From 576f5ea5cfaf2ea174f198dc5df238c1ca0c331a Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Thu, 10 Mar 2016 15:35:48 +0100
Subject: MOA-ID, which use MOA-Sig (includes new IAIK-MOA, with iaik_xect,
 iaik_eccelerate, and new iaik_PKI module

---
 .../moa-id-modul-citizencard_authentication/pom.xml      |  7 +++++++
 .../gv/egovernment/moa/id/auth/AuthenticationServer.java |  2 +-
 .../validator/VerifyXMLSignatureResponseValidator.java   | 16 +++++++---------
 id/server/modules/moa-id-modules-saml1/pom.xml           |  7 +++++++
 4 files changed, 22 insertions(+), 10 deletions(-)

(limited to 'id/server/modules')

diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/pom.xml b/id/server/modules/moa-id-modul-citizencard_authentication/pom.xml
index f2403a62e..e5b38f9b6 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/pom.xml
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/pom.xml
@@ -22,6 +22,13 @@
   		<type>test-jar</type>
   	</dependency>
   	
+  	<dependency>
+			<groupId>iaik.prod</groupId>
+			<artifactId>iaik_ixsil</artifactId>
+			<version>1.2.2.5</version>
+			<scope>test</scope>
+		</dependency> 
+  	
   	<dependency>
 			<groupId>MOA.id.server</groupId>
 			<artifactId>moa-id-commons</artifactId>
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
index 21e7f2027..40f203bfd 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
@@ -64,7 +64,6 @@ import at.gv.egovernment.moa.id.data.MISMandate;
 import at.gv.egovernment.moa.id.moduls.IRequest;
 import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
 import at.gv.egovernment.moa.id.util.XMLUtil;
-import at.gv.egovernment.moa.logging.LogMsg;
 import at.gv.egovernment.moa.logging.Logger;
 import at.gv.egovernment.moa.util.Constants;
 import at.gv.egovernment.moa.util.DOMUtils;
@@ -72,6 +71,7 @@ import at.gv.egovernment.moa.util.DateTimeUtils;
 import at.gv.egovernment.moa.util.FileUtils;
 import at.gv.egovernment.moa.util.MiscUtil;
 import at.gv.egovernment.moa.util.StringUtils;
+import at.gv.egovernment.moaspss.logging.LogMsg;
 import iaik.asn1.ObjectID;
 import iaik.x509.X509Certificate;
 import iaik.x509.X509ExtensionInitException;
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java
index ac528c89d..0597df622 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java
@@ -46,13 +46,6 @@
 
 package at.gv.egovernment.moa.id.auth.validator;
 
-import iaik.asn1.ObjectID;
-import iaik.asn1.structures.Name;
-import iaik.security.ecc.ecdsa.ECPublicKey;
-import iaik.utils.RFC2253NameParserException;
-import iaik.x509.X509Certificate;
-import iaik.x509.X509ExtensionInitException;
-
 import java.security.InvalidKeyException;
 import java.security.PublicKey;
 import java.security.interfaces.RSAPublicKey;
@@ -70,6 +63,11 @@ import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
 import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters;
 import at.gv.egovernment.moa.id.util.MOAIDMessageProvider;
 import at.gv.egovernment.moa.logging.Logger;
+import iaik.asn1.structures.Name;
+import iaik.security.ec.common.ECPublicKey;
+import iaik.utils.RFC2253NameParserException;
+import iaik.x509.X509Certificate;
+import iaik.x509.X509ExtensionInitException;
 
 /**
  * This class is used to validate an {@link VerifyXMLSignatureResponse} 
@@ -268,9 +266,9 @@ public class VerifyXMLSignatureResponseValidator {
       
       //compare ECDSAPublicKeys
       if( ( (idl.getPublicKey()[i] instanceof java.security.interfaces.ECPublicKey) || 
-    		  (idl.getPublicKey()[i] instanceof iaik.security.ecc.ecdsa.ECPublicKey)) && 
+    		  (idl.getPublicKey()[i] instanceof ECPublicKey)) && 
          ( (pubKeySignature instanceof java.security.interfaces.ECPublicKey) || 
-        		(pubKeySignature instanceof iaik.security.ecc.ecdsa.ECPublicKey) ) ) {
+        		(pubKeySignature instanceof ECPublicKey) ) ) {
 
 		try {
 			ECPublicKey ecdsaPubKeySignature = new ECPublicKey(pubKeySignature.getEncoded());
diff --git a/id/server/modules/moa-id-modules-saml1/pom.xml b/id/server/modules/moa-id-modules-saml1/pom.xml
index f19802a01..f54c24499 100644
--- a/id/server/modules/moa-id-modules-saml1/pom.xml
+++ b/id/server/modules/moa-id-modules-saml1/pom.xml
@@ -25,6 +25,13 @@
   		<type>test-jar</type>
   	</dependency>
 
+  	<dependency>
+			<groupId>MOA.id.server</groupId>
+			<artifactId>moa-id-commons</artifactId>
+			<type>test-jar</type>
+			<scope>test</scope>
+		</dependency>
+
   	<dependency>
   		<groupId>MOA.id.server</groupId>
   		<artifactId>moa-id-lib</artifactId>
-- 
cgit v1.2.3


From 4b932484d66ef161bb547a419fdc32f04677fe57 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Thu, 7 Apr 2016 10:44:11 +0200
Subject: fix some possible problems with STORK configuration in config-GUI

---
 .../gv/egovernment/moa/id/auth/AuthenticationServer.java   | 14 ++++++++------
 .../ssotransfer/data/SSOTransferAuthenticationData.java    |  5 +++--
 2 files changed, 11 insertions(+), 8 deletions(-)

(limited to 'id/server/modules')

diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
index 7122c6577..f5000581c 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
@@ -167,12 +167,14 @@ public class AuthenticationServer extends BaseAuthenticationServer {
 		}
 
 		String infoboxReadRequest = "";
-		if (pendingReq.needSingleSignOnFunctionality()) {
-			Logger.info("SSO Login requested");
+		String ssoDomainIdentifier = authConfig.getSSOTagetIdentifier();
+		if (MiscUtil.isNotEmpty(ssoDomainIdentifier) && 
+				pendingReq.needSingleSignOnFunctionality()) {
+			Logger.debug("SSO Login requested");
 			//load identityLink with SSO Target
 			boolean isbuisness = false;
-			String domainIdentifier = authConfig.getSSOTagetIdentifier().trim();
-			if (domainIdentifier.startsWith(PREFIX_WPBK)) {
+			
+			if (ssoDomainIdentifier.startsWith(PREFIX_WPBK)) {
 				isbuisness = true;
 
 			} else {
@@ -182,10 +184,10 @@ public class AuthenticationServer extends BaseAuthenticationServer {
 
 			//build ReadInfobox request
 			infoboxReadRequest = new InfoboxReadRequestBuilder().build(
-					isbuisness, domainIdentifier);
+					isbuisness, ssoDomainIdentifier);
 
 		} else {
-			Logger.info("Non-SSO Login requested");
+			Logger.debug("Non-SSO Login requested or SSO not allowed/possible");
 			//build ReadInfobox request
 			infoboxReadRequest = new InfoboxReadRequestBuilder().build(
 					oaParam.getBusinessService(), oaParam
diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferAuthenticationData.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferAuthenticationData.java
index f9cb4c636..78cbd788d 100644
--- a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferAuthenticationData.java
+++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferAuthenticationData.java
@@ -49,8 +49,9 @@ public class SSOTransferAuthenticationData implements IAuthData {
 	
 	public SSOTransferAuthenticationData(AuthConfiguration authConfig, AuthenticationSession authSession) throws ConfigurationException {
 		this.authSession = authSession;
-		String domainIdentifier = authConfig.getSSOTagetIdentifier().trim();
-		isIDPPrivateService = domainIdentifier.startsWith(MOAIDAuthConstants.PREFIX_WPBK);
+		String domainIdentifier = authConfig.getSSOTagetIdentifier();
+		if (domainIdentifier != null)
+			isIDPPrivateService = domainIdentifier.startsWith(MOAIDAuthConstants.PREFIX_WPBK);
 		
