From 1b7401488933f031a68dfe929b25db86279b52d2 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Mon, 15 Feb 2016 18:12:06 +0100
Subject: First untested part: Refactor authentication modules and process
 management to Spring

---
 .../moa/id/auth/AuthenticationServer.java          |  92 ++++++----------
 ...enCardAuthenticationSpringResourceProvider.java |  63 +++++++++++
 .../AuthenticationBlockAssertionBuilder.java       |   6 +-
 .../auth/builder/StartAuthenticationBuilder.java   |  70 ------------
 .../id/auth/modules/internal/AuthModuleImpl.java   |  44 ++++++++
 .../modules/internal/DefaultAuthModuleImpl.java    |  36 -------
 .../internal/tasks/CertificateReadRequestTask.java |  74 +++++++++----
 .../internal/tasks/CreateIdentityLinkFormTask.java |  71 ++++++------
 .../modules/internal/tasks/GetForeignIDTask.java   | 102 +++++++++++-------
 .../internal/tasks/GetMISSessionIDTask.java        | 112 ++++++++++---------
 .../tasks/InitializeBKUAuthenticationTask.java     |  60 +++++------
 .../tasks/PrepareAuthBlockSignatureTask.java       |  87 +++++++++------
 .../internal/tasks/PrepareGetMISMandateTask.java   | 100 ++++++++---------
 .../tasks/VerifyAuthenticationBlockTask.java       | 119 +++++++++++----------
 .../internal/tasks/VerifyCertificateTask.java      | 106 +++++++++++-------
 .../internal/tasks/VerifyIdentityLinkTask.java     |  75 +++++++++----
 ...tizenCardAuthProcessEngineSignalController.java |  52 +++++++++
 .../moa/id/util/CitizenCardServletUtils.java       |  10 +-
 ...iz.components.spring.api.SpringResourceProvider |   1 +
 ...t.gv.egovernment.moa.id.auth.modules.AuthModule |   2 +-
 .../internal/DefaultAuthentication.process.xml     |  22 ++--
 .../resources/moaid_citizencard_auth.beans.xml     |  47 ++++++++
 .../oauth20/protocol/OAuth20AuthAction.java        |  18 ++--
 .../oauth20/protocol/OAuth20AuthRequest.java       |   8 +-
 .../oauth20/protocol/OAuth20BaseRequest.java       |   4 +-
 .../oauth20/protocol/OAuth20Protocol.java          |  73 +++++++++++--
 .../oauth20/protocol/OAuth20TokenAction.java       |  19 ++--
 .../oauth20/protocol/OAuth20TokenRequest.java      |   6 ++
 .../moa/id/protocols/saml1/GetArtifactAction.java  |  17 +--
 .../saml1/GetAuthenticationDataService.java        |  25 +++--
 .../protocols/saml1/SAML1AuthenticationServer.java |  19 ++--
 .../moa/id/protocols/saml1/SAML1Protocol.java      |  97 ++++++++---------
 .../moa/id/auth/servlet/MonitoringServlet.java     |  27 ++---
 33 files changed, 982 insertions(+), 682 deletions(-)
 create mode 100644 id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/CitizenCardAuthenticationSpringResourceProvider.java
 delete mode 100644 id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/builder/StartAuthenticationBuilder.java
 create mode 100644 id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/AuthModuleImpl.java
 delete mode 100644 id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/DefaultAuthModuleImpl.java
 create mode 100644 id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/servlet/CitizenCardAuthProcessEngineSignalController.java
 create mode 100644 id/server/modules/moa-id-modul-citizencard_authentication/src/main/resources/META-INF/services/at.gv.egiz.components.spring.api.SpringResourceProvider
 create mode 100644 id/server/modules/moa-id-modul-citizencard_authentication/src/main/resources/moaid_citizencard_auth.beans.xml

(limited to 'id/server/modules')

diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
index 11917d0c3..065f3866b 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
@@ -1,10 +1,6 @@
 package at.gv.egovernment.moa.id.auth;
 
 
-import iaik.asn1.ObjectID;
-import iaik.x509.X509Certificate;
-import iaik.x509.X509ExtensionInitException;
-
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.io.InputStream;
@@ -22,6 +18,8 @@ import javax.xml.transform.TransformerException;
 import org.apache.commons.lang.StringEscapeUtils;
 import org.apache.xpath.XPathAPI;
 import org.opensaml.xml.util.Base64;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Service;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 import org.w3c.dom.NodeList;
@@ -29,7 +27,6 @@ import org.xml.sax.SAXException;
 
 import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
 import at.gv.egovernment.moa.id.advancedlogging.MOAReversionLogger;
-import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
 import at.gv.egovernment.moa.id.auth.builder.AuthenticationBlockAssertionBuilder;
 import at.gv.egovernment.moa.id.auth.builder.BPKBuilder;
 import at.gv.egovernment.moa.id.auth.builder.CreateXMLSignatureRequestBuilder;
@@ -63,6 +60,7 @@ import at.gv.egovernment.moa.id.auth.validator.parep.client.szrgw.SZRGWConstants
 import at.gv.egovernment.moa.id.config.ConfigurationException;
 import at.gv.egovernment.moa.id.config.auth.AuthConfiguration;
 import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
+import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters;
 import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
 import at.gv.egovernment.moa.id.data.MISMandate;
 import at.gv.egovernment.moa.id.moduls.IRequest;
@@ -76,6 +74,9 @@ import at.gv.egovernment.moa.util.DateTimeUtils;
 import at.gv.egovernment.moa.util.FileUtils;
 import at.gv.egovernment.moa.util.MiscUtil;
 import at.gv.egovernment.moa.util.StringUtils;
+import iaik.asn1.ObjectID;
+import iaik.x509.X509Certificate;
+import iaik.x509.X509ExtensionInitException;
 
 /**
  * API for MOA ID Authentication Service.<br> {@link AuthenticationSession} is
@@ -85,24 +86,11 @@ import at.gv.egovernment.moa.util.StringUtils;
  * @version $Id: AuthenticationServer.java 1273 2012-02-27 14:50:18Z kstranacher
  *          $
  */
+@Service("CitizenCardAuthenticationServer")
 public class AuthenticationServer extends BaseAuthenticationServer {
 
-	/**
-	 * single instance
-	 */
-	private static AuthenticationServer instance;
-
-	/**
-	 * Returns the single instance of <code>AuthenticationServer</code>.
-	 *
-	 * @return the single instance of <code>AuthenticationServer</code>
-	 */
-	public static AuthenticationServer getInstance() {
-		if (instance == null)
-			instance = new AuthenticationServer();
-		return instance;
-	}
-
+	@Autowired private MOAReversionLogger revisionsLogger;
+	
 	/**
 	 * Constructor for AuthenticationServer.
 	 */
@@ -139,13 +127,14 @@ public class AuthenticationServer extends BaseAuthenticationServer {
 	 * @param templateMandteURL  URL providing an HTML template for the HTML form generated
 	 *                           (for signing in mandates mode)
 	 * @param req                determines the protocol used
+	 * @param pendingReq 
 	 * @param sourceID
 	 * @return HTML form
 	 * @throws AuthenticationException
 	 * @see GetIdentityLinkFormBuilder
 	 * @see InfoboxReadRequestBuilder
 	 */
-	public String startAuthentication(AuthenticationSession session, HttpServletRequest req) throws WrongParametersException,
+	public String startAuthentication(AuthenticationSession session, HttpServletRequest req, IRequest pendingReq) throws WrongParametersException,
 	AuthenticationException, ConfigurationException, BuildException {
 
 		if (session == null) {
@@ -154,7 +143,7 @@ public class AuthenticationServer extends BaseAuthenticationServer {
 
 		//load OnlineApplication configuration
 		OAAuthParameter oaParam =
-				AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(session.getPublicOAURLPrefix());
+				authConfig.getOnlineApplicationParameter(session.getPublicOAURLPrefix());
 		if (oaParam == null)
 			throw new AuthenticationException("auth.00", new Object[]{session.getPublicOAURLPrefix()});
 
@@ -172,7 +161,7 @@ public class AuthenticationServer extends BaseAuthenticationServer {
 
 		String infoboxReadRequest = "";
 
-		String domainIdentifier = AuthConfigurationProviderFactory.getInstance().getSSOTagetIdentifier().trim();
+		String domainIdentifier = authConfig.getSSOTagetIdentifier().trim();
 		if (MiscUtil.isEmpty(domainIdentifier) && session.isSsoRequested()) {
 			//do not use SSO if no Target is set
 			Logger.warn("NO SSO-Target found in configuration. Single Sign-On is deaktivated!");
@@ -209,34 +198,17 @@ public class AuthenticationServer extends BaseAuthenticationServer {
 
 
 		String dataURL = new DataURLBuilder().buildDataURL(
-				session.getAuthURL(), REQ_VERIFY_IDENTITY_LINK, session
-				.getSessionID());
+				session.getAuthURL(), REQ_VERIFY_IDENTITY_LINK, pendingReq.getRequestID());
 
 		//removed in MOAID 2.0
 		String pushInfobox = "";
 
-		//		VerifyInfoboxParameters verifyInfoboxParameters = oaParam
-		//				.getVerifyInfoboxParameters();
-		//		if (verifyInfoboxParameters != null) {
-		//			pushInfobox = verifyInfoboxParameters.getPushInfobox();
-		//			session.setPushInfobox(pushInfobox);
-		//		}
-
-		//build CertInfo request
-		//removed in MOA-ID 2.0
-		//		String certInfoRequest = new CertInfoVerifyXMLSignatureRequestBuilder()
-		//				.build();
-		//		String certInfoDataURL = new DataURLBuilder()
-		//				.buildDataURL(session.getAuthURL(), REQ_START_AUTHENTICATION,
-		//						session.getSessionID());
-
 		//get Applet Parameters
 		String appletwidth = req.getParameter(PARAM_APPLET_WIDTH);
 		String appletheigth = req.getParameter(PARAM_APPLET_HEIGTH);
 		appletheigth = StringEscapeUtils.escapeHtml(appletheigth);
 		appletwidth = StringEscapeUtils.escapeHtml(appletwidth);
 		
-		//TODO: cleanup before MOA-ID 2.1 release
 		try {
 			String htmlForm = new GetIdentityLinkFormBuilder().build(template,
 					session.getBkuURL(), infoboxReadRequest, dataURL, null,
@@ -333,7 +305,7 @@ public class AuthenticationServer extends BaseAuthenticationServer {
 		VerifyXMLSignatureResponse verifyXMLSignatureResponse = new VerifyXMLSignatureResponseParser(
 				domVerifyXMLSignatureResponse).parseData();
 
-		OAAuthParameter oaParam = AuthConfigurationProviderFactory.getInstance()
+		OAAuthParameter oaParam = authConfig
 				.getOnlineApplicationParameter(session.getPublicOAURLPrefix());
 
 		// validates the <VerifyXMLSignatureResponse>
@@ -349,7 +321,7 @@ public class AuthenticationServer extends BaseAuthenticationServer {
 		//Removed in MOA-ID 2.0
 		//verifyInfoboxes(session, infoboxReadResponseParameters, false);
 
-		MOAReversionLogger.getInstance().logEvent(pendingReq.getOnlineApplicationConfiguration(), 
+		revisionsLogger.logEvent(pendingReq.getOnlineApplicationConfiguration(), 
 				pendingReq, MOAIDEventConstants.AUTHPROCESS_IDL_VALIDATED);
 		
 		return "found!";
@@ -406,7 +378,7 @@ public class AuthenticationServer extends BaseAuthenticationServer {
 		AuthConfiguration authConf = AuthConfigurationProviderFactory
 				.getInstance();
 
-		OAAuthParameter oaParam = AuthConfigurationProviderFactory.getInstance()
+		OAAuthParameter oaParam = authConfig
 				.getOnlineApplicationParameter(session.getPublicOAURLPrefix());
 
 		String returnvalue = getCreateXMLSignatureRequestAuthBlockOrRedirect(session,
@@ -441,7 +413,7 @@ public class AuthenticationServer extends BaseAuthenticationServer {
 			throw new AuthenticationException("auth.10", new Object[]{
 					GET_MIS_SESSIONID, PARAM_SESSIONID});
 
-		OAAuthParameter oaParam = AuthConfigurationProviderFactory.getInstance()
+		OAAuthParameter oaParam = authConfig
 				.getOnlineApplicationParameter(session.getPublicOAURLPrefix());
 
 		try {
@@ -480,7 +452,7 @@ public class AuthenticationServer extends BaseAuthenticationServer {
 	 */
 	public String getCreateXMLSignatureRequestAuthBlockOrRedirect(
 			AuthenticationSession session, AuthConfiguration authConf,
-			OAAuthParameter oaParam, IRequest pendingReq) throws ConfigurationException,
+			IOAAuthParameters oaParam, IRequest pendingReq) throws ConfigurationException,
 			BuildException, ValidateException {
 
 		//        // check for intermediate processing of the infoboxes
@@ -488,9 +460,9 @@ public class AuthenticationServer extends BaseAuthenticationServer {
 		//            return "Redirect to Input Processor";
 
 		if (authConf == null)
-			authConf = AuthConfigurationProviderFactory.getInstance();
+			authConf = authConfig;
 		if (oaParam == null)
-			oaParam = AuthConfigurationProviderFactory.getInstance()
+			oaParam = authConfig
 			.getOnlineApplicationParameter(
 					session.getPublicOAURLPrefix());
 
@@ -529,7 +501,7 @@ public class AuthenticationServer extends BaseAuthenticationServer {
 		AuthConfiguration authConf = AuthConfigurationProviderFactory
 				.getInstance();
 
-		OAAuthParameter oaParam = AuthConfigurationProviderFactory.getInstance()
+		OAAuthParameter oaParam = authConfig
 				.getOnlineApplicationParameter(session.getPublicOAURLPrefix());
 
 		return getCreateXMLSignatureRequestForeigID(session, authConf, oaParam,
@@ -546,9 +518,9 @@ public class AuthenticationServer extends BaseAuthenticationServer {
 		//            return "Redirect to Input Processor";
 
 		if (authConf == null)
-			authConf = AuthConfigurationProviderFactory.getInstance();
+			authConf = authConfig;
 		if (oaParam == null)
-			oaParam = AuthConfigurationProviderFactory.getInstance()
+			oaParam = authConfig
 			.getOnlineApplicationParameter(
 					session.getPublicOAURLPrefix());
 
@@ -634,15 +606,11 @@ public class AuthenticationServer extends BaseAuthenticationServer {
 	 *                                      including the <code>&lt;ReadInfoboxResponse&gt;</code>
 	 * @throws BKUException
 	 */
-	public X509Certificate getCertificate(IRequest pendingReq, String sessionID,
+	public X509Certificate getCertificate(IRequest pendingReq,
 			Map<String, String> readInfoboxResponseParameters) throws AuthenticationException,
 			BuildException, ParseException, ConfigurationException,
 			ValidateException, ServiceException, BKUException {
 
-		if (isEmpty(sessionID))
-			throw new AuthenticationException("auth.10", new Object[]{
-					REQ_VERIFY_CERTIFICATE, PARAM_SESSIONID});
-
 		String xmlReadInfoboxResponse = (String) readInfoboxResponseParameters
 				.get(PARAM_XMLRESPONSE);
 
@@ -655,7 +623,7 @@ public class AuthenticationServer extends BaseAuthenticationServer {
 				xmlReadInfoboxResponse);
 		X509Certificate cert = p.parseCertificate();
 
-		MOAReversionLogger.getInstance().logEvent(pendingReq.getOnlineApplicationConfiguration(), 
+		revisionsLogger.logEvent(pendingReq.getOnlineApplicationConfiguration(), 
 				pendingReq, MOAIDEventConstants.AUTHPROCESS_CERTIFICATE_VALIDATED);
 		
 		return cert;
@@ -673,7 +641,7 @@ public class AuthenticationServer extends BaseAuthenticationServer {
 	 *                        to be appended to the AUTH-Block.
 	 */
 	private String buildAuthenticationBlock(AuthenticationSession session,
-			OAAuthParameter oaParam, IRequest pendingReq) throws BuildException {
+			IOAAuthParameters oaParam, IRequest pendingReq) throws BuildException {
 
 		IdentityLink identityLink = session.getIdentityLink();
 		String issuer = identityLink.getName();
@@ -1121,7 +1089,7 @@ public class AuthenticationServer extends BaseAuthenticationServer {
 			}
 		}
 
-		OAAuthParameter oaParam = AuthConfigurationProviderFactory.getInstance()
+		OAAuthParameter oaParam = authConfig
 				.getOnlineApplicationParameter(session.getPublicOAURLPrefix());
 
 		// validates the <VerifyXMLSignatureResponse>
@@ -1163,10 +1131,10 @@ public class AuthenticationServer extends BaseAuthenticationServer {
 		//set QAA Level four in case of card authentifcation
 		session.setQAALevel(PVPConstants.STORK_QAA_1_4);
 		
-		MOAReversionLogger.getInstance().logEvent(pendingReq.getOnlineApplicationConfiguration(), 
+		revisionsLogger.logEvent(pendingReq.getOnlineApplicationConfiguration(), 
 				pendingReq, MOAIDEventConstants.AUTHPROCESS_AUTHBLOCK_VALIDATED);
 		
-		MOAReversionLogger.getInstance().logPersonalInformationEvent(pendingReq, session.getIdentityLink() 
+		revisionsLogger.logPersonalInformationEvent(pendingReq, session.getIdentityLink() 
 				);
 	}
 
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/CitizenCardAuthenticationSpringResourceProvider.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/CitizenCardAuthenticationSpringResourceProvider.java
new file mode 100644
index 000000000..18bf5a1ba
--- /dev/null
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/CitizenCardAuthenticationSpringResourceProvider.java
@@ -0,0 +1,63 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth;
+
+import org.springframework.core.io.ClassPathResource;
+import org.springframework.core.io.Resource;
+
+import at.gv.egiz.components.spring.api.SpringResourceProvider;
+
+/**
+ * @author tlenz
+ *
+ */
+public class CitizenCardAuthenticationSpringResourceProvider implements SpringResourceProvider {
+
+	/* (non-Javadoc)
+	 * @see at.gv.egiz.components.spring.api.SpringResourceProvider#getResourcesToLoad()
+	 */
+	@Override
+	public Resource[] getResourcesToLoad() {
+		ClassPathResource citizenCardAuthConfig = new ClassPathResource("/moaid_citizencard_auth.beans.xml", MOAIDAuthSpringResourceProvider.class);					
+		
+		return new Resource[] {citizenCardAuthConfig};	
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egiz.components.spring.api.SpringResourceProvider#getPackagesToScan()
+	 */
+	@Override
+	public String[] getPackagesToScan() {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egiz.components.spring.api.SpringResourceProvider#getName()
+	 */
+	@Override
+	public String getName() {
+		return "MOA-ID-CitizenCardAuthentication SpringResourceProvider";
+	}
+
+}
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java
index 760d28d5b..79f407ca3 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java
@@ -175,7 +175,7 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion
     String gebDat,
     List<ExtendedSAMLAttribute> extendedSAMLAttributes,
     AuthenticationSession session,
-    OAAuthParameter oaParam)
+    IOAAuthParameters oaParam2)
   throws BuildException
   
