From 9bafb2671b297d39574c346c896347f197282081 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Thu, 18 Feb 2016 19:21:10 +0100
Subject: remove AXIS1 implemented WebService for SAML1  --> now a simple
 Spring controller is used as WebService endpoint

---
 id/server/auth/pom.xml                             |  21 +-
 .../src/main/webapp/WEB-INF/server-config.wsdd     |  29 --
 id/server/auth/src/main/webapp/WEB-INF/web.xml     |   4 +-
 .../WebFrontEndSecurityInterceptor.java            |  11 +-
 .../moa/id/auth/builder/SAMLResponseBuilder.java   |   3 +-
 .../saml1/GetAuthenticationDataService.java        | 386 ++++++++++-----
 .../SAML1AssertionResponseBuildException.java      |  86 ++++
 .../src/main/resources/plain_info.vm               |  14 +
 .../src/main/resources/soap_error.vm               |   4 +
 .../src/main/resources/soap_success.vm             |   4 +
 .../src/main/resources/wsdl/MOA-ID-1.x.vm          |  40 ++
 .../src/main/resources/wsdl/MOA-SPSS-1.2.vm        | 528 +++++++++++++++++++++
 12 files changed, 957 insertions(+), 173 deletions(-)
 delete mode 100644 id/server/auth/src/main/webapp/WEB-INF/server-config.wsdd
 create mode 100644 id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AssertionResponseBuildException.java
 create mode 100644 id/server/modules/moa-id-modules-saml1/src/main/resources/plain_info.vm
 create mode 100644 id/server/modules/moa-id-modules-saml1/src/main/resources/soap_error.vm
 create mode 100644 id/server/modules/moa-id-modules-saml1/src/main/resources/soap_success.vm
 create mode 100644 id/server/modules/moa-id-modules-saml1/src/main/resources/wsdl/MOA-ID-1.x.vm
 create mode 100644 id/server/modules/moa-id-modules-saml1/src/main/resources/wsdl/MOA-SPSS-1.2.vm

(limited to 'id/server')

diff --git a/id/server/auth/pom.xml b/id/server/auth/pom.xml
index c50d4ce47..b9c55148c 100644
--- a/id/server/auth/pom.xml
+++ b/id/server/auth/pom.xml
@@ -91,15 +91,6 @@
 
 
         <!-- we need Axis 1.1 here, 1.0 is included in SPSS -->
-		<dependency>
-			<groupId>axis</groupId>
-			<artifactId>axis</artifactId>
-		</dependency>
-		<dependency>
-    		<groupId>org.tuckey</groupId>
-    		<artifactId>urlrewritefilter</artifactId>
-    		<version>4.0.4</version>
-		</dependency>
 		<dependency>
 			<groupId>MOA.spss.server</groupId>
 			<artifactId>moa-spss-lib</artifactId>
@@ -108,14 +99,14 @@
 					<artifactId>iaik_pki_module</artifactId>
 					<groupId>iaik</groupId>
 				</exclusion>
-				<exclusion>
-					<artifactId>axis-wsdl4j</artifactId>
-					<groupId>axis</groupId>
-				</exclusion>
 				<exclusion>
 					<groupId>commons-logging</groupId>
 					<artifactId>commons-logging</artifactId>
 				</exclusion>
+				<exclusion>
+					<artifactId>axis-wsdl4j</artifactId>
+					<groupId>axis</groupId>
+				</exclusion>
 			</exclusions>
 		</dependency>
 		<dependency>
@@ -130,6 +121,10 @@
 					<groupId>ch.qos.logback</groupId>
 					<artifactId>logback-classic</artifactId>
 				</exclusion>
+				<exclusion>
+					<artifactId>axis</artifactId>
+					<groupId>axis</groupId>
+				</exclusion>
 			</exclusions>
 		</dependency>
 		
diff --git a/id/server/auth/src/main/webapp/WEB-INF/server-config.wsdd b/id/server/auth/src/main/webapp/WEB-INF/server-config.wsdd
deleted file mode 100644
index 121ec3cf9..000000000
--- a/id/server/auth/src/main/webapp/WEB-INF/server-config.wsdd
+++ /dev/null
@@ -1,29 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<deployment name="defaultClientConfig"
-            xmlns="http://xml.apache.org/axis/wsdd/"
-            xmlns:java="http://xml.apache.org/axis/wsdd/providers/java"
-            xmlns:handler="http://xml.apache.org/axis/wsdd/providers/handler">
-
-  <handler name="URLMapper" type="java:org.apache.axis.handlers.http.URLMapper"/>
-  <handler name="MsgDispatcher" type="java:org.apache.axis.providers.java.MsgProvider"/>
-  <handler name="HTTPAuthHandler" type="java:org.apache.axis.handlers.http.HTTPAuthHandler"/>
-
-  <service name="GetAuthenticationData" provider="java:MSG">
-    <namespace>urn:oasis:names:tc:SAML:1.0:protocol</namespace>
-    <parameter name="allowedMethods" value="Request"/>
-    <parameter name="className" value="at.gv.egovernment.moa.id.protocols.saml1.GetAuthenticationDataService"/>
-    <wsdlFile>/resources/wsdl/MOA-ID-1.x.wsdl</wsdlFile>
-    <requestFlow>
-    </requestFlow>
-    <responseFlow>
-    </responseFlow>
-  </service>
-
-  <transport name="http">
-    <requestFlow>
-      <handler type="URLMapper"/>
-      <handler type="HTTPAuthHandler"/>
-    </requestFlow>
-  </transport>
-
-</deployment>
diff --git a/id/server/auth/src/main/webapp/WEB-INF/web.xml b/id/server/auth/src/main/webapp/WEB-INF/web.xml
index 4b129f374..92dcf1266 100644
--- a/id/server/auth/src/main/webapp/WEB-INF/web.xml
+++ b/id/server/auth/src/main/webapp/WEB-INF/web.xml
@@ -112,7 +112,7 @@
 		<url-pattern>/idpSingleLogout</url-pattern>
 	</servlet-mapping> -->
 	
-	<servlet>
+<!-- 	<servlet>
 		<display-name>Apache-Axis Servlet</display-name>
 		<servlet-name>AxisServlet</servlet-name>
 		<servlet-class>org.apache.axis.transport.http.AxisServlet</servlet-class>
@@ -120,7 +120,7 @@
 	<servlet-mapping>
 		<servlet-name>AxisServlet</servlet-name>
 		<url-pattern>/services/*</url-pattern>
-	</servlet-mapping>
+	</servlet-mapping> -->
 
 <!-- 	<servlet>
 		<display-name>Dispatcher Servlet</display-name>
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/interceptor/WebFrontEndSecurityInterceptor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/interceptor/WebFrontEndSecurityInterceptor.java
index 7835687e8..c5a9ad34b 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/interceptor/WebFrontEndSecurityInterceptor.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/interceptor/WebFrontEndSecurityInterceptor.java
@@ -34,6 +34,7 @@ import at.gv.egovernment.moa.id.config.auth.AuthConfiguration;
 import at.gv.egovernment.moa.id.util.HTTPUtils;
 import at.gv.egovernment.moa.id.util.MOAIDMessageProvider;
 import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
 
