Merged feature branch mocca-1.2.13-id@r724 back to trunk.

git-svn-id: https://joinup.ec.europa.eu/svn/mocca/trunk@725 8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4

29 files changed, 2701 insertions, 841 deletions

diff --git a/BKUOnline/src/main/java/at/gv/egiz/bku/online/accesscontroller/SpringSecurityManager.java b/BKUOnline/src/main/java/at/gv/egiz/bku/online/accesscontroller/SpringSecurityManager.java
deleted file mode 100644
index 5795478b..00000000
--- a/BKUOnline/src/main/java/at/gv/egiz/bku/online/accesscontroller/SpringSecurityManager.java
+++ /dev/null
@@ -1,63 +0,0 @@
-/*

-* Copyright 2008 Federal Chancellery Austria and

-* Graz University of Technology

-*

-* Licensed under the Apache License, Version 2.0 (the "License");

-* you may not use this file except in compliance with the License.

-* You may obtain a copy of the License at

-*

-*     http://www.apache.org/licenses/LICENSE-2.0

-*

-* Unless required by applicable law or agreed to in writing, software

-* distributed under the License is distributed on an "AS IS" BASIS,

-* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

-* See the License for the specific language governing permissions and

-* limitations under the License.

-*/

-package at.gv.egiz.bku.online.accesscontroller;

-

-import java.io.IOException;

-

-import org.apache.commons.logging.Log;

-import org.apache.commons.logging.LogFactory;

-import org.springframework.context.ResourceLoaderAware;

-import org.springframework.core.io.Resource;

-import org.springframework.core.io.ResourceLoader;

-

-import at.gv.egiz.bku.accesscontroller.SecurityManagerFacade;

-import at.gv.egiz.bku.conf.Configurator;

-

-public class SpringSecurityManager extends SecurityManagerFacade implements

-		ResourceLoaderAware {

-

-	private ResourceLoader resourceLoader;

-

-	private static Log log = LogFactory.getLog(SpringSecurityManager.class);

-

-	protected Configurator config;

-

-	public void setConfig(Configurator config) {

-		this.config = config;

-	}

-

-	public void init() {

-		String noMatch = config.getProperty("AccessController.acceptNoMatch");

-		if (noMatch != null) {

-			log.debug("Setting allow now match to: " + noMatch);

-			setAllowUnmatched(Boolean.getBoolean(noMatch));

-		}

-		String policy = config.getProperty("AccessController.policyResource");

-		log.info("Loading resource: " + policy);

-		try {

-			Resource res = resourceLoader.getResource(policy);

-			init(res.getInputStream());

-		} catch (IOException e) {

-			log.error(e);

-		}

-	}

-

-	@Override

-	public void setResourceLoader(ResourceLoader loader) {

-		this.resourceLoader = loader;

-	}

-}

diff --git a/BKUOnline/src/main/java/at/gv/egiz/bku/online/conf/SpringConfigurator.java b/BKUOnline/src/main/java/at/gv/egiz/bku/online/conf/SpringConfigurator.java
deleted file mode 100644
index 6030c1c0..00000000
--- a/BKUOnline/src/main/java/at/gv/egiz/bku/online/conf/SpringConfigurator.java
+++ /dev/null
@@ -1,127 +0,0 @@
-/*

- * Copyright 2008 Federal Chancellery Austria and

- * Graz University of Technology

- *

- * Licensed under the Apache License, Version 2.0 (the "License");

- * you may not use this file except in compliance with the License.

- * You may obtain a copy of the License at

- *

- *     http://www.apache.org/licenses/LICENSE-2.0

- *

- * Unless required by applicable law or agreed to in writing, software

- * distributed under the License is distributed on an "AS IS" BASIS,

- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

- * See the License for the specific language governing permissions and

- * limitations under the License.

- */

-package at.gv.egiz.bku.online.conf;

-

-import java.io.File;

-import java.io.IOException;

-import java.io.InputStream;

-import java.util.Properties;

-

-import org.apache.commons.logging.Log;

-import org.apache.commons.logging.LogFactory;

-import org.springframework.context.ResourceLoaderAware;

-import org.springframework.core.io.Resource;

-import org.springframework.core.io.ResourceLoader;

-

-import at.gv.egiz.bku.conf.Configurator;

-import at.gv.egiz.bku.online.webapp.SpringBKUServlet;

-import at.gv.egiz.bku.slexceptions.SLRuntimeException;

-import at.gv.egiz.stal.service.impl.RequestBrokerSTALFactory;

-

-public class SpringConfigurator extends Configurator implements

-    ResourceLoaderAware {

-

-  private final static Log log = LogFactory.getLog(SpringConfigurator.class);

