVFQmhNQ2Mya3hHekFaQmdOVkJBb1RFbk4wWVhSbExXbHVjM1JwZEhWMAphVzl1Y3pFU01CQUdBMVVFQ3hNSlUwbFVSVk5VTFVOQk1Sa3dGd1lEVlFRTEV4QmpaWEowYVdacFkyRjBaWE10ZDJWaU1Tc3dFd1lEClZRUURFd3hVUlZOVUlGQkZVRk1nVTBrd0ZBWURWUVFGRXcwek1EQXpNakF4TURBd01EQXhNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUYKQUFPQ0FROEFNSUlCQ2dLQ0FRRUE0aDZMOVB2MVRLN2Z6NUs2VXVyMFJsaTZFS3pad1R0djl4WGhTdDJ4bEk0d0ZXenpGaUN5NS9PLwpRNUdQUmExMFlvTWM4czdXbU1kTTV5SS9iVTBCRjJ0NVNZdEVIN013YkdhRlpGS0p0MTdPdGJwWkFhQ1NvaDZmbTF5TzBIdFZWa0c5ClVkSDRtc3dTM3dIcC9kMUM5MWxRTmJhMmVuVmMycDlOZDRnWW9wL3picm9FdG9GZUR5SHhUbDBtWU4vY1VIUUZUNEgyNGh6QWZXWGgKMkZPQmZOU252TmwySG5QSk9UNkhuclVCc2R5emtTekxOMEVpczJSMUc1K21Ra3pBd1c2VU9yb29qdk1jbEVKSzN6MW9la2oyT1dqMQpGaGFsVE5tQTVEOWRrRHltVFJuNG8zQlcyUzdvdm1XUG14WVVXOXMyNmJrUGh6L0NiQ1F3SUY5eVBRSURBUUFCbzRJQ0p6Q0NBaU13CkRnWURWUjBQQVFIL0JBUURBZ1dnTUNzR0ExVWRFQVFrTUNLQUR6SXdNVEF3TXpNd01UTXdPVEl6V29FUE1qQXhOVEF6TXpBeE16TTUKTWpOYU1Fc0dBMVVkSUFSRU1FSXdOZ1lMS3dZQkJBR3ZXUUlCQVFJd0p6QWxCZ2dyQmdFRkJRY0NBUllaYUhSMGNEb3ZMM2QzZHk1agpZUzVuYjNZdWMya3ZZM0J6THpBSUJnWUVBSXN3QVFJd0dBWUlLd1lCQlFVSEFRTUVEREFLTUFnR0JnUUFqa1lCQVRBZUJnTlZIUkVFCkZ6QVZnUk4wWlhOMExuTnBMWEJsY0hOQVoyOTJMbk5wTUlIMkJnTlZIUjhFZ2U0d2dlc3dWYUJUb0ZHa1R6Qk5NUXN3Q1FZRFZRUUcKRXdKemFURWJNQmtHQTFVRUNoTVNjM1JoZEdVdGFXNXpkR2wwZFhScGIyNXpNUkl3RUFZRFZRUUxFd2x6YVhSbGMzUXRZMkV4RFRBTApCZ05WQkFNVEJFTlNURE13Z1pHZ2dZNmdnWXVHV0d4a1lYQTZMeTk0TlRBd0xtZHZkaTV6YVM5dmRUMXphWFJsYzNRdFkyRXNiejF6CmRHRjBaUzFwYm5OMGFYUjFkR2x2Ym5Nc1l6MXphVDlqWlhKMGFXWnBZMkYwWlZKbGRtOWpZWFJwYjI1TWFYTjBQMkpoYzJXR0wyaDAKZEhBNkx5OTNkM2N1YzJsblpXNHRZMkV1YzJrdlkzSnNMM05wZEdWemRDOXphWFJsYzNRdFkyRXVZM0pzTUI4R0ExVWRJd1FZTUJhQQpGRlJKQjBhSHp4MkpuY3F1Y3Flb29LQnB0eUhuTUIwR0ExVWREZ1FXQkJReVNlbWVEaTEwRGJlVFlqMXRrR1o1Wm80bXdqQUpCZ05WCkhSTUVBakFBTUJrR0NTcUdTSWIyZlFkQkFBUU1NQW9iQkZZM0xqRURBZ09vTUEwR0NTcUdTSWIzRFFFQkJRVUFBNElCQVFBU1E0bDEKVmQrTVJETEZvMkE2cVlZV0xWcVR2dFBMSWs3djdCc3dtcTJTRkFMMlhtUG9MNXhiUUZlRFcrTGlXaFFCbXJsZ1d5STdnYmkvMS9ycwoxRTAwWjRTa244bDk3dHVJeXV4dkNLVEZoSkR4OXB6Z1VRR293b0NZbzlJemNNTlFweHg2bGtlcHJlQ0R1YytlMGZBYnZUTkdFcHZRCjdEa2dyd0pkY3NVQUVsUTRPSjBpZkVMb2FoMURIOHdwVTMxenI3RDNZc2l6WmdwdTVURUlHUDU0QU9oYkZlWkVtWmxUVTZnd053NGkKVGY2blZRa0dheHNKdDZnR0dzeUw4UlV1dndwVlJSM1dtcGxDdGpYcnlHQ2U0Qi9hZ0FlM0VLVWgxNUlhUHZXcWRpeFNqeVN4akJJMQpiTjhJRUZIWVBabXV3aDdZMUZRdU9ZUUdqdVNMc0p5OTwvZHM6WDUwOUNlcnRpZmljYXRlPjwvZHM6WDUwOURhdGE+PC9kczpLZXlJbmZvPjwvZHM6U2lnbmF0dXJlPjxzYW1sMnA6U3RhdHVzPjxzYW1sMnA6U3RhdHVzQ29kZSBWYWx1ZT0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnN0YXR1czpTdWNjZXNzIi8+PHNhbWwycDpTdGF0dXNNZXNzYWdlPnVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpzdGF0dXM6U3VjY2Vzczwvc2FtbDJwOlN0YXR1c01lc3NhZ2U+PC9zYW1sMnA6U3RhdHVzPjxzYW1sMjpBc3NlcnRpb24gSUQ9Il8zNzhiMGNjNTk0YThkMzhmMzJjN2M3NjQ5NTQ0OWQ1ZCIgSXNzdWVJbnN0YW50PSIyMDE1LTAyLTIzVDE2OjEzOjA4LjYxMVoiIFZlcnNpb249IjIuMCIgeG1sbnM6eHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hIj48c2FtbDI6SXNzdWVyIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOm5hbWVpZC1mb3JtYXQ6ZW50aXR5Ij5odHRwOi8vQy1QRVBTLmdvdi54eDwvc2FtbDI6SXNzdWVyPjxkczpTaWduYXR1cmUgeG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPjxkczpTaWduZWRJbmZvPjxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+PGRzOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMDQveG1sZHNpZy1tb3JlI3JzYS1zaGEyNTYiLz48ZHM6UmVmZXJlbmNlIFVSST0iI18zNzhiMGNjNTk0YThkMzhmMzJjN2M3NjQ5NTQ0OWQ1ZCI+PGRzOlRyYW5zZm9ybXM+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIi8+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyI+PGVjOkluY2x1c2l2ZU5hbWVzcGFjZXMgeG1sbnM6ZWM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIgUHJlZml4TGlzdD0ieHMiLz48L2RzOlRyYW5zZm9ybT48L2RzOlRyYW5zZm9ybXM+PGRzOkRpZ2VzdE1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNzaGExIi8+PGRzOkRpZ2VzdFZhbHVlPnJCYTMrbTU0RXVVZzgzSzhpTnVPVDlTaktQcz08L2RzOkRpZ2VzdFZhbHVlPjwvZHM6UmVmZXJlbmNlPjwvZHM6U2lnbmVkSW5mbz48ZHM6U2lnbmF0dXJlVmFsdWU+RGlZc3UxRXRzMzFocEJySEtvT2IvVnloRisxL1dxYjI5akE4T1J6cnZZb2h1WUlUdjV2V3oxcjhKdkpkK2NubVRNSFlZSU9hQ2V6SXd6L08yUlZ1K3IwWHEwdWNKbmhhcnQ3aUcwTTdFSGR4MVdFaGVzMWtHcHd2c1VjbnlLbm9tdnlSVklNVC80YmU3YTJLRTJZNzJkMGg3bVBsZmV4bVNvUENiaGJYSDIzc0grNTlVYjM1d3pwaXRUUFFtREFmOU5ibVAzV1I2OHpFS0VMTnRuaEZ2VUIyMHZVaGxGNi9hN3pPMlhRTmdFbzFaZW53RlBtWjdYbFhIK29BT3Q1cnFwUXNyMjN4R0tpYXV5YUpjRXpzQ0E5Z0I4YVhMYlQxR0xta1IwTndVa0RMWWxzcWwyeVZ2M01ZaHI5VjU3enk2T3dDR0dzUEltNTdlYnZ1d3RSbE5RPT08L2RzOlNpZ25hdHVyZVZhbHVlPjxkczpLZXlJbmZvPjxkczpYNTA5RGF0YT48ZHM6WDUwOUNlcnRpZmljYXRlPk1JSUZiRENDQkZTZ0F3SUJBZ0lFUUxLNTl6QU5CZ2txaGtpRzl3MEJBUVVGQURBK01Rc3dDUVlEVlFRR0V3SnphVEViTUJrR0ExVUUKQ2hNU2MzUmhkR1V0YVc1emRHbDBkWFJwYjI1ek1SSXdFQVlEVlFRTEV3bHphWFJsYzNRdFkyRXdIaGNOTVRBd016TXdNVE13T1RJegpXaGNOTVRVd016TXdNVE16T1RJeldqQ0JoakVMTUFrR0ExVUVCaE1DYzJreEd6QVpCZ05WQkFvVEVuTjBZWFJsTFdsdWMzUnBkSFYwCmFXOXVjekVTTUJBR0ExVUVDeE1KVTBsVVJWTlVMVU5CTVJrd0Z3WURWUVFMRXhCalpYSjBhV1pwWTJGMFpYTXRkMlZpTVNzd0V3WUQKVlFRREV3eFVSVk5VSUZCRlVGTWdVMGt3RkFZRFZRUUZFdzB6TURBek1qQXhNREF3TURBeE1JSUJJakFOQmdrcWhraUc5dzBCQVFFRgpBQU9DQVE4QU1JSUJDZ0tDQVFFQTRoNkw5UHYxVEs3Zno1SzZVdXIwUmxpNkVLelp3VHR2OXhYaFN0MnhsSTR3Rld6ekZpQ3k1L08vClE1R1BSYTEwWW9NYzhzN1dtTWRNNXlJL2JVMEJGMnQ1U1l0RUg3TXdiR2FGWkZLSnQxN090YnBaQWFDU29oNmZtMXlPMEh0VlZrRzkKVWRING1zd1Mzd0hwL2QxQzkxbFFOYmEyZW5WYzJwOU5kNGdZb3AvemJyb0V0b0ZlRHlIeFRsMG1ZTi9jVUhRRlQ0SDI0aHpBZldYaAoyRk9CZk5TbnZObDJIblBKT1Q2SG5yVUJzZHl6a1N6TE4wRWlzMlIxRzUrbVFrekF3VzZVT3Jvb2p2TWNsRUpLM3oxb2VrajJPV2oxCkZoYWxUTm1BNUQ5ZGtEeW1UUm40bzNCVzJTN292bVdQbXhZVVc5czI2YmtQaHovQ2JDUXdJRjl5UFFJREFRQUJvNElDSnpDQ0FpTXcKRGdZRFZSMFBBUUgvQkFRREFnV2dNQ3NHQTFVZEVBUWtNQ0tBRHpJd01UQXdNek13TVRNd09USXpXb0VQTWpBeE5UQXpNekF4TXpNNQpNak5hTUVzR0ExVWRJQVJFTUVJd05nWUxLd1lCQkFHdldRSUJBUUl3SnpBbEJnZ3JCZ0VGQlFjQ0FSWVphSFIwY0RvdkwzZDNkeTVqCllTNW5iM1l1YzJrdlkzQnpMekFJQmdZRUFJc3dBUUl3R0FZSUt3WUJCUVVIQVFNRUREQUtNQWdHQmdRQWprWUJBVEFlQmdOVkhSRUUKRnpBVmdSTjBaWE4wTG5OcExYQmxjSE5BWjI5MkxuTnBNSUgyQmdOVkhSOEVnZTR3Z2Vzd1ZhQlRvRkdrVHpCTk1Rc3dDUVlEVlFRRwpFd0p6YVRFYk1Ca0dBMVVFQ2hNU2MzUmhkR1V0YVc1emRHbDBkWFJwYjI1ek1SSXdFQVlEVlFRTEV3bHphWFJsYzNRdFkyRXhEVEFMCkJnTlZCQU1UQkVOU1RETXdnWkdnZ1k2Z2dZdUdXR3hrWVhBNkx5OTROVEF3TG1kdmRpNXphUzl2ZFQxemFYUmxjM1F0WTJFc2J6MXoKZEdGMFpTMXBibk4wYVhSMWRHbHZibk1zWXoxemFUOWpaWEowYVdacFkyRjBaVkpsZG05allYUnBiMjVNYVhOMFAySmhjMldHTDJoMApkSEE2THk5M2QzY3VjMmxuWlc0dFkyRXVjMmt2WTNKc0wzTnBkR1Z6ZEM5emFYUmxjM1F0WTJFdVkzSnNNQjhHQTFVZEl3UVlNQmFBCkZGUkpCMGFIengySm5jcXVjcWVvb0tCcHR5SG5NQjBHQTFVZERnUVdCQlF5U2VtZURpMTBEYmVUWWoxdGtHWjVabzRtd2pBSkJnTlYKSFJNRUFqQUFNQmtHQ1NxR1NJYjJmUWRCQUFRTU1Bb2JCRlkzTGpFREFnT29NQTBHQ1NxR1NJYjNEUUVCQlFVQUE0SUJBUUFTUTRsMQpWZCtNUkRMRm8yQTZxWVlXTFZxVHZ0UExJazd2N0Jzd21xMlNGQUwyWG1Qb0w1eGJRRmVEVytMaVdoUUJtcmxnV3lJN2diaS8xL3JzCjFFMDBaNFNrbjhsOTd0dUl5dXh2Q0tURmhKRHg5cHpnVVFHb3dvQ1lvOUl6Y01OUXB4eDZsa2VwcmVDRHVjK2UwZkFidlROR0VwdlEKN0RrZ3J3SmRjc1VBRWxRNE9KMGlmRUxvYWgxREg4d3BVMzF6cjdEM1lzaXpaZ3B1NVRFSUdQNTRBT2hiRmVaRW1abFRVNmd3Tnc0aQpUZjZuVlFrR2F4c0p0NmdHR3N5TDhSVXV2d3BWUlIzV21wbEN0alhyeUdDZTRCL2FnQWUzRUtVaDE1SWFQdldxZGl4U2p5U3hqQkkxCmJOOElFRkhZUFptdXdoN1kxRlF1T1lRR2p1U0xzSnk5PC9kczpYNTA5Q2VydGlmaWNhdGU+PC9kczpYNTA5RGF0YT48L2RzOktleUluZm8+PC9kczpTaWduYXR1cmU+PHNhbWwyOlN1YmplY3Q+PHNhbWwyOk5hbWVJRCBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMTpuYW1laWQtZm9ybWF0OnVuc3BlY2lmaWVkIiBOYW1lUXVhbGlmaWVyPSJodHRwOi8vQy1QRVBTLmdvdi54eCI+dXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6MS4xOm5hbWVpZC1mb3JtYXQ6dW5zcGVjaWZpZWQ8L3NhbWwyOk5hbWVJRD48c2FtbDI6U3ViamVjdENvbmZpcm1hdGlvbiBNZXRob2Q9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpjbTpiZWFyZXIiPjxzYW1sMjpTdWJqZWN0Q29uZmlybWF0aW9uRGF0YSBBZGRyZXNzPSI5MS4xNDMuMTA1LjM3IiBJblJlc3BvbnNlVG89Il9mMjM1OGYyZjRkYjQ0NWJkMWFjNzVjZTQxNWQ3NmE5NSIgTm90T25PckFmdGVyPSIyMDE1LTAyLTIzVDE2OjE4OjA4LjYxMVoiIFJlY2lwaWVudD0iaHR0cHM6Ly9sb2NhbGhvc3Q6ODQ0My9tb2EtaWQtYXV0aC9QRVBTQ29ubmVjdG9yIi8+PC9zYW1sMjpTdWJqZWN0Q29uZmlybWF0aW9uPjwvc2FtbDI6U3ViamVjdD48c2FtbDI6Q29uZGl0aW9ucyBOb3RCZWZvcmU9IjIwMTUtMDItMjNUMTY6MTM6MDguNjExWiIgTm90T25PckFmdGVyPSIyMDE1LTAyLTIzVDE2OjE4OjA4LjYxMVoiPjxzYW1sMjpBdWRpZW5jZVJlc3RyaWN0aW9uPjxzYW1sMjpBdWRpZW5jZT5odHRwczovL2xvY2FsaG9zdDo4NDQzL21vYS1pZC1hdXRoPC9zYW1sMjpBdWRpZW5jZT48L3NhbWwyOkF1ZGllbmNlUmVzdHJpY3Rpb24+PHNhbWwyOk9uZVRpbWVVc2UvPjwvc2FtbDI6Q29uZGl0aW9ucz48c2FtbDI6QXV0aG5TdGF0ZW1lbnQgQXV0aG5JbnN0YW50PSIyMDE1LTAyLTIzVDE2OjEzOjA4LjYxMloiPjxzYW1sMjpTdWJqZWN0TG9jYWxpdHkgQWRkcmVzcz0iOTEuMTQzLjEwNS4zNyIvPjxzYW1sMjpBdXRobkNvbnRleHQ+PHNhbWwyOkF1dGhuQ29udGV4dERlY2wvPjwvc2FtbDI6QXV0aG5Db250ZXh0Pjwvc2FtbDI6QXV0aG5TdGF0ZW1lbnQ+PHNhbWwyOkF0dHJpYnV0ZVN0YXRlbWVudD48c2FtbDI6QXR0cmlidXRlIE5hbWU9Imh0dHA6Ly93d3cuc3RvcmsuZ292LmV1LzEuMC9lSWRlbnRpZmllciIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDp1cmkiIHN0b3JrOkF0dHJpYnV0ZVN0YXR1cz0iQXZhaWxhYmxlIj48c2FtbDI6QXR0cmlidXRlVmFsdWUgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOmFueVR5cGUiPlNJL0FUL1E4Ny93WkcrYWYxOGZ3d1orUjJ6SlNVOG5rSGFOVWh0QW9KRTJ6RTF5SldQdjBvWjRGd2srRFJUYTZNPTwvc2FtbDI6QXR0cmlidXRlVmFsdWU+PC9zYW1sMjpBdHRyaWJ1dGU+PHNhbWwyOkF0dHJpYnV0ZSBOYW1lPSJodHRwOi8vd3d3LnN0b3JrLmdvdi5ldS8xLjAvZ2l2ZW5OYW1lIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSIgc3Rvcms6QXR0cmlidXRlU3RhdHVzPSJBdmFpbGFibGUiPjxzYW1sMjpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4c2k6dHlwZT0ieHM6YW55VHlwZSI+SmFuZXo8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjxzYW1sMjpBdHRyaWJ1dGUgTmFtZT0iaHR0cDovL3d3dy5zdG9yay5nb3YuZXUvMS4wL2RhdGVPZkJpcnRoIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSIgc3Rvcms6QXR0cmlidXRlU3RhdHVzPSJBdmFpbGFibGUiPjxzYW1sMjpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4c2k6dHlwZT0ieHM6YW55VHlwZSI+MTk5OTA2MDM8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjxzYW1sMjpBdHRyaWJ1dGUgTmFtZT0iaHR0cDovL3d3dy5zdG9yay5nb3YuZXUvMS4wL3NpZ25lZERvYyIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDp1cmkiIHN0b3JrOkF0dHJpYnV0ZVN0YXR1cz0iQXZhaWxhYmxlIj48c2FtbDI6QXR0cmlidXRlVmFsdWUgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOmFueVR5cGUiPjxuczI6U2lnblJlc3BvbnNlIHhtbG5zOm5zMj0idXJuOm9hc2lzOm5hbWVzOnRjOmRzczoxLjA6Y29yZTpzY2hlbWEiIHhtbG5zPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoxLjA6YXNzZXJ0aW9uIiB4bWxuczpuczM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiIERvY1VJPSJMT0NBTC9TSS83NDljOWNiOS01YzAzLTQwY2UtYmZmOC00NTc4MDJiMzk2OTUiIFByb2ZpbGU9InVybjpvYXNpczpuYW1lczp0Yzpkc3M6MS4wOnByb2ZpbGVzOlhBZEVTOmZvcm1zOkJFUyIgUmVxdWVzdElEPSJfMWUxNjkyODliZjEwMmNlMmViYzYyMDY4Nzc4OTNjMjQiPjxuczI6UmVzdWx0PjxuczI6UmVzdWx0TWFqb3I+dXJuOm9hc2lzOm5hbWVzOnRjOmRzczoxLjA6cmVzdWx0bWFqb3I6U3VjY2VzczwvbnMyOlJlc3VsdE1ham9yPjwvbnMyOlJlc3VsdD48bnMyOk9wdGlvbmFsT3V0cHV0cz48bnMyOkRvY3VtZW50V2l0aFNpZ25hdHVyZT48bnMyOkRvY3VtZW50PjxuczI6RG9jdW1lbnRVUkw+aHR0cHM6Ly9wZXBzLXRlc3QubWp1Lmdvdi5zaS9Eb2N1bWVudFNlcnZpY2UvRG9jdW1lbnRTZXJ2aWNlPC9uczI6RG9jdW1lbnRVUkw+PC9uczI6RG9jdW1lbnQ+PC9uczI6RG9jdW1lbnRXaXRoU2lnbmF0dXJlPjwvbnMyOk9wdGlvbmFsT3V0cHV0cz48L25zMjpTaWduUmVzcG9uc2U+PC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48c2FtbDI6QXR0cmlidXRlIE5hbWU9Imh0dHA6Ly93d3cuc3RvcmsuZ292LmV1LzEuMC9zdXJuYW1lIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSIgc3Rvcms6QXR0cmlidXRlU3RhdHVzPSJBdmFpbGFibGUiPjxzYW1sMjpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4c2k6dHlwZT0ieHM6YW55VHlwZSI+VnpvcmVjPC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48L3NhbWwyOkF0dHJpYnV0ZVN0YXRlbWVudD48L3NhbWwyOkFzc2VydGlvbj48L3NhbWwycDpSZXNwb25zZT4=
\ No newline at end of file
-- 
cgit v1.2.3