 /**
  * @author tlenz
@@ -49,7 +50,15 @@ public class WebFrontEndSecurityInterceptor implements HandlerInterceptor {
 	@Override
 	public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
 			throws Exception {
-
+		
+		//only for SAML1 GetAuthenticationData webService functionality
+		String requestedServlet = request.getServletPath();		
+		if (MiscUtil.isNotEmpty(requestedServlet) && requestedServlet.startsWith("/services/GetAuthenticationData")) {
+			Logger.debug("SAML1 GetAuthenticationServices allow access without SSL");
+			return true;
+			
+		}
+		
 		//check AuthURL
 	    String authURL = HTTPUtils.extractAuthURLFromRequest(request);
 		if (!authURL.startsWith("https:") && !authConfig.isHTTPAuthAllowed()) {
diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/builder/SAMLResponseBuilder.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/builder/SAMLResponseBuilder.java
index 8b0d906fe..306c871fc 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/builder/SAMLResponseBuilder.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/builder/SAMLResponseBuilder.java
@@ -123,7 +123,8 @@ public class SAMLResponseBuilder implements Constants {
         statusMessage, 
         StringUtils.removeXMLDeclaration(samlAssertion) });
   		Element domResponse = DOMUtils.parseDocument(xmlResponse, false, ALL_SCHEMA_LOCATIONS, null).getDocumentElement();
-		  return domResponse;
+		return domResponse;
+		
   	}
   	catch (Throwable ex) {
   		throw new BuildException(
diff --git a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetAuthenticationDataService.java b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetAuthenticationDataService.java
index 7e46e53fe..fc5837e51 100644
--- a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetAuthenticationDataService.java
+++ b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetAuthenticationDataService.java
@@ -46,18 +46,39 @@
 
 package at.gv.egovernment.moa.id.protocols.saml1;
 
+import java.io.BufferedReader;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.io.StringWriter;
 import java.util.Calendar;
 
-import org.apache.axis.AxisFault;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.xml.parsers.ParserConfigurationException;
+import javax.xml.transform.TransformerException;
+
 import org.apache.commons.lang3.StringEscapeUtils;
+import org.apache.velocity.VelocityContext;
+import org.apache.velocity.app.VelocityEngine;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
 import org.w3c.dom.Element;
 import org.w3c.dom.NodeList;
+import org.xml.sax.SAXException;
 
 import at.gv.egovernment.moa.id.auth.builder.SAMLResponseBuilder;
+import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
 import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
+import at.gv.egovernment.moa.id.auth.servlet.AbstractController;
 import at.gv.egovernment.moa.id.util.ErrorResponseUtils;
+import at.gv.egovernment.moa.id.util.HTTPUtils;
 import at.gv.egovernment.moa.id.util.MOAIDMessageProvider;
 import at.gv.egovernment.moa.id.util.Random;
+import at.gv.egovernment.moa.id.util.VelocityProvider;
+import at.gv.egovernment.moa.logging.Logger;
 import at.gv.egovernment.moa.util.Constants;
 import at.gv.egovernment.moa.util.DOMUtils;
 import at.gv.egovernment.moa.util.DateTimeUtils;
@@ -66,151 +87,262 @@ import at.gv.egovernment.moa.util.XPathUtils;
 /**
  * Web service for picking up authentication data created in the MOA-ID Auth component.
  * 
- * @author Paul Ivancsics
- * @version $Id: GetAuthenticationDataService.java 1233 2012-01-26 21:59:33Z kstranacher $
- * @see at.gv.egovernment.moa.id.auth.AuthenticationServer#getAuthenticationData
+ * This getAssertion WebService implementations a hacked solution to integrate SAML1 into
+ * the new Spring based MOA-ID implementation.
+ *  
+ * @deprecated
+ * It is too bad about the time to implement a better solution, 
+ * since SAML1 is deprecated MOA-ID >= 2.0.0 
+ * 
+ * @author tlenz
  */
-public class GetAuthenticationDataService implements Constants {
+@Controller
+public class GetAuthenticationDataService extends AbstractController implements Constants {
 
-  /**
-   * Constructor for GetAuthenticationDataService.
-   */
-  public GetAuthenticationDataService() {
-    super();
-  }
+	@Autowired private SAML1AuthenticationServer saml1AuthServer;
+	
+	private static final String PARAM_WSDL="wsdl";
+	private static final String PARAM_XSD="xsd";
+  
+	private static final String TEMPLATE_PLAIN_INFO="plain_info.vm";
+	private static final String TEMPLATE_WSDL="wsdl/MOA-ID-1.x.vm";
+	private static final String TEMPLATE_XSD="wsdl/MOA-SPSS-1.2.vm";	
+	private static final String TEMPLATE_SOAP_ERROR="soap_error.vm";
+	private static final String TEMPLATE_SOAP_SUCCESS="soap_success.vm";
+	
+	private static final String SERVICE_ENDPOINT = "/services/GetAuthenticationData";
+	
+	private static final String CONTEXT_ENDPOINT = "endpoint";
+	private static final String CONTEXT_ERROR = "error";
+	
+	private static final String CONTEXT_SOAP_RESPONSEID = "responseID";
+	private static final String CONTEXT_SOAP_REQUESTEID = "requestID";
+	private static final String CONTEXT_SOAP_ISSUEINSTANT = "issueInstant";
+	private static final String CONTEXT_SOAP_ERRORMESSAGE = "errorMsg";
+	private static final String CONTEXT_SOAP_STATUSCODE = "statusCode";
+	private static final String CONTEXT_SOAP_ASSERTION = "assertion";
+	
+	@RequestMapping(value = "/services/GetAuthenticationData", method = {RequestMethod.POST})
+	public void getAuthenticationData(HttpServletRequest req, HttpServletResponse resp)
+		    throws IOException {
+		InputStream is = null;
+		VelocityContext context = new VelocityContext();
+		try { 
+			is = req.getInputStream();		
+			Element soapReq = DOMUtils.parseXmlNonValidating(is);
 