 	}
 	
-- 
cgit v1.2.3


From 19cbabff11dd919e40eaef5e8eb50d4e35c7421f Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Fri, 8 Apr 2016 09:53:57 +0200
Subject: fix typo in redirectTarget parameter

---
 .../gv/egovernment/moa/id/auth/builder/GetIdentityLinkFormBuilder.java  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'id/server/modules')

diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/builder/GetIdentityLinkFormBuilder.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/builder/GetIdentityLinkFormBuilder.java
index 18495381e..ef81af94b 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/builder/GetIdentityLinkFormBuilder.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/builder/GetIdentityLinkFormBuilder.java
@@ -174,7 +174,7 @@ public class GetIdentityLinkFormBuilder extends Builder {
 		htmlForm = replaceTag(htmlForm, COLOR_TAG, FormBuildUtils.getDefaultMap().get(FormBuildUtils.PARAM_MAIN_BACKGROUNDCOLOR), false, ALL);
     	
    	//set redirect target
-   	if (oaParam != null && MiscUtil.isNotEmpty(oaParam.getConfigurationValue(oaParam.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_CUSTOMIZATION_APPLETREDIRECTTARGET))))
+   	if (oaParam != null && MiscUtil.isNotEmpty(oaParam.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_CUSTOMIZATION_APPLETREDIRECTTARGET)))
    		htmlForm = replaceTag(htmlForm, REDIRECTTARGETTAG, 
    				oaParam.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_CUSTOMIZATION_APPLETREDIRECTTARGET), false, ALL);
    	else
-- 
cgit v1.2.3


From 4790e826491e753882a6da8b414db1ab34924620 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Fri, 8 Apr 2016 13:41:52 +0200
Subject: some Update of ELGA MandateService client implementation

---
 .../tasks/ReceiveElgaMandateResponseTask.java      | 23 +++++++++++++---------
 .../elgamandates/tasks/RequestELGAMandateTask.java | 20 +++++++++++++++++--
 2 files changed, 32 insertions(+), 11 deletions(-)

(limited to 'id/server/modules')

diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/ReceiveElgaMandateResponseTask.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/ReceiveElgaMandateResponseTask.java
index 5604b7640..07bde7762 100644
--- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/ReceiveElgaMandateResponseTask.java
+++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/ReceiveElgaMandateResponseTask.java
@@ -149,16 +149,21 @@ public class ReceiveElgaMandateResponseTask extends AbstractAuthServletTask {
 			//load MOASession object
 			defaultTaskInitialization(request, executionContext);
 			
+
+			/**
+			 * Mandate Reference-Value is generated from ELGA MandateServie  -->
+			 * MOA-ID generated reference value is not equal to reference-value from ELGA MandateService
+			 * But MOA-ID refernece-value is also validated in 'inResponseTo' attribute from ELGA MandateService response
+			 */
 			//validate receive mandate reference-value
-			//TODO: update if ReferenceValue Discussion is finished
-			String responseRefValue = extractor.getSingleAttributeValue(PVPConstants.MANDATE_REFERENCE_VALUE_NAME); 
-			if (!moasession.getMandateReferenceValue().equals(responseRefValue)) {
-				Logger.warn("PVP Response from ELGA mandate-service contains a not valid MandateReferenceValue.");
-				throw new AssertionValidationExeption("sp.pvp2.07", 
-						new Object[]{ELGAMandatesAuthConstants.MODULE_NAME_FOR_LOGGING,
-								PVPConstants.MANDATE_REFERENCE_VALUE_FRIENDLY_NAME});
-				
-			}
+//			String responseRefValue = extractor.getSingleAttributeValue(PVPConstants.MANDATE_REFERENCE_VALUE_NAME); 
+//			if (!moasession.getMandateReferenceValue().equals(responseRefValue)) {
+//				Logger.warn("PVP Response from ELGA mandate-service contains a not valid MandateReferenceValue.");
+//				throw new AssertionValidationExeption("sp.pvp2.07", 
+//						new Object[]{ELGAMandatesAuthConstants.MODULE_NAME_FOR_LOGGING,
+//								PVPConstants.MANDATE_REFERENCE_VALUE_FRIENDLY_NAME});
+//				
+//			}
 			
 			Logger.debug("Validation of PVP Response from ELGA mandate-service is complete.");
 			
diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/RequestELGAMandateTask.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/RequestELGAMandateTask.java
index 6a7858575..fd918c7f4 100644
--- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/RequestELGAMandateTask.java
+++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/RequestELGAMandateTask.java
@@ -150,9 +150,25 @@ public class RequestELGAMandateTask extends AbstractAuthServletTask {
 				}								
 			}
 			
+			//build subjectNameID with bPK-Type Prefix
+			String bPKPrefix = null;
+			if (configTarget.startsWith(Constants.URN_PREFIX_WBPK))
+				bPKPrefix = configTarget.substring((Constants.URN_PREFIX_WBPK + "+").length());
+			
+			else if (configTarget.startsWith(Constants.URN_PREFIX_CDID)) 
+				bPKPrefix = configTarget.substring((Constants.URN_PREFIX_CDID + "+").length());
+			
+			if (bPKPrefix == null) {
+				throw new MOAIDException("service.10", 
+						new Object[]{ELGAMandatesAuthConstants.MODULE_NAME_FOR_LOGGING, "Configurated bPK-Type is wrong."});
+				
+			}
+			
 			//set bPK of representative as SAML2 subjectNameID
-			authnReqConfig.setSubjectNameID(representativeBPK );
-			authnReqConfig.setSubjectNameIDQualifier(configTarget);
+			authnReqConfig.setSubjectNameID(bPKPrefix + ":" + representativeBPK );
+
+			//is not recommended from ELGA
+			//authnReqConfig.setSubjectNameIDQualifier(configTarget);
 			
 			//set MandateReferenceValue as RequestID
 			authnReqConfig.setRequestID(moasession.getMandateReferenceValue());
-- 
cgit v1.2.3


From dbb7e7d21f318f5969521a1e3986101218b2b766 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Mon, 9 May 2016 09:45:59 +0200
Subject: update Struts to 2.3.28.1
 (https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3081) switch
 MOA-ID Version to 3.1.1

---
 id/server/modules/moa-id-module-openID/pom.xml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'id/server/modules')

diff --git a/id/server/modules/moa-id-module-openID/pom.xml b/id/server/modules/moa-id-module-openID/pom.xml
index 4684c8032..2bd3b6b4f 100644
--- a/id/server/modules/moa-id-module-openID/pom.xml
+++ b/id/server/modules/moa-id-module-openID/pom.xml
@@ -41,13 +41,13 @@
 		<dependency>
 			<groupId>com.google.http-client</groupId>
 			<artifactId>google-http-client-jackson2</artifactId>
-			<version>1.21.0</version>
+			<version>1.22.0</version>
 			<scope>test</scope>
 		</dependency>
 		<dependency>
 			<groupId>com.google.oauth-client</groupId>
 			<artifactId>google-oauth-client-jetty</artifactId>
-			<version>1.21.0</version>
+			<version>1.22.0</version>
 			<scope>test</scope>
 			<exclusions>
 				<exclusion>
-- 
cgit v1.2.3


From c3e07d7fb87b2d132ffc838e4878b9479da361a7 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Mon, 9 May 2016 16:06:56 +0200
Subject: fix ContentType typo, which make problems with IE11 in some cases

---
 .../modules/internal/tasks/CreateIdentityLinkFormTask.java |  6 ++++--
 .../egovernment/moa/id/util/CitizenCardServletUtils.java   |  6 ++++--
 .../auth/modules/eidas/tasks/GenerateAuthnRequestTask.java |  6 ++++--
 .../controller/ELGAMandateMetadataController.java          |  4 +++-
 .../modules/ssotransfer/task/RestoreSSOSessionTask.java    |  3 ++-
 .../controller/FederatedAuthMetadataController.java        |  4 +++-
 .../id/protocols/saml1/GetAuthenticationDataService.java   | 14 ++++++++------
 7 files changed, 28 insertions(+), 15 deletions(-)

(limited to 'id/server/modules')

diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/CreateIdentityLinkFormTask.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/CreateIdentityLinkFormTask.java
index e82aa8fbb..e47aff83b 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/CreateIdentityLinkFormTask.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/CreateIdentityLinkFormTask.java
@@ -10,6 +10,8 @@ import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.stereotype.Component;
 