From cfbd74f21130b97c0ae20c63ce4d7c4429c1e78b Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Thu, 26 Feb 2015 08:52:59 +0100
Subject: Fix errorhandling in STORK 2 PepsConnectorTask

---
 .../moa/id/auth/modules/stork/tasks/PepsConnectorTask.java   | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

(limited to 'id/server/modules/module-stork/src/main/java')

diff --git a/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorTask.java b/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorTask.java
index 1a18f8198..59f54f957 100644
--- a/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorTask.java
+++ b/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorTask.java
@@ -319,8 +319,18 @@ public class PepsConnectorTask extends AbstractAuthServletTask {
 			// extract signed doc element and citizen signature
 			String citizenSignature = null;
 			try {
-				String signatureInfo = authnResponse.getPersonalAttributeList().get("signedDoc").getValue().get(0); // TODO ERROR HANDLING
 
+				if (authnResponse.getPersonalAttributeList().get("signedDoc") == null 
+						|| authnResponse.getPersonalAttributeList().get("signedDoc").getValue() == null
+						|| authnResponse.getPersonalAttributeList().get("signedDoc").getValue().get(0) == null) {
+					Logger.info("STORK Response include NO signedDoc attribute!");
+					throw new STORKException("STORK Response include NO signedDoc attribute.");
+					
+				}
+				
+				String signatureInfo = authnResponse.getPersonalAttributeList().get("signedDoc").getValue().get(0);
+					
+									
 				Logger.debug("signatureInfo:" + signatureInfo);
 
 				SignResponse dssSignResponse = (SignResponse) ApiUtils.unmarshal(new StreamSource(
-- 
cgit v1.2.3


From 12c3c34ea26ff20e39c9b67f698e9c8b99ef11ee Mon Sep 17 00:00:00 2001
From: Florian Reimair <florian.reimair@iaik.tugraz.at>
Date: Fri, 13 Mar 2015 15:38:31 +0100
Subject: STORK PEPS-conform logging

---
 .../moa/id/auth/AuthenticationServer.java          | 24 ++++++++++++++++++++++
 .../moa/id/auth/servlet/PEPSConnectorServlet.java  | 20 ++++++++++++++++++
 .../modules/stork/tasks/PepsConnectorTask.java     | 20 ++++++++++++++++++
 3 files changed, 64 insertions(+)

(limited to 'id/server/modules/module-stork/src/main/java')

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
index fd7c7f237..c4d6859db 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
@@ -11,9 +11,11 @@ import java.io.InputStream;
 import java.io.StringWriter;
 import java.io.UnsupportedEncodingException;
 import java.math.BigInteger;
+import java.net.URL;
 import java.security.NoSuchAlgorithmException;
 import java.security.Principal;
 import java.security.cert.CertificateException;
+import java.text.SimpleDateFormat;
 import java.util.ArrayList;
 //import java.security.cert.CertificateFactory;
 import java.util.Calendar;
@@ -1845,6 +1847,17 @@ public class AuthenticationServer implements MOAIDAuthConstants {
 		//send
 		moasession.setStorkAuthnRequest(authnRequest);
 
+		// do PEPS-conform logging for easier evaluation
+		try {
+			// 2015-03-12 16:44:27.144#S-PEPS receives request from SP#spurl#spepsurl#spapp#spdomain#citizen country#qaa#msghash#msg_id id1#
+			Logger.info(new SimpleDateFormat("yyyy-MM-dd HH:mm:ss.SSS").format(new Date()) + "#S-PEPS receives request from SP#" + 
+					moasession.getPublicOAURLPrefix() + "#" + issuerValue + "#" + spApplication + "#" + 
+					new URL(moasession.getPublicOAURLPrefix()).getHost() + "#" + moasession.getCcc() + "#" + oaParam.getQaaLevel() +
+					"#_hash_#" + moasession.getProcessInstanceId() + "#");
+		} catch (Exception e1) {
+			Logger.info("STORK PEPS conform logging failed because of: " + e1.getMessage());
+		}
+
 		AuthenticationSessionStoreage.changeSessionID(moasession, authnRequest.getSamlId());
 
 
@@ -1877,6 +1890,17 @@ public class AuthenticationServer implements MOAIDAuthConstants {
 		}
 
 		Logger.info("STORK AuthnRequest successfully successfully prepared for client with target location: " + authnRequest.getDestination());
+
+		// do PEPS-conform logging for easier evaluation
+		try {
+			// 2015-03-12 16:44:27.144#S-PEPS generates request to C-PEPS#spepsurl#cpepsurl#spapp#spdomain#citizen country#qaa#msghash#msg_id id1#id2#
+			Logger.info(new SimpleDateFormat("yyyy-MM-dd HH:mm:ss.SSS").format(new Date()) + "#S-PEPS generates request to C-PEPS#" + 
+					issuerValue + "#" + destination + "#" + spApplication + "#" + 
+					new URL(moasession.getPublicOAURLPrefix()).getHost() + "#" + moasession.getCcc() + "#" + oaParam.getQaaLevel() +
+					"#_hash_#" + moasession.getProcessInstanceId() + "#" + authnRequest.getSamlId() + "#");
+		} catch (Exception e1) {
+			Logger.info("STORK PEPS conform logging failed because of: " + e1.getMessage());
+		}
 	}
 
 	private static String generateDssSignRequest(String text, String mimeType, String citizenCountry) {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java
index 7357818c8..24daa76a3 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/PEPSConnectorServlet.java
@@ -28,8 +28,10 @@ import java.io.IOException;
 import java.io.InputStream;
 import java.io.StringWriter;
 import java.net.URL;
+import java.text.SimpleDateFormat;
 import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.Date;
 import java.util.List;
 import java.util.Properties;
 
@@ -201,6 +203,15 @@ public class PEPSConnectorServlet extends AuthServlet {
 			Logger.debug("STORK response: ");
 			Logger.debug(authnResponse.toString());
 			
+			// do PEPS-conform logging for easier evaluation
+			try {
+				// 2015-03-12 16:44:27.144#S-PEPS receives response from C-PEPS#orig_msg_id id2 (in response to)#orig_msg_id id1 (in response to)#status#msghash#msg_id id3#
+				Logger.info(new SimpleDateFormat("yyyy-MM-dd HH:mm:ss.SSS").format(new Date()) + "#S-PEPS receives response from C-PEPS#" + 
+						authnResponse.getInResponseTo() + "#NA#" + authnResponse.getMessage() + "#_hash_#" + authnResponse.getSamlId() + "#");
+			} catch (Exception e1) {
+				Logger.info("STORK PEPS conform logging failed because of: " + e1.getMessage());
+			}
+
 			Logger.debug("Trying to find MOA Session-ID ...");			
 		    //String moaSessionID = request.getParameter(PARAM_SESSIONID);
 			//first use SAML2 relayState 
@@ -554,6 +565,15 @@ public class PEPSConnectorServlet extends AuthServlet {
 			// stork did the authentication step
 			moaSession.setAuthenticated(true);
 			
