From 745272fe66f04fee6976e6a187e308bb7a5987a1 Mon Sep 17 00:00:00 2001 From: Thomas Knall Date: Fri, 23 Jan 2015 11:22:07 +0100 Subject: Add foreign identity process support (MOAID-61). - moa-id auth web.xml: Replace servlet mapping "/GetForeignID". - Fix some javadoc of AuthenticationServer. - Set GetForeignIDServlet deprecated. - Remove redundant code across several classes. - VerifyIdentityLinkTask: Separate identity link verification from subsequent (a) creation of CreateXMLSignatureRequest (ProcessIdentityLinkTask) and (b) creation of InfoBoxReadRequest (CertificateReadRequestTask). --- id/server/auth/src/main/webapp/WEB-INF/web.xml | 12 +- .../moa/id/auth/AuthenticationServer.java | 47 +----- .../moa/id/auth/servlet/GetForeignIDServlet.java | 6 + .../id/auth/servlet/VerifyCertificateServlet.java | 2 +- .../id/auth/servlet/VerifyIdentityLinkServlet.java | 6 +- .../moa/id/auth/tasks/AbstractAuthServletTask.java | 2 +- .../id/auth/tasks/CertificateReadRequestTask.java | 102 ++++++++++++ .../moa/id/auth/tasks/GetForeignIDTask.java | 183 +++++++++++++++++++++ .../moa/id/auth/tasks/ProcessIdentityLinkTask.java | 103 ++++++++++++ .../moa/id/auth/tasks/VerifyCertificateTask.java | 3 +- .../moa/id/auth/tasks/VerifyIdentityLinkTask.java | 80 +-------- .../gv/egovernment/moa/id/util/ServletUtils.java | 3 +- .../processes/DefaultAuthentication.process.xml | 15 +- 13 files changed, 424 insertions(+), 140 deletions(-) create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/tasks/CertificateReadRequestTask.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/tasks/GetForeignIDTask.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/tasks/ProcessIdentityLinkTask.java (limited to 'id/server') diff --git a/id/server/auth/src/main/webapp/WEB-INF/web.xml b/id/server/auth/src/main/webapp/WEB-INF/web.xml index 1dd3b7a40..4548e05d9 100644 
--- a/id/server/auth/src/main/webapp/WEB-INF/web.xml +++ b/id/server/auth/src/main/webapp/WEB-INF/web.xml @@ -108,17 +108,6 @@ IDPSLO /idpSingleLogout - - - Gets the foreign eID from security layer - GetForeignID - GetForeignID - at.gv.egovernment.moa.id.auth.servlet.GetForeignIDServlet - - - GetForeignID - /GetForeignID - Apache-Axis Servlet @@ -172,6 +161,7 @@ ProcessEngineSignal /GetMISSessionID + /GetForeignID /VerifyAuthBlock /VerifyCertificate /VerifyIdentityLink diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java index b412b9964..fb67d078e 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java @@ -1363,17 +1363,16 @@ public class AuthenticationServer implements MOAIDAuthConstants { /** * Gets the foreign authentication data.
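Review bot: There is no visible guard that a POST to `/GetForeignID` is accepted only while the session's process instance is actually waiting in GetForeignIDTask, now that the url-pattern is served by the generic ProcessEngineSignal servlet instead of a dedicated servlet; if the engine does not already reject out-of-order signals, a CreateXMLSignatureResponse could be submitted for a session that never reached this step, so that check should be confirmed or documented. The removed GetForeignIDServlet declaration leaves the class unmapped, which is the intended outcome, but a comment next to the new pattern, `<!-- /GetForeignID is now handled by GetForeignIDTask via the process engine -->`, tells the next reader where the endpoint went.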
*
    - *
  • Creates authentication data
  • + *
  • Creates authentication data
  • *
  • Creates a corresponding SAML artifact
  • *
  • Stores authentication data in the authentication data store indexed * by the SAML artifact
  • *
  • Deletes authentication session
  • - *
  • Returns the SAML artifact, encoded BASE64
  • + *
  • Returns the SAML artifact, encoded BASE64
  • *
* * @param sessionID session ID of the running authentication session - * @return SAML artifact needed for retrieving authentication data, encoded - * BASE64 + * @return String "new Session" */ public String getForeignAuthenticationData(AuthenticationSession session) throws AuthenticationException, BuildException, ParseException, 
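Review bot: The new `@return String "new Session"` contradicts the unchanged list items above it, which still say the method creates a SAML artifact and returns it BASE64-encoded, and `@param sessionID` names a parameter the signature does not have (it takes `AuthenticationSession session`). Since this hunk is a documentation fix, finish it: change the tag to `@param session the running authentication session` and drop or rewrite the two artifact bullets so the description matches the tag. The method body continues outside this hunk, so the actual return value should be checked against the code before the summary is rewritten.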
@@ -1382,46 +1381,6 @@ public class AuthenticationServer implements MOAIDAuthConstants { if (session == null) throw new AuthenticationException("auth.10", new Object[]{ REQ_VERIFY_AUTH_BLOCK, PARAM_SESSIONID}); - - // // post processing of the infoboxes - // Iterator iter = session.getInfoboxValidatorIterator(); - // boolean formpending = false; - // if (iter != null) { - // while (!formpending && iter.hasNext()) { - // Vector infoboxValidatorVector = (Vector) iter.next(); - // String identifier = (String) infoboxValidatorVector.get(0); - // String friendlyName = (String) infoboxValidatorVector.get(1); - // InfoboxValidator infoboxvalidator = (InfoboxValidator) infoboxValidatorVector - // .get(2); - // InfoboxValidationResult infoboxValidationResult = null; - // try { - // infoboxValidationResult = infoboxvalidator.validate(session - // .getIdentityLink().getSamlAssertion()); - // } catch (ValidateException e) { - // Logger.error("Error validating " + identifier + " infobox:" - // + e.getMessage()); - // throw new ValidateException("validator.44", - // new Object[]{friendlyName}); - // } - // if (!infoboxValidationResult.isValid()) { - // Logger.info("Validation of " + identifier - // + " infobox failed."); - // throw new ValidateException("validator.40", new Object[]{ - // friendlyName, - // infoboxValidationResult.getErrorMessage()}); - // } - // String form = infoboxvalidator.getForm(); - // if (ParepUtils.isEmpty(form)) { - // AddAdditionalSAMLAttributes( - // session, - // infoboxValidationResult.getExtendedSamlAttributes(), - // identifier, friendlyName); - // } else { - // return "Redirect to Input Processor"; - // } - // } - // } - VerifyXMLSignatureResponse vsresp = new VerifyXMLSignatureResponse(); X509Certificate cert = session.getSignerCertificate(); vsresp.setX509certificate(cert); 
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetForeignIDServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetForeignIDServlet.java index bbc704f22..f8b0dbdab 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetForeignIDServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GetForeignIDServlet.java @@ -71,6 +71,7 @@ import at.gv.egovernment.moa.id.auth.exception.ParseException; import at.gv.egovernment.moa.id.auth.exception.WrongParametersException; import at.gv.egovernment.moa.id.auth.parser.CreateXMLSignatureResponseParser; import at.gv.egovernment.moa.id.auth.parser.IdentityLinkAssertionParser; +import at.gv.egovernment.moa.id.auth.tasks.GetForeignIDTask; import at.gv.egovernment.moa.id.client.SZRGWClientException; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; import at.gv.egovernment.moa.id.moduls.ModulUtils; @@ -85,6 +86,7 @@ import at.gv.util.xsd.srzgw.CreateIdentityLinkResponse; * Servlet requested for getting the foreign eID * provided by the security layer implementation. * Utilizes the {@link AuthenticationServer}. + * @deprecated Use {@link GetForeignIDTask} instead. * */ public class GetForeignIDServlet extends AuthServlet { @@ -134,6 +136,10 @@ public class GetForeignIDServlet extends AuthServlet { Logger.debug("POST GetForeignIDServlet"); + if (System.currentTimeMillis() > 0) { + throw new IllegalStateException(getClass().getName() + " should not be called any more."); + } + resp.setHeader(MOAIDAuthConstants.HEADER_EXPIRES,MOAIDAuthConstants.HEADER_VALUE_EXPIRES); resp.setHeader(MOAIDAuthConstants.HEADER_PRAGMA,MOAIDAuthConstants.HEADER_VALUE_PRAGMA); resp.setHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL); 
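Review bot: The guard `if (System.currentTimeMillis() > 0) { throw new IllegalStateException(...); }` exists only to keep the dead body below it compilable, and it reads as a bug to anyone who has not seen the commit message. Since the servlet-mapping is gone from web.xml, the cleaner retirement is to put `@Deprecated` on the class (the Javadoc `@deprecated` tag alone produces no compiler warning for remaining callers) and delete the legacy body, or move it into a private method so the throw can stand unconditionally as `throw new IllegalStateException(getClass().getName() + " is retired; use GetForeignIDTask");`. If the class is kept only as a reference for the task, say so in the class Javadoc so nobody re-adds the mapping.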
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyCertificateServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyCertificateServlet.java index 36e219a97..77e401899 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyCertificateServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyCertificateServlet.java @@ -214,7 +214,7 @@ public class VerifyCertificateServlet extends AuthServlet { throw new MOAIDException("session store error", null); } - ServletUtils.writeCreateXMLSignatureRequest(resp, session, createXMLSignatureRequest, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "GetForeignID", dataurl); + ServletUtils.writeCreateXMLSignatureRequest(resp, createXMLSignatureRequest, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "GetForeignID", dataurl); Logger.debug("Send CreateXMLSignatureRequest to BKU"); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java index 3fcdfe150..e94273881 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/VerifyIdentityLinkServlet.java @@ -53,7 +53,6 @@ import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; -import org.apache.commons.fileupload.FileUploadException; import org.apache.commons.lang.StringEscapeUtils; import at.gv.egovernment.moa.id.auth.AuthenticationServer; 
@@ -67,7 +66,6 @@ import at.gv.egovernment.moa.id.auth.exception.ParseException; import at.gv.egovernment.moa.id.auth.exception.WrongParametersException; import at.gv.egovernment.moa.id.auth.tasks.VerifyIdentityLinkTask; import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils; -import at.gv.egovernment.moa.id.commons.db.MOASessionDBUtils; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; @@ -207,7 +205,7 @@ public class VerifyIdentityLinkServlet extends AuthServlet { session.getSessionID()); - ServletUtils.writeCreateXMLSignatureRequest(resp, session, infoboxReadRequest, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyIdentityLink", dataurl); + ServletUtils.writeCreateXMLSignatureRequest(resp, infoboxReadRequest, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyIdentityLink", dataurl); } @@ -237,7 +235,7 @@ public class VerifyIdentityLinkServlet extends AuthServlet { //ServletUtils.writeCreateXMLSignatureRequestURLEncoded(resp, session, infoboxReadRequest, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyIdentityLink", dataurl); Logger.debug("ContentType set to: text/xml;charset=UTF-8 (ServletUtils)"); - ServletUtils.writeCreateXMLSignatureRequest(resp, session, infoboxReadRequest, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyIdentityLink", dataurl); + ServletUtils.writeCreateXMLSignatureRequest(resp, infoboxReadRequest, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyIdentityLink", dataurl); } else { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/tasks/AbstractAuthServletTask.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/tasks/AbstractAuthServletTask.java index d5b869777..7351933c1 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/tasks/AbstractAuthServletTask.java 
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/tasks/AbstractAuthServletTask.java
@@ -325,7 +325,7 @@ public abstract class AbstractAuthServletTask extends AbstractSpringWebSupported
* @param resp
* The HttpServletResponse.
*/
- private void setNoCachingHeaders(HttpServletResponse resp) {
+ public void setNoCachingHeaders(HttpServletResponse resp) {
resp.setHeader(HEADER_EXPIRES, HEADER_VALUE_EXPIRES);
resp.setHeader(HEADER_PRAGMA, HEADER_VALUE_PRAGMA);
resp.setHeader(HEADER_CACHE_CONTROL, HEADER_VALUE_CACHE_CONTROL);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/tasks/CertificateReadRequestTask.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/tasks/CertificateReadRequestTask.java
new file mode 100644
index 000000000..da8a3d997
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/tasks/CertificateReadRequestTask.java
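Review bot: `setNoCachingHeaders` only needs to be visible to the task subclasses, so `protected void setNoCachingHeaders(HttpServletResponse resp)` is the right widening; `public` turns a header-setting helper into part of the class's API. A one-sentence Javadoc would help now that every task in this commit calls it, e.g. "Sets Expires/Pragma/Cache-Control so BKU responses carrying session ids are never cached." The four lines VerifyIdentityLinkTask replaced with this call included `resp.addHeader(HEADER_CACHE_CONTROL, HEADER_VALUE_CACHE_CONTROL_IE)`, which is not among the three context lines shown here; confirm the helper still emits it, otherwise the refactor silently drops the IE cache-control value.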
@@ -0,0 +1,102 @@ +package at.gv.egovernment.moa.id.auth.tasks; + +import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.*; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import org.apache.commons.lang.StringEscapeUtils; +import org.apache.commons.lang3.BooleanUtils; + +import at.gv.egovernment.moa.id.auth.AuthenticationServer; +import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder; +import at.gv.egovernment.moa.id.auth.builder.InfoboxReadRequestBuilderCertificate; +import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; +import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; +import at.gv.egovernment.moa.id.auth.exception.MOAIDException; +import at.gv.egovernment.moa.id.auth.exception.WrongParametersException; +import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils; +import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage; +import at.gv.egovernment.moa.id.util.ParamValidatorUtils; +import at.gv.egovernment.moa.id.util.ServletUtils; +import at.gv.egovernment.moa.logging.Logger; + +import com.datentechnik.process_engine.api.ExecutionContext; + +/** + * Creates {@code InfoBoxReadRequest} in order to read the subject's certificates.

+ * In detail: + *

    + *
  • Renames the moa session id.
  • + *
  • Creates {@code InfoBoxReadRequest} in order to read the subject's certificates.
  • + *
  • Responds with {@code InfoBoxReadRequest} (for CCE), {@code DataURL} is {@code {/VerifyCertificate}
  • + *
+ * Expects: + *
    + *
  • HttpServletRequest parameter {@link MOAIDAuthConstants#PARAM_SESSIONID}
  • + *
+ * Result: + *
    + *
  • Responds with {@code InfoBoxReadRequest} (for CCE), {@code DataURL} is {@code {/VerifyCertificate}
  • + *
+ * Code taken from {@link at.gv.egovernment.moa.id.auth.servlet.VerifyIdentityLinkServlet}. + * @author tknall + * @see #execute(ExecutionContext, HttpServletRequest, HttpServletResponse) + * + */ +public class CertificateReadRequestTask extends AbstractAuthServletTask { + + @Override + public void execute(ExecutionContext executionContext, HttpServletRequest req, HttpServletResponse resp) + throws Exception { + + // TODO[branch]: Foreign citizen or mandate mode; respond with IRR for certificates, dataURL = "/VerifyCertificate" + Logger.info("Send InfoboxReadRequest to BKU to get signer certificate."); + + setNoCachingHeaders(resp); + + String pendingRequestID = null; + + try { + + String sessionID = StringEscapeUtils.escapeHtml(req.getParameter(PARAM_SESSIONID)); + + // check parameter + if (!ParamValidatorUtils.isValidSessionID(sessionID)) { + throw new WrongParametersException("CertificateReadRequestTask", PARAM_SESSIONID, "auth.12"); + } + + pendingRequestID = AuthenticationSessionStoreage.getPendingRequestID(sessionID); + + AuthenticationSession session = AuthenticationServer.getSession(sessionID); + + boolean useMandate = session.getUseMandate(); + boolean identityLinkFound = BooleanUtils.isTrue((Boolean) executionContext.get("identityLinkFound")); + + if (!identityLinkFound && useMandate) { + Logger.error("Online-Mandate Mode for foreign citizencs not supported."); + throw new AuthenticationException("auth.13", null); + } + + // change MOASessionID + AuthenticationSessionStoreage.changeSessionID(session); + + // create the InfoboxReadRequest to get the certificate + String infoboxReadRequest = new InfoboxReadRequestBuilderCertificate().build(true); + + // build dataurl (to the VerifyCertificateSerlvet) + String dataurl = new DataURLBuilder().buildDataURL(session.getAuthURL(), REQ_VERIFY_CERTIFICATE, + session.getSessionID()); + + ServletUtils.writeCreateXMLSignatureRequest(resp, infoboxReadRequest, + AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, 
"VerifyIdentityLink", dataurl); + + } catch (MOAIDException ex) { + handleError(null, ex, req, resp, pendingRequestID); + } finally { + ConfigurationDBUtils.closeSession(); + } + + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/tasks/GetForeignIDTask.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/tasks/GetForeignIDTask.java new file mode 100644 index 000000000..602ad527b --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/tasks/GetForeignIDTask.java 
@@ -0,0 +1,183 @@ +package at.gv.egovernment.moa.id.auth.tasks; + +import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.*; + +import java.io.ByteArrayInputStream; +import java.io.IOException; +import java.security.cert.CertificateException; +import java.util.Map; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import javax.xml.transform.TransformerException; + +import org.apache.commons.fileupload.FileUploadException; +import org.apache.commons.lang.StringEscapeUtils; +import org.w3c.dom.Element; + +import at.gv.egovernment.moa.id.auth.AuthenticationServer; +import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder; +import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; +import at.gv.egovernment.moa.id.auth.data.CreateXMLSignatureResponse; +import at.gv.egovernment.moa.id.auth.data.IdentityLink; +import at.gv.egovernment.moa.id.auth.exception.MOAIDException; +import at.gv.egovernment.moa.id.auth.exception.ParseException; +import at.gv.egovernment.moa.id.auth.exception.WrongParametersException; +import at.gv.egovernment.moa.id.auth.parser.CreateXMLSignatureResponseParser; +import at.gv.egovernment.moa.id.auth.parser.IdentityLinkAssertionParser; +import at.gv.egovernment.moa.id.client.SZRGWClientException; +import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; +import at.gv.egovernment.moa.id.moduls.ModulUtils; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; +import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage; +import at.gv.egovernment.moa.id.util.ParamValidatorUtils; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.DOMUtils; +import at.gv.util.xsd.srzgw.CreateIdentityLinkResponse; + +import com.datentechnik.process_engine.api.ExecutionContext; + +/** + * Evaluates the {@code CreateXMLSignatureResponse}, extracts signature and certificate and asks the SZR Gateway for an identity link.

+ * In detail: + *

    + *
  • Renames the moa session id.
  • + *
  • Parses the CreateXMLSignatureResponse retrieved from POST parameter {@link MOAIDAuthConstants#PARAM_XMLRESPONSE}.
  • + *
  • Extracts signature and signer certificate.
  • + *
  • Send request to SZR Gateway in order to get an identity link.
  • + *
  • Updates moa session (sets identity link, QAA level 4, authentication data and foreigner flag).
  • + *
  • Redirects back to {@code /dispatcher} in order to finalize authentication.
  • + *
+ * Expects: + *
    + *
  • HttpServletRequest parameter {@link MOAIDAuthConstants#PARAM_SESSIONID}
  • + *
  • HttpServletRequest parameter {@link MOAIDAuthConstants#PARAM_XMLRESPONSE} containing a {@code CreateXMLSignatureResponse}.
  • + *
+ * Result: + *
    + *
  • Identity link, QAA level 4 and foreigner flag put into moa session.
  • + *
  • Redirect to {@code /dispatcher}.
  • + *
+ * Code taken from {@link at.gv.egovernment.moa.id.auth.servlet.GetForeignIDServlet}. + * @author tknall + * @see #execute(ExecutionContext, HttpServletRequest, HttpServletResponse) + * + */ +public class GetForeignIDTask extends AbstractAuthServletTask { + + @Override + public void execute(ExecutionContext executionContext, HttpServletRequest req, HttpServletResponse resp) + throws Exception { + + Logger.debug("POST GetForeignIDServlet"); + + setNoCachingHeaders(resp); + + Map parameters; + + try { + parameters = getParameters(req); + } catch (FileUploadException e) { + Logger.error("Parsing mulitpart/form-data request parameters failed: " + e.getMessage()); + throw new IOException(e.getMessage()); + } + + String sessionID = StringEscapeUtils.escapeHtml(req.getParameter(PARAM_SESSIONID)); + String pendingRequestID = null; + String redirectURL = null; + AuthenticationSession session = null; + try { + // check parameter + if (!ParamValidatorUtils.isValidSessionID(sessionID)) { + throw new WrongParametersException("GetForeignID", PARAM_SESSIONID, "auth.12"); + } + String xmlCreateXMLSignatureResponse = (String) parameters.get(PARAM_XMLRESPONSE); + if (!ParamValidatorUtils.isValidXMLDocument(xmlCreateXMLSignatureResponse)) { + throw new WrongParametersException("GetForeignID", PARAM_XMLRESPONSE, "auth.12"); + } + pendingRequestID = AuthenticationSessionStoreage.getPendingRequestID(sessionID); + session = AuthenticationServer.getSession(sessionID); + + // change MOASessionID + sessionID = AuthenticationSessionStoreage.changeSessionID(session); + + Logger.debug(xmlCreateXMLSignatureResponse); + + CreateXMLSignatureResponse csresp = new CreateXMLSignatureResponseParser(xmlCreateXMLSignatureResponse) + .parseResponseDsig(); + + try { + String serializedAssertion = DOMUtils.serializeNode(csresp.getDsigSignature()); + session.setAuthBlock(serializedAssertion); + + } catch (TransformerException e) { + throw new ParseException("parser.04", new Object[] { 
REQ_VERIFY_AUTH_BLOCK, PARAM_XMLRESPONSE }); + + } catch (IOException e) { + throw new ParseException("parser.04", new Object[] { REQ_VERIFY_AUTH_BLOCK, PARAM_XMLRESPONSE }); + + } + + Element signature = csresp.getDsigSignature(); + + try { + session.setSignerCertificate(AuthenticationServer.getCertificateFromXML(signature)); + } catch (CertificateException e) { + Logger.error("Could not extract certificate from CreateXMLSignatureResponse"); + throw new MOAIDException("auth.14", null); + } + + // make SZR request to the identity link + CreateIdentityLinkResponse response = AuthenticationServer.getInstance().getIdentityLink(signature); + + if (null != response.getErrorResponse()) { + // TODO fix exception parameter + throw new SZRGWClientException("service.08", (String) response.getErrorResponse().getErrorCode(), + (String) response.getErrorResponse().getInfo()); + } else { + IdentityLinkAssertionParser ilParser = new IdentityLinkAssertionParser(new ByteArrayInputStream( + response.getIdentityLink())); + IdentityLink identitylink = ilParser.parseIdentityLink(); + session.setIdentityLink(identitylink); + + // set QAA Level four in case of card authentifcation + session.setQAALevel(PVPConstants.STORK_QAA_1_4); + + AuthenticationServer.getInstance().getForeignAuthenticationData(session); + + // session is implicit stored in changeSessionID!!!! 
+ String newMOASessionID = AuthenticationSessionStoreage.changeSessionID(session); + + Logger.info("Changed MOASession " + sessionID + " to Session " + newMOASessionID); + Logger.info("Daten angelegt zu MOASession " + newMOASessionID); + + redirectURL = new DataURLBuilder().buildDataURL(session.getAuthURL(), + ModulUtils.buildAuthURL(session.getModul(), session.getAction(), pendingRequestID), + newMOASessionID); + redirectURL = resp.encodeRedirectURL(redirectURL); + + // TODO[branch]: Final step back to /dispatcher + + try { + AuthenticationSessionStoreage.storeSession(session); + } catch (MOADatabaseException e) { + throw new MOAIDException("Session store error", null); + } + + resp.setContentType("text/html"); + resp.setStatus(302); + resp.addHeader("Location", redirectURL); + Logger.debug("REDIRECT TO: " + redirectURL); + } + + } catch (MOAIDException ex) { + handleError(null, ex, req, resp, pendingRequestID); + + } catch (Exception e) { + Logger.error("GetForeignIDServlet has an interal Error.", e); + + } + + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/tasks/ProcessIdentityLinkTask.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/tasks/ProcessIdentityLinkTask.java new file mode 100644 index 000000000..34ef9b134 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/tasks/ProcessIdentityLinkTask.java 
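Review bot: The trailing `catch (Exception e) { Logger.error("GetForeignIDServlet has an interal Error.", e); }` swallows every non-MOAID failure (parser, SZR gateway, database) after logging, so `execute` returns normally with no response written and, presumably, the engine treats the task as completed. Since the method already declares `throws Exception`, replace the body with `Logger.error("GetForeignIDTask has an internal error.", e); throw e;`, which also fixes the class name and the typo in the message. Whether the `SZRGWClientException` thrown for `response.getErrorResponse()` extends `MOAIDException` is not visible here; if it does not, a gateway error currently takes this silent path too. Consider also trimming `Logger.debug(xmlCreateXMLSignatureResponse)`, since it writes the complete signed response including the signer certificate to the log.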
@@ -0,0 +1,103 @@ +package at.gv.egovernment.moa.id.auth.tasks; + +import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.*; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import org.apache.commons.lang.StringEscapeUtils; + +import at.gv.egovernment.moa.id.auth.AuthenticationServer; +import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; +import at.gv.egovernment.moa.id.auth.exception.MOAIDException; +import at.gv.egovernment.moa.id.auth.exception.WrongParametersException; +import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage; +import at.gv.egovernment.moa.id.util.ParamValidatorUtils; +import at.gv.egovernment.moa.id.util.ServletUtils; +import at.gv.egovernment.moa.logging.Logger; + +import com.datentechnik.process_engine.api.ExecutionContext; + +/** + * Creates {@code CreateXMLSignatureRequest} for auth block signature.

+ * In detail: + *

    + *
  • Renames the moa session id.
  • + *
  • Creates {@code CreateXMLSignatureRequest} for auth block signature.
  • + *
  • Responds with {@code CreateXMLSignatureRequest} (for CCE), {@code DataURL} is {@code {/VerifyAuthBlock}
  • + *
+ * Expects: + *
    + *
  • HttpServletRequest parameter {@link MOAIDAuthConstants#PARAM_SESSIONID}
  • + *
+ * Result: + *
    + *
  • Responds with {@code CreateXMLSignatureRequest} (for CCE), {@code DataURL} is {@code {/VerifyAuthBlock}
  • + *
+ * Code taken from {@link at.gv.egovernment.moa.id.auth.servlet.VerifyIdentityLinkServlet}. + * @author tknall + * @see #execute(ExecutionContext, HttpServletRequest, HttpServletResponse) + * + */ +public class ProcessIdentityLinkTask extends AbstractAuthServletTask { + + @Override + public void execute(ExecutionContext executionContext, HttpServletRequest req, HttpServletResponse resp) + throws Exception { + // note: code taken from at.gv.egovernment.moa.id.auth.servlet.VerifyIdentityLinkServlet + + Logger.debug("Process IdentityLink"); + + setNoCachingHeaders(resp); + + String pendingRequestID = null; + + try { + + String sessionID = StringEscapeUtils.escapeHtml(req.getParameter(PARAM_SESSIONID)); + + // check parameter + if (!ParamValidatorUtils.isValidSessionID(sessionID)) { + throw new WrongParametersException("VerifyIdentityLink", PARAM_SESSIONID, "auth.12"); + } + + pendingRequestID = AuthenticationSessionStoreage.getPendingRequestID(sessionID); + + AuthenticationSession session = AuthenticationServer.getSession(sessionID); + + // change MOASessionID + sessionID = AuthenticationSessionStoreage.changeSessionID(session); + + Logger.info("Normal"); + + // TODO[branch]: Default behaviour; respond with CXSR for authblock signature, dataURL "/VerifyAuthBlock" + + OAAuthParameter oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter( + session.getPublicOAURLPrefix()); + AuthConfigurationProvider authConf = AuthConfigurationProvider.getInstance(); + + String createXMLSignatureRequest = AuthenticationServer.getInstance() + .getCreateXMLSignatureRequestAuthBlockOrRedirect(session, authConf, oaParam); + + AuthenticationSessionStoreage.storeSession(session); + + ServletUtils.writeCreateXMLSignatureRequestOrRedirect(resp, session, + createXMLSignatureRequest, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, + "VerifyIdentityLink"); + + } catch (MOAIDException ex) { + handleError(null, ex, req, resp, pendingRequestID); + + } catch (Exception e) 
{ + Logger.error("IdentityLinkValidation has an interal Error.", e); + } + + finally { + ConfigurationDBUtils.closeSession(); + } + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/tasks/VerifyCertificateTask.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/tasks/VerifyCertificateTask.java index 979e64888..ddea4c414 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/tasks/VerifyCertificateTask.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/tasks/VerifyCertificateTask.java @@ -101,7 +101,6 @@ public class VerifyCertificateTask extends AbstractAuthServletTask { boolean useMandate = session.getUseMandate(); - if (useMandate) { // verify certificate for OrganWalter @@ -144,7 +143,7 @@ public class VerifyCertificateTask extends AbstractAuthServletTask { } // TODO[branch]: Foreign citizen; respond with CXSR for authblock signature, dataURL "/GetForeignID" - ServletUtils.writeCreateXMLSignatureRequest(resp, session, createXMLSignatureRequest, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "GetForeignID", dataurl); + ServletUtils.writeCreateXMLSignatureRequest(resp, createXMLSignatureRequest, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "GetForeignID", dataurl); Logger.debug("Send CreateXMLSignatureRequest to BKU"); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/tasks/VerifyIdentityLinkTask.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/tasks/VerifyIdentityLinkTask.java index 09dd9e1f7..5b21cd29c 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/tasks/VerifyIdentityLinkTask.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/tasks/VerifyIdentityLinkTask.java 
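Review bot: The `catch (Exception e)` block logs `"IdentityLinkValidation has an interal Error."` and falls through to `finally`, so a failure in `getCreateXMLSignatureRequestAuthBlockOrRedirect` or `storeSession` leaves the response empty while the engine presumably moves on; since `execute` declares `throws Exception`, rethrow with `Logger.error("ProcessIdentityLinkTask has an internal error.", e); throw e;`. `Logger.info("Normal")` was meaningful next to the foreign-citizen branch in the old servlet but says nothing on its own; `Logger.info("Identity link present; requesting auth block signature.")` would. The task also does not check that the session actually holds an identity link and relies on the process definition (DefaultAuthentication.process.xml is in the diffstat but not in this chunk) to route on `identityLinkFound`; a cheap precondition throwing `auth.13`-style AuthenticationException when the session's identity link is null would make that dependency explicit, assuming the session exposes a getter as the removed commented code in AuthenticationServer suggests.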
@@ -12,33 +12,26 @@ import org.apache.commons.lang.StringEscapeUtils; import at.gv.egovernment.moa.id.auth.AuthenticationServer; import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; -import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder; -import at.gv.egovernment.moa.id.auth.builder.InfoboxReadRequestBuilderCertificate; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; -import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.auth.exception.ParseException; import at.gv.egovernment.moa.id.auth.exception.WrongParametersException; import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils; -import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; -import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage; import at.gv.egovernment.moa.id.util.ParamValidatorUtils; -import at.gv.egovernment.moa.id.util.ServletUtils; import at.gv.egovernment.moa.logging.Logger; import com.datentechnik.process_engine.api.ExecutionContext; /** - * Verifies the identity link and prepares auth block signature if identity link provided, or triggers reading the subject's certificate if not provided.

+ * Verifies the identity link.

* In detail: *

    *
  • Renames the moa session id.
  • - *
  • Parses the identity link retrieves as {@code InfoBoxReadResponse} from POST parameter {@link MOAIDAuthConstants#PARAM_XMLRESPONSE}.
  • + *
  • Parses the identity link retrieved as {@code InfoBoxReadResponse} from POST parameter {@link MOAIDAuthConstants#PARAM_XMLRESPONSE}.
  • *
  • Verifies the identity link.
  • - *
  • Creates the auth block to be signed.
  • *
  • Updates moa session.
  • - *
  • Creates and returns a {@code CreateXMLSignatureRequest} via HttpServletResponse.
  • + *
  • Puts boolean flag {@code identityLinkFound} into {@code ExecutionContext}.
  • *
* Expects: *
    @@ -48,17 +41,7 @@ import com.datentechnik.process_engine.api.ExecutionContext; * Result: *
      *
    • Identity link put into moa session.
    • - *
    • Returns {@code CreateXMLSignatureRequest} via HttpServletResponse (for CCE).
    • - *
    - * Possible branches: - *
      - *
    • In case of foreign citizen or in case of mandate - *
        - *
      • Create {@code InfoBoxReadRequest} for reading the subjects certificate.
      • - *
      • Set DataURL {@code /VerifyCertificate}.
      • - *
      • Respond with {@code InfoBoxReadRequest}.
      • - *
      - *
    • + *
    • Boolean flag {@code identityLinkFound} into {@code ExecutionContext}.
    • *
    * Code taken from {@link at.gv.egovernment.moa.id.auth.servlet.VerifyIdentityLinkServlet}. * @author tknall @@ -75,10 +58,7 @@ public class VerifyIdentityLinkTask extends AbstractAuthServletTask { Logger.debug("POST VerifyIdentityLink"); - resp.setHeader(HEADER_EXPIRES, HEADER_VALUE_EXPIRES); - resp.setHeader(HEADER_PRAGMA, HEADER_VALUE_PRAGMA); - resp.setHeader(HEADER_CACHE_CONTROL, HEADER_VALUE_CACHE_CONTROL); - resp.addHeader(HEADER_CACHE_CONTROL, HEADER_VALUE_CACHE_CONTROL_IE); + setNoCachingHeaders(resp); Map parameters; String pendingRequestID = null; 
@@ -93,62 +73,18 @@ public class VerifyIdentityLinkTask extends AbstractAuthServletTask { try { String sessionID = StringEscapeUtils.escapeHtml(req.getParameter(PARAM_SESSIONID)); - // check parameter if (!ParamValidatorUtils.isValidSessionID(sessionID)) { throw new WrongParametersException("VerifyIdentityLink", PARAM_SESSIONID, "auth.12"); } - pendingRequestID = AuthenticationSessionStoreage.getPendingRequestID(sessionID); AuthenticationSession session = AuthenticationServer.getSession(sessionID); - // change MOASessionID - sessionID = AuthenticationSessionStoreage.changeSessionID(session); - boolean identityLinkFound = AuthenticationServer.getInstance().verifyIdentityLink(session, parameters) != null; - boolean useMandate = session.getUseMandate(); - - if (!identityLinkFound && useMandate) { - Logger.error("Online-Mandate Mode for foreign citizencs not supported."); - throw new AuthenticationException("auth.13", null); - } - - if (!identityLinkFound || useMandate) { - - // TODO[branch]: Foreign citizen or mandate mode; respond with IRR for certificates, dataURL = "/VerifyCertificate" - Logger.info("Send InfoboxReadRequest to BKU to get signer certificate."); - - // create the InfoboxReadRequest to get the certificate - String infoboxReadRequest = new InfoboxReadRequestBuilderCertificate().build(true); - - // build dataurl (to the VerifyCertificateSerlvet) - String dataurl = new DataURLBuilder().buildDataURL(session.getAuthURL(), REQ_VERIFY_CERTIFICATE, - session.getSessionID()); - - AuthenticationSessionStoreage.storeSession(session); - - ServletUtils.writeCreateXMLSignatureRequest(resp, session, infoboxReadRequest, - AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT, "VerifyIdentityLink", dataurl); - } else { - - Logger.info("Normal"); - - // TODO[branch]: Default behaviour; respond with CXSR for authblock signature, dataURL "/VerifyAuthBlock" - - OAAuthParameter oaParam = AuthConfigurationProvider.getInstance().getOnlineApplicationParameter( - 
session.getPublicOAURLPrefix());
- AuthConfigurationProvider authConf = AuthConfigurationProvider.getInstance();
-
- String createXMLSignatureRequest = AuthenticationServer.getInstance()
- .getCreateXMLSignatureRequestAuthBlockOrRedirect(session, authConf, oaParam);
-
- AuthenticationSessionStoreage.storeSession(session);
-
- ServletUtils.writeCreateXMLSignatureRequestOrRedirect(resp, session,
- createXMLSignatureRequest, AuthenticationServer.REQ_PROCESS_VALIDATOR_INPUT,
- "VerifyIdentityLink");
- }
+ AuthenticationSessionStoreage.storeSession(session);
+
+ executionContext.put("identityLinkFound", identityLinkFound);
 } catch (ParseException ex) {
 handleError(null, ex, req, resp, pendingRequestID);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ServletUtils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ServletUtils.java
index 56e59a4aa..3dbc0ab7b 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ServletUtils.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ServletUtils.java
@@ -113,14 +113,13 @@ public class ServletUtils {
 * depending on the requests starting text.
 *
 * @param resp The httpServletResponse
- * @param session The current AuthenticationSession
 * @param createXMLSignatureRequestOrRedirect The request
 * @param servletGoal The servlet to which the redirect should happen
 * @param servletName The servlet name for debug purposes
 * @throws MOAIDException
 * @throws IOException
 */
- public static void writeCreateXMLSignatureRequest(HttpServletResponse resp, AuthenticationSession session, String createXMLSignatureRequestOrRedirect, String servletGoal, String servletName, String dataURL)
+ public static void writeCreateXMLSignatureRequest(HttpServletResponse resp, String createXMLSignatureRequestOrRedirect, String servletGoal, String servletName, String dataURL)
 throws MOAIDException, IOException {
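Review bot: The rejection of mandate mode without an identity link (`if (!identityLinkFound && useMandate) { throw new AuthenticationException("auth.13", null); }`) is removed from this task together with `useMandate`, and the remaining new-side code only publishes `identityLinkFound`; unless a follow-on task (not in view) re-checks `session.getUseMandate()` against the flag, a mandate-mode request whose identity link is missing now continues into the certificate-read branch instead of failing here. The collapsed hunk also leaves it unclear whether `sessionID = AuthenticationSessionStoreage.changeSessionID(session);` is removed or kept as context; if it is removed, the session-ID rotation that used to happen right after the identity link was verified has to be done by a later task, and the class Javadoc's "Renames the moa session id" step would be stale. The execution-context key is a bare literal, `executionContext.put("identityLinkFound", identityLinkFound);`, which the consuming tasks and the process definition presumably spell by hand too; a shared constant such as `public static final String CTX_IDENTITY_LINK_FOUND = "identityLinkFound";` on the task base class would turn a typo into a compile error instead of a silently wrong branch. The enclosing execute method starts before the hunk and its catch chain continues past it.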
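Review bot: The Javadoc of `writeCreateXMLSignatureRequest` still has no entry for the `dataURL` parameter although the commit rewrites both the `@param` block and the signature; add ` * @param dataURL The data URL handed on with the request` next to the remaining `@param` lines, confirming the wording against the method body, which lies outside the hunk. The method body continues past the hunk.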
diff --git a/id/server/idserverlib/src/main/resources/resources/processes/DefaultAuthentication.process.xml b/id/server/idserverlib/src/main/resources/resources/processes/DefaultAuthentication.process.xml index 8ac58bd4b..f3555df2a 100644 --- a/id/server/idserverlib/src/main/resources/resources/processes/DefaultAuthentication.process.xml +++ b/id/server/idserverlib/src/main/resources/resources/processes/DefaultAuthentication.process.xml @@ -10,6 +10,9 @@ + + + @@ -17,15 +20,21 @@ - - + + - + + + + + + + -- cgit v1.2.3