+import com.google.common.net.MediaType;
+
 import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
 import at.gv.egovernment.moa.id.advancedlogging.TransactionIDUtils;
 import at.gv.egovernment.moa.id.auth.AuthenticationServer;
@@ -75,9 +77,9 @@ public class CreateIdentityLinkFormTask extends AbstractAuthServletTask {
 						pendingReq, MOAIDEventConstants.AUTHPROCESS_MANDATES_REQUESTED);			
 				revisionsLogger.logEvent(pendingReq.getOnlineApplicationConfiguration(), 
 					pendingReq, MOAIDEventConstants.AUTHPROCESS_BKU_URL, moasession.getBkuURL());
-			
+				     				
 			if (!StringUtils.isEmpty(getIdentityLinkForm)) {
-				resp.setContentType("text/html;charset=UTF-8");
+				resp.setContentType(MediaType.HTML_UTF_8.toString());
 				PrintWriter out = new PrintWriter(resp.getOutputStream());
 				out.print(getIdentityLinkForm);
 				out.flush();
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/util/CitizenCardServletUtils.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/util/CitizenCardServletUtils.java
index 2a8d26566..9fbdf5cd7 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/util/CitizenCardServletUtils.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/util/CitizenCardServletUtils.java
@@ -55,6 +55,8 @@ import java.net.URLEncoder;
 
 import javax.servlet.http.HttpServletResponse;
 
+import com.google.common.net.MediaType;
+
 import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder;
 import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
 import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
@@ -91,7 +93,7 @@ public class CitizenCardServletUtils extends ServletUtils{
       resp.addHeader("Location", dataURL);
       
       //TODO test impact of explicit setting charset with older versions of BKUs (HotSign)
-      resp.setContentType("text/xml;charset=UTF-8");
+      resp.setContentType(MediaType.XML_UTF_8.toString());
       
       OutputStream out = resp.getOutputStream();
       out.write(createXMLSignatureRequestOrRedirect.getBytes("UTF-8"));
@@ -127,7 +129,7 @@ public class CitizenCardServletUtils extends ServletUtils{
       resp.addHeader("Location", dataURL);
       
       //TODO test impact of explicit setting charset with older versions of BKUs (HotSign)
-      resp.setContentType("text/xml;charset=UTF-8");
+      resp.setContentType(MediaType.XML_UTF_8.toString());
             
       OutputStream out = resp.getOutputStream();
       out.write(createXMLSignatureRequestOrRedirect.getBytes("UTF-8"));
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java
index c82636a8f..30c206025 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java
@@ -35,6 +35,8 @@ import org.apache.velocity.VelocityContext;
 import org.apache.velocity.app.VelocityEngine;
 import org.springframework.stereotype.Component;
 
+import com.google.common.net.MediaType;
+
 import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
 import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
 import at.gv.egovernment.moa.id.auth.frontend.velocity.VelocityProvider;
@@ -176,8 +178,8 @@ public class GenerateAuthnRequestTask extends AbstractAuthServletTask {
 	            Logger.debug("Template merge done");
 
 	            Logger.debug("Sending html content: " + writer.getBuffer().toString());
-
-	            response.setContentType("text/html;charset=UTF-8");
+	            
+	            response.setContentType(MediaType.HTML_UTF_8.toString());
 	            response.getOutputStream().write(writer.getBuffer().toString().getBytes("UTF-8"));
 
 	            revisionsLogger.logEvent(oaConfig, pendingReq, 
diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/controller/ELGAMandateMetadataController.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/controller/ELGAMandateMetadataController.java
index 29bc5ee12..5720e4827 100644
--- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/controller/ELGAMandateMetadataController.java
+++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/controller/ELGAMandateMetadataController.java
@@ -32,6 +32,8 @@ import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 
+import com.google.common.net.MediaType;
+
 import at.gv.egovernment.moa.id.auth.modules.elgamandates.ELGAMandatesAuthConstants;
 import at.gv.egovernment.moa.id.auth.modules.elgamandates.config.ELGAMandatesMetadataConfiguration;
 import at.gv.egovernment.moa.id.auth.modules.elgamandates.utils.ELGAMandatesCredentialProvider;
@@ -80,7 +82,7 @@ public class ELGAMandateMetadataController extends AbstractController {
 				String xmlMetadata = metadatabuilder.buildPVPMetadata(metadataConfig);
 				
 				//write response
-				resp.setContentType("text/xml");
+				resp.setContentType(MediaType.XML_UTF_8.toString());
 				resp.getOutputStream().write(xmlMetadata.getBytes("UTF-8"));
 				resp.getOutputStream().close();
 
diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/task/RestoreSSOSessionTask.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/task/RestoreSSOSessionTask.java
index dd133e4fb..003ce8c21 100644
--- a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/task/RestoreSSOSessionTask.java
+++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/task/RestoreSSOSessionTask.java
@@ -39,6 +39,7 @@ import org.opensaml.saml2.core.Response;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;
 
+import com.google.common.net.MediaType;
 import com.google.gson.JsonObject;
 import com.google.gson.JsonParser;
 
@@ -216,7 +217,7 @@ public class RestoreSSOSessionTask extends AbstractAuthServletTask {
 		    			SSOTransferConstants.SSOCONTAINER_KEY_STATUS, 
 		    			"OK");
 		    	response.setStatus(HttpServletResponse.SC_OK);
-		    	response.setContentType("text/html;charset=UTF-8");
+		    	response.setContentType(MediaType.HTML_UTF_8.toString());
 				PrintWriter out = new PrintWriter(response.getOutputStream()); 
 				out.print(responseMsg.toString());
 				out.flush();
diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/controller/FederatedAuthMetadataController.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/controller/FederatedAuthMetadataController.java
index 98240a636..02356d74a 100644
--- a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/controller/FederatedAuthMetadataController.java
+++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/controller/FederatedAuthMetadataController.java
@@ -32,6 +32,8 @@ import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 
+import com.google.common.net.MediaType;
+
 import at.gv.egovernment.moa.id.auth.modules.federatedauth.FederatedAuthConstants;
 import at.gv.egovernment.moa.id.auth.modules.federatedauth.config.FederatedAuthMetadataConfiguration;
 import at.gv.egovernment.moa.id.auth.modules.federatedauth.utils.FederatedAuthCredentialProvider;
@@ -80,7 +82,7 @@ public class FederatedAuthMetadataController extends AbstractController {
 				String xmlMetadata = metadatabuilder.buildPVPMetadata(metadataConfig);
 				
 				//write response
-				resp.setContentType("text/xml");
+				resp.setContentType(MediaType.XML_UTF_8.toString());
 				resp.getOutputStream().write(xmlMetadata.getBytes("UTF-8"));
 				resp.getOutputStream().close();
 
diff --git a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetAuthenticationDataService.java b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetAuthenticationDataService.java
index b01ea666d..f00358d02 100644
--- a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetAuthenticationDataService.java
+++ b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetAuthenticationDataService.java
@@ -69,6 +69,8 @@ import org.w3c.dom.Element;
 import org.w3c.dom.NodeList;
 import org.xml.sax.SAXException;
 
+import com.google.common.net.MediaType;
+
 import at.gv.egovernment.moa.id.auth.builder.SAMLResponseBuilder;
 import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
 import at.gv.egovernment.moa.id.auth.frontend.velocity.VelocityProvider;
@@ -136,13 +138,13 @@ public class GetAuthenticationDataService extends AbstractController implements
 		    
 			String respString = DOMUtils.serializeNode(soapResp, true);
 			
-			resp.setContentType("text/xml;charset=UTF-8");
+			resp.setContentType(MediaType.XML_UTF_8.toString());
 			context.put(CONTEXT_SOAP_ASSERTION, respString);
 			evaluateTemplate(context, resp, TEMPLATE_SOAP_SUCCESS);
 						