-	/**
-	 * Takes a <code>lt;samlp:Request&gt;</code> containing a 
-	 * <code>SAML artifact</code> and returns the corresponding 
-	 * authentication data <code>lt;saml:Assertion&gt;</code> 
-	 * (obtained from the <code>AuthenticationServer</code>),
-	 * enclosed in a <code>lt;samlp:Response&gt;</code>.
-	 * <br/>Bad requests are mapped into various <code>lt;samlp:StatusCode&gt;</code>s,
-	 * possibly containing enclosed sub-<code>lt;samlp:StatusCode&gt;</code>s.
-	 * The status codes are defined in the SAML specification.
-	 * 
-	 * @param requests request elements of type <code>lt;samlp:Request&gt;</code>;
-	 * 				 only 1 request element is allowed
-	 * @return response element of type <code>lt;samlp:Response&gt;</code>,
-	 * 				  packed into an <code>Element[]</code>
-	 * @throws AxisFault thrown when an error occurs in assembling the 
-	 * 					<code>lt;samlp:Response&gt;</code>
-	 */
-  public Element[] Request(Element[] requests) 
-  	throws AxisFault {
-  		
-		Element request = requests[0];
-		Element[] responses = new Element[1];
+			//process request
+			Element soapResp = processRequest(soapReq); 
+		    
+			String respString = DOMUtils.serializeNode(soapResp, true);
+			
+			resp.setContentType("text/xml;charset=UTF-8");
+			context.put(CONTEXT_SOAP_ASSERTION, respString);
+			evaluateTemplate(context, resp, TEMPLATE_SOAP_SUCCESS);
+						
+		} catch (ParserConfigurationException | SAXException | IOException | TransformerException e) {
+			Logger.error("SAML1 GetAuthenticationData receive a non-valid request.", e);
+			resp.setContentType("text/xml;charset=UTF-8");
+					
+			context.put(CONTEXT_SOAP_ISSUEINSTANT, DateTimeUtils.buildDateTimeUTC(Calendar.getInstance()));
+			context.put(CONTEXT_SOAP_RESPONSEID, Random.nextRandom());
+			context.put(CONTEXT_SOAP_STATUSCODE, "samlp:Requester");
+			context.put(CONTEXT_SOAP_ERRORMESSAGE, e.getMessage());
+			
+			evaluateTemplate(context, resp, TEMPLATE_SOAP_ERROR);
+			
+		} catch (SAML1AssertionResponseBuildException e) {
+			Logger.error("SAML1 GetAuthenticationData response build failed..", e);
+			resp.setContentType("text/xml;charset=UTF-8");
+			
+			context.put(CONTEXT_SOAP_ISSUEINSTANT, e.getIssueInstant());
+			context.put(CONTEXT_SOAP_REQUESTEID, e.getRequestID());
+			context.put(CONTEXT_SOAP_RESPONSEID, e.getResponseID());
+			context.put(CONTEXT_SOAP_STATUSCODE, "samlp:Responder");
+			context.put(CONTEXT_SOAP_ERRORMESSAGE, e.getMessage());
+			
+			evaluateTemplate(context, resp, TEMPLATE_SOAP_ERROR);
+			
+		} finally {
+			try {
+				if (is != null)
+					is.close();
+				
+			} catch (Exception e) {
+								
+			}			
+		}		
+	}
+		
+	@RequestMapping(value = "/services/GetAuthenticationData", method = {RequestMethod.GET})
+	public void getAuthenticationDataWSDL(HttpServletRequest req, HttpServletResponse resp)
+		    throws Exception {		
+		String wsdl_param = req.getParameter(PARAM_WSDL);
+		String xsd_param = req.getParameter(PARAM_XSD);
+				
+		String fullServiceEndPoint = HTTPUtils.extractAuthURLFromRequest(req) + SERVICE_ENDPOINT;
+		
+		VelocityContext context = new VelocityContext();		
+		context.put(CONTEXT_ENDPOINT, fullServiceEndPoint);
+		
+		if (wsdl_param != null) {
+			//print wsdl
+			resp.setContentType("text/xml;charset=UTF-8");
+			evaluateTemplate(context, resp, TEMPLATE_WSDL);
+			
+		} else if (xsd_param != null){
+			//print xsd
+			resp.setContentType("text/xml;charset=UTF-8");
+			evaluateTemplate(context, resp, TEMPLATE_XSD);
+						
+		} else {
+			//print plain info
+			resp.setContentType("text/html;charset=UTF-8");
+			evaluateTemplate(context, resp, TEMPLATE_PLAIN_INFO);
+			
+		}
+				
+	}
+	
+	private Element processRequest(Element soapReq) throws ParserConfigurationException, IOException, SAXException, TransformerException, SAML1AssertionResponseBuildException {
 		String requestID = "";
 		String statusCode = "";
 		String subStatusCode = null;
 		String statusMessageCode = null;
 		String statusMessage = null;
 		String samlAssertion = "";
-		if (requests.length > 1) {
-			// more than 1 request given as parameter
-			statusCode = "samlp:Requester";
-			subStatusCode = "samlp:TooManyResponses";
-			statusMessageCode = "1201";
-		}
+		Element responses;
+
+		//select soap-body element
+		NodeList saml1ReqList = soapReq.getElementsByTagNameNS(soapReq.getNamespaceURI(), "Body");;				
+		if (saml1ReqList.getLength() != 1) {
+			saml1ReqList = soapReq.getElementsByTagNameNS(soapReq.getNamespaceURI(), "body");;
+			if (saml1ReqList.getLength() != 1) {
+				throw new SAXException("No unique 'soap-env:Body' element.");
+				
+			}	
+		} 
+		
+		//get first child from body --> should be the SAML1 Request element 
+		Element saml1Req;
+		if (saml1ReqList.item(0).getFirstChild() instanceof Element)
+			saml1Req = (Element) saml1ReqList.item(0).getFirstChild();
+			
 		else {
-			try {
-				DOMUtils.validateElement(request, ALL_SCHEMA_LOCATIONS, null);
-				NodeList samlArtifactList = XPathUtils.selectNodeList(request, "samlp:AssertionArtifact");
-				if (samlArtifactList.getLength() == 0) {
-					// no SAML artifact given in request
-					statusCode = "samlp:Requester";
-					statusMessageCode = "1202";
-				}
-				else if (samlArtifactList.getLength() > 1) {
-					// too many SAML artifacts given in request
-					statusCode = "samlp:Requester";
-					subStatusCode = "samlp:TooManyResponses";
-					statusMessageCode = "1203";
-				}
+			throw new SAXException("First child of 'soap-env:Body' element has a wrong type.");
 				
-				else {
-					Element samlArtifactElem = (Element)samlArtifactList.item(0);
-                    requestID = request.getAttribute("RequestID");
-					String samlArtifact = DOMUtils.getText(samlArtifactElem);
-					
-					
-					//SAML1AuthenticationServer saml1server = SAML1AuthenticationServer.getInstace();
-					
-					try {
+		}
 
-						samlAssertion = "Find a solution to integrate Axis 1 into Spring";
-						//samlAssertion = saml1server.getSaml1AuthenticationData(samlArtifact);
-                        
-						// success
-						statusCode = "samlp:Success";
-						statusMessageCode = "1200";
-					}
-					
-					catch (ClassCastException ex) {
+		//validate the SAML1 request element, which we selected above 
+		DOMUtils.validateElement(saml1Req, ALL_SCHEMA_LOCATIONS, null);	
+		
+		//parse inforamtion from SAML1 request
+		try {
+			NodeList samlArtifactList = XPathUtils.selectNodeList(saml1Req, "samlp:AssertionArtifact");
+			if (samlArtifactList.getLength() == 0) {
+				// no SAML artifact given in request
+				statusCode = "samlp:Requester";
+				statusMessageCode = "1202";
+				
+			} else if (samlArtifactList.getLength() > 1) {
+				// too many SAML artifacts given in request
+				statusCode = "samlp:Requester";
+				subStatusCode = "samlp:TooManyResponses";
+				statusMessageCode = "1203";
+				
+			} else {
+				Element samlArtifactElem = (Element)samlArtifactList.item(0);
+                requestID = saml1Req.getAttribute("RequestID");
+				String samlArtifact = DOMUtils.getText(samlArtifactElem);
+								
+				try {
+					samlAssertion = saml1AuthServer.getSaml1AuthenticationData(samlArtifact);
+                    
+					// success
+					statusCode = "samlp:Success";
+					statusMessageCode = "1200";
 					
-						try {
-							//Throwable error = saml1server.getErrorResponse(samlArtifact);
-							Throwable error = new Exception("Find a solution to integrate Axis 1 into Spring");
-							statusCode = "samlp:Responder";
+				} catch (ClassCastException ex) {				
+					try {
+						Throwable error = saml1AuthServer.getErrorResponse(samlArtifact);
+						statusCode = "samlp:Responder";
+						
+						ErrorResponseUtils errorUtils = ErrorResponseUtils.getInstance();
+						
+						if (error instanceof MOAIDException) {
+							statusMessageCode = ((MOAIDException)error).getMessageId();
+							statusMessage = StringEscapeUtils.escapeXml(((MOAIDException)error).getMessage());
 							