   {
@@ -193,7 +193,7 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion
          
          //adding type of wbPK domain identifier        
         ExtendedSAMLAttribute idLinkDomainIdentifierTypeAttribute = 
-             new ExtendedSAMLAttributeImpl("IdentityLinkDomainIdentifierType", oaParam.getIdentityLinkDomainIdentifierType(), Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY);
+             new ExtendedSAMLAttributeImpl("IdentityLinkDomainIdentifierType", oaParam2.getIdentityLinkDomainIdentifierType(), Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY);
             
         extendedSAMLAttributes.add(idLinkDomainIdentifierTypeAttribute);
          
@@ -255,7 +255,7 @@ public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertion
     }
     
     //adding friendly name of OA    
-    String oaFriendlyName = StringUtils.isEmpty(oaParam.getFriendlyName()) ? "" : oaParam.getFriendlyName(); 
+    String oaFriendlyName = StringUtils.isEmpty(oaParam2.getFriendlyName()) ? "" : oaParam2.getFriendlyName(); 
     
     ExtendedSAMLAttribute oaFriendlyNameAttribute = 
          new ExtendedSAMLAttributeImpl("oaFriendlyName", oaFriendlyName, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY);
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/builder/StartAuthenticationBuilder.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/builder/StartAuthenticationBuilder.java
deleted file mode 100644
index 5c1b12e0d..000000000
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/builder/StartAuthenticationBuilder.java
+++ /dev/null
@@ -1,70 +0,0 @@
-/*******************************************************************************
- * Copyright 2014 Federal Chancellery Austria
- * MOA-ID has been developed in a cooperation between BRZ, the Federal
- * Chancellery Austria - ICT staff unit, and Graz University of Technology.
- * 
- * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
- * the European Commission - subsequent versions of the EUPL (the "Licence");
- * You may not use this work except in compliance with the Licence.
- * You may obtain a copy of the Licence at:
- * http://www.osor.eu/eupl/
- * 
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the Licence is distributed on an "AS IS" basis,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the Licence for the specific language governing permissions and
- * limitations under the Licence.
- * 
- * This product combines work with different licenses. See the "NOTICE" text
- * file for details on the various modules and licenses.
- * The "NOTICE" text file is part of the distribution. Any derivative works
- * that you distribute must include a readable copy of the "NOTICE" text file.
- ******************************************************************************/
-package at.gv.egovernment.moa.id.auth.builder;
-
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import at.gv.egovernment.moa.id.auth.AuthenticationServer;
-import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
-import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
-import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
-import at.gv.egovernment.moa.id.auth.exception.WrongParametersException;
-import at.gv.egovernment.moa.logging.Logger;
-
-public class StartAuthenticationBuilder {
-
-	private static StartAuthenticationBuilder instance = null;
-	
-	public static StartAuthenticationBuilder getInstance() {
-		if (instance == null) {
-			instance = new StartAuthenticationBuilder();
-		}
-		return instance;
-	}
-	
-	
-	/**
-	 * Depending on the selected citizen's country ({@code moasession.ccc}):
-	 * <ul>
-	 * <li><strong>Either</strong> creates an "IdentityLinkForm" with embedded {@code InfoBoxReadRequest} to be submitted to a citizen card
-	 * environment for reading the subject's IdentityLink</li>
-	 * </ul>
-	 * 
-	 * @return The IdentityLinkForm.
-	 */
-	public String build(AuthenticationSession moasession, HttpServletRequest req,
-			HttpServletResponse resp) throws WrongParametersException, MOAIDException {
-		
-		if (moasession == null) {
-			throw new AuthenticationException("auth.18", new Object[] { });
-		}
-		  
-    	//normal MOA-ID authentication
-    	Logger.debug("Starting normal MOA-ID authentication");
-	    			    	    	
-    	String getIdentityLinkForm = AuthenticationServer.getInstance().startAuthentication(moasession, req);	   
-
-    	return getIdentityLinkForm;
-	}
-}
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/AuthModuleImpl.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/AuthModuleImpl.java
new file mode 100644
index 000000000..29118ac17
--- /dev/null
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/AuthModuleImpl.java
@@ -0,0 +1,44 @@
+package at.gv.egovernment.moa.id.auth.modules.internal;
+
+
+import org.apache.commons.lang3.StringUtils;
+
+import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
+import at.gv.egovernment.moa.id.auth.modules.AuthModule;
+import at.gv.egovernment.moa.id.process.api.ExecutionContext;
+
+/**
+ * Module descriptor
+ */
+public class AuthModuleImpl implements AuthModule {
+
+	@Override
+	public int getPriority() {
+		return 0;
+	}
+
+	@Override
+	public String selectProcess(ExecutionContext context) {		
+		//select process if BKU is selected and it is no STORK authentication
+		
+		boolean performBKUSelection = false;
+		Object performBKUSelectionObj = context.get("performBKUSelection");
+		if (performBKUSelectionObj != null && performBKUSelectionObj instanceof Boolean)
+			performBKUSelection = (boolean) performBKUSelectionObj;
+		
+		if (StringUtils.isBlank((String) context.get("ccc")) && 
+				StringUtils.isNotBlank((String) context.get(MOAIDAuthConstants.PARAM_BKU)) &&
+				 	!performBKUSelection)
+			return "DefaultAuthentication";
+		
+		else
+			return null;
+		
+	}
+
+	@Override
+	public String[] getProcessDefinitions() {
+		return new String[] { "classpath:at/gv/egovernment/moa/id/auth/modules/internal/DefaultAuthentication.process.xml" };
+	}
+
+}
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/DefaultAuthModuleImpl.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/DefaultAuthModuleImpl.java
deleted file mode 100644
index cac7359c7..000000000
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/DefaultAuthModuleImpl.java
+++ /dev/null
@@ -1,36 +0,0 @@
-package at.gv.egovernment.moa.id.auth.modules.internal;
-
-import org.apache.commons.lang3.StringUtils;
-
-import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
-import at.gv.egovernment.moa.id.auth.modules.AuthModule;
-import at.gv.egovernment.moa.id.process.api.ExecutionContext;
-
-/**
- * Module descriptor
- */
-public class DefaultAuthModuleImpl implements AuthModule {
-
-	@Override
-	public int getPriority() {
-		return 0;
-	}
-
-	@Override
-	public String selectProcess(ExecutionContext context) {		
-		//select process if BKU is selected and it is no STORK authentication
-		if (StringUtils.isBlank((String) context.get("ccc")) && 
-				StringUtils.isNotBlank((String) context.get(MOAIDAuthConstants.PARAM_BKU)))
-			return "DefaultAuthentication";
-		
-		else
-			return null;
-		
-	}
-
-	@Override
-	public String[] getProcessDefinitions() {
-		return new String[] { "classpath:at/gv/egovernment/moa/id/auth/modules/internal/DefaultAuthentication.process.xml" };
-	}
-
-}
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/CertificateReadRequestTask.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/CertificateReadRequestTask.java
index 7e1bf1fc7..6ff0177ac 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/CertificateReadRequestTask.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/CertificateReadRequestTask.java
@@ -1,6 +1,7 @@
 package at.gv.egovernment.moa.id.auth.modules.internal.tasks;
 
-import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.*;
+import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.PARAM_TARGET_PENDINGREQUESTID;
+import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.REQ_VERIFY_CERTIFICATE;
 
 import java.io.IOException;
 
@@ -9,22 +10,24 @@ import javax.servlet.http.HttpServletResponse;
 
 import org.apache.commons.lang.StringEscapeUtils;
 import org.apache.commons.lang3.BooleanUtils;
+import org.apache.commons.lang3.ObjectUtils;
+import org.springframework.stereotype.Service;
 
 import at.gv.egovernment.moa.id.auth.AuthenticationServer;
+import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
 import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder;
 import at.gv.egovernment.moa.id.auth.builder.InfoboxReadRequestBuilderCertificate;
 import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
 import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
 import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
-import at.gv.egovernment.moa.id.auth.exception.WrongParametersException;
 import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
 import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
-
+import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
+import at.gv.egovernment.moa.id.moduls.IRequest;
 import at.gv.egovernment.moa.id.process.api.ExecutionContext;
-import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage;
 import at.gv.egovernment.moa.id.util.CitizenCardServletUtils;
-import at.gv.egovernment.moa.id.util.ParamValidatorUtils;
 import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
 
 /**
  * Creates {@code InfoBoxReadRequest} in order to read the subject's certificates.<p/>
@@ -46,44 +49,69 @@ import at.gv.egovernment.moa.logging.Logger;
  * @see #execute(ExecutionContext, HttpServletRequest, HttpServletResponse)
  *
  */
+@Service("CertificateReadRequestTask")
 public class CertificateReadRequestTask extends AbstractAuthServletTask {
 
 	@Override
 	public void execute(ExecutionContext executionContext, HttpServletRequest req, HttpServletResponse resp)
 			throws TaskExecutionException {
-
-		// TODO[branch]: Foreign citizen or mandate mode; respond with IRR for certificates, dataURL = "/VerifyCertificate"
-		Logger.info("Send InfoboxReadRequest to BKU to get signer certificate.");
-
-		setNoCachingHeaders(resp);		
+		Logger.debug("Send InfoboxReadRequest to BKU to get signer certificate.");
+					
 		try {
+			String pendingRequestID = StringEscapeUtils.escapeHtml(
+					ObjectUtils.defaultIfNull(
+							req.getParameter(PARAM_TARGET_PENDINGREQUESTID), 
+							(String) executionContext.get(PARAM_TARGET_PENDINGREQUESTID)));
+			
+			if (MiscUtil.isEmpty(pendingRequestID)) {				
+				Logger.info("No PendingRequestID received");
+				throw new MOAIDException("auth.10", new Object[]{"VerifyIdentityLink", "pendingRequestID"});
+			}
+			
+			IRequest pendingReq = requestStoreage.getPendingRequest(pendingRequestID);	
 		
-			String sessionID = StringEscapeUtils.escapeHtml(req.getParameter(PARAM_SESSIONID));
+			if (pendingReq == null) {
+				Logger.info("No PendingRequest with Id: " + pendingRequestID + " Maybe, a transaction timeout occure.");
+				throw new MOAIDException("auth.28", new Object[]{pendingRequestID});
+				
+			}
+						
+			//change pending-request ID
+			String newPendingRequestID = requestStoreage.changePendingRequestID(pendingReq);
+			executionContext.put(MOAIDAuthConstants.PARAM_TARGET_PENDINGREQUESTID, newPendingRequestID);
+									
+			AuthenticationSession moasession = null;;
+			try {			
+				moasession  = authenticatedSessionStorage.getSession(pendingReq.getMOASessionIdentifier());
 			
-			// check parameter
-			if (!ParamValidatorUtils.isValidSessionID(sessionID)) {
-				throw new WrongParametersException("CertificateReadRequestTask", PARAM_SESSIONID, "auth.12");
+				if (moasession == null) {
+					Logger.warn("MOASessionID is empty.");
+					throw new MOAIDException("auth.18", new Object[] {});
+				}
+				
+			} catch (MOADatabaseException e) {
+				Logger.info("MOASession with SessionID=" + pendingReq.getMOASessionIdentifier() + " is not found in Database");
+				throw new MOAIDException("init.04", new Object[] { pendingReq.getMOASessionIdentifier() });
+
+			} catch (Throwable e) {
+				Logger.info("No HTTP Session found!");
+				throw new MOAIDException("auth.18", new Object[] {});
 			}
-
-			AuthenticationSession session = AuthenticationServer.getSession(sessionID);
-
-			boolean useMandate = session.getUseMandate();
+		
+			boolean useMandate = moasession.getUseMandate();
 			boolean identityLinkAvailable = BooleanUtils.isTrue((Boolean) executionContext.get("identityLinkAvailable"));
 			
 			if (!identityLinkAvailable && useMandate) {
 				Logger.error("Online-Mandate Mode for foreign citizencs not supported.");
 				throw new AuthenticationException("auth.13", null);
 			}
-
-			// change MOASessionID
-			AuthenticationSessionStoreage.changeSessionID(session);
 			
 			// create the InfoboxReadRequest to get the certificate
 			String infoboxReadRequest = new InfoboxReadRequestBuilderCertificate().build(true);
 
 			// build dataurl (to the VerifyCertificateSerlvet)
-			String dataurl = new DataURLBuilder().buildDataURL(session.getAuthURL(), REQ_VERIFY_CERTIFICATE,
-					session.getSessionID());
+			String dataurl = new DataURLBuilder().buildDataURL(pendingReq.getAuthURL(), REQ_VERIFY_CERTIFICATE,
+					pendingReq.getRequestID());
 
 			CitizenCardServletUtils.writeCreateXMLSignatureRequest(resp, infoboxReadRequest,
 					AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyIdentityLink", dataurl);
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/CreateIdentityLinkFormTask.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/CreateIdentityLinkFormTask.java
index 307074ee2..ef17700d3 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/CreateIdentityLinkFormTask.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/CreateIdentityLinkFormTask.java
@@ -1,33 +1,28 @@
 package at.gv.egovernment.moa.id.auth.modules.internal.tasks;
 
-import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.PARAM_SESSIONID;
-
 import java.io.PrintWriter;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
-import org.apache.commons.lang.StringEscapeUtils;
 import org.apache.commons.lang3.BooleanUtils;
-import org.apache.commons.lang3.ObjectUtils;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Qualifier;
+import org.springframework.stereotype.Service;
 
 import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
-import at.gv.egovernment.moa.id.advancedlogging.MOAReversionLogger;
 import at.gv.egovernment.moa.id.advancedlogging.TransactionIDUtils;
-import at.gv.egovernment.moa.id.auth.builder.StartAuthenticationBuilder;
+import at.gv.egovernment.moa.id.auth.AuthenticationServer;
+import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
 import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
 import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
 import at.gv.egovernment.moa.id.auth.exception.WrongParametersException;
 import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
 import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
-import at.gv.egovernment.moa.id.auth.servlet.GenerateIFrameTemplateServlet;
 import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
 import at.gv.egovernment.moa.id.moduls.IRequest;
-import at.gv.egovernment.moa.id.moduls.RequestStorage;
 import at.gv.egovernment.moa.id.process.api.ExecutionContext;
-import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage;
 import at.gv.egovernment.moa.logging.Logger;
-import at.gv.egovernment.moa.util.MiscUtil;
 import at.gv.egovernment.moa.util.StringUtils;
 
 /**
@@ -62,46 +57,60 @@ import at.gv.egovernment.moa.util.StringUtils;
  * @see #execute(ExecutionContext, HttpServletRequest, HttpServletResponse)
  *
  */
+@Service("CreateIdentityLinkFormTask")
 public class CreateIdentityLinkFormTask extends AbstractAuthServletTask {
 
+	@Autowired @Qualifier("CitizenCardAuthenticationServer") private AuthenticationServer authServer;
+	
 	@Override
 	public void execute(ExecutionContext executionContext, HttpServletRequest req, HttpServletResponse resp)
-			throws TaskExecutionException {
-
-		String moasessionid = StringEscapeUtils.escapeHtml(ObjectUtils.defaultIfNull(req.getParameter(PARAM_SESSIONID), (String) executionContext.get(PARAM_SESSIONID)));
-		AuthenticationSession moasession = null;
+			throws TaskExecutionException {		
 		try {
 			
-			if (MiscUtil.isEmpty(moasessionid)) {
-				Logger.warn("MOASessionID is empty.");
-				throw new MOAIDException("auth.18", new Object[] {});
+			IRequest pendingReq = requestStoreage.getPendingRequest(
+					(String) executionContext.get(MOAIDAuthConstants.PARAM_TARGET_PENDINGREQUESTID));	
+		
+			if (pendingReq == null) {
+				Logger.info("No PendingRequest with Id: " + executionContext.get("pendingRequestID") + " Maybe, a transaction timeout occure.");
+				throw new MOAIDException("auth.28", new Object[]{executionContext.get("pendingRequestID")});
+				
 			}
 			
+			//change pending-request ID
+			String newPendingRequestID = requestStoreage.changePendingRequestID(pendingReq);
+			executionContext.put(MOAIDAuthConstants.PARAM_TARGET_PENDINGREQUESTID, newPendingRequestID);
+			
+			AuthenticationSession moasession = null;;
 			try {			
-				moasession = AuthenticationSessionStoreage.getSession(moasessionid);
-
-				AuthenticationSessionStoreage.changeSessionID(moasession);
-				executionContext.remove(PARAM_SESSIONID);
+				moasession  = authenticatedSessionStorage.getSession(pendingReq.getMOASessionIdentifier());
 			
+				if (moasession == null) {
+					Logger.warn("MOASessionID is empty.");
+					throw new MOAIDException("auth.18", new Object[] {});
+				}
+				
 			} catch (MOADatabaseException e) {
-				Logger.info("MOASession with SessionID=" + moasessionid + " is not found in Database");
-				throw new MOAIDException("init.04", new Object[] { moasessionid });
+				Logger.info("MOASession with SessionID=" + pendingReq.getMOASessionIdentifier() + " is not found in Database");
+				throw new MOAIDException("init.04", new Object[] { pendingReq.getMOASessionIdentifier() });
 
 			} catch (Throwable e) {
 				Logger.info("No HTTP Session found!");
 				throw new MOAIDException("auth.18", new Object[] {});
 			}
+			
+			
+	
+			
+			
+	    	//normal MOA-ID authentication
+	    	Logger.debug("Starting normal MOA-ID authentication");		    			    	    	
+	    	String getIdentityLinkForm = authServer.startAuthentication(moasession, req, pendingReq);	   
 