 		} catch (ParserConfigurationException | SAXException | IOException | TransformerException e) {
 			Logger.error("SAML1 GetAuthenticationData receive a non-valid request.", e);
-			resp.setContentType("text/xml;charset=UTF-8");
+			resp.setContentType(MediaType.XML_UTF_8.toString());
 					
 			context.put(CONTEXT_SOAP_ISSUEINSTANT, DateTimeUtils.buildDateTimeUTC(Calendar.getInstance()));
 			context.put(CONTEXT_SOAP_RESPONSEID, Random.nextRandom());
@@ -153,7 +155,7 @@ public class GetAuthenticationDataService extends AbstractController implements
 			
 		} catch (SAML1AssertionResponseBuildException e) {
 			Logger.error("SAML1 GetAuthenticationData response build failed..", e);
-			resp.setContentType("text/xml;charset=UTF-8");
+			resp.setContentType(MediaType.XML_UTF_8.toString());
 			
 			context.put(CONTEXT_SOAP_ISSUEINSTANT, e.getIssueInstant());
 			context.put(CONTEXT_SOAP_REQUESTEID, e.getRequestID());
@@ -187,17 +189,17 @@ public class GetAuthenticationDataService extends AbstractController implements
 		
 		if (wsdl_param != null) {
 			//print wsdl
-			resp.setContentType("text/xml;charset=UTF-8");
+			resp.setContentType(MediaType.XML_UTF_8.toString());
 			evaluateTemplate(context, resp, TEMPLATE_WSDL);
 			
 		} else if (xsd_param != null){
 			//print xsd
-			resp.setContentType("text/xml;charset=UTF-8");
+			resp.setContentType(MediaType.XML_UTF_8.toString());
 			evaluateTemplate(context, resp, TEMPLATE_XSD);
 						
 		} else {
 			//print plain info
-			resp.setContentType("text/html;charset=UTF-8");
+			resp.setContentType(MediaType.XML_UTF_8.toString());
 			evaluateTemplate(context, resp, TEMPLATE_PLAIN_INFO);
 			
 		}
-- 
cgit v1.2.3


From d1c1089b4f705fa07181c2cd09ca6e2a9bb68a5c Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Thu, 12 May 2016 15:44:54 +0200
Subject: fix typo in SAML1 getAuthenticationData servlet

---
 id/server/modules/moa-id-modules-saml1/src/main/resources/plain_info.vm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'id/server/modules')

diff --git a/id/server/modules/moa-id-modules-saml1/src/main/resources/plain_info.vm b/id/server/modules/moa-id-modules-saml1/src/main/resources/plain_info.vm
index dfc11820f..858479904 100644
--- a/id/server/modules/moa-id-modules-saml1/src/main/resources/plain_info.vm
+++ b/id/server/modules/moa-id-modules-saml1/src/main/resources/plain_info.vm
@@ -1,6 +1,6 @@
 <html>
 <head>
-<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
+<meta content="text/html; charset=utf-8" http-equiv="Content-Type"/>
 </head>
 <body>
 <h1>GetAuthenticationData</h1>
-- 
cgit v1.2.3


From f315d259b05c0a33461cc79108a726d93bcc2b3a Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Fri, 20 May 2016 10:03:01 +0200
Subject: fix problem with some SAML1 clients to request the SAML1
 GetAuthenticationData SOAP service

---
 .../saml1/GetAuthenticationDataService.java        | 28 +++++++++++++++-------
 1 file changed, 20 insertions(+), 8 deletions(-)

(limited to 'id/server/modules')

diff --git a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetAuthenticationDataService.java b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetAuthenticationDataService.java
index f00358d02..893799b5d 100644
--- a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetAuthenticationDataService.java
+++ b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetAuthenticationDataService.java
@@ -66,6 +66,7 @@ import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.w3c.dom.Element;
+import org.w3c.dom.Node;
 import org.w3c.dom.NodeList;
 import org.xml.sax.SAXException;
 
@@ -124,7 +125,8 @@ public class GetAuthenticationDataService extends AbstractController implements
 	private static final String CONTEXT_SOAP_STATUSCODE = "statusCode";
 	private static final String CONTEXT_SOAP_ASSERTION = "assertion";
 	
-	@RequestMapping(value = "/services/GetAuthenticationData", method = {RequestMethod.POST})
+	@RequestMapping(value = {"/services/GetAuthenticationData", "/services"}, 
+			        method = {RequestMethod.POST})
 	public void getAuthenticationData(HttpServletRequest req, HttpServletResponse resp)
 		    throws IOException {
 		InputStream is = null;
@@ -225,13 +227,23 @@ public class GetAuthenticationDataService extends AbstractController implements
 			}	
 		} 
 		
-		//get first child from body --> should be the SAML1 Request element 
-		Element saml1Req;
-		if (saml1ReqList.item(0).getFirstChild() instanceof Element)
-			saml1Req = (Element) saml1ReqList.item(0).getFirstChild();
-			
-		else {
-			throw new SAXException("First child of 'soap-env:Body' element has a wrong type.");
+		//get the first child from body which is of type Element (SAML1 Request element) 
+		Element saml1Req = null;
+		
+		Node reqObj = saml1ReqList.item(0).getFirstChild();
+		while (reqObj != null) {
+			if (reqObj instanceof Element) {
+				saml1Req = (Element) reqObj;
+				break;
+				
+			} else {
+				reqObj = reqObj.getNextSibling();
+				
+			}			
+		}
+		
+		if (saml1Req == null) {
+			throw new SAXException("Every child of 'soap-env:Body' element has a wrong type.");
 				
 		}
 
-- 
cgit v1.2.3


From 8778f159556fab8853eac6e9c97e659973be0d78 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Tue, 21 Jun 2016 11:23:31 +0200
Subject: refactor metadataprovider to Spring implementation

---
 .../engine/MOAeIDASChainingMetadataProvider.java   | 58 +++++++++++++++-------
 .../eidas/tasks/GenerateAuthnRequestTask.java      |  6 ++-
 .../eidas/tasks/ReceiveAuthnResponseTask.java      |  6 ++-
 .../auth/modules/eidas/utils/SAMLEngineUtils.java  |  4 +-
 .../moa/id/protocols/eidas/EIDASData.java          |  3 +-
 .../moa/id/protocols/eidas/EIDASProtocol.java      | 11 ++--
 .../id/protocols/eidas/EidasMetaDataRequest.java   |  6 ++-
 .../eidas/eIDASAuthenticationRequest.java          |  5 +-
 .../src/main/resources/moaid_eidas_auth.beans.xml  |  3 ++
 .../utils/ELGAMandateServiceMetadataProvider.java  | 23 ++++++++-
 .../oauth20/protocol/OAuth20AuthRequest.java       |  3 +-
 .../oauth20/protocol/OAuth20TokenRequest.java      |  3 +-
 .../tasks/CreateAuthnRequestTask.java              |  4 +-
 .../tasks/ReceiveAuthnResponseTask.java            | 10 ++--
 .../moa/id/protocols/saml1/SAML1RequestImpl.java   |  3 +-
 15 files changed, 107 insertions(+), 41 deletions(-)

(limited to 'id/server/modules')

diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java
index 80a2734f2..f062ad3c2 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java
@@ -25,14 +25,15 @@ import org.opensaml.saml2.metadata.provider.MetadataProvider;
 import org.opensaml.saml2.metadata.provider.MetadataProviderException;
 import org.opensaml.saml2.metadata.provider.ObservableMetadataProvider;
 import org.opensaml.xml.XMLObject;
+import org.springframework.stereotype.Service;
 
+import at.gv.egovernment.moa.id.auth.IDestroyableObject;
+import at.gv.egovernment.moa.id.auth.IGarbageCollectorProcessing;
 import at.gv.egovernment.moa.id.auth.modules.eidas.Constants;
 import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
 import at.gv.egovernment.moa.id.commons.ex.MOAHttpProtocolSocketFactoryException;
 import at.gv.egovernment.moa.id.commons.utils.MOAHttpProtocolSocketFactory;
 import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
-import at.gv.egovernment.moa.id.config.auth.IGarbageCollectorProcessing;
-import at.gv.egovernment.moa.id.config.auth.MOAGarbageCollector;
 import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SchemaValidationException;
 import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SignatureValidationException;
 import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.MOASPMetadataSignatureFilter;
@@ -41,34 +42,56 @@ import at.gv.egovernment.moa.logging.Logger;
 import at.gv.egovernment.moa.util.MiscUtil;
 import eu.eidas.auth.engine.AbstractSAMLEngine;
 
