From 583d95af8f722f60cf848e603f12f6c0be0e9a59 Mon Sep 17 00:00:00 2001
From: kstranacher <kstranacher@d688527b-c9ab-4aba-bd8d-4036d912da1d>
Date: Fri, 10 Feb 2012 16:21:09 +0000
Subject: * Ausbau MOASecurityManager (nicht anwendbar da SecurityManager nur
 systemweit gesetzt werden kann) * Update ExternalURIResolver mit
 ExternalURIVerifier der gegen Blackliste checkt

git-svn-id: https://joinup.ec.europa.eu/svn/moa-idspss/trunk@1238 d688527b-c9ab-4aba-bd8d-4036d912da1d
---
 .../spss/server/MOASecurityManagerExtended.java    | 111 --------------
 .../moa/spss/server/MOASecurityManagerSimple.java  | 163 ---------------------
 .../server/config/ConfigurationPartsBuilder.java   |  20 ++-
 .../spss/server/config/ConfigurationProvider.java  |  51 ++-----
 .../invoke/CMSSignatureVerificationInvoker.java    |  18 +--
 .../spss/server/invoke/ExternalURIResolver.java    |   4 +
 .../invoke/SignatureCreationServiceImpl.java       |   2 +
 .../invoke/SignatureVerificationServiceImpl.java   |   4 +
 .../invoke/XMLSignatureVerificationInvoker.java    |   6 -
 .../server/service/SignatureCreationService.java   |   2 +
 .../service/SignatureVerificationService.java      |  10 +-
 .../moa/spss/util/ExternalURIVerifier.java         |  63 ++++++++
 .../properties/spss_messages_de.properties         |   8 +
 13 files changed, 127 insertions(+), 335 deletions(-)
 delete mode 100644 spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/MOASecurityManagerExtended.java
 delete mode 100644 spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/MOASecurityManagerSimple.java
 create mode 100644 spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/ExternalURIVerifier.java

(limited to 'spss')

diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/MOASecurityManagerExtended.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/MOASecurityManagerExtended.java
deleted file mode 100644
index 42ee621e6..000000000
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/MOASecurityManagerExtended.java
+++ /dev/null
@@ -1,111 +0,0 @@
-package at.gv.egovernment.moa.spss.server;
-
-import java.net.InetAddress;
-import java.net.UnknownHostException;
-import java.util.Iterator;
-import java.util.List;
-
-import at.gv.egovernment.moa.logging.Logger;
-
-
-public class MOASecurityManagerExtended extends SecurityManager {
-
-	private List blacklist;
-	private boolean allowExternalUris;
-
-	public MOASecurityManagerExtended(boolean allowExternalUris, List blacklist) {
-		this.blacklist = blacklist;
-		this.allowExternalUris = allowExternalUris;
-	}
-
-	
-	/**
-	 * Overwrite checkConnect methods with blacklist check 
-	 */
-	
-	public void checkConnect(String host, int port, Object context) {
-		// System.out.println("checkConnect: " + host + ":" + port);
-		if (!checkURI(host, port))
-			throw new SecurityException("URI not allowed (blacklisted or external URIs generally not allowed");
-		else {
-			// System.out.println("Perform checkConnect of given SecurityManager");
-			super.checkConnect(host, port, context);
-		}
-	}
-	
-	public void checkConnect(String host, int port) {
-		// System.out.println("checkConnect: " + host + ":" + port);
-		if (!checkURI(host, port))
-			throw new SecurityException("URI not allowed (blacklisted or external URIs generally not allowed");
-		else {
-			// System.out.println("Perform checkConnect of given SecurityManager");
-			super.checkConnect(host, port);
-		}	
-	}
-
-	private boolean checkURI(String host, int port) {
-		if (allowExternalUris) {
-			Iterator it = blacklist.iterator();
-			while (it.hasNext()) {
-				String[] array = (String[])it.next();
-				String bhost = array[0];
-				String bport = array[1];
-				if (bport == null) {
-					// check only host
-					if (bhost.equalsIgnoreCase(host)) {
-						// System.out.println("Security check: " + host + " blacklisted");
-						return false;
-					}
-				}
-				else {
-					// check host and port
-					int iport = new Integer(bport).intValue();
-					if (bhost.equalsIgnoreCase(host) && (iport == port)) {
-						// System.out.println("Security check: " + host + ":" + port + " blacklisted");
-						return false;
-					}
-						
-				}
-			}
-			
-			// System.out.println("Security check: " + host + ":" + port + " allowed");
-			return true;
-		}
-		else {			
-			String localhost = getLocalhostName();
-			if (host.equalsIgnoreCase(localhost) || host.equalsIgnoreCase("localhost") || host.equalsIgnoreCase("127.0.0.1") ) {
-				// System.out.println("Security check: localhost name allowed");
-				return true;
-			}
-						
-			// System.out.println("Security check: " + host + ":" + port + " not allowed (external URIs not allowed)");
-			return false;
-		}
-	}
-	private String getLocalhostName() {
-		try {
-			// save current SecurityManager
-			SecurityManager sm = System.getSecurityManager();
-			// set System SecurityManager null (needed as java.net.InetAddress.getLocalHost call SecurityManager.checkConnect --> leads to endless loop)
-			System.setSecurityManager(null);
-
-			InetAddress localhostaddress = InetAddress.getLocalHost();
-			String localhost = localhostaddress.getHostName();
-			
-			// set previously saved SecurityManager
-			System.setSecurityManager(sm);
-			
-			return localhost;
-		
-		}
-		catch (UnknownHostException e) {
-			// System.out.println("UnknownHostExeption: Returns \"localhost\" as name for localhost");
-			return "localhost";
-		}
-	}
-
-	
-	/**
-	 * Don't overwrite other methods 
-	 */
-}
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/MOASecurityManagerSimple.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/MOASecurityManagerSimple.java
deleted file mode 100644
index 530a27a48..000000000
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/MOASecurityManagerSimple.java
+++ /dev/null
@@ -1,163 +0,0 @@
-package at.gv.egovernment.moa.spss.server;
-
-
-import java.io.FileDescriptor;
-import java.net.InetAddress;
-import java.net.UnknownHostException;
-import java.security.Permission;
-import java.util.Iterator;
-import java.util.List;
-
-public class MOASecurityManagerSimple extends SecurityManager {
-
-	private List blacklist;
-	private boolean allowExternalUris;
-	
-	