-			StartAuthenticationBuilder startauth = StartAuthenticationBuilder.getInstance();
-			String getIdentityLinkForm = startauth.build(moasession, req, resp);
-
-			IRequest pendingReq = RequestStorage.getPendingRequest(
-					(String) executionContext.get("pendingRequestID"));
 			
 			if (BooleanUtils.isTrue((Boolean) executionContext.get("useMandate")))
-				MOAReversionLogger.getInstance().logEvent(pendingReq.getOnlineApplicationConfiguration(), 
+				revisionsLogger.logEvent(pendingReq.getOnlineApplicationConfiguration(), 
 						pendingReq, MOAIDEventConstants.AUTHPROCESS_MANDATES_REQUESTED);			
-			MOAReversionLogger.getInstance().logEvent(pendingReq.getOnlineApplicationConfiguration(), 
+				revisionsLogger.logEvent(pendingReq.getOnlineApplicationConfiguration(), 
 					pendingReq, MOAIDEventConstants.AUTHPROCESS_BKU_URL, moasession.getBkuURL());
 			
 			if (!StringUtils.isEmpty(getIdentityLinkForm)) {
@@ -109,7 +118,7 @@ public class CreateIdentityLinkFormTask extends AbstractAuthServletTask {
 				PrintWriter out = new PrintWriter(resp.getOutputStream());
 				out.print(getIdentityLinkForm);
 				out.flush();
-				Logger.debug("Finished GET " + GenerateIFrameTemplateServlet.class);
+				Logger.debug("Finished GET " + CreateIdentityLinkFormTask.class);
 			}
 			
 		} catch (WrongParametersException ex) {
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/GetForeignIDTask.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/GetForeignIDTask.java
index b729f26e1..5c88afc56 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/GetForeignIDTask.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/GetForeignIDTask.java
@@ -1,6 +1,8 @@
 package at.gv.egovernment.moa.id.auth.modules.internal.tasks;
 
-import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.*;
+import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.PARAM_TARGET_PENDINGREQUESTID;
+import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.PARAM_XMLRESPONSE;
+import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.REQ_VERIFY_AUTH_BLOCK;
 
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
@@ -13,12 +15,15 @@ import javax.xml.transform.TransformerException;
 
 import org.apache.commons.fileupload.FileUploadException;
 import org.apache.commons.lang.StringEscapeUtils;
+import org.apache.commons.lang3.ObjectUtils;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Qualifier;
+import org.springframework.stereotype.Service;
 import org.w3c.dom.Element;
 
 import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
-import at.gv.egovernment.moa.id.advancedlogging.MOAReversionLogger;
 import at.gv.egovernment.moa.id.auth.AuthenticationServer;
-import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder;
+import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
 import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
 import at.gv.egovernment.moa.id.auth.data.CreateXMLSignatureResponse;
 import at.gv.egovernment.moa.id.auth.data.IdentityLink;
@@ -33,14 +38,12 @@ import at.gv.egovernment.moa.id.client.SZRGWClientException;
 import at.gv.egovernment.moa.id.client.utils.SZRGWClientUtils;
 import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
 import at.gv.egovernment.moa.id.moduls.IRequest;
-import at.gv.egovernment.moa.id.moduls.ModulUtils;
-import at.gv.egovernment.moa.id.moduls.RequestStorage;
 import at.gv.egovernment.moa.id.process.api.ExecutionContext;
 import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
-import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage;
 import at.gv.egovernment.moa.id.util.ParamValidatorUtils;
 import at.gv.egovernment.moa.logging.Logger;
 import at.gv.egovernment.moa.util.DOMUtils;
+import at.gv.egovernment.moa.util.MiscUtil;
 import at.gv.util.xsd.srzgw.CreateIdentityLinkResponse;
 
 /**
@@ -68,16 +71,17 @@ import at.gv.util.xsd.srzgw.CreateIdentityLinkResponse;
  * @see #execute(ExecutionContext, HttpServletRequest, HttpServletResponse)
  *
  */
+@Service("GetForeignIDTask")
 public class GetForeignIDTask extends AbstractAuthServletTask {
 
+	@Autowired @Qualifier("CitizenCardAuthenticationServer") private AuthenticationServer authServer;
+	
 	@Override
 	public void execute(ExecutionContext executionContext, HttpServletRequest req, HttpServletResponse resp)
 			throws TaskExecutionException {
 
 		Logger.debug("POST GetForeignIDServlet");
 
-		setNoCachingHeaders(resp);
-
 		Map<String, String> parameters;
 
 		try {
@@ -88,30 +92,53 @@ public class GetForeignIDTask extends AbstractAuthServletTask {
 			throw new TaskExecutionException("Parsing mulitpart/form-data request parameters failed", new IOException(e.getMessage()));
 		}
 		
-		String sessionID = StringEscapeUtils.escapeHtml(req.getParameter(PARAM_SESSIONID));
-		String pendingRequestID = null;
-		String redirectURL = null;
-		AuthenticationSession session = null;
 		try {
-			// check parameter
-			if (!ParamValidatorUtils.isValidSessionID(sessionID)) {
-				throw new WrongParametersException("GetForeignID", PARAM_SESSIONID, "auth.12");
+			String pendingRequestID = StringEscapeUtils.escapeHtml(
+					ObjectUtils.defaultIfNull(
+							req.getParameter(PARAM_TARGET_PENDINGREQUESTID), 
+							(String) executionContext.get(PARAM_TARGET_PENDINGREQUESTID)));
+			
+			if (MiscUtil.isEmpty(pendingRequestID)) {				
+				Logger.info("No PendingRequestID received");
+				throw new MOAIDException("auth.10", new Object[]{"VerifyIdentityLink", "pendingRequestID"});
 			}
+			
 			String xmlCreateXMLSignatureResponse = (String) parameters.get(PARAM_XMLRESPONSE);
 			if (!ParamValidatorUtils.isValidXMLDocument(xmlCreateXMLSignatureResponse)) {
 				throw new WrongParametersException("GetForeignID", PARAM_XMLRESPONSE, "auth.12");
 			}
-			pendingRequestID = AuthenticationSessionStoreage.getPendingRequestID(sessionID);
-			session = AuthenticationServer.getSession(sessionID);
-
-			IRequest pendingReq = RequestStorage.getPendingRequest(
-					(String) executionContext.get("pendingRequestID"));			
-			MOAReversionLogger.getInstance().logEvent(pendingReq.getOnlineApplicationConfiguration(), 
-					pendingReq, MOAIDEventConstants.AUTHPROCESS_BKU_DATAURL_IP, req.getRemoteHost());
 			
-			// change MOASessionID
-			sessionID = AuthenticationSessionStoreage.changeSessionID(session);
+			IRequest pendingReq = requestStoreage.getPendingRequest(pendingRequestID);	
+		
+			if (pendingReq == null) {
+				Logger.info("No PendingRequest with Id: " + pendingRequestID + " Maybe, a transaction timeout occure.");
+				throw new MOAIDException("auth.28", new Object[]{pendingRequestID});
+				
+			}
+						
+			//change pending-request ID
+			String newPendingRequestID = requestStoreage.changePendingRequestID(pendingReq);
+			executionContext.put(MOAIDAuthConstants.PARAM_TARGET_PENDINGREQUESTID, newPendingRequestID);
+									
+			AuthenticationSession moasession = null;;
+			try {			
+				moasession  = authenticatedSessionStorage.getSession(pendingReq.getMOASessionIdentifier());
+			
+				if (moasession == null) {
+					Logger.warn("MOASessionID is empty.");
+					throw new MOAIDException("auth.18", new Object[] {});
+				}
+				
+			} catch (MOADatabaseException e) {
+				Logger.info("MOASession with SessionID=" + pendingReq.getMOASessionIdentifier() + " is not found in Database");
+				throw new MOAIDException("init.04", new Object[] { pendingReq.getMOASessionIdentifier() });
 
+			} catch (Throwable e) {
+				Logger.info("No HTTP Session found!");
+				throw new MOAIDException("auth.18", new Object[] {});
+			}
+			
+			
 			Logger.debug(xmlCreateXMLSignatureResponse);
 
 			CreateXMLSignatureResponse csresp = new CreateXMLSignatureResponseParser(xmlCreateXMLSignatureResponse)
@@ -119,7 +146,7 @@ public class GetForeignIDTask extends AbstractAuthServletTask {
 
 			try {
 				String serializedAssertion = DOMUtils.serializeNode(csresp.getDsigSignature());
-				session.setAuthBlock(serializedAssertion);
+				moasession.setAuthBlock(serializedAssertion);
 
 			} catch (TransformerException e) {
 				throw new ParseException("parser.04", new Object[] { REQ_VERIFY_AUTH_BLOCK, PARAM_XMLRESPONSE });
@@ -132,13 +159,14 @@ public class GetForeignIDTask extends AbstractAuthServletTask {
 			Element signature = csresp.getDsigSignature();
 
 			try {
-				session.setSignerCertificate(AuthenticationServer.getCertificateFromXML(signature));
+				moasession.setSignerCertificate(AuthenticationServer.getCertificateFromXML(signature));
+				
 			} catch (CertificateException e) {
 				Logger.error("Could not extract certificate from CreateXMLSignatureResponse");
 				throw new MOAIDException("auth.14", null);
 			}
 
-			MOAReversionLogger.getInstance().logEvent(pendingReq.getOnlineApplicationConfiguration(), 
+			revisionsLogger.logEvent(pendingReq.getOnlineApplicationConfiguration(), 
 					pendingReq, MOAIDEventConstants.AUTHPROCESS_FOREIGN_SZRGW_CONNECTED);
 			
 			// make SZR request to the identity link
@@ -152,30 +180,24 @@ public class GetForeignIDTask extends AbstractAuthServletTask {
 				IdentityLinkAssertionParser ilParser = new IdentityLinkAssertionParser(new ByteArrayInputStream(
 						response.getIdentityLink()));
 				IdentityLink identitylink = ilParser.parseIdentityLink();
-				session.setIdentityLink(identitylink);
+				moasession.setIdentityLink(identitylink);
 
 				// set QAA Level four in case of card authentifcation
-				session.setQAALevel(PVPConstants.STORK_QAA_1_4);
-
-				AuthenticationServer.getInstance().getForeignAuthenticationData(session);
-
-				// session is implicit stored in changeSessionID!!!!
-				String newMOASessionID = AuthenticationSessionStoreage.changeSessionID(session);
+				moasession.setQAALevel(PVPConstants.STORK_QAA_1_4);
 
-				Logger.info("Changed MOASession " + sessionID + " to Session " + newMOASessionID);
-				Logger.info("Daten angelegt zu MOASession " + newMOASessionID);
+				authServer.getForeignAuthenticationData(moasession);
 				
-				MOAReversionLogger.getInstance().logEvent(pendingReq.getOnlineApplicationConfiguration(), 
+				revisionsLogger.logEvent(pendingReq.getOnlineApplicationConfiguration(), 
 						pendingReq, MOAIDEventConstants.AUTHPROCESS_FOREIGN_SZRGW_RECEIVED);
 				
 				try {
-					AuthenticationSessionStoreage.storeSession(session);
+					authenticatedSessionStorage.storeSession(moasession);
+					
 				} catch (MOADatabaseException e) {
 					throw new MOAIDException("Session store error", null);
 				}
 
-				//put session to context 
-				executionContext.put(PARAM_SESSIONID, session.getSessionID());
+ 
 			}
 
 		} catch (MOAIDException ex) {
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/GetMISSessionIDTask.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/GetMISSessionIDTask.java
index d85681b40..938b4ce77 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/GetMISSessionIDTask.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/GetMISSessionIDTask.java
@@ -1,7 +1,7 @@
 package at.gv.egovernment.moa.id.auth.modules.internal.tasks;
 
-import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.*;
-import iaik.pki.PKIException;
+import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.GET_MIS_SESSIONID;
+import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.PARAM_TARGET_PENDINGREQUESTID;
 
 import java.security.GeneralSecurityException;
 import java.util.List;
@@ -12,34 +12,31 @@ import javax.servlet.http.HttpServletResponse;
 import javax.xml.parsers.ParserConfigurationException;
 
 import org.apache.commons.lang.StringEscapeUtils;
+import org.apache.commons.lang3.ObjectUtils;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Qualifier;
+import org.springframework.stereotype.Service;
 import org.xml.sax.SAXException;
 
 import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
-import at.gv.egovernment.moa.id.advancedlogging.MOAReversionLogger;
 import at.gv.egovernment.moa.id.auth.AuthenticationServer;
-import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder;
+import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
 import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
 import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
 import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
-import at.gv.egovernment.moa.id.auth.exception.WrongParametersException;
 import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
 import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
-
+import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
 import at.gv.egovernment.moa.id.config.ConnectionParameter;
-import at.gv.egovernment.moa.id.config.auth.AuthConfiguration;
-import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
 import at.gv.egovernment.moa.id.data.MISMandate;
 import at.gv.egovernment.moa.id.moduls.IRequest;
-import at.gv.egovernment.moa.id.moduls.ModulUtils;
-import at.gv.egovernment.moa.id.moduls.RequestStorage;
 import at.gv.egovernment.moa.id.process.api.ExecutionContext;
-import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
-import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage;
-import at.gv.egovernment.moa.id.util.ParamValidatorUtils;
 import at.gv.egovernment.moa.id.util.SSLUtils;
 import at.gv.egovernment.moa.id.util.client.mis.simple.MISSimpleClient;
 import at.gv.egovernment.moa.logging.Logger;
 import at.gv.egovernment.moa.util.DOMUtils;
+import at.gv.egovernment.moa.util.MiscUtil;
+import iaik.pki.PKIException;
 
 /**
  * Retrieves a mandate from the online mandate issuing service.<p/>
@@ -64,45 +61,64 @@ import at.gv.egovernment.moa.util.DOMUtils;
  * @see #execute(ExecutionContext, HttpServletRequest, HttpServletResponse)
  *
  */
+@Service("GetMISSessionIDTask")
 public class GetMISSessionIDTask extends AbstractAuthServletTask {
 
+	@Autowired @Qualifier("CitizenCardAuthenticationServer") private AuthenticationServer authServer;
+	
 	@Override
 	public void execute(ExecutionContext executionContext, HttpServletRequest req, HttpServletResponse resp)
 			throws TaskExecutionException {
 		
 		Logger.debug("POST GetMISSessionIDServlet");
 
-		String sessionID = req.getParameter(PARAM_SESSIONID);
-
-		// escape parameter strings
-		sessionID = StringEscapeUtils.escapeHtml(sessionID);
-
-		AuthenticationSession session = null;
-		String pendingRequestID = null;
 		try {
-			// check parameter
-			if (!ParamValidatorUtils.isValidSessionID(sessionID))
-				throw new WrongParametersException("VerifyCertificate",
-						PARAM_SESSIONID, "auth.12");
-
-			pendingRequestID = AuthenticationSessionStoreage.getPendingRequestID(sessionID);
+			String pendingRequestID = StringEscapeUtils.escapeHtml(
+					ObjectUtils.defaultIfNull(
+							req.getParameter(PARAM_TARGET_PENDINGREQUESTID), 
+							(String) executionContext.get(PARAM_TARGET_PENDINGREQUESTID)));
 			
-			session = AuthenticationServer.getSession(sessionID);
-
-			IRequest pendingReq = RequestStorage.getPendingRequest(
-					(String) executionContext.get("pendingRequestID"));			
+			if (MiscUtil.isEmpty(pendingRequestID)) {				
+				Logger.info("No PendingRequestID received");
+				throw new MOAIDException("auth.10", new Object[]{"VerifyIdentityLink", "pendingRequestID"});
+			}
 			
-			//change MOASessionID
-		    sessionID = AuthenticationSessionStoreage.changeSessionID(session);
+			IRequest pendingReq = requestStoreage.getPendingRequest(pendingRequestID);	
+		
+			if (pendingReq == null) {
+				Logger.info("No PendingRequest with Id: " + pendingRequestID + " Maybe, a transaction timeout occure.");
+				throw new MOAIDException("auth.28", new Object[]{pendingRequestID});
+				
+			}
+						
+			//change pending-request ID
+			String newPendingRequestID = requestStoreage.changePendingRequestID(pendingReq);
+			executionContext.put(MOAIDAuthConstants.PARAM_TARGET_PENDINGREQUESTID, newPendingRequestID);
+									
+			AuthenticationSession moasession = null;;
+			try {			
+				moasession  = authenticatedSessionStorage.getSession(pendingReq.getMOASessionIdentifier());
+			
+				if (moasession == null) {
+					Logger.warn("MOASessionID is empty.");
+					throw new MOAIDException("auth.18", new Object[] {});
+				}
+				
+			} catch (MOADatabaseException e) {
+				Logger.info("MOASession with SessionID=" + pendingReq.getMOASessionIdentifier() + " is not found in Database");
+				throw new MOAIDException("init.04", new Object[] { pendingReq.getMOASessionIdentifier() });
+
+			} catch (Throwable e) {
+				Logger.info("No HTTP Session found!");
+				throw new MOAIDException("auth.18", new Object[] {});
+			}
 			
-			String misSessionID = session.getMISSessionID();
+			String misSessionID = moasession.getMISSessionID();
 
-			AuthConfiguration authConf = AuthConfigurationProviderFactory
-					.getInstance();
-			ConnectionParameter connectionParameters = authConf
+			ConnectionParameter connectionParameters = authConfig
 					.getOnlineMandatesConnectionParameter();
 			SSLSocketFactory sslFactory = SSLUtils.getSSLSocketFactory(
-					AuthConfigurationProviderFactory.getInstance(),
+					authConfig,
 					connectionParameters);
 
 			List<MISMandate> list = MISSimpleClient.sendGetMandatesRequest(
@@ -113,7 +129,7 @@ public class GetMISSessionIDTask extends AbstractAuthServletTask {
 				throw new AuthenticationException("auth.15", null);
 			}
 
-			MOAReversionLogger.getInstance().logEvent(pendingReq.getOnlineApplicationConfiguration(), 
+			revisionsLogger.logEvent(pendingReq.getOnlineApplicationConfiguration(), 
 					pendingReq, MOAIDEventConstants.AUTHPROCESS_MANDATE_RECEIVED);
 
 			
@@ -136,25 +152,17 @@ public class GetMISSessionIDTask extends AbstractAuthServletTask {
 					null, null).getDocumentElement();
 			
 			// extract RepresentationType
-			AuthenticationServer.getInstance().verifyMandate(session, mandate);
+			authServer.verifyMandate(moasession, mandate);
 			