-public class MOAeIDASChainingMetadataProvider implements ObservableMetadataProvider, IGarbageCollectorProcessing {
+@Service("eIDASMetadataProvider")
+public class MOAeIDASChainingMetadataProvider implements ObservableMetadataProvider, 
+	IGarbageCollectorProcessing, IDestroyableObject {
 
-	private static MOAeIDASChainingMetadataProvider instance = null;
+//	private static MOAeIDASChainingMetadataProvider instance = null;
 	private static Object mutex = new Object();
 	
 	private MetadataProvider internalProvider;
 	private Map<String, Date> lastAccess = null;
 	
 	
-	public static MOAeIDASChainingMetadataProvider getInstance() {
-		if (instance == null) {
-			synchronized (mutex) {
-				if (instance == null) {
-					instance = new MOAeIDASChainingMetadataProvider();
-					MOAGarbageCollector.addModulForGarbageCollection(instance);
-				}
-			}
-		}
-		return instance;
-	}
+//	public static MOAeIDASChainingMetadataProvider getInstance() {
+//		if (instance == null) {
+//			synchronized (mutex) {
+//				if (instance == null) {
+//					instance = new MOAeIDASChainingMetadataProvider();
+//					MOAGarbageCollector.addModulForGarbageCollection(instance);
+//				}
+//			}
+//		}
+//		return instance;
+//	}
 	
 	
-	private MOAeIDASChainingMetadataProvider() {
+	public MOAeIDASChainingMetadataProvider() {
 		internalProvider = new ChainingMetadataProvider();
 		lastAccess = new HashMap<String, Date>();
 				
 	}
 	
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.auth.IDestroyableObject#fullyDestroy()
+	 */
+	@Override
+	public void fullyDestroy() {
+		Map<String, HTTPMetadataProvider> loadedproviders = getAllActuallyLoadedProviders();
+		if (loadedproviders != null) {
+			for (Entry<String, HTTPMetadataProvider> el : loadedproviders.entrySet()) {
+				try {
+					el.getValue().destroy();
+					Logger.debug("Destroy eIDAS Matadataprovider: " + el.getKey() + " finished");
+					
+				} catch (Exception e) {
+					Logger.warn("Destroy eIDAS Matadataprovider: " + el.getKey() + " FAILED");
+					
+				}
+			}
+		}		
+	}
+	
 	/* (non-Javadoc)
 	 * @see at.gv.egovernment.moa.id.config.auth.IGarbageCollectorProcessing#runGarbageCollector()
 	 */
@@ -196,7 +219,7 @@ public class MOAeIDASChainingMetadataProvider implements ObservableMetadataProvi
 				}
 			}
 			
-			timer = new Timer();
+			timer = new Timer(true);
 			httpProvider = new HTTPMetadataProvider(timer, httpClient, 
 					metadataURL);
 			httpProvider.setParserPool(AbstractSAMLEngine.getNewBasicSecuredParserPool());
@@ -405,5 +428,4 @@ public class MOAeIDASChainingMetadataProvider implements ObservableMetadataProvi
 			if (observer != null)
 				observer.onEvent(this);
 	}
-
 }
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java
index 30c206025..2f10df540 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java
@@ -33,6 +33,7 @@ import org.apache.commons.lang3.StringUtils;
 import org.apache.velocity.Template;
 import org.apache.velocity.VelocityContext;
 import org.apache.velocity.app.VelocityEngine;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;
 
 import com.google.common.net.MediaType;
@@ -43,6 +44,7 @@ import at.gv.egovernment.moa.id.auth.frontend.velocity.VelocityProvider;
 import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
 import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
 import at.gv.egovernment.moa.id.auth.modules.eidas.Constants;
+import at.gv.egovernment.moa.id.auth.modules.eidas.engine.MOAeIDASChainingMetadataProvider;
 import at.gv.egovernment.moa.id.auth.modules.eidas.exceptions.EIDASEngineException;
 import at.gv.egovernment.moa.id.auth.modules.eidas.utils.SAMLEngineUtils;
 import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
@@ -70,6 +72,8 @@ import eu.eidas.engine.exceptions.EIDASSAMLEngineException;
 @Component("GenerateAuthnRequestTask")
 public class GenerateAuthnRequestTask extends AbstractAuthServletTask {
 
+	@Autowired(required=true) MOAeIDASChainingMetadataProvider eIDASMetadataProvider;
+	
 	/* (non-Javadoc)
 	 * @see at.gv.egovernment.moa.id.process.springweb.MoaIdTask#execute(at.gv.egovernment.moa.id.process.api.ExecutionContext, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)
 	 */
@@ -127,7 +131,7 @@ public class GenerateAuthnRequestTask extends AbstractAuthServletTask {
 				pAttList.add(newAttribute);
 			}
 
-			EIDASSAMLEngine engine = SAMLEngineUtils.createSAMLEngine();
+			EIDASSAMLEngine engine = SAMLEngineUtils.createSAMLEngine(eIDASMetadataProvider);
 
 			//build eIDAS AuthnRequest
 			EIDASAuthnRequest authnRequest = new EIDASAuthnRequest();
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/ReceiveAuthnResponseTask.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/ReceiveAuthnResponseTask.java
index fae06031a..daa4d8b02 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/ReceiveAuthnResponseTask.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/ReceiveAuthnResponseTask.java
@@ -4,6 +4,7 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
 import org.opensaml.saml2.core.StatusCode;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;
 
 import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
@@ -11,6 +12,7 @@ import at.gv.egovernment.moa.id.auth.data.AuthenticationSessionStorageConstants;
 import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
 import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
 import at.gv.egovernment.moa.id.auth.modules.eidas.Constants;
+import at.gv.egovernment.moa.id.auth.modules.eidas.engine.MOAeIDASChainingMetadataProvider;
 import at.gv.egovernment.moa.id.auth.modules.eidas.exceptions.EIDASEngineException;
 import at.gv.egovernment.moa.id.auth.modules.eidas.exceptions.eIDASResponseNotSuccessException;
 import at.gv.egovernment.moa.id.auth.modules.eidas.utils.MOAPersonalAttributeList;
@@ -29,6 +31,8 @@ import eu.eidas.engine.exceptions.EIDASSAMLEngineException;
 @Component("ReceiveAuthnResponseTask")
 public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
 
+	@Autowired(required=true) MOAeIDASChainingMetadataProvider eIDASMetadataProvider;
+	
 	@Override
 	public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response) throws TaskExecutionException {
 
@@ -48,7 +52,7 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
 			byte[] decSamlToken = EIDASUtil.decodeSAMLToken(base64SamlToken);		
 			
 			//get eIDAS SAML-engine
-			EIDASSAMLEngine engine = SAMLEngineUtils.createSAMLEngine();
+			EIDASSAMLEngine engine = SAMLEngineUtils.createSAMLEngine(eIDASMetadataProvider);
 			
 			//validate SAML token
 			EIDASAuthnResponse samlResp = engine.validateEIDASAuthnResponse(decSamlToken, 
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java
index eeb8305cf..68640caf7 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/utils/SAMLEngineUtils.java
@@ -42,7 +42,7 @@ public class SAMLEngineUtils {
 
 	private static EIDASSAMLEngine eIDASEngine = null;
 	
-	public static synchronized EIDASSAMLEngine createSAMLEngine() throws EIDASEngineException{
+	public static synchronized EIDASSAMLEngine createSAMLEngine(MOAeIDASChainingMetadataProvider moaeIDASMetadataProvider) throws EIDASEngineException{
 		
 		if (eIDASEngine == null) {
 			try {
@@ -56,7 +56,7 @@ public class SAMLEngineUtils {
 				//set metadata management to eIDAS SAMLengine
 				engine.setMetadataProcessor(
 						new MOAeIDASMetadataProviderDecorator(
-								MOAeIDASChainingMetadataProvider.getInstance()));
+								moaeIDASMetadataProvider));
 	
 				//set MOA specific extension processor 
 				ExtensionProcessorI extensionProcessor = new MOAeIDAsExtensionProcessor();
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASData.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASData.java
index 563c3a18c..4dffba575 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASData.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASData.java
@@ -2,6 +2,7 @@ package at.gv.egovernment.moa.id.protocols.eidas;
 
 import java.util.Collection;
 