+			// do PEPS-conform logging for easier evaluation
+			try {
+				// 2015-03-12 16:44:27.144#S-PEPS generates response to SP#orig_msg_id id1 (in response to)#status#msghash#msg_id id4#
+				Logger.info(new SimpleDateFormat("yyyy-MM-dd HH:mm:ss.SSS").format(new Date()) + "#S-PEPS generates response to SP#" + 
+						"#NA#" + authnResponse.getMessage() + "#_hash_#" + moaSession.getProcessInstanceId() + "#");
+			} catch (Exception e1) {
+				Logger.info("STORK PEPS conform logging failed because of: " + e1.getMessage());
+			}
+
 //			//TODO: found better solution, but QAA Level in response could be not supported yet
 //			try {
 //
diff --git a/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorTask.java b/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorTask.java
index 59f54f957..d233f88c4 100644
--- a/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorTask.java
+++ b/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorTask.java
@@ -6,8 +6,10 @@ import java.io.IOException;
 import java.io.InputStream;
 import java.io.StringWriter;
 import java.net.URL;
+import java.text.SimpleDateFormat;
 import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.Date;
 import java.util.List;
 import java.util.Properties;
 
@@ -170,6 +172,15 @@ public class PepsConnectorTask extends AbstractAuthServletTask {
 			Logger.debug("STORK response: ");
 			Logger.debug(authnResponse.toString());
 
+			// do PEPS-conform logging for easier evaluation
+			try {
+				// 2015-03-12 16:44:27.144#S-PEPS receives response from C-PEPS#orig_msg_id id2 (in response to)#orig_msg_id id1 (in response to)#status#msghash#msg_id id3#
+				Logger.info(new SimpleDateFormat("yyyy-MM-dd HH:mm:ss.SSS").format(new Date()) + "#S-PEPS receives response from C-PEPS#" + 
+						authnResponse.getInResponseTo() + "#NA#" + authnResponse.getMessage() + "#_hash_#" + authnResponse.getSamlId() + "#");
+			} catch (Exception e1) {
+				Logger.info("STORK PEPS conform logging failed because of: " + e1.getMessage());
+			}
+
 			Logger.debug("Trying to find MOA Session-ID ...");
 			// String moaSessionID = request.getParameter(PARAM_SESSIONID);
 			// first use SAML2 relayState
@@ -549,6 +560,15 @@ public class PepsConnectorTask extends AbstractAuthServletTask {
 			// stork did the authentication step
 			moaSession.setAuthenticated(true);
 
+			// do PEPS-conform logging for easier evaluation
+			try {
+				// 2015-03-12 16:44:27.144#S-PEPS generates response to SP#orig_msg_id id1 (in response to)#status#msghash#msg_id id4#
+				Logger.info(new SimpleDateFormat("yyyy-MM-dd HH:mm:ss.SSS").format(new Date()) + "#S-PEPS generates response to SP#" + 
+						"#" + moaSession.getProcessInstanceId() + "#" + authnResponse.getMessage() + "#_hash_#" + moaSession.getProcessInstanceId() + "#");
+			} catch (Exception e1) {
+				Logger.info("STORK PEPS conform logging failed because of: " + e1.getMessage());
+			}
+
 			// TODO: found better solution, but QAA Level in STORK response is not be supported yet
 //			try {
 //
-- 
cgit v1.2.3


From 9ac6c3342ba7afdd75838230d13ceda70614cedc Mon Sep 17 00:00:00 2001
From: Florian Reimair <florian.reimair@iaik.tugraz.at>
Date: Fri, 13 Mar 2015 16:03:33 +0100
Subject: added fakeidl no-signature option config

---
 .../moa/id/config/auth/AuthConfigurationProvider.java          | 10 ++++++++++
 .../moa/id/auth/modules/stork/tasks/PepsConnectorTask.java     |  8 ++++++--
 2 files changed, 16 insertions(+), 2 deletions(-)

(limited to 'id/server/modules/module-stork/src/main/java')

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java
index c746c0888..d33a9ea92 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java
@@ -1042,6 +1042,16 @@ public class AuthConfigurationProvider extends ConfigurationProvider {
 		  return null;
   }
 
+  /**
+   * Gets the countries for which it is configured to require no signature
+   *
+   * @return the stork no signature countries
+   */
+  public List<String> getStorkNoSignatureCountries() {
+	  String prop = props.getProperty("stork.fakeIdL.noSignatureCountries", "");
+	  return Arrays.asList(prop.replaceAll(" ", "").split(","));
+  }
+
   public boolean isMonitoringActive() {
 	  String prop = props.getProperty("configuration.monitoring.active", "false");
 	  return Boolean.valueOf(prop);
diff --git a/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorTask.java b/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorTask.java
index d233f88c4..3d787f371 100644
--- a/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorTask.java
+++ b/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorTask.java
@@ -326,9 +326,13 @@ public class PepsConnectorTask extends AbstractAuthServletTask {
 
 			// ////////////////////////////////////////////////////////////////////////
 
+			AuthConfigurationProvider config = AuthConfigurationProvider.getInstance();
+			String citizenSignature = null;
+			if(config.isStorkFakeIdLActive() && config.getStorkNoSignatureCountries().contains(storkAuthnRequest.getCitizenCountryCode()) && config.getStorkFakeIdLCountries().contains(storkAuthnRequest.getCitizenCountryCode())) {
+				Logger.debug("signedDoc extraction skipped due to configuration");
+			} else {
 			Logger.debug("Starting extraction of signedDoc attribute");
 			// extract signed doc element and citizen signature
-			String citizenSignature = null;
 			try {
 
 				if (authnResponse.getPersonalAttributeList().get("signedDoc") == null 
@@ -409,6 +413,7 @@ public class PepsConnectorTask extends AbstractAuthServletTask {
 				Logger.error("Could not extract citizen signature from C-PEPS", e);
 				throw new MOAIDException("stork.09", null);
 			}
+			}
 			Logger.debug("Foregin Citizen signature successfully extracted from STORK Assertion (signedDoc)");
 			Logger.debug("Citizen signature will be verified by SZR Gateway!");
 
@@ -441,7 +446,6 @@ public class PepsConnectorTask extends AbstractAuthServletTask {
 			IdentityLink identityLink = null;
 			executionContext.put("identityLinkAvailable", false);
 			try {
-				AuthConfigurationProvider config = AuthConfigurationProvider.getInstance();
 				if(config.isStorkFakeIdLActive() && config.getStorkFakeIdLCountries().contains(storkAuthnRequest.getCitizenCountryCode())) {
 					// create fake IdL
 					// - fetch IdL template from resources
-- 
cgit v1.2.3


From c0613b08431899c6d97affc570a237b81dfcda80 Mon Sep 17 00:00:00 2001
From: Florian Reimair <florian.reimair@iaik.tugraz.at>
Date: Fri, 13 Mar 2015 16:04:09 +0100
Subject: fixed date format issue with fakeIdL creation

---
 .../gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java   | 2 +-
 .../egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorTask.java  | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)

(limited to 'id/server/modules/module-stork/src/main/java')