-			session.setMISMandate(mandate);
+			moasession.setMISMandate(mandate);
 			
 			//log mandate specific set of events
-			MOAReversionLogger.getInstance().logMandateEventSet(pendingReq, mandate);
-						
-			String oldsessionID = session.getSessionID();
-			
-			//Session is implicite stored in changeSessionID!!!
-			String newMOASessionID = AuthenticationSessionStoreage.changeSessionID(session);
+			revisionsLogger.logMandateEventSet(pendingReq, mandate);
+									
+			//Stor MOAsession
+			authenticatedSessionStorage.storeSession(moasession);
 			
-			Logger.info("Changed MOASession " + oldsessionID + " to Session " + newMOASessionID);
-			Logger.info("Daten angelegt zu MOASession " + newMOASessionID);
-
-			//put session to context 
-			executionContext.put(PARAM_SESSIONID, session.getSessionID());
 			
-
 		} catch (MOAIDException ex) {
 			throw new TaskExecutionException(ex.getMessage(), ex);
 			
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/InitializeBKUAuthenticationTask.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/InitializeBKUAuthenticationTask.java
index 1dd4780f7..86d8de047 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/InitializeBKUAuthenticationTask.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/InitializeBKUAuthenticationTask.java
@@ -27,8 +27,9 @@ import java.util.List;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.springframework.stereotype.Service;
+
 import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
-import at.gv.egovernment.moa.id.advancedlogging.MOAReversionLogger;
 import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
 import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
 import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
@@ -37,12 +38,9 @@ import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
 import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
 import at.gv.egovernment.moa.id.auth.parser.StartAuthentificationParameterParser;
 import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
-import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
 import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters;
 import at.gv.egovernment.moa.id.moduls.IRequest;
-import at.gv.egovernment.moa.id.moduls.RequestStorage;
 import at.gv.egovernment.moa.id.process.api.ExecutionContext;
-import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage;
 import at.gv.egovernment.moa.logging.Logger;
 import at.gv.egovernment.moa.util.FileUtils;
 import at.gv.egovernment.moa.util.MiscUtil;
@@ -51,6 +49,7 @@ import at.gv.egovernment.moa.util.MiscUtil;
  * @author tlenz
  *
  */
+@Service("InitializeBKUAuthenticationTask")
 public class InitializeBKUAuthenticationTask extends AbstractAuthServletTask {
 
 	/* (non-Javadoc)
@@ -62,19 +61,22 @@ public class InitializeBKUAuthenticationTask extends AbstractAuthServletTask {
 			throws TaskExecutionException {
 		
 		try {
-	    	String moasessionid = (String) executionContext.get(MOAIDAuthConstants.PARAM_SESSIONID);	    	
-			String pendingRequestID = (String) executionContext.get("pendingRequestID");
-
-			//load pending request
-			IRequest pendingReq = RequestStorage.getPendingRequest(pendingRequestID);				
+			IRequest pendingReq = requestStoreage.getPendingRequest(
+					(String) executionContext.get(MOAIDAuthConstants.PARAM_TARGET_PENDINGREQUESTID));	
+		
 			if (pendingReq == null) {
-				Logger.info("No PendingRequest with Id: " + pendingRequestID + " Maybe, a transaction timeout occure.");
-				throw new MOAIDException("auth.28", new Object[]{pendingRequestID});
+				Logger.info("No PendingRequest with Id: " + executionContext.get("pendingRequestID") + " Maybe, a transaction timeout occure.");
+				throw new MOAIDException("auth.28", new Object[]{executionContext.get("pendingRequestID")});
 				
 			}
-	    	
+				    	
 			//load MOASession object
-			AuthenticationSession moasession = AuthenticationSessionStoreage.getSession(moasessionid);
+			AuthenticationSession moasession = authenticatedSessionStorage.getSession(pendingReq.getMOASessionIdentifier());
+			if (moasession == null) {
+				Logger.info("MOASession with SessionID=" + pendingReq.getMOASessionIdentifier() + " is not found in Database");
+				throw new MOAIDException("init.04", new Object[] { pendingReq.getMOASessionIdentifier() });
+				
+			}
 			
 			boolean isLegacyRequest = false;
 			Object isLegacyRequestObj = executionContext.get("isLegacyRequest");
@@ -83,8 +85,8 @@ public class InitializeBKUAuthenticationTask extends AbstractAuthServletTask {
 
 			if (isLegacyRequest) {
 				//parse request parameter into MOASession
-			    Logger.info("Start Authentication Module: " + moasession.getModul() 
-			    		+ " Action: " + moasession.getAction());
+			    Logger.info("Start Authentication Module: " + pendingReq.requestedModule() 
+			    		+ " Action: " + pendingReq.requestedAction());
 
 				StartAuthentificationParameterParser.parse(executionContext, request, moasession, pendingReq);
 												
@@ -92,12 +94,9 @@ public class InitializeBKUAuthenticationTask extends AbstractAuthServletTask {
 		    	String bkuid = (String) executionContext.get(MOAIDAuthConstants.PARAM_BKU);
 		    	String useMandate = (String) executionContext.get(MOAIDAuthConstants.PARAM_USEMANDATE);
 				String ccc = (String) executionContext.get(MOAIDAuthConstants.PARAM_CCC);
-							
-				//remove MOASessionID from executionContext because it is not needed any more
-	
-				
-		    	if (MiscUtil.isEmpty(bkuid) || MiscUtil.isEmpty(moasessionid)) {
-		    		Logger.warn("MOASessionID or BKU-type is empty. Maybe an old BKU-selection template is in use.");
+												
+		    	if (MiscUtil.isEmpty(bkuid)) {
+		    		Logger.warn("BKU-type is empty. Maybe an old BKU-selection template is in use.");
 		    		throw new MOAIDException("auth.23", new Object[] {});
 		    	}
 								
@@ -108,21 +107,21 @@ public class InitializeBKUAuthenticationTask extends AbstractAuthServletTask {
 					throw new AuthenticationException("auth.00", new Object[] { moasession.getOAURLRequested() });
 				
 				else {
-					MOAReversionLogger.getInstance().logEvent(pendingReq.getOnlineApplicationConfiguration(), 
+					revisionsLogger.logEvent(pendingReq.getOnlineApplicationConfiguration(), 
 							pendingReq, MOAIDEventConstants.AUTHPROCESS_BKUTYPE_SELECTED, bkuid);
 					
 			    	//get Target from config or from request in case of SAML 1				
 					String target = null;
-					if (MiscUtil.isNotEmpty(pendingReq.getTarget()) && 
-							pendingReq.requestedModule().equals("id_saml1"))
-						target = pendingReq.getTarget();
+					if (MiscUtil.isNotEmpty(pendingReq.getGenericData("target", String.class)) && 
+							pendingReq.requestedModule().equals("at.gv.egovernment.moa.id.protocols.saml1.SAML1Protocol"))
+						target = pendingReq.getGenericData("target", String.class);
 					else
 						target = oaParam.getTarget();
 									
 			    	String bkuURL = oaParam.getBKUURL(bkuid);
 			    	if (MiscUtil.isEmpty(bkuURL)) {
 			    		Logger.info("No OA specific BKU defined. Use BKU from default configuration");
-			    		bkuURL = AuthConfigurationProviderFactory.getInstance().getDefaultBKUURL(bkuid);
+			    		bkuURL = authConfig.getDefaultBKUURL(bkuid);
 			    	}
 			    	
 			    	//search for OA specific template
@@ -133,13 +132,13 @@ public class InitializeBKUAuthenticationTask extends AbstractAuthServletTask {
 			    		templateURL = oaTemplateURLList.get(0);
 			    		
 			    	} else {		    	
-			    		templateURL = AuthConfigurationProviderFactory.getInstance().getSLRequestTemplates(bkuid);
+			    		templateURL = authConfig.getSLRequestTemplates(bkuid);
 			    	}
 			    	
 			    	//make url absolut if it is a local url
 		    		if (MiscUtil.isNotEmpty(templateURL))
 		    			templateURL = FileUtils.makeAbsoluteURL(templateURL, 
-		    					AuthConfigurationProviderFactory.getInstance().getRootConfigFileDir());
+		    					authConfig.getRootConfigFileDir());
 			    	
 			    	if (oaParam.isOnlyMandateAllowed()) 
 			    		useMandate = "true";
@@ -155,8 +154,6 @@ public class InitializeBKUAuthenticationTask extends AbstractAuthServletTask {
 			    											   templateURL,
 			    											   useMandate,
 			    											   ccc, 
-			    											   moasession.getModul(),
-			    											   moasession.getAction(),
 			    											   request,
 			    											   pendingReq);
 				}
@@ -166,7 +163,8 @@ public class InitializeBKUAuthenticationTask extends AbstractAuthServletTask {
 			
 			// make sure moa session has been persisted before running the process
 			try {
-				AuthenticationSessionStoreage.storeSession(moasession);
+				authenticatedSessionStorage.storeSession(moasession);
+				
 			} catch (MOADatabaseException e) {
 				Logger.error("Database Error! MOASession is not stored!");
 				throw new MOAIDException("init.04", new Object[] {
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/PrepareAuthBlockSignatureTask.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/PrepareAuthBlockSignatureTask.java
index 49888c136..1c5f3c202 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/PrepareAuthBlockSignatureTask.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/PrepareAuthBlockSignatureTask.java
@@ -1,29 +1,29 @@
 package at.gv.egovernment.moa.id.auth.modules.internal.tasks;
 
-import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.*;
+import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.PARAM_TARGET_PENDINGREQUESTID;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
 import org.apache.commons.lang.StringEscapeUtils;
+import org.apache.commons.lang3.ObjectUtils;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Qualifier;
+import org.springframework.stereotype.Service;
 
 import at.gv.egovernment.moa.id.auth.AuthenticationServer;
+import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
 import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
 import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
-import at.gv.egovernment.moa.id.auth.exception.WrongParametersException;
 import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
 import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
-
-import at.gv.egovernment.moa.id.config.auth.AuthConfiguration;
-import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
-import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
+import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
+import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters;
 import at.gv.egovernment.moa.id.moduls.IRequest;
-import at.gv.egovernment.moa.id.moduls.RequestStorage;
 import at.gv.egovernment.moa.id.process.api.ExecutionContext;
-import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage;
 import at.gv.egovernment.moa.id.util.CitizenCardServletUtils;
-import at.gv.egovernment.moa.id.util.ParamValidatorUtils;
 import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
 
 /**
  * Creates {@code CreateXMLSignatureRequest} for auth block signature.<p/>
@@ -45,47 +45,68 @@ import at.gv.egovernment.moa.logging.Logger;
  * @see #execute(ExecutionContext, HttpServletRequest, HttpServletResponse)
  *
  */
+@Service("PrepareAuthBlockSignatureTask")
 public class PrepareAuthBlockSignatureTask extends AbstractAuthServletTask {
 
+	@Autowired @Qualifier("CitizenCardAuthenticationServer") private AuthenticationServer authServer;
+	
 	@Override
 	public void execute(ExecutionContext executionContext, HttpServletRequest req, HttpServletResponse resp)
 			throws TaskExecutionException {
 		// note: code taken from at.gv.egovernment.moa.id.auth.servlet.VerifyIdentityLinkServlet
 
-		Logger.debug("Process IdentityLink");
-
-		setNoCachingHeaders(resp);
+		Logger.debug("Process CreateAuthBlock Task");
 		
-		String pendingRequestID = null;
-
 		try {
+			String pendingRequestID = StringEscapeUtils.escapeHtml(
+					ObjectUtils.defaultIfNull(
+							req.getParameter(PARAM_TARGET_PENDINGREQUESTID), 
+							(String) executionContext.get(PARAM_TARGET_PENDINGREQUESTID)));
 			
-			String sessionID = StringEscapeUtils.escapeHtml(req.getParameter(PARAM_SESSIONID));
+			if (MiscUtil.isEmpty(pendingRequestID)) {				
+				Logger.info("No PendingRequestID received");
+				throw new MOAIDException("auth.10", new Object[]{"VerifyIdentityLink", "pendingRequestID"});
+			}
 			
-			// check parameter
-			if (!ParamValidatorUtils.isValidSessionID(sessionID)) {
-				throw new WrongParametersException("VerifyIdentityLink", PARAM_SESSIONID, "auth.12");
+			IRequest pendingReq = requestStoreage.getPendingRequest(pendingRequestID);	
+		
+			if (pendingReq == null) {
+				Logger.info("No PendingRequest with Id: " + pendingRequestID + " Maybe, a transaction timeout occure.");
+				throw new MOAIDException("auth.28", new Object[]{pendingRequestID});
+				
 			}
-
-			pendingRequestID = AuthenticationSessionStoreage.getPendingRequestID(sessionID);
-			IRequest pendingReq = RequestStorage.getPendingRequest(
-					(String) executionContext.get("pendingRequestID"));	
 						
-			AuthenticationSession session = AuthenticationServer.getSession(sessionID);
-
-			// change MOASessionID
-			sessionID = AuthenticationSessionStoreage.changeSessionID(session);
+			//change pending-request ID
+			String newPendingRequestID = requestStoreage.changePendingRequestID(pendingReq);
+			executionContext.put(MOAIDAuthConstants.PARAM_TARGET_PENDINGREQUESTID, newPendingRequestID);
+									
+			AuthenticationSession moasession = null;;
+			try {			
+				moasession  = authenticatedSessionStorage.getSession(pendingReq.getMOASessionIdentifier());
+			
+				if (moasession == null) {
+					Logger.warn("MOASessionID is empty.");
+					throw new MOAIDException("auth.18", new Object[] {});
+				}
 				
-			OAAuthParameter oaParam = AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(
-					session.getPublicOAURLPrefix());
-			AuthConfiguration authConf = AuthConfigurationProviderFactory.getInstance();
+			} catch (MOADatabaseException e) {
+				Logger.info("MOASession with SessionID=" + pendingReq.getMOASessionIdentifier() + " is not found in Database");
+				throw new MOAIDException("init.04", new Object[] { pendingReq.getMOASessionIdentifier() });
+
+			} catch (Throwable e) {
+				Logger.info("No HTTP Session found!");
+				throw new MOAIDException("auth.18", new Object[] {});
+			}
+			
+							
+			IOAAuthParameters oaParam = pendingReq.getOnlineApplicationConfiguration();
 
-			String createXMLSignatureRequest = AuthenticationServer.getInstance()
-					.getCreateXMLSignatureRequestAuthBlockOrRedirect(session, authConf, oaParam, pendingReq);
+			String createXMLSignatureRequest = authServer
+					.getCreateXMLSignatureRequestAuthBlockOrRedirect(moasession, authConfig, oaParam, pendingReq);
 
-			AuthenticationSessionStoreage.storeSession(session);
+			authenticatedSessionStorage.storeSession(moasession);
 			
-			CitizenCardServletUtils.writeCreateXMLSignatureRequestOrRedirect(resp, session,
+			CitizenCardServletUtils.writeCreateXMLSignatureRequestOrRedirect(resp, pendingReq,
 					createXMLSignatureRequest, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT,
 					"VerifyIdentityLink");
 
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/PrepareGetMISMandateTask.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/PrepareGetMISMandateTask.java
index 099bc085c..3d8b94239 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/PrepareGetMISMandateTask.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/PrepareGetMISMandateTask.java
@@ -23,17 +23,21 @@
 package at.gv.egovernment.moa.id.auth.modules.internal.tasks;
 
 import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.GET_MIS_SESSIONID;
-import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.PARAM_SESSIONID;
+import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.PARAM_TARGET_PENDINGREQUESTID;
 
 import java.util.List;
 
 import javax.net.ssl.SSLSocketFactory;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+
+import org.apache.commons.lang.StringEscapeUtils;
+import org.apache.commons.lang3.ObjectUtils;
+import org.springframework.stereotype.Service;
 import org.w3c.dom.Element;
 
 import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
-import at.gv.egovernment.moa.id.advancedlogging.MOAReversionLogger;
+import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
 import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder;
 import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
 import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
@@ -44,14 +48,9 @@ import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
 import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
 import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
 import at.gv.egovernment.moa.id.config.ConnectionParameter;
-import at.gv.egovernment.moa.id.config.auth.AuthConfiguration;
-import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
 import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters;
-import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
 import at.gv.egovernment.moa.id.moduls.IRequest;
-import at.gv.egovernment.moa.id.moduls.RequestStorage;
 import at.gv.egovernment.moa.id.process.api.ExecutionContext;
-import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage;
 import at.gv.egovernment.moa.id.util.SSLUtils;
 import at.gv.egovernment.moa.id.util.client.mis.simple.MISSessionId;
 import at.gv.egovernment.moa.id.util.client.mis.simple.MISSimpleClient;
@@ -63,6 +62,7 @@ import at.gv.egovernment.moa.util.MiscUtil;
  * @author tlenz
  *
  */
+@Service("PrepareGetMISMandateTask")
 public class PrepareGetMISMandateTask extends AbstractAuthServletTask {
 
 	/* (non-Javadoc)
@@ -75,62 +75,66 @@ public class PrepareGetMISMandateTask extends AbstractAuthServletTask {
 
 		//mandate Mode
 		try {
-			IRequest pendingReq = RequestStorage.getPendingRequest(
-					(String) executionContext.get("pendingRequestID"));	
+			String pendingRequestID = StringEscapeUtils.escapeHtml(
+					ObjectUtils.defaultIfNull(
+							request.getParameter(PARAM_TARGET_PENDINGREQUESTID), 
+							(String) executionContext.get(PARAM_TARGET_PENDINGREQUESTID)));
 			
-			//get Session from context
-			String moasessionid = (String) executionContext.get(PARAM_SESSIONID);
-			AuthenticationSession session = null;				
-			if (MiscUtil.isEmpty(moasessionid)) {
-				Logger.warn("MOASessionID is empty.");
-				throw new MOAIDException("auth.18", new Object[] {});
+			if (MiscUtil.isEmpty(pendingRequestID)) {				
+				Logger.info("No PendingRequestID received");
+				throw new MOAIDException("auth.10", new Object[]{"VerifyIdentityLink", "pendingRequestID"});
 			}
+			
+			IRequest pendingReq = requestStoreage.getPendingRequest(pendingRequestID);	
+		
+			if (pendingReq == null) {
+				Logger.info("No PendingRequest with Id: " + pendingRequestID + " Maybe, a transaction timeout occure.");
+				throw new MOAIDException("auth.28", new Object[]{pendingRequestID});
 				