-							ErrorResponseUtils errorUtils = ErrorResponseUtils.getInstance();
+						} else {
+							statusMessage = StringEscapeUtils.escapeXml(error.getMessage());
 							
-							if (error instanceof MOAIDException) {
-								statusMessageCode = ((MOAIDException)error).getMessageId();
-								statusMessage = StringEscapeUtils.escapeXml(((MOAIDException)error).getMessage());
-								
-							} else {
-								statusMessage = StringEscapeUtils.escapeXml(error.getMessage());
-							}							
-							subStatusCode = errorUtils.getResponseErrorCode(error);
-																
-						} catch (Exception e) {
-							//no authentication data for given SAML artifact
-							statusCode = "samlp:Requester";
-							subStatusCode = "samlp:ResourceNotRecognized";
-							statusMessage = ex.toString();
-						}
-						
+						}							
+						subStatusCode = errorUtils.getResponseErrorCode(error);
+															
+					} catch (Exception e) {
+						//no authentication data for given SAML artifact
+						statusCode = "samlp:Requester";
+						subStatusCode = "samlp:ResourceNotRecognized";
+						statusMessage = ex.toString();
 					}
 					
-//					catch (AuthenticationException ex) {
-//						//no authentication data for given SAML artifact
-//						statusCode = "samlp:Requester";
-//						subStatusCode = "samlp:ResourceNotRecognized";
-//						statusMessage = ex.toString();
-//					}
+				} catch (AuthenticationException ex) {
+					//no authentication data for given SAML artifact
+					statusCode = "samlp:Requester";
+					subStatusCode = "samlp:ResourceNotRecognized";
+					statusMessage = ex.toString();
 				}
 			}
-	    catch (Throwable t) {
-	    	// invalid request format
-				statusCode = "samlp:Requester";
-				statusMessageCode = "1204";
-	    }
+			
+			
+		} catch (Throwable t) {
+			// invalid request format
+			statusCode = "samlp:Requester";
+			statusMessageCode = "1204";
+			
+		}
+
+		String responseID = Random.nextRandom();			
+		String issueInstant = DateTimeUtils.buildDateTimeUTC(Calendar.getInstance());
+
+		try {		
+			if (statusMessage == null)
+				statusMessage = MOAIDMessageProvider.getInstance().getMessage(statusMessageCode, null);
+				responses = new SAMLResponseBuilder().build(
+						responseID, requestID, issueInstant, statusCode, subStatusCode, statusMessage, samlAssertion);			
+				return responses;
+				
+		} catch (Throwable e) {
+			throw new SAML1AssertionResponseBuildException(responseID, issueInstant, 
+					requestID, "1299", e.getMessage(), e);
+			
+		}
 	}
+	
+	
+	private void evaluateTemplate(VelocityContext context, HttpServletResponse httpResp, String templateURL) throws IOException {
+		InputStream is = null;
+		try {
+			is = Thread.currentThread()
+					.getContextClassLoader()
+					.getResourceAsStream(templateURL);	
+		
+			VelocityEngine engine = VelocityProvider.getClassPathVelocityEngine();		
+			BufferedReader reader = new BufferedReader(new InputStreamReader(is ));				
+			StringWriter writer = new StringWriter();						
+			engine.evaluate(context, writer, "SAML1 GetAuthenticationData", reader);		            
+			httpResp.getOutputStream().write(writer.toString().getBytes("UTF-8"));
+			
+		} catch (Exception e) {
+			Logger.error("SAML1 GetAuthenticationData has an error:", e);
+			throw new IOException(e);
+			
+		} finally {
+			if (is != null) 
+				is.close();
+			
+		} 
 		