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
index 82e079459..cd751ce7f 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
@@ -906,7 +906,7 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants {
 				}
 				
 			} catch (Exception e) {
-				Logger.error("Failed to extract country code from certificate", e);
+				Logger.error("Failed to extract country code from certificate with message: " + e.getMessage());
 				
 			}
 			
diff --git a/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorTask.java b/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorTask.java
index 3d787f371..6e0bd19ff 100644
--- a/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorTask.java
+++ b/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorTask.java
@@ -30,6 +30,7 @@ import org.apache.velocity.Template;
 import org.apache.velocity.VelocityContext;
 import org.apache.velocity.app.VelocityEngine;
 import org.opensaml.saml2.core.StatusCode;
+import org.springframework.format.datetime.DateFormatter;
 import org.w3c.dom.Element;
 import org.w3c.dom.Node;
 
@@ -482,6 +483,7 @@ public class PepsConnectorTask extends AbstractAuthServletTask {
 			        if(!STORKResponseProcessor.hasAttribute("dateOfBirth", attributeList))
 			        	throw new STORKException("dateOfBirth is missing");
 					String dateOfBirth = STORKResponseProcessor.getAttributeValue("dateOfBirth", attributeList, false);
+					dateOfBirth = new SimpleDateFormat("yyyy-MM-dd").format(new SimpleDateFormat("yyyyMMdd").parse(dateOfBirth));
 					prDateOfBirth.getFirstChild().setNodeValue(dateOfBirth);
 
 		            identityLink = new IdentityLinkAssertionParser(idlassertion).parseIdentityLink();
-- 
cgit v1.2.3


From 945c4d28535724f0a54d220f9eb0ebd25b8227c4 Mon Sep 17 00:00:00 2001
From: Florian Reimair <florian.reimair@iaik.tugraz.at>
Date: Tue, 14 Apr 2015 13:58:27 +0200
Subject: respect multi-part stork responses

---
 ...onnectorHandleResponseWithoutSignatureTask.java | 18 +++++++++++------
 .../modules/stork/tasks/PepsConnectorTask.java     | 23 ++++++++++++++--------
 2 files changed, 27 insertions(+), 14 deletions(-)

(limited to 'id/server/modules/module-stork/src/main/java')

diff --git a/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorHandleResponseWithoutSignatureTask.java b/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorHandleResponseWithoutSignatureTask.java
index 3338804b4..e2c3880ac 100644
--- a/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorHandleResponseWithoutSignatureTask.java
+++ b/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorHandleResponseWithoutSignatureTask.java
@@ -136,7 +136,7 @@ public class PepsConnectorHandleResponseWithoutSignatureTask extends AbstractPep
 			try {
 				// validate SAML Token
 				Logger.debug("Starting validation of SAML response");
-				authnResponse = engine.validateSTORKAuthnResponse(decSamlToken, (String) request.getRemoteHost());
+				authnResponse = engine.validateSTORKAuthnResponseWithQuery(decSamlToken, (String) request.getRemoteHost());
 				Logger.info("SAML response succesfully verified!");
 			} catch (STORKSAMLEngineException e) {
 				Logger.error("Failed to verify STORK SAML Response", e);
@@ -211,10 +211,16 @@ public class PepsConnectorHandleResponseWithoutSignatureTask extends AbstractPep
 
 			Logger.debug("Found a preceeding STORK AuthnRequest to this MOA session: " + moaSessionID);
 
-			// //////////// incorporate gender from parameters if not in stork response
 
-			IPersonalAttributeList attributeList = authnResponse.getPersonalAttributeList();
+			// first, try to fetch the attributes from the list of total attributes. Note that this very list is only filled
+			// with ALL attributes when there is more than one assertion in the SAML2 STORK message.  
+			IPersonalAttributeList attributeList = authnResponse.getTotalPersonalAttributeList();
+
+			// if the list is empty, there was just one assertion... probably
+			if(attributeList.isEmpty())
+				attributeList = authnResponse.getPersonalAttributeList();
 
+			// //////////// incorporate gender from parameters if not in stork response
 			// but first, check if we have a representation case
 			if (STORKResponseProcessor.hasAttribute("mandateContent", attributeList)
 					|| STORKResponseProcessor.hasAttribute("representative", attributeList)
@@ -233,7 +239,7 @@ public class PepsConnectorHandleResponseWithoutSignatureTask extends AbstractPep
 						tmp.add(gendervalue);
 						gender.setValue(tmp);
 
-						authnResponse.getPersonalAttributeList().add(gender);
+						attributeList.add(gender);
 					}
 				}
 			}
@@ -246,7 +252,7 @@ public class PepsConnectorHandleResponseWithoutSignatureTask extends AbstractPep
 			// extract signed doc element and citizen signature
 			String citizenSignature = null;
 			try {
-				PersonalAttribute signedDoc = authnResponse.getPersonalAttributeList().get("signedDoc");
+				PersonalAttribute signedDoc = attributeList.get("signedDoc");
 				String signatureInfo = null;
 				// FIXME: Remove nonsense code (signedDoc attribute... (throw Exception for "should not occur" situations)), adjust error messages in order to reflect the true problem...
 				if (signedDoc != null) {
@@ -259,7 +265,7 @@ public class PepsConnectorHandleResponseWithoutSignatureTask extends AbstractPep
 					// store authnResponse
 
 					// moaSession.setAuthnResponse(authnResponse);//not serializable
-					moaSession.setAuthnResponseGetPersonalAttributeList(authnResponse.getPersonalAttributeList());
+					moaSession.setAuthnResponseGetPersonalAttributeList(attributeList);
 
 					String authnContextClassRef = null;
 					try {
diff --git a/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorTask.java b/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorTask.java
index 6e0bd19ff..9df0ff37b 100644
--- a/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorTask.java
+++ b/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorTask.java
@@ -162,7 +162,7 @@ public class PepsConnectorTask extends AbstractAuthServletTask {
 			try {
 				// validate SAML Token
 				Logger.debug("Starting validation of SAML response");
-				authnResponse = engine.validateSTORKAuthnResponse(decSamlToken, (String) request.getRemoteHost());
+				authnResponse = engine.validateSTORKAuthnResponseWithQuery(decSamlToken, (String) request.getRemoteHost());
 				Logger.info("SAML response succesfully verified!");
 			} catch (STORKSAMLEngineException e) {
 				Logger.error("Failed to verify STORK SAML Response", e);
@@ -297,9 +297,16 @@ public class PepsConnectorTask extends AbstractAuthServletTask {
 			
 			Logger.debug("Found a preceeding STORK AuthnRequest to this MOA session: " + moaSessionID);
 
-			// //////////// incorporate gender from parameters if not in stork response
 
-			IPersonalAttributeList attributeList = authnResponse.getPersonalAttributeList();
+			// first, try to fetch the attributes from the list of total attributes. Note that this very list is only filled
+			// with ALL attributes when there is more than one assertion in the SAML2 STORK message.  
+			IPersonalAttributeList attributeList = authnResponse.getTotalPersonalAttributeList();
+
+			// if the list is empty, there was just one assertion... probably
+			if(attributeList.isEmpty())
+				attributeList = authnResponse.getPersonalAttributeList();
+
+			// //////////// incorporate gender from parameters if not in stork response
 
 			// but first, check if we have a representation case
 			if (STORKResponseProcessor.hasAttribute("mandateContent", attributeList)
@@ -320,7 +327,7 @@ public class PepsConnectorTask extends AbstractAuthServletTask {
 						tmp.add(gendervalue);
 						gender.setValue(tmp);
 