+			}
+						
+			//change pending-request ID
+			String newPendingRequestID = requestStoreage.changePendingRequestID(pendingReq);
+			executionContext.put(MOAIDAuthConstants.PARAM_TARGET_PENDINGREQUESTID, newPendingRequestID);
+									
+			AuthenticationSession moasession = null;;
 			try {			
-				session = AuthenticationSessionStoreage.getSession(moasessionid);
-				AuthenticationSessionStoreage.changeSessionID(session);
-								
+				moasession  = authenticatedSessionStorage.getSession(pendingReq.getMOASessionIdentifier());
+			
+				if (moasession == null) {
+					Logger.warn("MOASessionID is empty.");
+					throw new MOAIDException("auth.18", new Object[] {});
+				}
+				
 			} catch (MOADatabaseException e) {
-				Logger.info("MOASession with SessionID=" + moasessionid + " is not found in Database");
-				throw new MOAIDException("init.04", new Object[] { moasessionid });
+				Logger.info("MOASession with SessionID=" + pendingReq.getMOASessionIdentifier() + " is not found in Database");
+				throw new MOAIDException("init.04", new Object[] { pendingReq.getMOASessionIdentifier() });
 
 			} catch (Throwable e) {
 				Logger.info("No HTTP Session found!");
 				throw new MOAIDException("auth.18", new Object[] {});
-				
-			} finally {
-				executionContext.remove(PARAM_SESSIONID);
-				
 			}
-
 			
-		  AuthConfiguration authConf= AuthConfigurationProviderFactory.getInstance();
-			ConnectionParameter connectionParameters = authConf.getOnlineMandatesConnectionParameter();	
-			SSLSocketFactory sslFactory = SSLUtils.getSSLSocketFactory(AuthConfigurationProviderFactory.getInstance(), connectionParameters);
+			ConnectionParameter connectionParameters = authConfig.getOnlineMandatesConnectionParameter();	
+			SSLSocketFactory sslFactory = SSLUtils.getSSLSocketFactory(authConfig, connectionParameters);
 			
 			// get identitity link as byte[]
-			Element elem = session.getIdentityLink().getSamlAssertion();
+			Element elem = moasession.getIdentityLink().getSamlAssertion();
 			String s = DOMUtils.serializeNode(elem);
 			
 			//System.out.println("IDL: " + s);
 			
 			byte[] idl = s.getBytes("UTF-8");
-			
-			// redirect url
-			// build redirect(to the GetMISSessionIdSerlvet)
-			
-			//change MOASessionID before MIS request
-			String newMOASessionID = AuthenticationSessionStoreage.changeSessionID(session);
-			
+						
 	        String redirectURL = new DataURLBuilder().buildDataURL(
-			    session.getAuthURL(),
+			    pendingReq.getAuthURL(),
 			    GET_MIS_SESSIONID,
-			    newMOASessionID);
+			    pendingReq.getRequestID());
 			
-	        String oaURL = session.getOAURLRequested();
+	        String oaURL = pendingReq.getOAURL();
 	        IOAAuthParameters oaParam = pendingReq.getOnlineApplicationConfiguration();
 	        if (oaParam == null) {
-	        	oaParam = authConf.getOnlineApplicationParameter(oaURL);
+	        	oaParam = authConfig.getOnlineApplicationParameter(oaURL);
 	        	Logger.info("No Service info in PendingRequest --> load service info from configuration");
 	        	
 	        }
@@ -143,9 +147,9 @@ public class PrepareGetMISMandateTask extends AbstractAuthServletTask {
 	        }
 	        
 	        String oaFriendlyName = oaParam.getFriendlyName();
-	        String mandateReferenceValue = session.getMandateReferenceValue();
-	        byte[] cert = session.getEncodedSignerCertificate();
-	        byte[] authBlock = session.getAuthBlock().getBytes("UTF-8");
+	        String mandateReferenceValue = moasession.getMandateReferenceValue();
+	        byte[] cert = moasession.getEncodedSignerCertificate();
+	        byte[] authBlock = moasession.getAuthBlock().getBytes("UTF-8");
 	        
 	        //TODO: check in case of SSO!!!
 	        String targetType = null;  
@@ -154,13 +158,13 @@ public class PrepareGetMISMandateTask extends AbstractAuthServletTask {
 	        	if (id.startsWith(AuthenticationSession.REGISTERANDORDNR_PREFIX_))
 	        		targetType = id;
 	        	else
-	        		targetType = AuthenticationSession.REGISTERANDORDNR_PREFIX_+session.getDomainIdentifier();
+	        		targetType = AuthenticationSession.REGISTERANDORDNR_PREFIX_ + moasession.getDomainIdentifier();
 	        	
 	        } else {
 	        	targetType = AuthenticationSession.TARGET_PREFIX_ + oaParam.getTarget();
 	        }
 	        
-	        MOAReversionLogger.getInstance().logEvent(pendingReq.getOnlineApplicationConfiguration(), 
+	        revisionsLogger.logEvent(pendingReq.getOnlineApplicationConfiguration(), 
 					pendingReq, MOAIDEventConstants.AUTHPROCESS_MANDATE_SERVICE_REQUESTED, mandateReferenceValue);
 	        
 	        MISSessionId misSessionID = MISSimpleClient.sendSessionIdRequest(
@@ -181,17 +185,17 @@ public class PrepareGetMISMandateTask extends AbstractAuthServletTask {
 	        }
 	        
 	        String redirectMISGUI = misSessionID.getRedirectURL();
-	        session.setMISSessionID(misSessionID.getSessiondId());
+	        moasession.setMISSessionID(misSessionID.getSessiondId());
 		
 			try {
-				AuthenticationSessionStoreage.storeSession(session);
+				authenticatedSessionStorage.storeSession(moasession);
 				
 			} catch (MOADatabaseException | BuildException e) {
 				throw new MOAIDException("Session store error", null);
 				
 			}
 	        			
-			MOAReversionLogger.getInstance().logEvent(pendingReq.getOnlineApplicationConfiguration(), 
+			revisionsLogger.logEvent(pendingReq.getOnlineApplicationConfiguration(), 
 					pendingReq, MOAIDEventConstants.AUTHPROCESS_MANDATE_REDIRECT);
 			
 	        response.setStatus(302);
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyAuthenticationBlockTask.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyAuthenticationBlockTask.java
index 35104bf3e..78be6c8c8 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyAuthenticationBlockTask.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyAuthenticationBlockTask.java
@@ -1,50 +1,35 @@
 package at.gv.egovernment.moa.id.auth.modules.internal.tasks;
 
-import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.*;
-import iaik.pki.PKIException;
+import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.PARAM_TARGET_PENDINGREQUESTID;
+import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.PARAM_XMLRESPONSE;
 
 import java.io.IOException;
-import java.security.GeneralSecurityException;
-import java.util.List;
 import java.util.Map;
 
-import javax.net.ssl.SSLSocketFactory;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
-import javax.xml.transform.TransformerException;
 
 import org.apache.commons.fileupload.FileUploadException;
 import org.apache.commons.lang.StringEscapeUtils;
-import org.w3c.dom.Element;
+import org.apache.commons.lang3.ObjectUtils;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Qualifier;
+import org.springframework.stereotype.Service;
 
 import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
-import at.gv.egovernment.moa.id.advancedlogging.MOAReversionLogger;
 import at.gv.egovernment.moa.id.auth.AuthenticationServer;
-import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder;
+import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
 import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
-import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
-import at.gv.egovernment.moa.id.auth.exception.MISSimpleClientException;
 import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
 import at.gv.egovernment.moa.id.auth.exception.WrongParametersException;
 import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
 import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
-
 import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
-import at.gv.egovernment.moa.id.config.ConnectionParameter;
-import at.gv.egovernment.moa.id.config.auth.AuthConfiguration;
-import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
-import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
 import at.gv.egovernment.moa.id.moduls.IRequest;
-import at.gv.egovernment.moa.id.moduls.ModulUtils;
-import at.gv.egovernment.moa.id.moduls.RequestStorage;
 import at.gv.egovernment.moa.id.process.api.ExecutionContext;
-import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage;
 import at.gv.egovernment.moa.id.util.ParamValidatorUtils;
-import at.gv.egovernment.moa.id.util.SSLUtils;
-import at.gv.egovernment.moa.id.util.client.mis.simple.MISSessionId;
-import at.gv.egovernment.moa.id.util.client.mis.simple.MISSimpleClient;
 import at.gv.egovernment.moa.logging.Logger;
-import at.gv.egovernment.moa.util.DOMUtils;
+import at.gv.egovernment.moa.util.MiscUtil;
 
 /**
  * Verifies the signed authentication block (provided as {@code CreateXMLSignatureResponse}).<p/>
@@ -79,62 +64,84 @@ import at.gv.egovernment.moa.util.DOMUtils;
  * @see #execute(ExecutionContext, HttpServletRequest, HttpServletResponse)
  *
  */
+@Service("VerifyAuthenticationBlockTask")
 public class VerifyAuthenticationBlockTask extends AbstractAuthServletTask {
 
+	@Autowired @Qualifier("CitizenCardAuthenticationServer") private AuthenticationServer authServer;
+	
 	@Override
 	public void execute(ExecutionContext executionContext, HttpServletRequest req, HttpServletResponse resp)
 			throws TaskExecutionException {
-
-		// note: code taken from at.gv.egovernment.moa.id.auth.servlet.VerifyAuthenticationBlockServlet
 		
 		Logger.debug("POST VerifyAuthenticationBlock");
 		
-		String pendingRequestID = null;		
-		
 	    Map<String, String> parameters;
 	    try 
 	    {
 	      parameters = getParameters(req);
 	      
-	    } catch (FileUploadException | IOException e) 
-	    {
+	    } catch (FileUploadException | IOException e) {
 	      Logger.error("Parsing mulitpart/form-data request parameters failed: " + e.getMessage());
 	      throw new TaskExecutionException("Parsing mulitpart/form-data request parameters failed", new IOException(e.getMessage()));
-	    }
 	      
-			String sessionID = req.getParameter(PARAM_SESSIONID);
-			String createXMLSignatureResponse = (String)parameters.get(PARAM_XMLRESPONSE);
-
-			// escape parameter strings
-			sessionID = StringEscapeUtils.escapeHtml(sessionID);
-			pendingRequestID = AuthenticationSessionStoreage.getPendingRequestID(sessionID);
-		   		
+	    }
+	    
+	    String createXMLSignatureResponse = (String)parameters.get(PARAM_XMLRESPONSE);
+	    		
 			String redirectURL = null;
 			try {
-	         // check parameter
-	         if (!ParamValidatorUtils.isValidSessionID(sessionID))
-	            throw new WrongParametersException("VerifyAuthenticationBlock", PARAM_SESSIONID, "auth.12");
-	         if (!ParamValidatorUtils.isValidXMLDocument(createXMLSignatureResponse))
-	            throw new WrongParametersException("VerifyAuthenticationBlock", PARAM_XMLRESPONSE, "auth.12");
+			    String pendingRequestID = StringEscapeUtils.escapeHtml(
+						ObjectUtils.defaultIfNull(
+								req.getParameter(PARAM_TARGET_PENDINGREQUESTID), 
+								(String) executionContext.get(PARAM_TARGET_PENDINGREQUESTID)));
+				
+				if (MiscUtil.isEmpty(pendingRequestID)) {				
+					Logger.info("No PendingRequestID received");
+					throw new MOAIDException("auth.10", new Object[]{"VerifyIdentityLink", "pendingRequestID"});
+				}
+				
+				if (!ParamValidatorUtils.isValidXMLDocument(createXMLSignatureResponse))
+					throw new WrongParametersException("VerifyAuthenticationBlock", PARAM_XMLRESPONSE, "auth.12");
+				
+				IRequest pendingReq = requestStoreage.getPendingRequest(pendingRequestID);	
+			
+				if (pendingReq == null) {
+					Logger.info("No PendingRequest with Id: " + pendingRequestID + " Maybe, a transaction timeout occure.");
+					throw new MOAIDException("auth.28", new Object[]{pendingRequestID});
+					
+				}
+							
+				//change pending-request ID
+				String newPendingRequestID = requestStoreage.changePendingRequestID(pendingReq);
+				executionContext.put(MOAIDAuthConstants.PARAM_TARGET_PENDINGREQUESTID, newPendingRequestID);
+										
+				AuthenticationSession moasession = null;;
+				try {			
+					moasession  = authenticatedSessionStorage.getSession(pendingReq.getMOASessionIdentifier());
+				
+					if (moasession == null) {
+						Logger.warn("MOASessionID is empty.");
+						throw new MOAIDException("auth.18", new Object[] {});
+					}
+					
+				} catch (MOADatabaseException e) {
+					Logger.info("MOASession with SessionID=" + pendingReq.getMOASessionIdentifier() + " is not found in Database");
+					throw new MOAIDException("init.04", new Object[] { pendingReq.getMOASessionIdentifier() });
 
-				AuthenticationSession session = AuthenticationServer.getSession(sessionID);
+				} catch (Throwable e) {
+					Logger.info("No HTTP Session found!");
+					throw new MOAIDException("auth.18", new Object[] {});
+				}				
+											
 
-				IRequest pendingReq = RequestStorage.getPendingRequest(
-						(String) executionContext.get("pendingRequestID"));			
-				MOAReversionLogger.getInstance().logEvent(pendingReq.getOnlineApplicationConfiguration(), 
+				revisionsLogger.logEvent(pendingReq.getOnlineApplicationConfiguration(), 
 						pendingReq, MOAIDEventConstants.AUTHPROCESS_BKU_DATAURL_IP, req.getRemoteHost());
-								
-				//change MOASessionID
-			    sessionID = AuthenticationSessionStoreage.changeSessionID(session);
-				
-				AuthenticationServer.getInstance().verifyAuthenticationBlock(pendingReq, session, createXMLSignatureResponse);
+												
+				authServer.verifyAuthenticationBlock(pendingReq, moasession, createXMLSignatureResponse);
 				
 				//store all changes in session DAO
-				AuthenticationSessionStoreage.storeSession(session);
-				
-				//put session to context 
-				executionContext.put(PARAM_SESSIONID, session.getSessionID());
-				
+				authenticatedSessionStorage.storeSession(moasession);
+								
 			}
 	    
 			catch (MOAIDException ex) {
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyCertificateTask.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyCertificateTask.java
index 2734d1027..5c9a069ee 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyCertificateTask.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyCertificateTask.java
@@ -1,7 +1,7 @@
 package at.gv.egovernment.moa.id.auth.modules.internal.tasks;
 
-import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.*;
-import iaik.x509.X509Certificate;
+import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.PARAM_TARGET_PENDINGREQUESTID;
+import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.REQ_GET_FOREIGN_ID;
 
 import java.io.IOException;
 import java.util.Map;
@@ -11,28 +11,28 @@ import javax.servlet.http.HttpServletResponse;
 
 import org.apache.commons.fileupload.FileUploadException;
 import org.apache.commons.lang.StringEscapeUtils;
+import org.apache.commons.lang3.ObjectUtils;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Qualifier;
+import org.springframework.stereotype.Service;
 
 import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
-import at.gv.egovernment.moa.id.advancedlogging.MOAReversionLogger;
 import at.gv.egovernment.moa.id.auth.AuthenticationServer;
+import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
 import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder;
 import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
 import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
 import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
-import at.gv.egovernment.moa.id.auth.exception.WrongParametersException;
 import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
 import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
-
 import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
 import at.gv.egovernment.moa.id.moduls.IRequest;
-import at.gv.egovernment.moa.id.moduls.RequestStorage;
 import at.gv.egovernment.moa.id.process.api.ExecutionContext;
-import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage;
 import at.gv.egovernment.moa.id.util.CitizenCardServletUtils;
-import at.gv.egovernment.moa.id.util.ParamValidatorUtils;
-import at.gv.egovernment.moa.id.util.ServletUtils;
 import at.gv.egovernment.moa.logging.Logger;
 import at.gv.egovernment.moa.spss.util.CertificateUtils;
+import at.gv.egovernment.moa.util.MiscUtil;
+import iaik.x509.X509Certificate;
 
 /**
  * Parses the certificate from {@code InfoBoxReadResponse} (via POST parameter {@linkplain at.gv.egovernment.moa.id.auth.MOAIDAuthConstants#PARAM_XMLRESPONSE PARAM_XMLRESPONSE}), creates the auth block to be signed and returns a {@code CreateXMLSignatureRequest} for auth block signature.<p/>
@@ -59,15 +59,18 @@ import at.gv.egovernment.moa.spss.util.CertificateUtils;
  * @see #execute(ExecutionContext, HttpServletRequest, HttpServletResponse)
  *
  */
+@Service("VerifyCertificateTask")
 public class VerifyCertificateTask extends AbstractAuthServletTask {
 
+	@Autowired @Qualifier("CitizenCardAuthenticationServer") private AuthenticationServer authServer;
+	
 	@Override
 	public void execute(ExecutionContext executionContext, HttpServletRequest req, HttpServletResponse resp)
 			throws TaskExecutionException {
 
 		// note: code taken from at.gv.egovernment.moa.id.auth.servlet.VerifyCertificateServlet
 
-		Logger.debug("POST VerifyCertificateServlet");
+		Logger.debug("Reveive VerifyCertificate Response");
 				
 		Map<String, String> parameters;
 	    try 
@@ -78,48 +81,73 @@ public class VerifyCertificateTask extends AbstractAuthServletTask {
 	      Logger.error("Parsing mulitpart/form-data request parameters failed: " + e.getMessage());
 	      throw new TaskExecutionException("Parsing mulitpart/form-data request parameters failed", new IOException(e.getMessage()));
 	     }
-	    String sessionID = req.getParameter(PARAM_SESSIONID);
-	    
-	    // escape parameter strings
-		sessionID = StringEscapeUtils.escapeHtml(sessionID);
 				