-    try {
-			String responseID = Random.nextRandom();			
-			String issueInstant = DateTimeUtils.buildDateTimeUTC(Calendar.getInstance());
-			
-      if (statusMessage == null)
-			  statusMessage = MOAIDMessageProvider.getInstance().getMessage(statusMessageCode, null);
-	    responses[0] = new SAMLResponseBuilder().build(
-	    	responseID, requestID, issueInstant, statusCode, subStatusCode, statusMessage, samlAssertion);
-    
-  	}
-    catch (MOAIDException e) {
-	    AxisFault fault = AxisFault.makeFault(e);
-	    fault.setFaultDetail(new Element[] { e.toErrorResponse()});
-	    throw fault;
-    } 
-    catch (Throwable t) {
-	    MOAIDException e = new MOAIDException("1299", null, t);
-	    AxisFault fault = AxisFault.makeFault(e);
-	    fault.setFaultDetail(new Element[] { e.toErrorResponse()});
-	    throw fault;
-    }
-    return responses;
-  }
-  	
+	}  	
 }
+
diff --git a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AssertionResponseBuildException.java b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AssertionResponseBuildException.java
new file mode 100644
index 000000000..0c06a94df
--- /dev/null
+++ b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AssertionResponseBuildException.java
@@ -0,0 +1,86 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.protocols.saml1;
+
+/**
+ * @author tlenz
+ *
+ */
+public class SAML1AssertionResponseBuildException extends Exception {
+
+	private static final long serialVersionUID = -394698807368683821L;
+	
+	private String responseID;
+	private String issueInstant;
+	private String requestID;
+	private String errorCode;
+	
+	/**
+	 * @param responseID
+	 * @param issueInstant
+	 * @param requestID
+	 * @param string
+	 * @param message
+	 */
+	public SAML1AssertionResponseBuildException(String responseID, String issueInstant, String requestID, String errorCode,
+			String errorMsg, Throwable throwable) {
+		super(errorMsg, throwable);
+		
+		this.requestID = requestID;
+		this.issueInstant = issueInstant;
+		this.responseID = responseID;
+		this.errorCode = errorCode;
+	}
+
+	/**
+	 * @return the responseID
+	 */
+	public String getResponseID() {
+		return responseID;
+	}
+
+	/**
+	 * @return the issueInstant
+	 */
+	public String getIssueInstant() {
+		return issueInstant;
+	}
+
+	/**
+	 * @return the requestID
+	 */
+	public String getRequestID() {
+		return requestID;
+	}
+
+	/**
+	 * @return the errorCode
+	 */
+	public String getErrorCode() {
+		return errorCode;
+	}
+
+	
+	
+
+}
diff --git a/id/server/modules/moa-id-modules-saml1/src/main/resources/plain_info.vm b/id/server/modules/moa-id-modules-saml1/src/main/resources/plain_info.vm
new file mode 100644
index 000000000..dfc11820f
--- /dev/null
+++ b/id/server/modules/moa-id-modules-saml1/src/main/resources/plain_info.vm
@@ -0,0 +1,14 @@
+<html>
+<head>
+<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
+</head>
+<body>
+<h1>GetAuthenticationData</h1>
+<p>Hi there, this is an Web service!</p>
+#if($error)
+	<i>Your request has an error: $error</i>
+#else
+	<i>Perhaps there will be a form for invoking the service here...</i>
+#end
+</body>
+</html>
diff --git a/id/server/modules/moa-id-modules-saml1/src/main/resources/soap_error.vm b/id/server/modules/moa-id-modules-saml1/src/main/resources/soap_error.vm
new file mode 100644
index 000000000..65945e2de
--- /dev/null
+++ b/id/server/modules/moa-id-modules-saml1/src/main/resources/soap_error.vm
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+ <soapenv:Body><samlp:Response #if($requestID) InResponseTo="$requestID" #end IssueInstant="$issueInstant" MajorVersion="1" MinorVersion="0" ResponseID="$responseID" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol">  <samlp:Status>    <samlp:StatusCode Value="$statusCode"/>    <samlp:StatusMessage>$errorMsg</samlp:StatusMessage>  </samlp:Status>  </samlp:Response> </soapenv:Body>
+</soapenv:Envelope>
\ No newline at end of file
diff --git a/id/server/modules/moa-id-modules-saml1/src/main/resources/soap_success.vm b/id/server/modules/moa-id-modules-saml1/src/main/resources/soap_success.vm
new file mode 100644
index 000000000..7dad2c259
--- /dev/null
+++ b/id/server/modules/moa-id-modules-saml1/src/main/resources/soap_success.vm
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+ <soapenv:Body>$assertion</soapenv:Body>
+</soapenv:Envelope>
\ No newline at end of file
diff --git a/id/server/modules/moa-id-modules-saml1/src/main/resources/wsdl/MOA-ID-1.x.vm b/id/server/modules/moa-id-modules-saml1/src/main/resources/wsdl/MOA-ID-1.x.vm
new file mode 100644
index 000000000..74be59723
--- /dev/null
+++ b/id/server/modules/moa-id-modules-saml1/src/main/resources/wsdl/MOA-ID-1.x.vm
@@ -0,0 +1,40 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<definitions name="MOA" targetNamespace="http://reference.e-government.gv.at/namespace/moa/20020822#" xmlns="http://schemas.xmlsoap.org/wsdl/" xmlns:tns="http://reference.e-government.gv.at/namespace/moa/20020822#" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:moa="http://reference.e-government.gv.at/namespace/moa/20020822#" xmlns:xsd="http://www.w3.org/1999/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/wsdl/ http://schemas.xmlsoap.org/wsdl/">
+	<import namespace="http://reference.e-government.gv.at/namespace/moa/20020822#" location="$endpoint?xsd"/>
+	<message name="GetAuthenticationDataInput">
+		<part name="body" element="samlp:Request"/>
+	</message>
+	<message name="GetAuthenticationDataOutput">
+		<part name="body" element="samlp:Response"/>
+	</message>
+	<message name="MOAFault">
+		<part name="body" element="moa:ErrorResponse"/>
+	</message>
+	<portType name="IdentificationPortType">
+		<operation name="getAuthenticationData">
+			<input message="tns:GetAuthenticationDataInput"/>
+			<output message="tns:GetAuthenticationDataOutput"/>
+			<fault name="MOAFault" message="tns:MOAFault"/>
+		</operation>
+	</portType>
+	<binding name="IdentificationBinding" type="tns:IdentificationPortType" xsi:schemaLocation="http://schemas.xmlsoap.org/wsdl/soap/ http://schemas.xmlsoap.org/wsdl/soap/">
+		<soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
+		<operation name="getAuthenticationData">
+			<soap:operation soapAction="urn:GetAuthenticationDataAction"/>
+			<input>
+				<soap:body use="literal" namespace="http://reference.e-government.gv.at/namespace/moa/20020822#"/>
+			</input>
+			<output>
+				<soap:body use="literal" namespace="http://reference.e-government.gv.at/namespace/moa/20020822#"/>
+			</output>
+			<fault name="MOAFault">
+				<soap:fault name="MOAFault" use="literal" namespace="http://reference.e-government.gv.at/namespace/moa/20020822#"/>
+			</fault>
+		</operation>
+	</binding>
+	<service name="GetAuthenticationDataService">
+		<port name="IdentificationPort" binding="tns:IdentificationBinding">
+			<soap:address location="$endpoint"/>
+		</port>
+	</service>
+</definitions>
diff --git a/id/server/modules/moa-id-modules-saml1/src/main/resources/wsdl/MOA-SPSS-1.2.vm b/id/server/modules/moa-id-modules-saml1/src/main/resources/wsdl/MOA-SPSS-1.2.vm