+import org.opensaml.saml2.metadata.provider.MetadataProvider;
 import org.springframework.beans.factory.config.BeanDefinition;
 import org.springframework.context.annotation.Scope;
 import org.springframework.stereotype.Component;
@@ -29,7 +30,7 @@ public class EIDASData extends RequestImpl {
 	private String remoteRelayState;
 
 	@Override
-	public Collection<String> getRequestedAttributes() {
+	public Collection<String> getRequestedAttributes(MetadataProvider metadataProvider) {
 		// TODO Auto-generated method stub
 		return null;
 	}
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java
index 24134f1d9..379a16a96 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java
@@ -34,6 +34,7 @@ import org.apache.velocity.VelocityContext;
 import org.apache.velocity.app.VelocityEngine;
 import org.opensaml.saml2.core.StatusCode;
 import org.opensaml.saml2.metadata.AssertionConsumerService;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.MediaType;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -74,6 +75,8 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController {
     public static final String NAME = EIDASProtocol.class.getName();
     public static final String PATH = "eidas";
 
+    @Autowired(required=true) MOAeIDASChainingMetadataProvider eIDASMetadataProvider;
+    
 	public EIDASProtocol() {
 		super();
 		Logger.debug("Registering servlet " + getClass().getName() + 
@@ -170,7 +173,7 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController {
 
 		try {
 			//get eIDAS SAML-engine
-			EIDASSAMLEngine engine = SAMLEngineUtils.createSAMLEngine();
+			EIDASSAMLEngine engine = SAMLEngineUtils.createSAMLEngine(eIDASMetadataProvider);
 
 			//validate SAML token
 			EIDASAuthnRequest samlReq = engine.validateEIDASAuthnRequest(decSamlToken);
@@ -197,7 +200,7 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController {
 			String reqDestination = samlReq.getDestination();
 			if (MiscUtil.isNotEmpty(reqDestination)) {
 				boolean isValid = false;
-				List<AssertionConsumerService> allowedAssertionConsumerUrl = new MOAeIDASMetadataProviderDecorator(MOAeIDASChainingMetadataProvider.getInstance())
+				List<AssertionConsumerService> allowedAssertionConsumerUrl = new MOAeIDASMetadataProviderDecorator(eIDASMetadataProvider)
 						.getSPSSODescriptor(samlReq.getIssuer()).getAssertionConsumerServices();
 				
 				for (AssertionConsumerService el : allowedAssertionConsumerUrl) {
@@ -279,11 +282,11 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController {
         		}
      		
         		
-        		EIDASSAMLEngine engine = SAMLEngineUtils.createSAMLEngine();
+        		EIDASSAMLEngine engine = SAMLEngineUtils.createSAMLEngine(eIDASMetadataProvider);
         		
         		if(null == eidasReq.getEidasRequest().getAssertionConsumerServiceURL()) {
     				String assertionConsumerUrl = MetadataUtil.getAssertionUrlFromMetadata(
-    						new MOAeIDASMetadataProviderDecorator(MOAeIDASChainingMetadataProvider.getInstance()), 
+    						new MOAeIDASMetadataProviderDecorator(eIDASMetadataProvider), 
     						engine, 
     						eidasReq.getEidasRequest());
     				eidasReq.getEidasRequest().setAssertionConsumerServiceURL(assertionConsumerUrl);
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EidasMetaDataRequest.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EidasMetaDataRequest.java
index b4db5c83d..3fc13406c 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EidasMetaDataRequest.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EidasMetaDataRequest.java
@@ -23,10 +23,12 @@ import javax.servlet.http.HttpServletResponse;
 
 import org.opensaml.saml2.metadata.ContactPerson;
 import org.opensaml.saml2.metadata.Organization;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.MediaType;
 import org.springframework.stereotype.Service;
 
 import at.gv.egovernment.moa.id.auth.modules.eidas.Constants;
+import at.gv.egovernment.moa.id.auth.modules.eidas.engine.MOAeIDASChainingMetadataProvider;
 import at.gv.egovernment.moa.id.auth.modules.eidas.exceptions.EIDASEngineException;
 import at.gv.egovernment.moa.id.auth.modules.eidas.utils.SAMLEngineUtils;
 import at.gv.egovernment.moa.id.commons.api.IRequest;
@@ -50,6 +52,8 @@ import eu.eidas.engine.exceptions.SAMLEngineException;
 @Service("EidasMetaDataRequest")
 public class EidasMetaDataRequest implements IAction {
     
+	@Autowired(required=true) MOAeIDASChainingMetadataProvider eIDASMetadataProvider;
+	
 	/* (non-Javadoc)
 	 * @see at.gv.egovernment.moa.id.moduls.IAction#processRequest(at.gv.egovernment.moa.id.moduls.IRequest, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, at.gv.egovernment.moa.id.data.IAuthData)
 	 */
@@ -103,7 +107,7 @@ public class EidasMetaDataRequest implements IAction {
     public String generateMetadata(String metadata_url, String sp_return_url) throws SAMLEngineException, EIDASEngineException{
         String metadata="invalid metadata";
 
-		EIDASSAMLEngine engine = SAMLEngineUtils.createSAMLEngine();
+		EIDASSAMLEngine engine = SAMLEngineUtils.createSAMLEngine(eIDASMetadataProvider);
         
         MetadataGenerator generator = new MetadataGenerator();
         MetadataConfigParams mcp=new MetadataConfigParams();
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java
index 9943cc5fb..8289e18d2 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java
@@ -68,6 +68,7 @@ import eu.eidas.auth.engine.metadata.MetadataUtil;
 public class eIDASAuthenticationRequest implements IAction {
 
 	@Autowired protected MOAReversionLogger revisionsLogger;
+	@Autowired(required=true) MOAeIDASChainingMetadataProvider eIDASMetadataProvider;
 	
 	@Override
 	public SLOInformationInterface processRequest(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp, IAuthData authData) throws MOAIDException {
@@ -116,7 +117,7 @@ public class eIDASAuthenticationRequest implements IAction {
 		
 		String token = null;
 		try {
-			EIDASSAMLEngine engine = SAMLEngineUtils.createSAMLEngine();
+			EIDASSAMLEngine engine = SAMLEngineUtils.createSAMLEngine(eIDASMetadataProvider);
 			
 			// encryption is done by the SamlEngine, i.e. by the module we provide in the config
 			// but we need to set the appropriate request issuer
@@ -125,7 +126,7 @@ public class eIDASAuthenticationRequest implements IAction {
 
 			if(null == eidasRequest.getEidasRequest().getAssertionConsumerServiceURL()) {
 				String assertionConsumerUrl = MetadataUtil.getAssertionUrlFromMetadata(
-						new MOAeIDASMetadataProviderDecorator(MOAeIDASChainingMetadataProvider.getInstance()), 
+						new MOAeIDASMetadataProviderDecorator(eIDASMetadataProvider), 
 						engine, 
 						eidasRequest.getEidasRequest());
 				eidasRequest.getEidasRequest().setAssertionConsumerServiceURL(assertionConsumerUrl);
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/resources/moaid_eidas_auth.beans.xml b/id/server/modules/moa-id-module-eIDAS/src/main/resources/moaid_eidas_auth.beans.xml
index 5d79d082a..20395f210 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/resources/moaid_eidas_auth.beans.xml
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/resources/moaid_eidas_auth.beans.xml
@@ -14,6 +14,9 @@
 
 	<bean id="EIDASProtocol"
 				class="at.gv.egovernment.moa.id.protocols.eidas.EIDASProtocol"/>
+				
+	<bean id="eIDASMetadataProvider"
+				class="at.gv.egovernment.moa.id.auth.modules.eidas.engine.MOAeIDASChainingMetadataProvider"/>
 							
 <!-- Authentication Process Tasks -->
 	<bean id="GenerateAuthnRequestTask" 
diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/utils/ELGAMandateServiceMetadataProvider.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/utils/ELGAMandateServiceMetadataProvider.java
index c9485104b..36cd2c7e7 100644
--- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/utils/ELGAMandateServiceMetadataProvider.java
+++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/utils/ELGAMandateServiceMetadataProvider.java
@@ -36,6 +36,7 @@ import org.opensaml.xml.XMLObject;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
 