-	public MOASecurityManagerSimple(boolean allowExternalUris, List blacklist) {
-		this.blacklist = blacklist;
-		this.allowExternalUris = allowExternalUris;
-	}
-
-	/**
-	 * Overwrite checkConnect methods with blacklist check 
-	 */
-	
-	public void checkConnect(String host, int port, Object context) {
-		if (!checkURI(host, port))
-			throw new SecurityException("URI not allowed (blacklisted or external URIs generally not allowed");
-	}
-
-	public void checkConnect(String host, int port) {
-		// System.out.println("checkConnect: " + host + ":" + port);
-		if (!checkURI(host, port))
-			throw new SecurityException("URI not allowed (blacklisted or external URIs generally not allowed");
-	}
-
-	private boolean checkURI(String host, int port) {
-		if (allowExternalUris) {
-			Iterator it = blacklist.iterator();
-			while (it.hasNext()) {
-				String[] array = (String[])it.next();
-				String bhost = array[0];
-				String bport = array[1];
-				if (bport == null) {
-					// check only host
-					if (bhost.equalsIgnoreCase(host)) {
-						// System.out.println("Security check: " + host + " blacklisted");
-						return false;
-					}
-				}
-				else {
-					// check host and port
-					int iport = new Integer(bport).intValue();
-					if (bhost.equalsIgnoreCase(host) && (iport == port)) {
-						// System.out.println("Security check: " + host + ":" + port + " blacklisted");
-						return false;
-					}
-						
-				}
-			}
-			
-			// System.out.println("Security check: " + host + ":" + port + " allowed");
-			return true;
-		}
-		else {			
-			String localhost = getLocalhostName();
-			if (host.equalsIgnoreCase(localhost) || host.equalsIgnoreCase("localhost") || host.equalsIgnoreCase("127.0.0.1") ) {
-				// System.out.println("Security check: localhost name allowed");
-				return true;
-			}
-						
-			// System.out.println("Security check: " + host + ":" + port + " not allowed (external URIs not allowed)");
-			return false;
-		}
-	}
-	
-	private String getLocalhostName() {
-		try {
-			// save current SecurityManager
-			SecurityManager sm = System.getSecurityManager();
-			// set System SecurityManager null (needed as java.net.InetAddress.getLocalHost call SecurityManager.checkConnect --> leads to endless loop)
-			System.setSecurityManager(null);
-
-			InetAddress localhostaddress = InetAddress.getLocalHost();
-			String localhost = localhostaddress.getHostName();
-			
-			// set previously saved SecurityManager
-			System.setSecurityManager(sm);
-			
-			return localhost;
-		
-		}
-		catch (UnknownHostException e) {
-			// System.out.println("UnknownHostExeption: Returns \"localhost\" as name for localhost");
-			return "localhost";
-		}
-	}
-	
-
-	/**
-	 * Overwrite all other methods by doing nothing (as no SecurityManager is set initially) 
-	 */
-	
-	public void checkAccept(String host, int port) {
-	}
-	public void checkAccess(Thread t) {
-	}
-	public void checkAccess(ThreadGroup g) {
-	}
-	public void checkAwtEventQueueAccess() {
-	}
-	public void checkCreateClassLoader() {
-	}
-	public void checkDelete(String file) {
-	}
-	public void checkExec(String cmd) {
-	}
-	public void checkExit(int status) {
-	}
-	public void checkLink(String lib) {
-	}
-	public void checkListen(int port) {
-	}
-	public void checkMemberAccess(Class arg0, int arg1) {
-	}
-	public void checkMulticast(InetAddress maddr, byte ttl) {
-	}
-	public void checkMulticast(InetAddress maddr) {
-	}
-	public void checkPackageAccess(String pkg) {
-	}
-	public void checkPackageDefinition(String pkg) {
-	}
-	public void checkPermission(Permission perm, Object context) {
-	}
-	public void checkPermission(Permission perm) {
-	}
-	public void checkPrintJobAccess() {
-	}
-	public void checkPropertiesAccess() {
-	}
-	public void checkPropertyAccess(String key) {
-	}
-	public void checkRead(FileDescriptor fd) {
-	}
-	public void checkRead(String file, Object context) {
-	}
-	public void checkRead(String file) {
-	}
-	public void checkSecurityAccess(String target) {
-	}
-	public void checkSetFactory() {
-	}
-	public void checkSystemClipboardAccess() {
-	}
-	public void checkWrite(FileDescriptor fd) {
-	}
-	public void checkWrite(String file) {
-	}
-
-
-
-}
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java
index abc781303..1211b5e94 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java
@@ -385,8 +385,8 @@ public class ConfigurationPartsBuilder {
 	  Element permitExtUris = (Element)XPathUtils.selectSingleNode(getConfigElem(), PERMIT_EXTERNAL_URIS_XPATH);
 	  