new file mode 100644
index 000000000..4c86626a0
--- /dev/null
+++ b/id/server/modules/moa-id-modules-saml1/src/main/resources/wsdl/MOA-SPSS-1.2.vm
@@ -0,0 +1,528 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- MOA SP/SS 1.2 Schema -->
+<xsd:schema
+	targetNamespace="http://reference.e-government.gv.at/namespace/moa/20020822#"
+	xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:xsd="http://www.w3.org/2001/XMLSchema"
+	xmlns="http://reference.e-government.gv.at/namespace/moa/20020822#"
+	elementFormDefault="qualified" attributeFormDefault="unqualified"
+	version="1.2">
+	<xsd:import namespace="http://www.w3.org/2000/09/xmldsig#"
+		schemaLocation="http://www.w3.org/TR/xmldsig-core/xmldsig-core-schema.xsd" />
+	<xsd:import namespace="http://www.w3.org/XML/1998/namespace"
+		schemaLocation="http://www.w3.org/2001/xml.xsd" />
+	<!--########## Create XML Signature ### -->
+	<!--### Create XML Signature Request ### -->
+	<xsd:element name="CreateXMLSignatureRequest">
+		<xsd:complexType>
+			<xsd:complexContent>
+				<xsd:extension base="CreateXMLSignatureRequestType" />
+			</xsd:complexContent>
+		</xsd:complexType>
+	</xsd:element>
+	<xsd:complexType name="CreateXMLSignatureRequestType">
+		<xsd:sequence>
+			<xsd:element name="KeyIdentifier" type="KeyIdentifierType" />
+			<xsd:element name="SingleSignatureInfo" maxOccurs="unbounded">
+				<xsd:annotation>
+					<xsd:documentation>Ermöglichung der Stapelsignatur durch
+						wiederholte Angabe dieses Elements</xsd:documentation>
+				</xsd:annotation>
+				<xsd:complexType>
+					<xsd:sequence>
+						<xsd:element name="DataObjectInfo" maxOccurs="unbounded">
+							<xsd:complexType>
+								<xsd:complexContent>
+									<xsd:extension base="DataObjectInfoType">
+										<xsd:attribute name="ChildOfManifest" type="xsd:boolean"
+											use="optional" default="false" />
+									</xsd:extension>
+								</xsd:complexContent>
+							</xsd:complexType>
+						</xsd:element>
+						<xsd:element name="CreateSignatureInfo" minOccurs="0">
+							<xsd:complexType>
+								<xsd:sequence>
+									<xsd:element name="CreateSignatureEnvironment"
+										type="ContentOptionalRefType" />
+									<xsd:choice>
+										<xsd:annotation>
+											<xsd:documentation>Auswahl: Entweder explizite Angabe des
+												Signaturorts sowie ggf. sinnvoller Supplements im Zshg. mit
+												der Signaturumgebung, oder Verweis auf ein benanntes Profil
+											</xsd:documentation>
+										</xsd:annotation>
+										<xsd:element ref="CreateSignatureEnvironmentProfile" />
+										<xsd:element name="CreateSignatureEnvironmentProfileID"
+											type="ProfileIdentifierType" />
+									</xsd:choice>
+								</xsd:sequence>
+							</xsd:complexType>
+						</xsd:element>
+					</xsd:sequence>
+					<xsd:attribute name="SecurityLayerConformity" type="xsd:boolean"
+						use="optional" default="true" />
+				</xsd:complexType>
+			</xsd:element>
+		</xsd:sequence>
+	</xsd:complexType>
+	<!--### Create XML Signature Response ### -->
+	<xsd:complexType name="CreateXMLSignatureResponseType">
+		<xsd:choice maxOccurs="unbounded">
+			<xsd:annotation>
+				<xsd:documentation>Kardinalität 1..oo erlaubt die Antwort auf eine
+					Stapelsignatur-Anfrage</xsd:documentation>
+			</xsd:annotation>
+			<xsd:element name="SignatureEnvironment">
+				<xsd:annotation>
+					<xsd:documentation>Resultat, falls die Signaturerstellung
+						erfolgreich war</xsd:documentation>
+				</xsd:annotation>
+				<xsd:complexType>
+					<xsd:sequence>
+						<xsd:any namespace="##any" processContents="lax" />
+					</xsd:sequence>
+				</xsd:complexType>
+			</xsd:element>
+			<xsd:element ref="ErrorResponse" />
+		</xsd:choice>
+	</xsd:complexType>
+	<xsd:element name="CreateXMLSignatureResponse" type="CreateXMLSignatureResponseType" />
+	<!--########## Verify CMS Signature ### -->
+	<!--### Verifiy CMS Signature Request ### -->
+	<xsd:element name="VerifyCMSSignatureRequest">
+		<xsd:complexType>
+			<xsd:complexContent>
+				<xsd:extension base="VerifyCMSSignatureRequestType">
+					<xsd:attribute name="Signatories" type="SignatoriesType"
+						use="optional" default="1" />
+				</xsd:extension>
+			</xsd:complexContent>
+		</xsd:complexType>
+	</xsd:element>
+	<xsd:complexType name="VerifyCMSSignatureRequestType">
+		<xsd:sequence>
+			<xsd:element name="DateTime" type="xsd:dateTime"
+				minOccurs="0" />
+			<xsd:element name="CMSSignature" type="xsd:base64Binary" />
+			<xsd:element name="DataObject" type="CMSDataObjectOptionalMetaType"
+				minOccurs="0" />
+			<xsd:element name="TrustProfileID">
+				<xsd:annotation>
+					<xsd:documentation>mit diesem Profil wird eine Menge von
+						vertrauenswürdigen Wurzelzertifikaten spezifiziert
+					</xsd:documentation>
+				</xsd:annotation>
+			</xsd:element>
+		</xsd:sequence>
+	</xsd:complexType>
+	<!--### Verify CMS Signature Response ### -->
+	<xsd:element name="VerifyCMSSignatureResponse" type="VerifyCMSSignatureResponseType" />
+	<xsd:complexType name="VerifyCMSSignatureResponseType">
+		<xsd:sequence maxOccurs="unbounded">
+			<xsd:element name="SignerInfo" type="dsig:KeyInfoType">
+				<xsd:annotation>
+					<xsd:documentation>only ds:X509Data and RetrievalMethod is
+						supported; QualifiedCertificate is included as
+						X509Data/any;publicAuthority is included as X509Data/any
+					</xsd:documentation>
+				</xsd:annotation>
+			</xsd:element>
+			<xsd:element name="SignatureCheck" type="CheckResultType" />
+			<xsd:element name="CertificateCheck" type="CheckResultType" />
+		</xsd:sequence>
+	</xsd:complexType>
+	<!--########## Verify XML Signature ### -->
+	<!--### Verify XML Signature Request ### -->
+	<xsd:element name="VerifyXMLSignatureRequest" type="VerifyXMLSignatureRequestType" />
+	<xsd:complexType name="VerifyXMLSignatureRequestType">
+		<xsd:sequence>
+			<xsd:element name="DateTime" type="xsd:dateTime"
+				minOccurs="0" />
+			<xsd:element name="VerifySignatureInfo">
+				<xsd:complexType>
+					<xsd:sequence>
+						<xsd:element name="VerifySignatureEnvironment" type="ContentOptionalRefType" />
+						<xsd:element name="VerifySignatureLocation" type="xsd:token" />
+					</xsd:sequence>
+				</xsd:complexType>
+			</xsd:element>
+			<xsd:choice minOccurs="0" maxOccurs="unbounded">
+				<xsd:element ref="SupplementProfile" />
+				<xsd:element name="SupplementProfileID" type="xsd:string" />
+			</xsd:choice>
+			<xsd:element name="SignatureManifestCheckParams"
+				minOccurs="0">
+				<xsd:complexType>
+					<xsd:sequence>
+						<xsd:element name="ReferenceInfo" type="VerifyTransformsDataType"
+							maxOccurs="unbounded">
+							<xsd:annotation>
+								<xsd:documentation>Pro dsig:Reference-Element in der zu
+									überprüfenden XML-Signatur muss hier ein ReferenceInfo-Element
+									erscheinen. Die Reihenfolge der einzelnen ReferenceInfo