-						authnResponse.getPersonalAttributeList().add(gender);
+						attributeList.add(gender);
 					}
 				}
 			}
@@ -336,15 +343,15 @@ public class PepsConnectorTask extends AbstractAuthServletTask {
 			// extract signed doc element and citizen signature
 			try {
 
-				if (authnResponse.getPersonalAttributeList().get("signedDoc") == null 
-						|| authnResponse.getPersonalAttributeList().get("signedDoc").getValue() == null
-						|| authnResponse.getPersonalAttributeList().get("signedDoc").getValue().get(0) == null) {
+				if (attributeList.get("signedDoc") == null 
+						|| attributeList.get("signedDoc").getValue() == null
+						|| attributeList.get("signedDoc").getValue().get(0) == null) {
 					Logger.info("STORK Response include NO signedDoc attribute!");
 					throw new STORKException("STORK Response include NO signedDoc attribute.");
 					
 				}
 				
-				String signatureInfo = authnResponse.getPersonalAttributeList().get("signedDoc").getValue().get(0);
+				String signatureInfo = attributeList.get("signedDoc").getValue().get(0);
 					
 									
 				Logger.debug("signatureInfo:" + signatureInfo);
-- 
cgit v1.2.3


From bc41be7e1478e4b213c0357135a24572fce5f21d Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Mon, 20 Apr 2015 13:52:25 +0200
Subject: update STORK authentication module

---
 .../modules/stork/tasks/CreateStorkAuthRequestFormTask.java  |  8 +++++---
 .../tasks/PepsConnectorHandleLocalSignResponseTask.java      | 12 +++++++-----
 .../PepsConnectorHandleResponseWithoutSignatureTask.java     | 12 +++++++-----
 .../moa/id/auth/modules/stork/tasks/PepsConnectorTask.java   |  8 +++++---
 4 files changed, 24 insertions(+), 16 deletions(-)

(limited to 'id/server/modules/module-stork/src/main/java')

diff --git a/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/CreateStorkAuthRequestFormTask.java b/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/CreateStorkAuthRequestFormTask.java
index f8cc17b93..021ee62cf 100644
--- a/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/CreateStorkAuthRequestFormTask.java
+++ b/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/CreateStorkAuthRequestFormTask.java
@@ -15,6 +15,7 @@ import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
 import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
 import at.gv.egovernment.moa.id.auth.exception.WrongParametersException;
 import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
+import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
 import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils;
 import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
 import at.gv.egovernment.moa.id.config.stork.CPEPS;
@@ -63,7 +64,7 @@ public class CreateStorkAuthRequestFormTask extends AbstractAuthServletTask {
 
 	@Override
 	public void execute(ExecutionContext executionContext, HttpServletRequest req, HttpServletResponse resp)
-			throws Exception {
+			throws TaskExecutionException {
 
 		String pendingRequestID = null;
 		String sessionID = null;
@@ -97,11 +98,12 @@ public class CreateStorkAuthRequestFormTask extends AbstractAuthServletTask {
 			AuthenticationServer.startSTORKAuthentication(req, resp, moasession);
 
 		} catch (MOAIDException ex) {
-			handleError(null, ex, req, resp, pendingRequestID);
+			throw new TaskExecutionException(ex.getMessage(), ex);
 
 		} catch (Exception e) {
 			Logger.error("CreateStorkAuthRequestFormTask has an interal Error.", e);
-			throw new MOAIDException("Internal error.", new Object[] { sessionID }, e);
+			throw new TaskExecutionException("CreateStorkAuthRequestFormTask has an interal Error.", e);
+			
 		}
 
 		finally {
diff --git a/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorHandleLocalSignResponseTask.java b/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorHandleLocalSignResponseTask.java
index 077bb2dee..1ae66f24e 100644
--- a/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorHandleLocalSignResponseTask.java
+++ b/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorHandleLocalSignResponseTask.java
@@ -22,6 +22,7 @@ import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder;
 import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
 import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
 import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
+import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
 import at.gv.egovernment.moa.id.auth.stork.STORKException;
 import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils;
 import at.gv.egovernment.moa.id.moduls.ModulUtils;
@@ -79,7 +80,7 @@ public class PepsConnectorHandleLocalSignResponseTask extends AbstractPepsConnec
 
 	@Override
 	public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response)
-			throws Exception {
+			throws TaskExecutionException {
 		String moaSessionID = request.getParameter("moaSessionID");
 		String signResponse = request.getParameter("signresponse");
 		Logger.info("moaSessionID:" + moaSessionID);
@@ -90,13 +91,13 @@ public class PepsConnectorHandleLocalSignResponseTask extends AbstractPepsConnec
 			handleSignResponse(executionContext, request, response);
 		} else {
 			// should not occur
-			throw new IOException("should not occur");
+			throw new TaskExecutionException("Parsing mulitpart/form-data request parameters failed", null);
 		}
 		return;
 	}
 
 	private void handleSignResponse(ExecutionContext executionContext, HttpServletRequest request,
-			HttpServletResponse response) {
+			HttpServletResponse response) throws TaskExecutionException {
 		Logger.info("handleSignResponse started");
 		String moaSessionID = request.getParameter("moaSessionID");
 		String signResponse = request.getParameter("signresponse");
@@ -199,13 +200,14 @@ public class PepsConnectorHandleLocalSignResponseTask extends AbstractPepsConnec
 			Logger.info("REDIRECT TO: " + redirectURL);
 
 		} catch (AuthenticationException e) {
-			handleError(null, e, request, response, pendingRequestID);
+			throw new TaskExecutionException(e.getMessage(), e);
 
 		} catch (MOAIDException e) {
-			handleError(null, e, request, response, pendingRequestID);
+			throw new TaskExecutionException(e.getMessage(), e);
 
 		} catch (Exception e) {
 			Logger.error("PEPSConnector has an interal Error.", e);
+			throw new TaskExecutionException(e.getMessage(), e);
 		}
 
 		finally {
diff --git a/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorHandleResponseWithoutSignatureTask.java b/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorHandleResponseWithoutSignatureTask.java
index e2c3880ac..08da21460 100644
--- a/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorHandleResponseWithoutSignatureTask.java
+++ b/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorHandleResponseWithoutSignatureTask.java
@@ -25,6 +25,7 @@ import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder;
 import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
 import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
 import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
+import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
 import at.gv.egovernment.moa.id.auth.servlet.PEPSConnectorWithLocalSigningServlet;
 import at.gv.egovernment.moa.id.auth.stork.STORKException;
 import at.gv.egovernment.moa.id.auth.stork.STORKResponseProcessor;
@@ -83,7 +84,7 @@ public class PepsConnectorHandleResponseWithoutSignatureTask extends AbstractPep
 
 	@Override
 	public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response)
-			throws Exception {
+			throws TaskExecutionException {
 		String moaSessionID = request.getParameter("moaSessionID");
 		String signResponse = request.getParameter("signresponse");
 		Logger.info("moaSessionID:" + moaSessionID);
@@ -95,13 +96,13 @@ public class PepsConnectorHandleResponseWithoutSignatureTask extends AbstractPep
 
 		} else {
 			// should not occur
-			throw new IOException("should not occur");
+			throw new TaskExecutionException("Parsing mulitpart/form-data request parameters failed", null);
 		}
 		return;
 	}
 
 	private void handleSAMLResponse(ExecutionContext executionContext, HttpServletRequest request,
-			HttpServletResponse response) {
+			HttpServletResponse response) throws TaskExecutionException {
 		Logger.info("handleSAMLResponse started");
 		String pendingRequestID = null;
 