-	    AuthenticationSession session = null;
 	    try {
-	       // check parameter
-	       if (!ParamValidatorUtils.isValidSessionID(sessionID))
-	          throw new WrongParametersException("VerifyCertificate", PARAM_SESSIONID, "auth.12");
-	       
-	    	session = AuthenticationServer.getSession(sessionID);
-	    	
-			IRequest pendingReq = RequestStorage.getPendingRequest(
-					(String) executionContext.get("pendingRequestID"));			
-			MOAReversionLogger.getInstance().logEvent(pendingReq.getOnlineApplicationConfiguration(), 
+			String pendingRequestID = StringEscapeUtils.escapeHtml(
+					ObjectUtils.defaultIfNull(
+							req.getParameter(PARAM_TARGET_PENDINGREQUESTID), 
+							(String) executionContext.get(PARAM_TARGET_PENDINGREQUESTID)));
+			
+			if (MiscUtil.isEmpty(pendingRequestID)) {				
+				Logger.info("No PendingRequestID received");
+				throw new MOAIDException("auth.10", new Object[]{"VerifyIdentityLink", "pendingRequestID"});
+			}
+			
+			IRequest pendingReq = requestStoreage.getPendingRequest(pendingRequestID);	
+		
+			if (pendingReq == null) {
+				Logger.info("No PendingRequest with Id: " + pendingRequestID + " Maybe, a transaction timeout occure.");
+				throw new MOAIDException("auth.28", new Object[]{pendingRequestID});
+				
+			}
+						
+			//change pending-request ID
+			String newPendingRequestID = requestStoreage.changePendingRequestID(pendingReq);
+			executionContext.put(MOAIDAuthConstants.PARAM_TARGET_PENDINGREQUESTID, newPendingRequestID);
+									
+			AuthenticationSession moasession = null;;
+			try {			
+				moasession  = authenticatedSessionStorage.getSession(pendingReq.getMOASessionIdentifier());
+			
+				if (moasession == null) {
+					Logger.warn("MOASessionID is empty.");
+					throw new MOAIDException("auth.18", new Object[] {});
+				}
+				
+			} catch (MOADatabaseException e) {
+				Logger.info("MOASession with SessionID=" + pendingReq.getMOASessionIdentifier() + " is not found in Database");
+				throw new MOAIDException("init.04", new Object[] { pendingReq.getMOASessionIdentifier() });
+
+			} catch (Throwable e) {
+				Logger.info("No HTTP Session found!");
+				throw new MOAIDException("auth.18", new Object[] {});
+			}
+			
+			revisionsLogger.logEvent(pendingReq.getOnlineApplicationConfiguration(), 
 					pendingReq, MOAIDEventConstants.AUTHPROCESS_BKU_DATAURL_IP, req.getRemoteHost());
 	    		    	
-	        //change MOASessionID
-	        sessionID = AuthenticationSessionStoreage.changeSessionID(session);
 	    	
-    		X509Certificate cert = AuthenticationServer.getInstance().getCertificate(pendingReq, sessionID, parameters);
+    		X509Certificate cert = authServer.getCertificate(pendingReq, parameters);
     		if (cert == null) {
     			Logger.error("Certificate could not be read.");
     			throw new AuthenticationException("auth.14", null);    		
     		}
     		
-	    	boolean useMandate = session.getUseMandate();
+	    	boolean useMandate = moasession.getUseMandate();
 	    	
 	    	if (useMandate) {
 
 	    		// verify certificate for OrganWalter
-	    		String createXMLSignatureRequestOrRedirect = AuthenticationServer.getInstance().verifyCertificate(session, cert, pendingReq);
+	    		String createXMLSignatureRequestOrRedirect = authServer.verifyCertificate(moasession, cert, pendingReq);
 	    		
 		    	try {
-					AuthenticationSessionStoreage.storeSession(session);
+					authenticatedSessionStorage.storeSession(moasession);
+					
 				} catch (MOADatabaseException e) {
 					throw new MOAIDException("session store error", null);
 				}
 	    		
-		    	// TODO[branch]: Mandate; respond with CXSR for authblock signature, dataURL "/VerifyAuthBlock"
-		    	CitizenCardServletUtils.writeCreateXMLSignatureRequestOrRedirect(resp, session, createXMLSignatureRequestOrRedirect, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyCertificate");
+		    	CitizenCardServletUtils.writeCreateXMLSignatureRequestOrRedirect(resp, pendingReq, createXMLSignatureRequestOrRedirect, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyCertificate");
 	    		
 	    	}
 	    	else {
@@ -133,24 +161,24 @@ public class VerifyCertificateTask extends AbstractAuthServletTask {
 	    		}
 	    		
 	    		// Foreign Identities Modus	
-	    		MOAReversionLogger.getInstance().logEvent(pendingReq.getOnlineApplicationConfiguration(), 
+	    		revisionsLogger.logEvent(pendingReq.getOnlineApplicationConfiguration(), 
 						pendingReq, MOAIDEventConstants.AUTHPROCESS_FOREIGN_FOUND);
 	    		
-		    	String createXMLSignatureRequest = AuthenticationServer.getInstance().createXMLSignatureRequestForeignID(session, cert);
+		    	String createXMLSignatureRequest = authServer.createXMLSignatureRequestForeignID(moasession, cert);
 		      // build dataurl (to the GetForeignIDSerlvet)
 		    	String dataurl =
 	             new DataURLBuilder().buildDataURL(
-	               session.getAuthURL(),
+	               pendingReq.getAuthURL(),
 	               REQ_GET_FOREIGN_ID,
-	               session.getSessionID());
+	               pendingReq.getRequestID());
 	       
-		    	try {
-					AuthenticationSessionStoreage.storeSession(session);
+		    	try {		    		
+					authenticatedSessionStorage.storeSession(moasession);
+					
 				} catch (MOADatabaseException e) {
 					throw new MOAIDException("session store error", null);
 				}
 		    	
-	    		// TODO[branch]: Foreign citizen; respond with CXSR for authblock signature, dataURL "/GetForeignID"
 		    	CitizenCardServletUtils.writeCreateXMLSignatureRequest(resp, createXMLSignatureRequest, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "GetForeignID", dataurl);
 		    	
 		    	Logger.debug("Send CreateXMLSignatureRequest to BKU");
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyIdentityLinkTask.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyIdentityLinkTask.java
index 50ef11f27..2c23254e4 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyIdentityLinkTask.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyIdentityLinkTask.java
@@ -1,6 +1,6 @@
 package at.gv.egovernment.moa.id.auth.modules.internal.tasks;
 
-import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.*;
+import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.PARAM_TARGET_PENDINGREQUESTID;
 
 import java.io.IOException;
 import java.util.Map;
@@ -9,23 +9,23 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
 import org.apache.commons.lang.StringEscapeUtils;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Qualifier;
+import org.springframework.stereotype.Service;
 
 import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
-import at.gv.egovernment.moa.id.advancedlogging.MOAReversionLogger;
 import at.gv.egovernment.moa.id.auth.AuthenticationServer;
+import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
 import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
 import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
 import at.gv.egovernment.moa.id.auth.exception.ParseException;
-import at.gv.egovernment.moa.id.auth.exception.WrongParametersException;
 import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
 import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
-
+import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
 import at.gv.egovernment.moa.id.moduls.IRequest;
-import at.gv.egovernment.moa.id.moduls.RequestStorage;
 import at.gv.egovernment.moa.id.process.api.ExecutionContext;
-import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage;
-import at.gv.egovernment.moa.id.util.ParamValidatorUtils;
 import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
 
 /**
  * Verifies the identity link.<p/>
@@ -51,17 +51,16 @@ import at.gv.egovernment.moa.logging.Logger;
  * @see #execute(ExecutionContext, HttpServletRequest, HttpServletResponse)
  *
  */
+@Service("VerifyIdentityLinkTask")
 public class VerifyIdentityLinkTask extends AbstractAuthServletTask {
 
+	@Autowired @Qualifier("CitizenCardAuthenticationServer") private AuthenticationServer authServer;
+	
 	@Override
 	public void execute(ExecutionContext executionContext, HttpServletRequest req, HttpServletResponse resp)
 			throws TaskExecutionException {
 
-		// note: code taken from at.gv.egovernment.moa.id.auth.servlet.VerifyIdentityLinkServlet
-
-		Logger.debug("POST VerifyIdentityLink");
-
-		setNoCachingHeaders(resp);
+		Logger.debug("Receive VerifyIdentityLink Response");
 		
 		Map<String, String> parameters;
 
@@ -74,20 +73,50 @@ public class VerifyIdentityLinkTask extends AbstractAuthServletTask {
 		
 		try {
 			
-			String sessionID = StringEscapeUtils.escapeHtml(req.getParameter(PARAM_SESSIONID));
-			// check parameter
-			if (!ParamValidatorUtils.isValidSessionID(sessionID)) {
-				throw new WrongParametersException("VerifyIdentityLink", PARAM_SESSIONID, "auth.12");
+			String pendingRequestID = StringEscapeUtils.escapeHtml(req.getParameter(PARAM_TARGET_PENDINGREQUESTID));
+			
+			if (MiscUtil.isEmpty(pendingRequestID)) {				
+				Logger.info("No PendingRequestID received");
+				throw new MOAIDException("auth.10", new Object[]{"VerifyIdentityLink", "pendingRequestID"});
 			}
-			AuthenticationSession session = AuthenticationServer.getSession(sessionID);
-
-			IRequest pendingReq = RequestStorage.getPendingRequest(
-					(String) executionContext.get("pendingRequestID"));			
-			MOAReversionLogger.getInstance().logEvent(pendingReq.getOnlineApplicationConfiguration(), 
+			
+			IRequest pendingReq = requestStoreage.getPendingRequest(pendingRequestID);	
+		
+			if (pendingReq == null) {
+				Logger.info("No PendingRequest with Id: " + pendingRequestID + " Maybe, a transaction timeout occure.");
+				throw new MOAIDException("auth.28", new Object[]{pendingRequestID});
+				
+			}
+						
+			//change pending-request ID
+			String newPendingRequestID = requestStoreage.changePendingRequestID(pendingReq);
+			executionContext.put(MOAIDAuthConstants.PARAM_TARGET_PENDINGREQUESTID, newPendingRequestID);
+									
+			AuthenticationSession moasession = null;;
+			try {			
+				moasession  = authenticatedSessionStorage.getSession(pendingReq.getMOASessionIdentifier());
+			
+				if (moasession == null) {
+					Logger.warn("MOASessionID is empty.");
+					throw new MOAIDException("auth.18", new Object[] {});
+				}
+				
+			} catch (MOADatabaseException e) {
+				Logger.info("MOASession with SessionID=" + pendingReq.getMOASessionIdentifier() + " is not found in Database");
+				throw new MOAIDException("init.04", new Object[] { pendingReq.getMOASessionIdentifier() });
+
+			} catch (Throwable e) {
+				Logger.info("No HTTP Session found!");
+				throw new MOAIDException("auth.18", new Object[] {});
+			}
+			
+		
+			revisionsLogger.logEvent(pendingReq.getOnlineApplicationConfiguration(), 
 					pendingReq, MOAIDEventConstants.AUTHPROCESS_BKU_DATAURL_IP, req.getRemoteHost());
 			
-			boolean identityLinkAvailable = AuthenticationServer.getInstance().verifyIdentityLink(pendingReq, session, parameters) != null;
-			AuthenticationSessionStoreage.storeSession(session);
+			boolean identityLinkAvailable = authServer.verifyIdentityLink(pendingReq, moasession, parameters) != null;
+			
+			authenticatedSessionStorage.storeSession(moasession);
 
 			executionContext.put("identityLinkAvailable", identityLinkAvailable);
 
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/servlet/CitizenCardAuthProcessEngineSignalController.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/servlet/CitizenCardAuthProcessEngineSignalController.java
new file mode 100644
index 000000000..139be49fe
--- /dev/null
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/servlet/CitizenCardAuthProcessEngineSignalController.java
@@ -0,0 +1,52 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.auth.servlet;
+
+import java.io.IOException;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+
+/**
+ * @author tlenz
+ *
+ */
+@Controller
+public class CitizenCardAuthProcessEngineSignalController extends AbstractProcessEngineSignalController {
+
+	@RequestMapping(value = {"/GetMISSessionID", 
+			 				 "/GetForeignID",
+			 				 "/VerifyAuthBlock",
+			 				 "/VerifyCertificate",
+			 				 "/VerifyIdentityLink"
+           					}, 
+					method = {RequestMethod.POST, RequestMethod.GET})
+	public void performCitizenCardAuthentication(HttpServletRequest req, HttpServletResponse resp) throws IOException {
+		signalProcessManagement(req, resp);
+
+}
+}
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/util/CitizenCardServletUtils.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/util/CitizenCardServletUtils.java
index 276d6a105..36bab9355 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/util/CitizenCardServletUtils.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/util/CitizenCardServletUtils.java
@@ -53,13 +53,13 @@ import java.io.IOException;
 import java.io.OutputStream;
 import java.net.URLEncoder;
 
-import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
 import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
 import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder;
 import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
 import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
+import at.gv.egovernment.moa.id.moduls.IRequest;
 import at.gv.egovernment.moa.logging.Logger;
 
 /**
@@ -73,21 +73,21 @@ public class CitizenCardServletUtils extends ServletUtils{
    * depending on the requests starting text.
    * 
    * @param resp The httpServletResponse
-   * @param session The current AuthenticationSession
+   * @param pendingReq The current AuthenticationSession
    * @param createXMLSignatureRequestOrRedirect The request
    * @param servletGoal The servlet to which the redirect should happen
    * @param servletName The servlet name for debug purposes
    * @throws MOAIDException
    * @throws IOException
    */
-  public static void writeCreateXMLSignatureRequestOrRedirect(HttpServletResponse resp, AuthenticationSession session, String createXMLSignatureRequestOrRedirect, String servletGoal, String servletName) 
+  public static void writeCreateXMLSignatureRequestOrRedirect(HttpServletResponse resp, IRequest pendingReq, String createXMLSignatureRequestOrRedirect, String servletGoal, String servletName) 
   throws MOAIDException,
          IOException
   { 
     if (!createXMLSignatureRequestOrRedirect.startsWith("Redirect")) {
       resp.setStatus(307);
       String dataURL = new DataURLBuilder().buildDataURL(
-        session.getAuthURL(), MOAIDAuthConstants.REQ_VERIFY_AUTH_BLOCK, session.getSessionID());
+        pendingReq.getAuthURL(), MOAIDAuthConstants.REQ_VERIFY_AUTH_BLOCK, pendingReq.getRequestID());
       resp.addHeader("Location", dataURL);
       
       //TODO test impact of explicit setting charset with older versions of BKUs (HotSign)
@@ -100,7 +100,7 @@ public class CitizenCardServletUtils extends ServletUtils{
       Logger.debug("Finished POST " + servletName);
       
     } else {
-      String redirectURL = new DataURLBuilder().buildDataURL(session.getAuthURL(), servletGoal, session.getSessionID());
+      String redirectURL = new DataURLBuilder().buildDataURL(pendingReq.getAuthURL(), servletGoal, pendingReq.getRequestID());
       resp.setContentType("text/html");
       resp.setStatus(302);
       resp.addHeader("Location", redirectURL);
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/resources/META-INF/services/at.gv.egiz.components.spring.api.SpringResourceProvider b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/resources/META-INF/services/at.gv.egiz.components.spring.api.SpringResourceProvider
new file mode 100644
index 000000000..2ca8587b6
--- /dev/null
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/resources/META-INF/services/at.gv.egiz.components.spring.api.SpringResourceProvider
@@ -0,0 +1 @@
+at.gv.egovernment.moa.id.auth.CitizenCardAuthenticationSpringResourceProvider
\ No newline at end of file
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/resources/META-INF/services/at.gv.egovernment.moa.id.auth.modules.AuthModule b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/resources/META-INF/services/at.gv.egovernment.moa.id.auth.modules.AuthModule
index 865096055..02b4e5d7c 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/resources/META-INF/services/at.gv.egovernment.moa.id.auth.modules.AuthModule
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/resources/META-INF/services/at.gv.egovernment.moa.id.auth.modules.AuthModule
@@ -1,2 +1,2 @@
 # The default moaid process
-at.gv.egovernment.moa.id.auth.modules.internal.DefaultAuthModuleImpl
+at.gv.egovernment.moa.id.auth.modules.internal.AuthModuleImpl
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/resources/at/gv/egovernment/moa/id/auth/modules/internal/DefaultAuthentication.process.xml b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/resources/at/gv/egovernment/moa/id/auth/modules/internal/DefaultAuthentication.process.xml
index 6bbaf6ece..74792ed72 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/resources/at/gv/egovernment/moa/id/auth/modules/internal/DefaultAuthentication.process.xml
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/resources/at/gv/egovernment/moa/id/auth/modules/internal/DefaultAuthentication.process.xml
@@ -5,17 +5,17 @@
 	- National authentication with Austrian Citizen Card and mobile signature with our without mandate.
 	- Legacy authentication for foreign citizens using MOCCA supported signature cards.
 -->
-	<pd:Task id="initializeBKUAuthentication" class="at.gv.egovernment.moa.id.auth.modules.internal.tasks.InitializeBKUAuthenticationTask" />
-	<pd:Task id="createIdentityLinkForm"    class="at.gv.egovernment.moa.id.auth.modules.internal.tasks.CreateIdentityLinkFormTask" />
-	<pd:Task id="verifyIdentityLink"        class="at.gv.egovernment.moa.id.auth.modules.internal.tasks.VerifyIdentityLinkTask"        async="true" />
-	<pd:Task id="verifyAuthBlock"           class="at.gv.egovernment.moa.id.auth.modules.internal.tasks.VerifyAuthenticationBlockTask" async="true" />
-	<pd:Task id="verifyCertificate"         class="at.gv.egovernment.moa.id.auth.modules.internal.tasks.VerifyCertificateTask"         async="true" />
-	<pd:Task id="getMISMandate"           class="at.gv.egovernment.moa.id.auth.modules.internal.tasks.GetMISSessionIDTask"           async="true" />
-	<pd:Task id="certificateReadRequest"    class="at.gv.egovernment.moa.id.auth.modules.internal.tasks.CertificateReadRequestTask" />
-	<pd:Task id="prepareAuthBlockSignature" class="at.gv.egovernment.moa.id.auth.modules.internal.tasks.PrepareAuthBlockSignatureTask" />
-	<pd:Task id="prepareGetMISMandate" 			class="at.gv.egovernment.moa.id.auth.modules.internal.tasks.PrepareGetMISMandateTask" />
-	<pd:Task id="finalizeAuthentication" 		class="at.gv.egovernment.moa.id.auth.modules.internal.tasks.FinalizeAuthenticationTask" />
-	<pd:Task id="getForeignID"              class="at.gv.egovernment.moa.id.auth.modules.internal.tasks.GetForeignIDTask"              async="true" />
+	<pd:Task id="initializeBKUAuthentication" class="InitializeBKUAuthenticationTask" />
+	<pd:Task id="createIdentityLinkForm"    class="CreateIdentityLinkFormTask" />
+	<pd:Task id="verifyIdentityLink"        class="VerifyIdentityLinkTask"        async="true" />
+	<pd:Task id="verifyAuthBlock"           class="VerifyAuthenticationBlockTask" async="true" />
+	<pd:Task id="verifyCertificate"         class="VerifyCertificateTask"         async="true" />
+	<pd:Task id="getMISMandate"           	class="GetMISSessionIDTask"           async="true" />
+	<pd:Task id="certificateReadRequest"    class="CertificateReadRequestTask" />
+	<pd:Task id="prepareAuthBlockSignature" class="PrepareAuthBlockSignatureTask" />
+	<pd:Task id="prepareGetMISMandate" 			class="PrepareGetMISMandateTask" />
+	<pd:Task id="finalizeAuthentication" 		class="FinalizeAuthenticationTask" />
+	<pd:Task id="getForeignID"              class="GetForeignIDTask"              async="true" />
 