+import at.gv.egovernment.moa.id.auth.IDestroyableObject;
 import at.gv.egovernment.moa.id.auth.modules.elgamandates.ELGAMandatesAuthConstants;
 import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
 import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.SimpleMOAMetadataProvider;
@@ -51,7 +52,8 @@ import at.gv.egovernment.moa.util.MiscUtil;
  */
 
 @Service("ELGAMandate_MetadataProvider")
-public class ELGAMandateServiceMetadataProvider extends SimpleMOAMetadataProvider {
+public class ELGAMandateServiceMetadataProvider extends SimpleMOAMetadataProvider
+	implements IDestroyableObject {
 
 	@Autowired AuthConfiguration authConfig;
 	
@@ -69,6 +71,13 @@ public class ELGAMandateServiceMetadataProvider extends SimpleMOAMetadataProvide
 		
 	}
 	
+	public void destroy() {
+		if (metadataProvider != null)
+			metadataProvider.destroy();
+		
+	}
+	
+	
 		
 	/* (non-Javadoc)
 	 * @see org.opensaml.saml2.metadata.provider.MetadataProvider#requireValidMetadata()
@@ -220,4 +229,16 @@ public class ELGAMandateServiceMetadataProvider extends SimpleMOAMetadataProvide
 			metadataProvider.setRequireValidMetadata(true);
 		}
 	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.auth.IDestroyableObject#fullyDestroy()
+	 */
+	@Override
+	public void fullyDestroy() {
+		if (metadataProvider != null) {
+			metadataProvider.destroy();
+			
+		}
+		
+	}
 }
diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthRequest.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthRequest.java
index 98fcdc8dc..258b77b98 100644
--- a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthRequest.java
+++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthRequest.java
@@ -28,6 +28,7 @@ import java.util.Map;
 
 import javax.servlet.http.HttpServletRequest;
 
+import org.opensaml.saml2.metadata.provider.MetadataProvider;
 import org.springframework.beans.factory.config.BeanDefinition;
 import org.springframework.context.annotation.Scope;
 import org.springframework.stereotype.Component;
@@ -209,7 +210,7 @@ public class OAuth20AuthRequest extends OAuth20BaseRequest {
 	 * @see at.gv.egovernment.moa.id.moduls.RequestImpl#getRequestedAttributes()
 	 */
 	@Override
-	public Collection<String> getRequestedAttributes() {
+	public Collection<String> getRequestedAttributes(MetadataProvider metadataProvider) {
 		Map<String, String> reqAttr = new HashMap<String, String>();
 		for (String el : PVP2XProtocol.DEFAULTREQUESTEDATTRFORINTERFEDERATION)
 			reqAttr.put(el, "");
diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenRequest.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenRequest.java
index f35de9c58..50638ebf8 100644
--- a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenRequest.java
+++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenRequest.java
@@ -26,6 +26,7 @@ import java.util.Collection;
 
 import javax.servlet.http.HttpServletRequest;
 
+import org.opensaml.saml2.metadata.provider.MetadataProvider;
 import org.springframework.beans.factory.config.BeanDefinition;
 import org.springframework.context.annotation.Scope;
 import org.springframework.stereotype.Component;
@@ -168,7 +169,7 @@ class OAuth20TokenRequest extends OAuth20BaseRequest {
 	 * @see at.gv.egovernment.moa.id.moduls.RequestImpl#getRequestedAttributes()
 	 */
 	@Override
-	public Collection<String> getRequestedAttributes() {
+	public Collection<String> getRequestedAttributes(MetadataProvider metadataProvider) {
 		return null;
 	}
 }
diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/CreateAuthnRequestTask.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/CreateAuthnRequestTask.java
index d581e7e75..f5896bc25 100644
--- a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/CreateAuthnRequestTask.java
+++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/CreateAuthnRequestTask.java
@@ -62,7 +62,7 @@ public class CreateAuthnRequestTask extends AbstractAuthServletTask {
 
 	@Autowired PVPAuthnRequestBuilder authnReqBuilder;
 	@Autowired FederatedAuthCredentialProvider credential;
-	
+	@Autowired(required=true) MOAMetadataProvider metadataProvider;
 	
 	/* (non-Javadoc)
 	 * @see at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask#execute(at.gv.egovernment.moa.id.process.api.ExecutionContext, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)
@@ -95,7 +95,7 @@ public class CreateAuthnRequestTask extends AbstractAuthServletTask {
 			}
 			
 			//load IDP SAML2 entitydescriptor
-			EntityDescriptor idpEntity = MOAMetadataProvider.getInstance().
+			EntityDescriptor idpEntity = metadataProvider.
 					getEntityDescriptor(idpEntityID);			
 			if (idpEntity == null) {
 				Logger.warn("Requested IDP " + idpEntityID 
diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java
index 1c3134b77..f739940c8 100644
--- a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java
+++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java
@@ -90,7 +90,7 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
 	@Autowired private SSOManager ssoManager;
 	@Autowired private AttributQueryBuilder attributQueryBuilder;
 	@Autowired private AuthenticationDataBuilder authDataBuilder;
-	
+	@Autowired(required=true) MOAMetadataProvider metadataProvider;
 	
 	
 	/* (non-Javadoc)
@@ -125,7 +125,7 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
 			
 			//decode PVP response object
 			msg = (InboundMessage) decoder.decode(
-					request, response, MOAMetadataProvider.getInstance(), true,
+					request, response, metadataProvider, true,
 					comperator);
 			 
 			if (MiscUtil.isEmpty(msg.getEntityID())) {
@@ -135,7 +135,7 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
 
 			//validate response signature
 			if(!msg.isVerified()) {
-				samlVerificationEngine.verify(msg, TrustEngineFactory.getSignatureKnownKeysTrustEngine(MOAMetadataProvider.getInstance()));
+				samlVerificationEngine.verify(msg, TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider));
 				msg.setVerified(true);
 								
 			}
@@ -247,7 +247,7 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
 		
 		try {
 			Logger.debug("Service Provider is no federated IDP --> start Attribute validation or requesting ... ");
-			Collection<String> requestedAttr = pendingReq.getRequestedAttributes();
+			Collection<String> requestedAttr = pendingReq.getRequestedAttributes(metadataProvider);
 						
 			//check if SAML2 Assertion contains a minimal set of attributes
 			if (!extractor.containsAllRequiredAttributes()) {
@@ -267,7 +267,7 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
 			
 			//check if all attributes are include
 			if (!extractor.containsAllRequiredAttributes(
-					pendingReq.getRequestedAttributes())) {
+					pendingReq.getRequestedAttributes(metadataProvider))) {
 				Logger.warn("PVP Response from federated IDP contains not all requested attributes.");
 				throw new AssertionValidationExeption("sp.pvp2.06", new Object[]{FederatedAuthConstants.MODULE_NAME_FOR_LOGGING});
 				
diff --git a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1RequestImpl.java b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1RequestImpl.java
index 42fafc01e..1d3525626 100644
--- a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1RequestImpl.java
+++ b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1RequestImpl.java
@@ -26,6 +26,7 @@ import java.util.ArrayList;
 import java.util.Collection;
 import java.util.List;
 
+import org.opensaml.saml2.metadata.provider.MetadataProvider;
 import org.springframework.beans.factory.config.BeanDefinition;
 import org.springframework.context.annotation.Scope;
 import org.springframework.stereotype.Component;
@@ -81,7 +82,7 @@ public class SAML1RequestImpl extends RequestImpl {
 	 * @see at.gv.egovernment.moa.id.moduls.RequestImpl#getRequestedAttributes()
 	 */
 	@Override
-	public Collection<String> getRequestedAttributes() {
+	public Collection<String> getRequestedAttributes(MetadataProvider metadataProvider) {
 		
 		List<String> reqAttr = new ArrayList<String>();
 		reqAttr.addAll(SAML1Protocol.DEFAULTREQUESTEDATTRFORINTERFEDERATION);
-- 
cgit v1.2.3


From 055d4911acee6ab9d989f5a1574bbe9a9ade4404 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Tue, 21 Jun 2016 15:35:13 +0200
Subject: fix a request validation problem in eIDAS endpoint