 	  // if PermitExternalUris element does not exist - don't allow external uris
-	  if (permitExtUris == null)
-		  return false;
+	  if (permitExtUris == null) 		  
+		  return false;	    
 	  else
 		  return true;
 	  
@@ -397,8 +397,8 @@ public class ConfigurationPartsBuilder {
    * @return
    */
   public List buildPermitExternalUris() {
-	  if (!allowExternalUris())
-		  return null;
+	    
+	  info("config.33", null);
 	  
 	  List blacklist = new ArrayList();
 	  
@@ -411,7 +411,11 @@ public class ConfigurationPartsBuilder {
 	      String host = getElementValue(permitExtElem, CONF + "Host", null);
 	      String port = getElementValue(permitExtElem, CONF + "Port", null);
 	      
-	      //System.out.println("Host:Port =  " + host + ":" + port);
+	      
+	      if (port == null)	    	  
+	    	  info("config.34", new Object[]{host});
+	      else
+	    	  info("config.34", new Object[]{host + ":" + port});
 	      
 	      String array[] = new String[2];
 	      array[0] = host;
@@ -420,6 +424,10 @@ public class ConfigurationPartsBuilder {
 	      
 	    }
 	  
+	  if(blacklist.isEmpty()) // no blacklisted uris given
+		  info("config.36", null);
+		  
+	  
 	  return blacklist;
   }
 
@@ -1205,7 +1213,7 @@ public class ConfigurationPartsBuilder {
     MessageProvider msg = MessageProvider.getInstance();
     String txt = msg.getMessage(messageId, args);
 
-    Logger.warn(new LogMsg(txt), t);
+    Logger.warn(new LogMsg(txt), t);    
     warnings.add(txt);
   }
 
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java
index bcd9416b8..a5f861c52 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java
@@ -33,9 +33,7 @@ import java.io.File;
 import java.io.FileInputStream;
 import java.io.IOException;
 import java.math.BigInteger;
-import java.net.InetAddress;
 import java.net.URL;
-import java.net.UnknownHostException;
 import java.security.Principal;
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
@@ -48,8 +46,6 @@ import org.w3c.dom.Element;
 
 import at.gv.egovernment.moa.logging.LogMsg;
 import at.gv.egovernment.moa.logging.Logger;
-import at.gv.egovernment.moa.spss.server.MOASecurityManagerExtended;
-import at.gv.egovernment.moa.spss.server.MOASecurityManagerSimple;
 import at.gv.egovernment.moa.spss.util.MessageProvider;
 import at.gv.egovernment.moa.util.DOMUtils;
 
@@ -373,8 +369,11 @@ public class ConfigurationProvider
       
       if (allowExternalUris_)
     	  blackListedUris_ = builder.buildPermitExternalUris();
-      else
+      else {
+    	  info("config.35", null);
     	  blackListedUris_ = null;
+      }
+    	
       
 //      Set set = crlRetentionIntervals.entrySet();
 //      Iterator i = set.iterator();
@@ -383,37 +382,7 @@ public class ConfigurationProvider
 //        System.out.println("Key: " + me.getKey() + " - Value: " + me.getValue() );
 //      }
       
-      
-      // set SecurityManager for permitting/disallowing external URIs
-      SecurityManager sm = System.getSecurityManager();      
-      
-      if (sm == null) {
-    	  // no security manager exists - create a new one
-    	  Logger.debug(new LogMsg("Create new MOASecurityManagerSimple"));
-    	  sm = new MOASecurityManagerSimple(allowExternalUris_, blackListedUris_);
-    	  
-    	  
-    	  Logger.debug(new LogMsg("Set the new MOASecurityManagerSimple"));
-          System.setSecurityManager(sm);
-        
-      }      
-      else {    	
-    	  String classname = sm.getClass().getName();
-    	  if (!classname.equalsIgnoreCase("at.gv.egovernment.moa.spss.server.MOASecurityManagerSimple") &&
-    		  !classname.equalsIgnoreCase("at.gv.egovernment.moa.spss.server.MOASecurityManagerExtended")) {
-    		  // if SecurityManager is not already a MOASecurityManager
-    		  
-    		  Logger.debug(new LogMsg("Create new MOASecurityManagerExtended (including existing SecurityManager)"));
-    		  sm = new MOASecurityManagerExtended(allowExternalUris_, blackListedUris_);
-    		  
-    		  Logger.debug(new LogMsg("Set the new MOASecurityManagerSimple"));
-    		  System.setSecurityManager(sm);
-    	  }
-    	  Logger.debug(new LogMsg("No new MOASecurityManager instantiated"));
-      }
-
-      
-      
+            
     } catch (Throwable t) {
       throw new ConfigurationException("config.11", null, t);
     } finally {
@@ -446,7 +415,15 @@ public class ConfigurationProvider
   public String getDigestMethodAlgorithmName() {
     return digestMethodAlgorithmName;
   }
-
+  
+  public boolean getAllowExternalUris() {
+	  return this.allowExternalUris_;
+  }
+  
+  public List getBlackListedUris() {
+	  return this.blackListedUris_;
+  }
+  
   /**
    * Return the name of the canonicalization algorithm used during signature
    * creation.
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java
index 02d282387..ba2513d2f 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java
@@ -24,12 +24,6 @@
 
 package at.gv.egovernment.moa.spss.server.invoke;
 