 	<!-- Process is triggered either by GenerateIFrameTemplateServlet (upon bku selection) or by AuthenticationManager (upon legacy authentication start using legacy parameters. -->
 	<pd:StartEvent id="start" />
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/resources/moaid_citizencard_auth.beans.xml b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/resources/moaid_citizencard_auth.beans.xml
new file mode 100644
index 000000000..dcea83b8a
--- /dev/null
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/resources/moaid_citizencard_auth.beans.xml
@@ -0,0 +1,47 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xmlns:context="http://www.springframework.org/schema/context"
+	xmlns:tx="http://www.springframework.org/schema/tx"
+	xmlns:aop="http://www.springframework.org/schema/aop"
+	xsi:schemaLocation="http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.1.xsd
+		http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+		http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd
+		http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.0.xsd">
+ 
+	<bean id="CitizenCardAuthenticationServer" 
+				class="at.gv.egovernment.moa.id.auth.AuthenticationServer"/>
+							
+				
+<!-- Authentication Process Tasks -->
+	<bean id="InitializeBKUAuthenticationTask" 
+				class="at.gv.egovernment.moa.id.auth.modules.internal.tasks.InitializeBKUAuthenticationTask"/>
+
+	<bean id="CreateIdentityLinkFormTask" 
+				class="at.gv.egovernment.moa.id.auth.modules.internal.tasks.CreateIdentityLinkFormTask"/>
+				
+	<bean id="VerifyIdentityLinkTask" 
+				class="at.gv.egovernment.moa.id.auth.modules.internal.tasks.VerifyIdentityLinkTask"/>				
+
+	<bean id="CertificateReadRequestTask" 
+				class="at.gv.egovernment.moa.id.auth.modules.internal.tasks.CertificateReadRequestTask"/>
+
+	<bean id="VerifyCertificateTask" 
+				class="at.gv.egovernment.moa.id.auth.modules.internal.tasks.VerifyCertificateTask"/>
+				
+	<bean id="PrepareAuthBlockSignatureTask" 
+				class="at.gv.egovernment.moa.id.auth.modules.internal.tasks.PrepareAuthBlockSignatureTask"/>
+				
+	<bean id="VerifyAuthenticationBlockTask" 
+				class="at.gv.egovernment.moa.id.auth.modules.internal.tasks.VerifyAuthenticationBlockTask"/>
+				
+	<bean id="PrepareGetMISMandateTask" 
+				class="at.gv.egovernment.moa.id.auth.modules.internal.tasks.PrepareGetMISMandateTask"/>
+				
+	<bean id="GetMISSessionIDTask" 
+				class="at.gv.egovernment.moa.id.auth.modules.internal.tasks.GetMISSessionIDTask"/>
+				
+	<bean id="GetForeignIDTask" 
+				class="at.gv.egovernment.moa.id.auth.modules.internal.tasks.GetForeignIDTask"/>
+																																					
+</beans>
\ No newline at end of file
diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java
index 88e26da76..fcde874b4 100644
--- a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java
+++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java
@@ -30,6 +30,9 @@ import java.util.UUID;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Service;
+
 import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
 import at.gv.egovernment.moa.id.advancedlogging.MOAReversionLogger;
 import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
@@ -51,20 +54,23 @@ import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20ServerErrorE
 import at.gv.egovernment.moa.id.protocols.oauth20.json.OAuth20SignatureUtil;
 import at.gv.egovernment.moa.id.protocols.oauth20.json.OAuthJsonToken;
 import at.gv.egovernment.moa.id.protocols.oauth20.json.OAuthSigner;
-import at.gv.egovernment.moa.id.storage.AssertionStorage;
+import at.gv.egovernment.moa.id.storage.ITransactionStorage;
 import at.gv.egovernment.moa.id.util.Random;
 import at.gv.egovernment.moa.logging.Logger;
-import at.gv.egovernment.moa.util.MiscUtil;
 
+@Service("OAuth20AuthAction")
 class OAuth20AuthAction implements IAction {
 	
+	@Autowired protected MOAReversionLogger revisionsLogger;
+	@Autowired protected ITransactionStorage transactionStorage;
+	
 	public SLOInformationInterface processRequest(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp,
 			IAuthData authData) throws MOAIDException {
 		
 		OAuth20AuthRequest oAuthRequest = (OAuth20AuthRequest) req;		
 		String responseType = oAuthRequest.getResponseType();
 		
-		MOAReversionLogger.getInstance().logEvent(req, MOAIDEventConstants.AUTHPROTOCOL_OPENIDCONNECT_AUTHREQUEST);
+		revisionsLogger.logEvent(req, MOAIDEventConstants.AUTHPROTOCOL_OPENIDCONNECT_AUTHREQUEST);
 		
 		String code = Random.nextRandom();		
 				
@@ -87,7 +93,7 @@ class OAuth20AuthAction implements IAction {
 			}
 			
 			// store data in oath session			
-			AssertionStorage.getInstance().put(code, o);
+			transactionStorage.put(code, o);
 			
 			Logger.debug("Saved OAuth20SessionObject in session with id: " + code);
 			
@@ -113,8 +119,8 @@ class OAuth20AuthAction implements IAction {
 			Logger.warn("An error occur during OpenID-Connect idToken generation.", e);
 			
 			//remove OAuthSessionObject if it already exists
-			if (AssertionStorage.getInstance().containsKey(code)) {
-				AssertionStorage.getInstance().remove(code);
+			if (transactionStorage.containsKey(code)) {
+				transactionStorage.remove(code);
 			}
 			
 			if (e instanceof OAuth20Exception) {
diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthRequest.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthRequest.java
index e5d8db873..ecef9b0a3 100644
--- a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthRequest.java
+++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthRequest.java
@@ -34,6 +34,7 @@ import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants;
 import at.gv.egovernment.moa.id.config.ConfigurationException;
 import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
 import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
+import at.gv.egovernment.moa.id.protocols.builder.attributes.IAttributeBuilder;
 import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Constants;
 import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Util;
 import at.gv.egovernment.moa.id.protocols.oauth20.attributes.OAuth20AttributeBuilder;
@@ -43,7 +44,6 @@ import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20ResponseType
 import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20WrongParameterException;
 import at.gv.egovernment.moa.id.protocols.pvp2x.PVP2XProtocol;
 import at.gv.egovernment.moa.id.protocols.pvp2x.builder.AttributQueryBuilder;
-import at.gv.egovernment.moa.id.protocols.builder.attributes.IAttributeBuilder;
 import at.gv.egovernment.moa.logging.Logger;
 
 public class OAuth20AuthRequest extends OAuth20BaseRequest {
@@ -55,6 +55,12 @@ public class OAuth20AuthRequest extends OAuth20BaseRequest {
 	public OAuth20AuthRequest(HttpServletRequest req)
 			throws ConfigurationException {
 		super(req);
+				
+		//AuthnRequest needs authentication
+		this.setNeedAuthentication(true);
+
+		//set protocol action, which should be executed after authentication
+		this.setAction(OAuth20AuthAction.class.getName());
 	}
 
 	private static final long serialVersionUID = 1L;
diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20BaseRequest.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20BaseRequest.java
index 5fcac0b2f..5906964a4 100644
--- a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20BaseRequest.java
+++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20BaseRequest.java
@@ -81,7 +81,6 @@ abstract class OAuth20BaseRequest extends RequestImpl {
 			if (oaParam == null) {
 				throw new OAuth20WrongParameterException(OAuth20Constants.PARAM_CLIENT_ID);
 			}
-			this.setTarget(oaParam.getTarget());
 			
 			if (StringUtils.isEmpty(oaParam.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_OPENID_CLIENTSECRET)) 
 					|| StringUtils.isEmpty(oaParam.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_OPENID_CLIENTID))
@@ -120,7 +119,7 @@ abstract class OAuth20BaseRequest extends RequestImpl {
 	
 	protected abstract void populateSpecialParameters(final HttpServletRequest request) throws OAuth20Exception;
 	
-	public static OAuth20BaseRequest newInstance(final String action, final HttpServletRequest request, String sessionId, String transactionId) throws OAuth20Exception {
+	public static OAuth20BaseRequest newInstance(final String action, final HttpServletRequest request) throws OAuth20Exception {
 		OAuth20BaseRequest res;
 		try {
 			if (action.equals(OAuth20Protocol.AUTH_ACTION)) {
@@ -139,7 +138,6 @@ abstract class OAuth20BaseRequest extends RequestImpl {
 			
 		}
 		
-		res.setAction(action);
 		res.setModule(OAuth20Protocol.NAME);
 		
 		res.populateParameters(request);
diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20Protocol.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20Protocol.java
index 70c29359e..52204d7f6 100644
--- a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20Protocol.java
+++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20Protocol.java
@@ -1,6 +1,8 @@
 package at.gv.egovernment.moa.id.protocols.oauth20.protocol;
 
+import java.io.IOException;
 import java.net.URLEncoder;
+import java.util.Arrays;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -9,12 +11,18 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
 import org.apache.commons.lang.StringUtils;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+
+import com.google.gson.JsonObject;
 
+import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
 import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
-import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
+import at.gv.egovernment.moa.id.auth.exception.ProtocolNotActiveException;
 import at.gv.egovernment.moa.id.moduls.IAction;
-import at.gv.egovernment.moa.id.moduls.IModulInfo;
 import at.gv.egovernment.moa.id.moduls.IRequest;
+import at.gv.egovernment.moa.id.moduls.RequestImpl;
+import at.gv.egovernment.moa.id.protocols.AbstractProtocolModulController;
 import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Constants;
 import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Util;
 import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20Exception;
@@ -23,11 +31,7 @@ import at.gv.egovernment.moa.id.util.ErrorResponseUtils;
 import at.gv.egovernment.moa.logging.Logger;
 import at.gv.egovernment.moa.util.MiscUtil;
 
-import com.google.gson.JsonObject;
-
-import java.util.Arrays;
-
-public class OAuth20Protocol implements IModulInfo {
+public class OAuth20Protocol extends AbstractProtocolModulController {
 	
 	public static final String NAME = OAuth20Protocol.class.getName();
 	public static final String PATH = "id_oauth20";
@@ -60,16 +64,65 @@ public class OAuth20Protocol implements IModulInfo {
 		return actions.get(action);
 	}
 	
+	//OpenID Connect auth request
+	@RequestMapping(value = "/oauth2/auth", method = {RequestMethod.POST, RequestMethod.GET})
+	public void openIDConnectAuthRequest(HttpServletRequest req, HttpServletResponse resp) throws MOAIDException, IOException {
+		if (!authConfig.getAllowedProtocols().isOAUTHActive()) {
+			Logger.info("OpenID-Connect is deaktivated!");
+			throw new ProtocolNotActiveException("auth.22", new java.lang.Object[] { NAME });
+			
+		}
+		
+		//PreProcess
+		IRequest pendingReq = preProcess(req, resp, AUTH_ACTION);
+		
+		revisionsLogger.logEvent(MOAIDEventConstants.SESSION_CREATED, pendingReq.getUniqueSessionIdentifier());
+		revisionsLogger.logEvent(MOAIDEventConstants.TRANSACTION_CREATED, pendingReq.getUniqueTransactionIdentifier());						
+		revisionsLogger.logEvent(
+				pendingReq.getUniqueSessionIdentifier(), 
+				pendingReq.getUniqueTransactionIdentifier(), 
+				MOAIDEventConstants.TRANSACTION_IP, 
+				req.getRemoteAddr());
+		
+		//process request
+		performAuthentication(req, resp, (RequestImpl)pendingReq);
+		
+	}
+	
+	//openID Connect tokken request
+	@RequestMapping(value = "/oauth2/token", method = {RequestMethod.POST, RequestMethod.GET})
+	public void OpenIDConnectTokkenRequest(HttpServletRequest req, HttpServletResponse resp) throws MOAIDException, IOException {
+		if (!authConfig.getAllowedProtocols().isOAUTHActive()) {
+			Logger.info("OpenID-Connect is deaktivated!");
+			throw new ProtocolNotActiveException("auth.22", new java.lang.Object[] { NAME });
+			
+		}
+		
+		//PreProcess
+		IRequest pendingReq = preProcess(req, resp, TOKEN_ACTION);
+		
+		revisionsLogger.logEvent(MOAIDEventConstants.SESSION_CREATED, pendingReq.getUniqueSessionIdentifier());
+		revisionsLogger.logEvent(MOAIDEventConstants.TRANSACTION_CREATED, pendingReq.getUniqueTransactionIdentifier());						
+		revisionsLogger.logEvent(
+				pendingReq.getUniqueSessionIdentifier(), 
+				pendingReq.getUniqueTransactionIdentifier(), 
+				MOAIDEventConstants.TRANSACTION_IP, 
+				req.getRemoteAddr());
+		
+		//process request
+		performAuthentication(req, resp, (RequestImpl)pendingReq);
+		
+	}
+	
 	/*
 	 * (non-Javadoc)
 	 * @see
 	 * at.gv.egovernment.moa.id.moduls.IModulInfo#preProcess(javax.servlet.http.HttpServletRequest,
 	 * javax.servlet.http.HttpServletResponse, java.lang.String)
 	 */
-	public IRequest preProcess(HttpServletRequest request, HttpServletResponse resp, String action,
-			String sessionId, String transactionId) throws MOAIDException {
+	public IRequest preProcess(HttpServletRequest request, HttpServletResponse resp, String action) throws MOAIDException {
 		// validation is done inside creation
-		OAuth20BaseRequest res = OAuth20BaseRequest.newInstance(action, request, sessionId, transactionId);
+		OAuth20BaseRequest res = OAuth20BaseRequest.newInstance(action, request);
 		Logger.debug("Created: " + res);
 		return res;
 	}
diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenAction.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenAction.java
index 2238a25e1..bb0126a7b 100644
--- a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenAction.java
+++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenAction.java
@@ -26,6 +26,11 @@ package at.gv.egovernment.moa.id.protocols.oauth20.protocol;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Service;
+
+import com.google.gson.JsonObject;
+
 import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
 import at.gv.egovernment.moa.id.advancedlogging.MOAReversionLogger;
 import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
@@ -38,13 +43,15 @@ import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20SessionObject;
 import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Util;
 import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20ServerErrorException;
 import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20UnauthorizedClientException;
-import at.gv.egovernment.moa.id.storage.AssertionStorage;
+import at.gv.egovernment.moa.id.storage.ITransactionStorage;
 import at.gv.egovernment.moa.logging.Logger;
 
-import com.google.gson.JsonObject;
-
+@Service("OAuth20TokenAction")
 class OAuth20TokenAction implements IAction {
 	
+	@Autowired protected MOAReversionLogger revisionsLogger;
+	@Autowired protected ITransactionStorage transactionStorage;
+	
 	public SLOInformationInterface processRequest(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp,
 			IAuthData authData) throws MOAIDException {
 		
@@ -53,13 +60,13 @@ class OAuth20TokenAction implements IAction {
 		try {
 			OAuth20TokenRequest oAuthRequest = (OAuth20TokenRequest) req;
 		
-			MOAReversionLogger.getInstance().logEvent(req, MOAIDEventConstants.AUTHPROTOCOL_OPENIDCONNECT_TOKENREQUEST);
+			revisionsLogger.logEvent(req, MOAIDEventConstants.AUTHPROTOCOL_OPENIDCONNECT_TOKENREQUEST);
 			
 			try {
 				Logger.debug("Loaded OAuth20SessionObject from session: " + oAuthRequest.getCode());
 				
 				auth20SessionObject = 
-						AssertionStorage.getInstance().get(oAuthRequest.getCode(), OAuth20SessionObject.class);
+						transactionStorage.get(oAuthRequest.getCode(), OAuth20SessionObject.class);
 			
 			} catch (MOADatabaseException e) {
 				throw new OAuth20UnauthorizedClientException();
@@ -97,7 +104,7 @@ class OAuth20TokenAction implements IAction {
 				// destroy session for clean up
 
 				Logger.debug("Going to destroy session: " + auth20SessionObject.getCode());
-				AssertionStorage.getInstance().remove(auth20SessionObject.getCode());
+				transactionStorage.remove(auth20SessionObject.getCode());
 
 			}
 		}
diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenRequest.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenRequest.java
index abfe4ce15..9b0ee099e 100644
--- a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenRequest.java
+++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenRequest.java
@@ -48,6 +48,12 @@ class OAuth20TokenRequest extends OAuth20BaseRequest {
 	public OAuth20TokenRequest(HttpServletRequest req)
 			throws ConfigurationException {
 		super(req);
+		
+		//AuthnRequest needs authentication
+		this.setNeedAuthentication(false);
+
+		//set protocol action, which should be executed after authentication
+		this.setAction(OAuth20TokenAction.class.getName());
 	}
 
 	private static final long serialVersionUID = 1L;
diff --git a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java
index 7f3c353f1..b4c8c37d4 100644
--- a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java
+++ b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java
@@ -27,6 +27,9 @@ import java.util.List;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Service;
+
 import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
 import at.gv.egovernment.moa.id.auth.data.AuthenticationSessionStorageConstants;
 import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute;
@@ -43,8 +46,11 @@ import at.gv.egovernment.moa.logging.Logger;
 import at.gv.egovernment.moa.util.URLEncoder;
 import eu.eidas.auth.commons.IPersonalAttributeList;
 
+@Service("SAML1_GetArtifactAction")
 public class GetArtifactAction implements IAction {
 