+									Elemente entspricht jener der dsig:Reference Elemente in der
+									XML-Signatur.</xsd:documentation>
+							</xsd:annotation>
+						</xsd:element>
+					</xsd:sequence>
+					<xsd:attribute name="ReturnReferenceInputData" type="xsd:boolean"
+						use="optional" default="true" />
+				</xsd:complexType>
+			</xsd:element>
+			<xsd:element name="ReturnHashInputData" minOccurs="0" />
+			<xsd:element name="TrustProfileID">
+				<xsd:annotation>
+					<xsd:documentation>mit diesem Profil wird eine Menge von
+						vertrauenswürdigen Wurzelzertifikaten spezifiziert
+					</xsd:documentation>
+				</xsd:annotation>
+			</xsd:element>
+		</xsd:sequence>
+	</xsd:complexType>
+	<!--### Verify XML Signature Response ### -->
+	<xsd:element name="VerifyXMLSignatureResponse" type="VerifyXMLSignatureResponseType" />
+	<xsd:complexType name="VerifyXMLSignatureResponseType">
+		<xsd:sequence>
+			<xsd:element name="SignerInfo" type="dsig:KeyInfoType">
+				<xsd:annotation>
+					<xsd:documentation>only ds:X509Data and ds:RetrievalMethod is
+						supported; QualifiedCertificate is included as X509Data/any;
+						PublicAuthority is included as X509Data/any</xsd:documentation>
+				</xsd:annotation>
+			</xsd:element>
+			<xsd:element name="HashInputData" type="ContentExLocRefBaseType"
+				minOccurs="0" maxOccurs="unbounded" />
+			<xsd:element name="ReferenceInputData" type="ContentExLocRefBaseType"
+				minOccurs="0" maxOccurs="unbounded" />
+			<xsd:element name="SignatureCheck" type="ReferencesCheckResultType" />
+			<xsd:element name="SignatureManifestCheck" type="ReferencesCheckResultType"
+				minOccurs="0" />
+			<xsd:element name="XMLDSIGManifestCheck" type="ManifestRefsCheckResultType"
+				minOccurs="0" maxOccurs="unbounded" />
+			<xsd:element name="CertificateCheck" type="CheckResultType" />
+		</xsd:sequence>
+	</xsd:complexType>
+	<xsd:simpleType name="ProfileIdentifierType">
+		<xsd:restriction base="xsd:token" />
+	</xsd:simpleType>
+	<xsd:complexType name="MetaInfoType">
+		<xsd:sequence>
+			<xsd:element name="MimeType" type="MimeTypeType" />
+			<xsd:element name="Description" type="xsd:anyURI"
+				minOccurs="0" />
+			<xsd:any namespace="##other" minOccurs="0" maxOccurs="unbounded" />
+		</xsd:sequence>
+	</xsd:complexType>
+	<xsd:complexType name="FinalDataMetaInfoType">
+		<xsd:complexContent>
+			<xsd:extension base="MetaInfoType">
+				<xsd:sequence>
+					<xsd:element name="Type" type="xsd:anyURI" minOccurs="0" />
+				</xsd:sequence>
+			</xsd:extension>
+		</xsd:complexContent>
+	</xsd:complexType>
+	<xsd:complexType name="DataObjectInfoType">
+		<xsd:sequence>
+			<xsd:element name="DataObject">
+				<xsd:complexType>
+					<xsd:complexContent>
+						<xsd:extension base="ContentOptionalRefType" />
+					</xsd:complexContent>
+				</xsd:complexType>
+			</xsd:element>
+			<xsd:choice>
+				<xsd:annotation>
+					<xsd:documentation>Auswahl: Entweder explizite Angabe EINER
+						Transformationskette inklusive ggf. sinnvoller Supplements oder
+						Verweis auf ein benanntes Profil</xsd:documentation>
+				</xsd:annotation>
+				<xsd:element ref="CreateTransformsInfoProfile" />
+				<xsd:element name="CreateTransformsInfoProfileID" type="ProfileIdentifierType" />
+			</xsd:choice>
+		</xsd:sequence>
+		<xsd:attribute name="Structure" use="required">
+			<xsd:simpleType>
+				<xsd:restriction base="xsd:string">
+					<xsd:enumeration value="detached" />
+					<xsd:enumeration value="enveloping" />
+				</xsd:restriction>
+			</xsd:simpleType>
+		</xsd:attribute>
+	</xsd:complexType>
+	<xsd:complexType name="TransformsInfoType">
+		<xsd:sequence>
+			<xsd:element ref="dsig:Transforms" minOccurs="0" />
+			<xsd:element name="FinalDataMetaInfo" type="FinalDataMetaInfoType" />
+		</xsd:sequence>
+	</xsd:complexType>
+	<xsd:complexType name="XMLDataObjectAssociationType">
+		<xsd:sequence>
+			<xsd:element name="MetaInfo" type="MetaInfoType"
+				minOccurs="0" />
+			<xsd:element name="Content" type="ContentRequiredRefType" />
+		</xsd:sequence>
+	</xsd:complexType>
+	<xsd:complexType name="CMSDataObjectOptionalMetaType">
+		<xsd:sequence>
+			<xsd:element name="MetaInfo" type="MetaInfoType"
+				minOccurs="0" />
+			<xsd:element name="Content" type="CMSContentBaseType" />
+		</xsd:sequence>
+	</xsd:complexType>
+	<xsd:complexType name="CMSContentBaseType">
+		<xsd:complexContent>
+			<xsd:restriction base="ContentOptionalRefType">
+				<xsd:choice minOccurs="0">
+					<xsd:element name="Base64Content" type="xsd:base64Binary" />
+				</xsd:choice>
+			</xsd:restriction>
+		</xsd:complexContent>
+	</xsd:complexType>
+	<xsd:complexType name="CheckResultType">
+		<xsd:sequence>
+			<xsd:element name="Code" type="xsd:nonNegativeInteger" />
+			<xsd:element name="Info" type="AnyChildrenType"
+				minOccurs="0" />
+		</xsd:sequence>
+	</xsd:complexType>
+	<xsd:complexType name="ReferencesCheckResultType">
+		<xsd:complexContent>
+			<xsd:restriction base="CheckResultType">
+				<xsd:sequence>
+					<xsd:element name="Code" type="xsd:nonNegativeInteger" />
+					<xsd:element name="Info" type="ReferencesCheckResultInfoType"
+						minOccurs="0" />
+				</xsd:sequence>
+			</xsd:restriction>
+		</xsd:complexContent>
+	</xsd:complexType>
+	<xsd:complexType name="ReferencesCheckResultInfoType"
+		mixed="true">
+		<xsd:complexContent mixed="true">
+			<xsd:restriction base="AnyChildrenType">
+				<xsd:sequence>
+					<xsd:any namespace="##other" processContents="lax"
+						minOccurs="0" maxOccurs="unbounded" />
+					<xsd:element name="FailedReference" type="xsd:positiveInteger"
+						minOccurs="0" maxOccurs="unbounded" />
+				</xsd:sequence>
+			</xsd:restriction>
+		</xsd:complexContent>
+	</xsd:complexType>
+	<xsd:complexType name="ManifestRefsCheckResultType">
+		<xsd:complexContent>
+			<xsd:restriction base="CheckResultType">
+				<xsd:sequence>
+					<xsd:element name="Code" type="xsd:nonNegativeInteger" />
+					<xsd:element name="Info" type="ManifestRefsCheckResultInfoType" />
+				</xsd:sequence>
+			</xsd:restriction>
+		</xsd:complexContent>
+	</xsd:complexType>
+	<xsd:complexType name="ManifestRefsCheckResultInfoType"
+		mixed="true">
+		<xsd:complexContent mixed="true">
+			<xsd:restriction base="AnyChildrenType">
+				<xsd:sequence>
+					<xsd:any namespace="##other" processContents="lax"
+						minOccurs="0" maxOccurs="unbounded" />
+					<xsd:element name="FailedReference" type="xsd:positiveInteger"
+						minOccurs="0" maxOccurs="unbounded" />
+					<xsd:element name="ReferringSigReference" type="xsd:positiveInteger" />
+				</xsd:sequence>
+			</xsd:restriction>
+		</xsd:complexContent>
+	</xsd:complexType>
+	<!--########## Error Response ### -->
+	<xsd:element name="ErrorResponse" type="ErrorResponseType">
+		<xsd:annotation>
+			<xsd:documentation>Resultat, falls die Signaturerstellung gescheitert
+				ist</xsd:documentation>
+		</xsd:annotation>
+	</xsd:element>
+	<xsd:complexType name="ErrorResponseType">
+		<xsd:sequence>
+			<xsd:element name="ErrorCode" type="xsd:integer" />