---
 .../moa/id/protocols/eidas/EIDASProtocol.java        | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

(limited to 'id/server/modules')

diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java
index 379a16a96..85fb1626f 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java
@@ -196,23 +196,33 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController {
 			samlReq.setPersonalAttributeList(pendingReq.getEidasRequestedAttributes()); // circumvent non-serializable eidas personal attribute list
 			pendingReq.setEidasRequest(samlReq);
 			
-			//validate destination against metadata 
+			//validate Destination against MOA-ID-Auth configuration
 			String reqDestination = samlReq.getDestination();
-			if (MiscUtil.isNotEmpty(reqDestination)) {
+			if (MiscUtil.isEmpty(reqDestination) || 
+					!reqDestination.startsWith(pendingReq.getAuthURL())) {
+				Logger.info("eIDAS AuthnRequest contains a not valid 'Destination' attribute");
+				throw new eIDASAuthnRequestValidationException("stork.01", 
+						new Object[]{"eIDAS AuthnRequest contains a not valid 'Destination' attribute"});
+				
+			}
+							
+			//validate AssertionConsumerServiceURL against metadata 
+			String reqAssertionConsumerServiceURL = samlReq.getAssertionConsumerServiceURL();			
+			if (MiscUtil.isNotEmpty(reqAssertionConsumerServiceURL)) {
 				boolean isValid = false;
 				List<AssertionConsumerService> allowedAssertionConsumerUrl = new MOAeIDASMetadataProviderDecorator(eIDASMetadataProvider)
 						.getSPSSODescriptor(samlReq.getIssuer()).getAssertionConsumerServices();
 				
 				for (AssertionConsumerService el : allowedAssertionConsumerUrl) {
-					if (reqDestination.equals(el.getLocation()))
+					if (reqAssertionConsumerServiceURL.equals(el.getLocation()))
 						isValid = true;
 					
 				}
 				
 				if (!isValid) {
-					Logger.info("eIDAS AuthnRequest contains a not valid 'Destination' attribute");
+					Logger.info("eIDAS AuthnRequest contains a not valid 'AssertionConsumerServiceURL' attribute");
 					throw new eIDASAuthnRequestValidationException("stork.01", 
-							new Object[]{"eIDAS AuthnRequest contains a not valid 'Destination' attribute"});
+							new Object[]{"eIDAS AuthnRequest contains a not valid 'AssertionConsumerServiceURL' attribute"});
 				}
 				
 			}
-- 
cgit v1.2.3


From b3aa8b6d444e7dee51e1145e3192b191ae24b1d4 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Thu, 23 Jun 2016 10:16:46 +0200
Subject: fix some problems in eIDAS module

---
 .../modules/eidas/tasks/CreateIdentityLinkTask.java   |  9 +++++++--
 .../moa/id/protocols/eidas/EIDASProtocol.java         |  6 ++++--
 .../protocols/eidas/eIDASAuthenticationRequest.java   | 19 +++++++++++--------
 3 files changed, 22 insertions(+), 12 deletions(-)

(limited to 'id/server/modules')

diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/CreateIdentityLinkTask.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/CreateIdentityLinkTask.java
index 5d7430dd7..a56e6c3cd 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/CreateIdentityLinkTask.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/CreateIdentityLinkTask.java
@@ -87,12 +87,17 @@ public class CreateIdentityLinkTask extends AbstractAuthServletTask {
 			    // replace data
 	            Element idlassertion = identityLink.getSamlAssertion();
 	            
-	            // - set bpk/wpbk;
+	            // - set fake baseID;
 		        Node prIdentification = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_IDENT_VALUE_XPATH);		        		        
 		        if(!eIDASAttributes.containsKey(Constants.eIDAS_ATTR_PERSONALIDENTIFIER))
 		        	throw new eIDASAttributeException(Constants.eIDAS_ATTR_PERSONALIDENTIFIER);
-		        String eIdentifier = eIDASAttributes.get(Constants.eIDAS_ATTR_PERSONALIDENTIFIER).getValue().get(0);
+		        String eIdentifier = eIDASAttributes.get(Constants.eIDAS_ATTR_PERSONALIDENTIFIER).getValue().get(0);		        		        		        
 		        prIdentification.getFirstChild().setNodeValue(eIdentifier);
+		        
+		        //build personal identifier which looks like a baseID		        
+//		        String fakeBaseID = new BPKBuilder().buildBPK(eIdentifier, "baseID");
+//		        Logger.info("Map eIDAS eIdentifier:" + eIdentifier + " to fake baseID:" + fakeBaseID);
+//		        prIdentification.getFirstChild().setNodeValue(fakeBaseID);
 
 		        // - set last name
 		        Node prFamilyName = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_FAMILY_NAME_XPATH);
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java
index 85fb1626f..fc935e2ef 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java
@@ -169,9 +169,11 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController {
 			Logger.warn("No eIDAS SAMLRequest found in http request.");
 			throw new MOAIDException("HTTP request includes no eIDAS SAML-Request element.", null);
 		}						
-		byte[] decSamlToken = EIDASUtil.decodeSAMLToken(base64SamlToken);	
-
+			
 		try {
+			//decode SAML2 token
+			byte[] decSamlToken = EIDASUtil.decodeSAMLToken(base64SamlToken);
+			
 			//get eIDAS SAML-engine
 			EIDASSAMLEngine engine = SAMLEngineUtils.createSAMLEngine(eIDASMetadataProvider);
 
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java
index 8289e18d2..2beb419fb 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java
@@ -49,6 +49,7 @@ import at.gv.egovernment.moa.id.data.IAuthData;
 import at.gv.egovernment.moa.id.data.SLOInformationInterface;
 import at.gv.egovernment.moa.id.moduls.IAction;
 import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
 import eu.eidas.auth.commons.EIDASAuthnResponse;
 import eu.eidas.auth.commons.EIDASStatusCode;
 import eu.eidas.auth.commons.EIDASUtil;
@@ -87,20 +88,21 @@ public class eIDASAuthenticationRequest implements IAction {
 			
 			// TODO make use of proper builder
 			switch(current.getKey()) {
-			case Constants.eIDAS_ATTR_DATEOFBIRTH: newValue = new SimpleDateFormat("YYYY-MM-dd").format(authData.getDateOfBirth()); break;
-			case Constants.eIDAS_ATTR_CURRENTFAMILYNAME: newValue = authData.getFamilyName();break;
-			case Constants.eIDAS_ATTR_CURRENTGIVENNAME: newValue = authData.getGivenName();break;
-			
-			//TODO: change bPK builder !!!!!!
-			case Constants.eIDAS_ATTR_PERSONALIDENTIFIER: newValue = authData.getBPK(); break;
+				case Constants.eIDAS_ATTR_DATEOFBIRTH: newValue = new SimpleDateFormat("YYYY-MM-dd").format(authData.getDateOfBirth()); break;
+				case Constants.eIDAS_ATTR_CURRENTFAMILYNAME: newValue = authData.getFamilyName();break;
+				case Constants.eIDAS_ATTR_CURRENTGIVENNAME: newValue = authData.getGivenName();break;			
+				case Constants.eIDAS_ATTR_PERSONALIDENTIFIER: newValue = authData.getBPK(); break;
+				
 			}
 			
-			if("".equals(newValue))
+			if(MiscUtil.isEmpty(newValue))
 				current.getValue().setStatus(EIDASStatusCode.STATUS_NOT_AVAILABLE.toString());
+			
 			else {
 				current.getValue().getValue().clear();
 				current.getValue().getValue().add(newValue);
 				current.getValue().setStatus(EIDASStatusCode.STATUS_AVAILABLE.toString());
+				
 			}
 		}
 		
@@ -138,8 +140,9 @@ public class eIDASAuthenticationRequest implements IAction {
 			
 			token = EIDASUtil.encodeSAMLToken(response.getTokenSaml());
 			
-		} catch(Exception e) {
+		} catch(Exception e) {			
 			e.printStackTrace();
+			
 		}
 		
 		revisionsLogger.logEvent(req, Constants.eIDAS_REVERSIONSLOG_IDP_AUTHREQUEST);
-- 
cgit v1.2.3