+	@Autowired private SAML1AuthenticationServer saml1server;
+	
 	public SLOInformationInterface processRequest(IRequest req, HttpServletRequest httpReq,
 			HttpServletResponse httpResp, IAuthData obj) throws AuthenticationException {
 			
@@ -69,15 +75,13 @@ public class GetArtifactAction implements IAction {
 		try {
 			OAAuthParameter oaParam = AuthConfigurationProviderFactory.getInstance()
 					.getOnlineApplicationParameter(oaURL);
-			
-			SAML1AuthenticationServer saml1server = SAML1AuthenticationServer.getInstace();
-						
+								
 			// add other stork attributes to MOA assertion if available
 			IPersonalAttributeList storkAttributes = authData.getGenericData(
 					AuthenticationSessionStorageConstants.STORK_ATTRIBUTELIST, 
 					IPersonalAttributeList.class);
 			if(null != storkAttributes) {
-				List<ExtendedSAMLAttribute> moaExtendedSAMLAttibutes = SAML1AuthenticationServer.addAdditionalSTORKAttributes(storkAttributes);
+				List<ExtendedSAMLAttribute> moaExtendedSAMLAttibutes = saml1server.addAdditionalSTORKAttributes(storkAttributes);
 				authData.getExtendedSAMLAttributesOA().addAll(moaExtendedSAMLAttibutes);
 				Logger.info("MOA assertion assembled and SAML Artifact generated.");
 			}
@@ -88,7 +92,8 @@ public class GetArtifactAction implements IAction {
 				String url = req.getAuthURL() + "/RedirectServlet";
 				url = addURLParameter(url, RedirectServlet.REDIRCT_PARAM_URL, URLEncoder.encode(oaURL, "UTF-8"));
 				if (!oaParam.getBusinessService())
-					url = addURLParameter(url, MOAIDAuthConstants.PARAM_TARGET, URLEncoder.encode(req.getTarget(), "UTF-8"));
+					url = addURLParameter(url, MOAIDAuthConstants.PARAM_TARGET, 
+							URLEncoder.encode(req.getGenericData(SAML1Protocol.REQ_DATA_TARGET, String.class), "UTF-8"));
 				url = addURLParameter(url, MOAIDAuthConstants.PARAM_SAMLARTIFACT, URLEncoder.encode(samlArtifactBase64, "UTF-8"));
 				url = httpResp.encodeRedirectURL(url);
 				
@@ -100,7 +105,7 @@ public class GetArtifactAction implements IAction {
 				String redirectURL = oaURL;		
 				if (!oaParam.getBusinessService()) {
 					redirectURL = addURLParameter(redirectURL, MOAIDAuthConstants.PARAM_TARGET,
-					URLEncoder.encode(req.getTarget(), "UTF-8"));
+					URLEncoder.encode(req.getGenericData(SAML1Protocol.REQ_DATA_TARGET, String.class), "UTF-8"));
 
 				}
 				
diff --git a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetAuthenticationDataService.java b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetAuthenticationDataService.java
index 2b4aaf458..7e46e53fe 100644
--- a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetAuthenticationDataService.java
+++ b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetAuthenticationDataService.java
@@ -54,7 +54,6 @@ import org.w3c.dom.Element;
 import org.w3c.dom.NodeList;
 
 import at.gv.egovernment.moa.id.auth.builder.SAMLResponseBuilder;
-import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
 import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
 import at.gv.egovernment.moa.id.util.ErrorResponseUtils;
 import at.gv.egovernment.moa.id.util.MOAIDMessageProvider;
@@ -134,11 +133,14 @@ public class GetAuthenticationDataService implements Constants {
 					Element samlArtifactElem = (Element)samlArtifactList.item(0);
                     requestID = request.getAttribute("RequestID");
 					String samlArtifact = DOMUtils.getText(samlArtifactElem);
-					SAML1AuthenticationServer saml1server = SAML1AuthenticationServer.getInstace();
+					
+					
+					//SAML1AuthenticationServer saml1server = SAML1AuthenticationServer.getInstace();
 					
 					try {
-							
-						samlAssertion = saml1server.getSaml1AuthenticationData(samlArtifact);
+
+						samlAssertion = "Find a solution to integrate Axis 1 into Spring";
+						//samlAssertion = saml1server.getSaml1AuthenticationData(samlArtifact);
                         
 						// success
 						statusCode = "samlp:Success";
@@ -148,7 +150,8 @@ public class GetAuthenticationDataService implements Constants {
 					catch (ClassCastException ex) {
 					
 						try {
-							Throwable error = saml1server.getErrorResponse(samlArtifact);
+							//Throwable error = saml1server.getErrorResponse(samlArtifact);
+							Throwable error = new Exception("Find a solution to integrate Axis 1 into Spring");
 							statusCode = "samlp:Responder";
 							
 							ErrorResponseUtils errorUtils = ErrorResponseUtils.getInstance();
@@ -171,12 +174,12 @@ public class GetAuthenticationDataService implements Constants {
 						
 					}
 					
-					catch (AuthenticationException ex) {
-						//no authentication data for given SAML artifact
-						statusCode = "samlp:Requester";
-						subStatusCode = "samlp:ResourceNotRecognized";
-						statusMessage = ex.toString();
-					}
+//					catch (AuthenticationException ex) {
+//						//no authentication data for given SAML artifact
+//						statusCode = "samlp:Requester";
+//						subStatusCode = "samlp:ResourceNotRecognized";
+//						statusMessage = ex.toString();
+//					}
 				}
 			}
 	    catch (Throwable t) {
diff --git a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java
index 5312d779c..1d06bb48a 100644
--- a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java
+++ b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java
@@ -35,6 +35,8 @@ import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.transform.TransformerException;
 
 import org.apache.commons.lang3.StringEscapeUtils;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Service;
 import org.w3c.dom.Element;
 import org.xml.sax.SAXException;
 
@@ -60,7 +62,7 @@ import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
 import at.gv.egovernment.moa.id.config.auth.data.SAML1ConfigurationParameters;
 import at.gv.egovernment.moa.id.data.AuthenticationData;
 import at.gv.egovernment.moa.id.moduls.IRequest;
-import at.gv.egovernment.moa.id.storage.AssertionStorage;
+import at.gv.egovernment.moa.id.storage.ITransactionStorage;
 import at.gv.egovernment.moa.id.util.Random;
 import at.gv.egovernment.moa.logging.Logger;
 import at.gv.egovernment.moa.util.Base64Utils;
@@ -77,19 +79,10 @@ import eu.eidas.auth.commons.IPersonalAttributeList;
 import eu.eidas.auth.commons.PersonalAttribute;
 //import at.gv.egovernment.moa.id.util.IdentityLinkReSigner;
 
+@Service("SAML1AuthenticationServer")
 public class SAML1AuthenticationServer extends AuthenticationServer {
-	
-	private static SAML1AuthenticationServer instance;
-	
-	public static SAML1AuthenticationServer getInstace() {
-		if (instance == null)
-			instance = new SAML1AuthenticationServer();
 		
-		return instance;
-	}
-	
-	private static AssertionStorage authenticationDataStore =  AssertionStorage.getInstance();
-	
+	@Autowired private ITransactionStorage authenticationDataStore;
 	
 	/**
 	 * time out in milliseconds used by {@link cleanup} for authentication data
@@ -129,7 +122,7 @@ public class SAML1AuthenticationServer extends AuthenticationServer {
 	 * @param iPersonalAttributeList STORK attribute list
 	 * @return
 	 */
-	public static List<ExtendedSAMLAttribute> addAdditionalSTORKAttributes(IPersonalAttributeList iPersonalAttributeList) {
+	public List<ExtendedSAMLAttribute> addAdditionalSTORKAttributes(IPersonalAttributeList iPersonalAttributeList) {
 		List<ExtendedSAMLAttribute> moaExtendedSAMLAttributeList = new Vector<ExtendedSAMLAttribute>();
 		
 		if(null == iPersonalAttributeList)
diff --git a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java
index 6573270e4..417bf4dc9 100644
--- a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java
+++ b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java
@@ -22,18 +22,20 @@
  *******************************************************************************/
 package at.gv.egovernment.moa.id.protocols.saml1;
 
+import java.io.IOException;
 import java.util.Arrays;
-import java.util.HashMap;
 import java.util.List;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
 import org.apache.commons.lang.StringEscapeUtils;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
 
 import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
-import at.gv.egovernment.moa.id.advancedlogging.MOAReversionLogger;
-import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
 import at.gv.egovernment.moa.id.auth.exception.InvalidProtocolRequestException;
 import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
 import at.gv.egovernment.moa.id.auth.exception.ProtocolNotActiveException;
@@ -42,17 +44,23 @@ import at.gv.egovernment.moa.id.auth.servlet.RedirectServlet;
 import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
 import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
 import at.gv.egovernment.moa.id.config.auth.data.SAML1ConfigurationParameters;
-import at.gv.egovernment.moa.id.moduls.IAction;
-import at.gv.egovernment.moa.id.moduls.IModulInfo;
 import at.gv.egovernment.moa.id.moduls.IRequest;
+import at.gv.egovernment.moa.id.protocols.AbstractProtocolModulController;
+import at.gv.egovernment.moa.id.protocols.pvp2x.AuthenticationAction;
 import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
 import at.gv.egovernment.moa.id.util.ParamValidatorUtils;
 import at.gv.egovernment.moa.logging.Logger;
 import at.gv.egovernment.moa.util.MiscUtil;
 import at.gv.egovernment.moa.util.URLEncoder;
 
-public class SAML1Protocol extends MOAIDAuthConstants implements IModulInfo {
+@Controller
+public class SAML1Protocol extends AbstractProtocolModulController {
 
+	@Autowired private SAML1AuthenticationServer saml1AuthServer;
+	
+	public static final String REQ_DATA_SOURCEID = "sourceID";
+	public static final String REQ_DATA_TARGET = "target";
+	
 	public static final String NAME = SAML1Protocol.class.getName();
 	public static final String PATH = "id_saml1";
 
@@ -72,24 +80,6 @@ public class SAML1Protocol extends MOAIDAuthConstants implements IModulInfo {
 					PVPConstants.EID_SOURCE_PIN_TYPE_NAME
 			});
 	
-	private static HashMap<String, IAction> actions = new HashMap<String, IAction>();
-		
-	static {
-
-		actions.put(GETARTIFACT, new GetArtifactAction());
-		
-		instance = new SAML1Protocol();
-	}
-
-	private static SAML1Protocol instance = null;
-
-	public static SAML1Protocol getInstance() {
-		if (instance == null) {
-			instance = new SAML1Protocol();
-		}
-		return instance;
-	}
-
 	public String getName() {
 		return NAME;
 	}
@@ -98,16 +88,29 @@ public class SAML1Protocol extends MOAIDAuthConstants implements IModulInfo {
 		return PATH;
 	}
 
-	public IRequest preProcess(HttpServletRequest request,
-			HttpServletResponse response, String action,
-			String sessionId, String transactionId) throws MOAIDException {
-		SAML1RequestImpl config = new SAML1RequestImpl(request);
-		
+	
+	@RequestMapping(value = "/StartAuthentication", method = {RequestMethod.POST, RequestMethod.GET})
+	public void PVPMetadataRequest(HttpServletRequest req, HttpServletResponse resp) throws MOAIDException, IOException {		
 		if (!AuthConfigurationProviderFactory.getInstance().getAllowedProtocols().isSAML1Active()) {
 			Logger.info("SAML1 is deaktivated!");
 			throw new ProtocolNotActiveException("auth.22", new Object[] { "SAML 1" });
 			
 		}
+		
+		SAML1RequestImpl pendingRequest = new SAML1RequestImpl(req);
+		pendingRequest.setModule(NAME);
+	
+		//preProcess SAML1 Request
+		preProcess(req, resp, pendingRequest);
+			
+		performAuthentication(req, resp, pendingRequest);
+		return;
+				
+	}
+	
+	
+	public void preProcess(HttpServletRequest request,
+			HttpServletResponse response, SAML1RequestImpl pendingRequest) throws MOAIDException {
 			
 		String oaURL = (String) request.getParameter(PARAM_OA);
 		//oaURL = StringEscapeUtils.escapeHtml(oaURL);
@@ -135,7 +138,7 @@ public class SAML1Protocol extends MOAIDAuthConstants implements IModulInfo {
 			throw new WrongParametersException("StartAuthentication", PARAM_OA,
 					"auth.12");
 		
-		config.setOAURL(oaURL);
+		pendingRequest.setOAURL(oaURL);
 		
 		Logger.info("Dispatch SAML1 Request: OAURL=" + oaURL);
 		
@@ -157,19 +160,23 @@ public class SAML1Protocol extends MOAIDAuthConstants implements IModulInfo {
 			throw new InvalidProtocolRequestException("auth.00",
 					new Object[] { null });
 		}
-		config.setOnlineApplicationConfiguration(oaParam);
-		config.setSourceID(sourceID);
+		pendingRequest.setOnlineApplicationConfiguration(oaParam);
+		pendingRequest.setSourceID(sourceID);
 		
-		MOAReversionLogger.getInstance().logEvent(sessionId, transactionId, MOAIDEventConstants.AUTHPROTOCOL_SAML1_AUTHNREQUEST);
+		revisionsLogger.logEvent(pendingRequest, MOAIDEventConstants.AUTHPROTOCOL_SAML1_AUTHNREQUEST);
 		
 		if (MiscUtil.isNotEmpty(target))
-			config.setTarget(target);
+			pendingRequest.setGenericDataToSession(REQ_DATA_TARGET, target);
 		
 		else
-			config.setTarget(oaParam.getTarget());
-			
-				
-		return config;
+			pendingRequest.setGenericDataToSession(REQ_DATA_TARGET, oaParam.getTarget());
+
+		//AuthnRequest needs authentication
+		pendingRequest.setNeedAuthentication(true);
+
+		//set protocol action, which should be executed after authentication
+		pendingRequest.setAction(AuthenticationAction.class.getName());
+						
 	}
 
 	public boolean generateErrorMessage(Throwable e,
@@ -181,9 +188,8 @@ public class SAML1Protocol extends MOAIDAuthConstants implements IModulInfo {
 		if (!oa.getSAML1Parameter().isProvideAllErrors())
 			return false;
 		
-		else {
-			SAML1AuthenticationServer saml1authentication = SAML1AuthenticationServer.getInstace();			
-			String samlArtifactBase64 = saml1authentication.BuildErrorAssertion(e, protocolRequest);
+		else {	
+			String samlArtifactBase64 = saml1AuthServer.BuildErrorAssertion(e, protocolRequest);
 		
 			String url = protocolRequest.getAuthURL() + "/RedirectServlet";
 			url = addURLParameter(url, RedirectServlet.REDIRCT_PARAM_URL, URLEncoder.encode(protocolRequest.getOAURL(), "UTF-8"));
@@ -199,15 +205,6 @@ public class SAML1Protocol extends MOAIDAuthConstants implements IModulInfo {
 		}
 	}
 
-	public IAction getAction(String action) {
-		return actions.get(action);
-	}
-
-	public IAction canHandleRequest(HttpServletRequest request,
-			HttpServletResponse response) {
-		return null;
-	}
-
 	public boolean validate(HttpServletRequest request,
 			HttpServletResponse response, IRequest pending) {
 		
diff --git a/id/server/modules/module-monitoring/src/main/java/at/gv/egovernment/moa/id/auth/servlet/MonitoringServlet.java b/id/server/modules/module-monitoring/src/main/java/at/gv/egovernment/moa/id/auth/servlet/MonitoringServlet.java
index a7d7b9759..4e5bed97c 100644
--- a/id/server/modules/module-monitoring/src/main/java/at/gv/egovernment/moa/id/auth/servlet/MonitoringServlet.java
+++ b/id/server/modules/module-monitoring/src/main/java/at/gv/egovernment/moa/id/auth/servlet/MonitoringServlet.java
@@ -28,35 +28,38 @@ import java.util.Arrays;
 import java.util.List;
 
 import javax.servlet.ServletException;
-import javax.servlet.annotation.WebServlet;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+
 import at.gv.egovernment.moa.id.config.ConfigurationException;
 import at.gv.egovernment.moa.id.config.auth.AuthConfiguration;
-import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
 import at.gv.egovernment.moa.id.monitoring.TestManager;
 import at.gv.egovernment.moa.logging.Logger;
 import at.gv.egovernment.moa.util.MiscUtil;
 
-@WebServlet(name = "MonitoringServlet", value = "/MonitoringServlet")
-public class MonitoringServlet extends AuthServlet {
+@Controller
+public class MonitoringServlet {
 
-	private static final long serialVersionUID = 1L;
 	private static final String REQUEST_ATTR_MODULE = "module";
 	
+	@Autowired private AuthConfiguration authConfig;
+	
 	  public MonitoringServlet() {
 		super();
 		Logger.debug("Registering servlet " + getClass().getName() + " with mapping '/MonitoringServlet'.");
 	}
 
-	protected void doGet(HttpServletRequest req, HttpServletResponse resp)
+	@RequestMapping(value = "/MonitoringServlet", method = RequestMethod.GET)
+	public void getStatusInformation(HttpServletRequest req, HttpServletResponse resp)
 			    throws ServletException, IOException {
 		  
-		  try {
-			AuthConfiguration config = AuthConfigurationProviderFactory.getInstance();
-			
-			if (config.isMonitoringActive()) {
+		  try {			
+			if (authConfig.isMonitoringActive()) {
 				Logger.debug("Monitoring Servlet received request");
 
 				TestManager tests = TestManager.getInstance();
@@ -71,7 +74,7 @@ public class MonitoringServlet extends AuthServlet {
 					} else {
 						resp.setStatus(HttpServletResponse.SC_OK);
 						resp.setContentType("text/html;charset=UTF-8");
-						resp.getWriter().write(getHtml(config.getMonitoringMessageSuccess()));
+						resp.getWriter().write(getHtml(authConfig.getMonitoringMessageSuccess()));
 						Logger.info("Monitoring Servlet finished without errors");
 					}
 					
@@ -84,7 +87,7 @@ public class MonitoringServlet extends AuthServlet {
 						} else {
 							resp.setStatus(HttpServletResponse.SC_OK);
 							resp.setContentType("text/html;charset=UTF-8");
-							resp.getWriter().write(getHtml(config.getMonitoringMessageSuccess()));
+							resp.getWriter().write(getHtml(authConfig.getMonitoringMessageSuccess()));
 							Logger.info("Monitoring Servlet finished without errors");
 						}
 						
-- 
cgit v1.2.3