+			<xsd:element name="Info" type="xsd:string" />
+		</xsd:sequence>
+	</xsd:complexType>
+	<!--########## Auxiliary Types ### -->
+	<xsd:simpleType name="KeyIdentifierType">
+		<xsd:restriction base="xsd:string" />
+	</xsd:simpleType>
+	<xsd:simpleType name="KeyStorageType">
+		<xsd:restriction base="xsd:string">
+			<xsd:enumeration value="Software" />
+			<xsd:enumeration value="Hardware" />
+		</xsd:restriction>
+	</xsd:simpleType>
+	<xsd:simpleType name="MimeTypeType">
+		<xsd:restriction base="xsd:token" />
+	</xsd:simpleType>
+	<xsd:complexType name="AnyChildrenType" mixed="true">
+		<xsd:sequence>
+			<xsd:any namespace="##any" processContents="lax" minOccurs="0"
+				maxOccurs="unbounded" />
+		</xsd:sequence>
+	</xsd:complexType>
+	<xsd:complexType name="XMLContentType" mixed="true">
+		<xsd:complexContent mixed="true">
+			<xsd:extension base="AnyChildrenType">
+				<xsd:attribute ref="xml:space" use="optional" />
+			</xsd:extension>
+		</xsd:complexContent>
+	</xsd:complexType>
+	<xsd:complexType name="ContentBaseType">
+		<xsd:choice minOccurs="0">
+			<xsd:element name="Base64Content" type="xsd:base64Binary" />
+			<xsd:element name="XMLContent" type="XMLContentType" />
+			<xsd:element name="LocRefContent" type="xsd:anyURI" />
+		</xsd:choice>
+	</xsd:complexType>
+	<xsd:complexType name="ContentExLocRefBaseType">
+		<xsd:complexContent>
+			<xsd:restriction base="ContentBaseType">
+				<xsd:choice minOccurs="0">
+					<xsd:element name="Base64Content" type="xsd:base64Binary" />
+					<xsd:element name="XMLContent" type="XMLContentType" />
+				</xsd:choice>
+			</xsd:restriction>
+		</xsd:complexContent>
+	</xsd:complexType>
+	<xsd:complexType name="ContentOptionalRefType">
+		<xsd:complexContent>
+			<xsd:extension base="ContentBaseType">
+				<xsd:attribute name="Reference" type="xsd:anyURI" use="optional" />
+			</xsd:extension>
+		</xsd:complexContent>
+	</xsd:complexType>
+	<xsd:complexType name="ContentRequiredRefType">
+		<xsd:complexContent>
+			<xsd:restriction base="ContentOptionalRefType">
+				<xsd:choice minOccurs="0">
+					<xsd:element name="Base64Content" type="xsd:base64Binary" />
+					<xsd:element name="XMLContent" type="XMLContentType" />
+					<xsd:element name="LocRefContent" type="xsd:anyURI" />
+				</xsd:choice>
+				<xsd:attribute name="Reference" type="xsd:anyURI" use="required" />
+			</xsd:restriction>
+		</xsd:complexContent>
+	</xsd:complexType>
+	<xsd:complexType name="VerifyTransformsDataType">
+		<xsd:choice maxOccurs="unbounded">
+			<xsd:annotation>
+				<xsd:documentation>Ein oder mehrere Transformationswege können von
+					der Applikation an MOA mitgeteilt werden. Die zu prüfende Signatur
+					hat zumindest einem dieser Transformationswege zu entsprechen. Die
+					Angabe kann explizit oder als Profilbezeichner erfolgen.
+				</xsd:documentation>
+			</xsd:annotation>
+			<xsd:element ref="VerifyTransformsInfoProfile" />
+			<xsd:element name="VerifyTransformsInfoProfileID" type="xsd:string">
+				<xsd:annotation>
+					<xsd:documentation>Profilbezeichner für einen Transformationsweg
+					</xsd:documentation>
+				</xsd:annotation>
+			</xsd:element>
+		</xsd:choice>
+	</xsd:complexType>
+	<xsd:element name="QualifiedCertificate" />
+	<xsd:element name="PublicAuthority" type="PublicAuthorityType" />
+	<xsd:complexType name="PublicAuthorityType">
+		<xsd:sequence>
+			<xsd:element name="Code" type="xsd:string" minOccurs="0" />
+		</xsd:sequence>
+	</xsd:complexType>
+	<xsd:simpleType name="SignatoriesType">
+		<xsd:union memberTypes="AllSignatoriesType">
+			<xsd:simpleType>
+				<xsd:list itemType="xsd:positiveInteger" />
+			</xsd:simpleType>
+		</xsd:union>
+	</xsd:simpleType>
+	<xsd:simpleType name="AllSignatoriesType">
+		<xsd:restriction base="xsd:string">
+			<xsd:enumeration value="all" />
+		</xsd:restriction>
+	</xsd:simpleType>
+	<xsd:complexType name="CreateSignatureLocationType">
+		<xsd:simpleContent>
+			<xsd:extension base="xsd:token">
+				<xsd:attribute name="Index" type="xsd:nonNegativeInteger"
+					use="required" />
+			</xsd:extension>
+		</xsd:simpleContent>
+	</xsd:complexType>
+	<xsd:complexType name="TransformParameterType">
+		<xsd:choice minOccurs="0">
+			<xsd:annotation>
+				<xsd:documentation>Die Angabe des Transformationsparameters
+					(explizit oder als Hashwert) kann unterlassen werden, wenn die
+					Applikation von der Unveränderlichkeit des Inhalts der in
+					"Transformationsparamter", Attribut "URI" angegebenen URI ausgehen
+					kann.</xsd:documentation>
+			</xsd:annotation>
+			<xsd:element name="Base64Content" type="xsd:base64Binary">
+				<xsd:annotation>
+					<xsd:documentation>Der Transformationsparameter explizit angegeben.
+					</xsd:documentation>
+				</xsd:annotation>
+			</xsd:element>
+			<xsd:element name="Hash">
+				<xsd:annotation>
+					<xsd:documentation>Der Hashwert des Transformationsparameters.
+					</xsd:documentation>
+				</xsd:annotation>
+				<xsd:complexType>
+					<xsd:sequence>
+						<xsd:element ref="dsig:DigestMethod" />
+						<xsd:element ref="dsig:DigestValue" />
+					</xsd:sequence>
+				</xsd:complexType>
+			</xsd:element>
+		</xsd:choice>
+		<xsd:attribute name="URI" type="xsd:anyURI" use="required" />
+	</xsd:complexType>
+	<xsd:element name="CreateSignatureEnvironmentProfile">
+		<xsd:complexType>
+			<xsd:sequence>
+				<xsd:element name="CreateSignatureLocation" type="CreateSignatureLocationType" />
+				<xsd:element name="Supplement" type="XMLDataObjectAssociationType"
+					minOccurs="0" maxOccurs="unbounded" />
+			</xsd:sequence>
+		</xsd:complexType>
+	</xsd:element>
+	<xsd:element name="VerifyTransformsInfoProfile">
+		<xsd:annotation>
+			<xsd:documentation>Explizite Angabe des Transformationswegs
+			</xsd:documentation>
+		</xsd:annotation>
+		<xsd:complexType>
+			<xsd:sequence>
+				<xsd:element ref="dsig:Transforms" minOccurs="0" />
+				<xsd:element name="TransformParameter" type="TransformParameterType"
+					minOccurs="0" maxOccurs="unbounded">
+					<xsd:annotation>
+						<xsd:documentation>Alle impliziten Transformationsparameter, die
+							zum Durchlaufen der oben angeführten Transformationskette bekannt
+							sein müssen, müssen hier angeführt werden. Das Attribut "URI"
+							bezeichnet den Transformationsparameter in exakt jener Weise, wie
+							er in der zu überprüfenden Signatur gebraucht wird.
+						</xsd:documentation>
+					</xsd:annotation>
+				</xsd:element>
+			</xsd:sequence>
+		</xsd:complexType>
+	</xsd:element>
+	<xsd:element name="Supplement" type="XMLDataObjectAssociationType" />
+	<xsd:element name="SupplementProfile" type="XMLDataObjectAssociationType" />
+	<xsd:element name="CreateTransformsInfoProfile">
+		<xsd:complexType>
+			<xsd:sequence>
+				<xsd:element name="CreateTransformsInfo" type="TransformsInfoType" />
+				<xsd:element ref="Supplement" minOccurs="0" maxOccurs="unbounded" />
+			</xsd:sequence>
+		</xsd:complexType>
+	</xsd:element>
+</xsd:schema>
-- 
cgit v1.2.3