-import java.io.IOException;
-import java.io.InputStream;
-import java.util.Date;
-import java.util.Iterator;
-import java.util.List;
-
 import iaik.IAIKException;
 import iaik.IAIKRuntimeException;
 import iaik.server.modules.cmsverify.CMSSignatureVerificationModule;
@@ -37,9 +31,14 @@ import iaik.server.modules.cmsverify.CMSSignatureVerificationModuleFactory;
 import iaik.server.modules.cmsverify.CMSSignatureVerificationProfile;
 import iaik.server.modules.cmsverify.CMSSignatureVerificationResult;
 
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.Date;
+import java.util.Iterator;
+import java.util.List;
+
 import at.gv.egovernment.moa.logging.LoggingContext;
 import at.gv.egovernment.moa.logging.LoggingContextManager;
-
 import at.gv.egovernment.moa.spss.MOAApplicationException;
 import at.gv.egovernment.moa.spss.MOAException;
 import at.gv.egovernment.moa.spss.api.cmsverify.CMSContent;
@@ -102,6 +101,7 @@ public class CMSSignatureVerificationInvoker {
    */
   public VerifyCMSSignatureResponse verifyCMSSignature(VerifyCMSSignatureRequest request)
     throws MOAException {
+	  
     CMSSignatureVerificationProfileFactory profileFactory =
       new CMSSignatureVerificationProfileFactory(request);
     VerifyCMSSignatureResponseBuilder responseBuilder =
@@ -127,7 +127,6 @@ public class CMSSignatureVerificationInvoker {
     TrustProfile trustProfile = context.getConfiguration().getTrustProfile(request.getTrustProfileId());
     
     try {
-       
       // get the signed content
       signedContent = getSignedContent(request);
 
@@ -142,7 +141,7 @@ public class CMSSignatureVerificationInvoker {
         CMSSignatureVerificationModuleFactory.getInstance();
 
       module.setLog(new IaikLog(loggingCtx.getNodeID()));
-
+      
       module.init(
         signature,
         signedContent,
@@ -152,6 +151,7 @@ public class CMSSignatureVerificationInvoker {
 
       while (input.read(buf) > 0);
       results = module.verifySignature(signingTime);
+      
     } catch (IAIKException e) {
       MOAException moaException = IaikExceptionMapper.getInstance().map(e);
       throw moaException;
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/ExternalURIResolver.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/ExternalURIResolver.java
index 96c20d4a4..e09ade231 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/ExternalURIResolver.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/ExternalURIResolver.java
@@ -37,6 +37,7 @@ import java.net.URLConnection;
 import at.gv.egovernment.moa.spss.MOAApplicationException;
 import at.gv.egovernment.moa.spss.server.transaction.TransactionContext;
 import at.gv.egovernment.moa.spss.server.transaction.TransactionContextManager;
+import at.gv.egovernment.moa.spss.util.ExternalURIVerifier;
 
 /**
  * Resolve external URIs and provide them as a stream.
@@ -100,6 +101,9 @@ public class ExternalURIResolver {
     try {
       // create the URL
       url = new URL(uriStr);
+      System.out.println("ExternalURIResolver: " + url);
+      ExternalURIVerifier.verify(url.getHost(), url.getPort());
+      
     } catch (MalformedURLException e) {
       throw new MOAApplicationException("2214", new Object[] { uriStr });
     }
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/SignatureCreationServiceImpl.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/SignatureCreationServiceImpl.java
index 993c8f7a9..b746333e6 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/SignatureCreationServiceImpl.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/SignatureCreationServiceImpl.java
@@ -57,9 +57,11 @@ public class SignatureCreationServiceImpl extends SignatureCreationService {
     CreateXMLSignatureResponse response;
 