@@ -399,13 +400,14 @@ public class PepsConnectorHandleResponseWithoutSignatureTask extends AbstractPep
 			Logger.info("REDIRECT TO: " + redirectURL);
 
 		} catch (AuthenticationException e) {
-			handleError(null, e, request, response, pendingRequestID);
+			throw new TaskExecutionException(e.getMessage(), e);
 
 		} catch (MOAIDException e) {
-			handleError(null, e, request, response, pendingRequestID);
+			throw new TaskExecutionException(e.getMessage(), e);
 
 		} catch (Exception e) {
 			Logger.error("PEPSConnector has an interal Error.", e);
+			throw new TaskExecutionException(e.getMessage(), e);
 		}
 
 		finally {
diff --git a/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorTask.java b/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorTask.java
index 9df0ff37b..81c7c3a7b 100644
--- a/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorTask.java
+++ b/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorTask.java
@@ -41,6 +41,7 @@ import at.gv.egovernment.moa.id.auth.data.IdentityLink;
 import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
 import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
 import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
+import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
 import at.gv.egovernment.moa.id.auth.parser.IdentityLinkAssertionParser;
 import at.gv.egovernment.moa.id.auth.servlet.PEPSConnectorServlet;
 import at.gv.egovernment.moa.id.auth.stork.STORKException;
@@ -128,7 +129,7 @@ public class PepsConnectorTask extends AbstractAuthServletTask {
 
 	@Override
 	public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response)
-			throws Exception {
+			throws TaskExecutionException {
 		String pendingRequestID = null;
 
 		setNoCachingHeaders(response);
@@ -613,13 +614,14 @@ public class PepsConnectorTask extends AbstractAuthServletTask {
 			Logger.info("REDIRECT TO: " + redirectURL);
 
 		} catch (AuthenticationException e) {
-			handleError(null, e, request, response, pendingRequestID);
+			throw new TaskExecutionException(e.getMessage(), e);
 
 		} catch (MOAIDException e) {
-			handleError(null, e, request, response, pendingRequestID);
+			throw new TaskExecutionException(e.getMessage(), e);
 
 		} catch (Exception e) {
 			Logger.error("PEPSConnector has an interal Error.", e);
+			throw new TaskExecutionException(e.getMessage(), e);
 		}
 
 		finally {
-- 
cgit v1.2.3


From 7d8b6f80bb6faf33c4a19aac2d23784a8dbbddc2 Mon Sep 17 00:00:00 2001
From: Florian Reimair <florian.reimair@iaik.tugraz.at>
Date: Tue, 5 May 2015 13:01:43 +0200
Subject: refactored some code regarding multi-part SAML responses

---
 .../stork/tasks/PepsConnectorHandleResponseWithoutSignatureTask.java  | 2 +-
 .../moa/id/auth/modules/stork/tasks/PepsConnectorTask.java            | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

(limited to 'id/server/modules/module-stork/src/main/java')

diff --git a/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorHandleResponseWithoutSignatureTask.java b/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorHandleResponseWithoutSignatureTask.java
index 08da21460..aff69aa9c 100644
--- a/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorHandleResponseWithoutSignatureTask.java
+++ b/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorHandleResponseWithoutSignatureTask.java
@@ -342,7 +342,7 @@ public class PepsConnectorHandleResponseWithoutSignatureTask extends AbstractPep
 
 			// FIXME: Same here; we do not have the citizen's signature, so this code might be regarded as dead code.
 			try {
-				SZRGInsertion(moaSession, authnResponse.getPersonalAttributeList(), authnResponse.getAssertions()
+				SZRGInsertion(moaSession, attributeList, authnResponse.getAssertions()
 						.get(0).getAuthnStatements().get(0).getAuthnContext().getAuthnContextClassRef()
 						.getAuthnContextClassRef(), citizenSignature);
 			} catch (STORKException e) {
diff --git a/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorTask.java b/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorTask.java
index 81c7c3a7b..6eabc0538 100644
--- a/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorTask.java
+++ b/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorTask.java
@@ -506,7 +506,7 @@ public class PepsConnectorTask extends AbstractAuthServletTask {
 					Logger.debug("Starting connecting SZR Gateway");
 				
 					identityLink = STORKResponseProcessor.connectToSZRGateway(
-							authnResponse.getPersonalAttributeList(),
+							attributeList,
 							oaParam.getFriendlyName(), 
 							targetType, 
 							null, 
@@ -560,7 +560,7 @@ public class PepsConnectorTask extends AbstractAuthServletTask {
 			moaSession.setIdentityLink(identityLink);
 
 			Logger.debug("Adding addtional STORK attributes to MOA session");
-			moaSession.setStorkAttributes(authnResponse.getPersonalAttributeList());
+			moaSession.setStorkAttributes(attributeList);
 
 			Logger.debug("Add full STORK AuthnResponse to MOA session");
 			moaSession.setStorkAuthnResponse(request.getParameter("SAMLResponse"));
-- 
cgit v1.2.3


From b92da70a3071e1dbf910ee38ff4efbe61ecc8be6 Mon Sep 17 00:00:00 2001
From: Florian Reimair <florian.reimair@iaik.tugraz.at>
Date: Tue, 30 Jun 2015 13:55:17 +0200
Subject: handle multiple assertions with equal attributes

---
 .../modules/stork/tasks/PepsConnectorTask.java     | 22 ++++++++++++++--------
 1 file changed, 14 insertions(+), 8 deletions(-)

(limited to 'id/server/modules/module-stork/src/main/java')

diff --git a/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorTask.java b/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorTask.java
index 6eabc0538..b89571fde 100644
--- a/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorTask.java
+++ b/id/server/modules/module-stork/src/main/java/at/gv/egovernment/moa/id/auth/modules/stork/tasks/PepsConnectorTask.java
@@ -298,14 +298,20 @@ public class PepsConnectorTask extends AbstractAuthServletTask {
 			
 			Logger.debug("Found a preceeding STORK AuthnRequest to this MOA session: " + moaSessionID);
 
-
-			// first, try to fetch the attributes from the list of total attributes. Note that this very list is only filled
-			// with ALL attributes when there is more than one assertion in the SAML2 STORK message.  
-			IPersonalAttributeList attributeList = authnResponse.getTotalPersonalAttributeList();
-
-			// if the list is empty, there was just one assertion... probably
-			if(attributeList.isEmpty())
-				attributeList = authnResponse.getPersonalAttributeList();
+			// fetch attribute list from response
+			IPersonalAttributeList attributeList = authnResponse.getPersonalAttributeList();
+			if(authnResponse.getAssertions().size() > 1) {
+				for(IPersonalAttributeList currentList : authnResponse.getPersonalAttributeLists()) {
+					for(PersonalAttribute currentAttribute : currentList.values()) {
+						if(!attributeList.containsKey(currentAttribute.getName()))
+							attributeList.add((PersonalAttribute) currentAttribute.clone());
+						else {
+							if(!attributeList.get(currentAttribute.getName()).getValue().equals(currentAttribute.getValue()))
+								throw new TaskExecutionException("data integrity failure", new Exception("data integrity failure: found non-matching values in multiple attributes of type " + currentAttribute.getName()));
+						}
+					}
+				}
+			}
 
 			// //////////// incorporate gender from parameters if not in stork response
 
-- 
cgit v1.2.3