     try {
+    	
       Configurator.getInstance().init();
       ServiceContextUtils.setUpContexts();
       response = invoker.createXMLSignature(request, Collections.EMPTY_SET);
+      
       return response;
     } finally {
       ServiceContextUtils.tearDownContexts();
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/SignatureVerificationServiceImpl.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/SignatureVerificationServiceImpl.java
index 67bc446b0..5b6033ce1 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/SignatureVerificationServiceImpl.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/SignatureVerificationServiceImpl.java
@@ -62,6 +62,7 @@ public class SignatureVerificationServiceImpl
       Configurator.getInstance().init();
       ServiceContextUtils.setUpContexts();
       response = invoker.verifyCMSSignature(request);
+      
       return response;
     } finally {
       ServiceContextUtils.tearDownContexts();
@@ -84,9 +85,12 @@ public class SignatureVerificationServiceImpl
     VerifyXMLSignatureResponse response;
 
     try {
+    	
+
       Configurator.getInstance().init();
       ServiceContextUtils.setUpContexts();
       response = invoker.verifyXMLSignature(request);
+            
       return response;
     } finally {
       ServiceContextUtils.tearDownContexts();
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java
index a123dd4fc..adaf0d376 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java
@@ -212,10 +212,6 @@ public class XMLSignatureVerificationInvoker {
 
       module.setLog(new IaikLog(loggingCtx.getNodeID()));
 
-      //@TODO
-      SecurityManager sm = System.getSecurityManager();
-      System.setSecurityManager(null);
-      
       result =
         module.verifySignature(
           xmlSignature,
@@ -224,8 +220,6 @@ public class XMLSignatureVerificationInvoker {
           signingTime,
           new TransactionId(context.getTransactionID()));
       
-      //@TODO
-      System.setSecurityManager(sm);
     } catch (IAIKException e) {
       MOAException moaException = IaikExceptionMapper.getInstance().map(e);
       throw moaException;
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/SignatureCreationService.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/SignatureCreationService.java
index 75f0b1868..3304e262f 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/SignatureCreationService.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/SignatureCreationService.java
@@ -82,6 +82,7 @@ public class SignatureCreationService {
 
     // handle the request
     try {
+        
       // create a parser and builder for binding API objects to/from XML
       CreateXMLSignatureRequestParser requestParser =
         new CreateXMLSignatureRequestParser();
@@ -114,6 +115,7 @@ public class SignatureCreationService {
       // save response in transaction
       context.setResponse(response[0]);
 	  Logger.trace("---- Leaving SignatureCreationService");
+	  
 
     } catch (MOAException e) {
       AxisFault fault = AxisFault.makeFault(e);
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/SignatureVerificationService.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/SignatureVerificationService.java
index 38310f53b..a1caac6a7 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/SignatureVerificationService.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/SignatureVerificationService.java
@@ -66,8 +66,9 @@ public class SignatureVerificationService {
     CMSSignatureVerificationInvoker invoker =
       CMSSignatureVerificationInvoker.getInstance();
     Element[] response = new Element[1];
-
+    
     try {
+             
       // create a parser and builder for binding API objects to/from XML
       VerifyCMSSignatureRequestParser requestParser =
         new VerifyCMSSignatureRequestParser();
@@ -93,7 +94,8 @@ public class SignatureVerificationService {
 
       // save response in transaction
       context.setResponse(response[0]);
-
+      
+     
     } catch (MOAException e) {
       AxisFault fault = AxisFault.makeFault(e);
       fault.setFaultDetail(new Element[] { e.toErrorResponse()});
@@ -128,7 +130,8 @@ public class SignatureVerificationService {
     Element[] response = new Element[1];
 
     try {
-      // create a parser and builder for binding API objects to/from XML
+
+        // create a parser and builder for binding API objects to/from XML
       VerifyXMLSignatureRequestParser requestParser =
         new VerifyXMLSignatureRequestParser();
       VerifyXMLSignatureResponseBuilder responseBuilder =
@@ -153,6 +156,7 @@ public class SignatureVerificationService {
       
       // save response in transaction
       context.setResponse(response[0]);
+      
 
     } catch (MOAException e) {
       AxisFault fault = AxisFault.makeFault(e);
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/ExternalURIVerifier.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/ExternalURIVerifier.java
new file mode 100644
index 000000000..9901212db
--- /dev/null
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/util/ExternalURIVerifier.java
@@ -0,0 +1,63 @@
+package at.gv.egovernment.moa.spss.util;
+
+import java.util.Iterator;
+import java.util.List;
+
+import at.gv.egovernment.moa.spss.MOAApplicationException;
+import at.gv.egovernment.moa.spss.server.config.ConfigurationException;
+import at.gv.egovernment.moa.spss.server.config.ConfigurationProvider;
+
+public class ExternalURIVerifier {
+	
+	public static void verify(String host, int port) throws MOAApplicationException {
+			try {
+				ConfigurationProvider config = ConfigurationProvider.reload();
+//				
+				boolean allowExternalUris = config.getAllowExternalUris();
+				List blacklist = config.getBlackListedUris();
+				
+			  	  
+				if (allowExternalUris) {
+					Iterator it = blacklist.iterator();
+					while (it.hasNext()) {
+						String[] array = (String[])it.next();
+						String bhost = array[0];
+						String bport = array[1];
+						if (bport == null) {
+							// check only host
+							if (bhost.equalsIgnoreCase(host)) {
+								System.out.println("Blacklist check: " + host + " blacklisted");
+								throw new MOAApplicationException("4002", new Object[]{host});
+							}
+						}
+						else {
+							// check host and port
+							int iport = new Integer(bport).intValue();
+							if (bhost.equalsIgnoreCase(host) && (iport == port)) {
+								System.out.println("Blacklist check: " + host + ":" + port + " blacklisted");
+								throw new MOAApplicationException("4002", new Object[]{host + ":" + port});							
+							}
+								
+						}
+					}
+				}
+				else {
+					if (port == -1) {
+						System.out.println("No external URI allowed (" + host + ")");
+						throw new MOAApplicationException("4001", new Object[]{host});
+					}
+					else {
+						System.out.println("No external URI allowed (" + host + ":" + port +  ")");
+						throw new MOAApplicationException("4001", new Object[]{host + ":" + port});
+					}
+				}
+			  	  
+			} catch (ConfigurationException e) {
+				throw new MOAApplicationException("config.10", null);
+			}
+			
+			
+		
+	}
+
+}
diff --git a/spss/server/serverlib/src/main/resources/resources/properties/spss_messages_de.properties b/spss/server/serverlib/src/main/resources/resources/properties/spss_messages_de.properties
index 3920da4d9..61ad9444e 100644
--- a/spss/server/serverlib/src/main/resources/resources/properties/spss_messages_de.properties
+++ b/spss/server/serverlib/src/main/resources/resources/properties/spss_messages_de.properties
@@ -88,6 +88,10 @@
 3202=Supplement für Signaturumgebung kann nicht geladen werden (Reference="{0}", LocRef-URI="{1}")
 3203=Signaturumgebung kann nicht geladen werden (Reference="{0}", LocRef-URI="{1}")
 
+4001=Externe URI ({0}) darf nicht geladen werden (externe URIs generell verboten)
+4002=Externe URI ({0}) befindet sich auf der Blackliste und darf nicht geladen werden
+ 
+
 9900=Nicht klassifizierter Fehler in Subsystem
 9901=Nicht klassifizierter Laufzeitfehler in Subsystem
 9999=Nicht klassifizierter Fehler
@@ -134,6 +138,10 @@ config.28=Einen detaillierten Fehlerbericht entnehmen Sie bitte der Log-Datei.
 config.29=Es sind folgende leichte Fehler aufgetreten: 
 config.31=Fehler in der Konfiguration der KeyGroup mit id={0}: Der Schlüssel im KeyModule id={1} mit IssuerName={2} und SerialNumber={3} konnte nicht geladen werden
 config.32=Fehler in der Konfiguration: Verzeichnisangabe für den Zertifikatsspeicher ist ungültig ({0}).
+config.33=External URIs are allowed. Maybe a URI blacklist exists.
+config.34=Blacklisted URI: {0}.
+config.35=External URIs not allowed.
+config.36=No blacklisted URIs given.
 
 handler.00=Starte neue Transaktion: TID={0}, Service={1}
 handler.01=Aufruf von Adresse={0}
-- 
cgit v1.2.3