-

-  private ResourceLoader resourceLoader;

-

-  public void setResource(Resource resource) {

-    log.debug("Loading config from: " + resource);

-    if (resource != null) {

-      Properties props = new Properties();

-      try {

-        props.load(resource.getInputStream());

-        super.setConfiguration(props);

-      } catch (IOException e) {

-        log.error("Cannot load config", e);

-      }

-    } else {

-      log.warn("Cannot load properties, resource: " + resource);

-    }

-  }

-

-  public void configureNetwork() {

-    super.configureNetwork();

-    String appletTimeout = getProperty("AppletTimeout");

-    if ((appletTimeout != null)) {

-      try {

-        long ato = Long.parseLong(appletTimeout);

-        log.debug("Setting applet timeout to:"+ato);

-        RequestBrokerSTALFactory.setTimeout(ato);

-      } catch (NumberFormatException nfe) {

-        log.error("Cannot set Applettimeout", nfe);

-      }

-

-    }

-  }

-  

-  public void configure() {

-    super.configure();

-    SpringBKUServlet.setConfigurator(this);

-  }

-

-  @Override

-  public void setResourceLoader(ResourceLoader loader) {

-    this.resourceLoader = loader;

-  }

-

-  private File getDirectory(String property) {

-    if (property != null) {

-      Resource certDirRes = resourceLoader.getResource(property);

-      File certDir;

-      try {

-        certDir = certDirRes.getFile();

-      } catch (IOException e) {

-        log.error("Cannot get cert directory", e);

-        throw new SLRuntimeException(e);

-      }

-      if (!certDir.isDirectory()) {

-        log.error("Expecting directory as SSL.certDirectory parameter");

-        throw new SLRuntimeException(

-            "Expecting directory as SSL.certDirectory parameter");

-      }

-      return certDir;

-    }

-    return null;

-

-  }

-

-  @Override

-  protected File getCADir() {

-    String caDirectory = getProperty("SSL.caDirectory");

-    return getDirectory(caDirectory);

-  }

-

-  @Override

-  protected File getCertDir() {

-    String certDirectory = getProperty("SSL.certDirectory");

-    return getDirectory(certDirectory);

-  }

-

-  @Override

-  protected InputStream getManifest() {

-    Resource r = resourceLoader.getResource("META-INF/MANIFEST.MF");

-    if (r != null) {

-      try {

-        return r.getInputStream();

-      } catch (IOException e) {

-        log.error("Cannot read manifest data:", e);

-      }

-    }

-    return null;

-  }

-}
\ No newline at end of file
diff --git a/BKUOnline/src/main/java/at/gv/egiz/bku/online/spring/ServletContextPathFactoryBean.java b/BKUOnline/src/main/java/at/gv/egiz/bku/online/spring/ServletContextPathFactoryBean.java
new file mode 100644
index 00000000..27dfcd92
--- /dev/null
+++ b/BKUOnline/src/main/java/at/gv/egiz/bku/online/spring/ServletContextPathFactoryBean.java
@@ -0,0 +1,49 @@
+/*
+* Copyright 2009 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+package at.gv.egiz.bku.online.spring;
+
+import javax.servlet.ServletContext;
+
+import org.springframework.beans.factory.FactoryBean;
+import org.springframework.web.context.ServletContextAware;
+
+public class ServletContextPathFactoryBean implements FactoryBean, ServletContextAware {
+
+  private String contextPath;
+
+  @Override
+  public void setServletContext(ServletContext servletContext) {
+    contextPath = servletContext.getContextPath();
+  }
+
+  @Override
+  public Object getObject() throws Exception {
+    return contextPath;
+  }
+
+  @Override
+  public Class<?> getObjectType() {
+    return String.class;
+  }
+
+  @Override
+  public boolean isSingleton() {
+    return true;
+  }
+
+}
diff --git a/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/AbstractWebRequestHandler.java b/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/AbstractWebRequestHandler.java
new file mode 100644
index 00000000..019b8efe
--- /dev/null
+++ b/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/AbstractWebRequestHandler.java
@@ -0,0 +1,327 @@
+/*
+* Copyright 2009 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+package at.gv.egiz.bku.online.webapp;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.util.Arrays;
+import java.util.Enumeration;
+import java.util.HashMap;
+import java.util.Locale;
+import java.util.Map;
+import java.util.regex.Pattern;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.slf4j.MDC;
+
+import at.gv.egiz.bku.binding.HTTPBindingProcessor;
+import at.gv.egiz.bku.binding.HttpUtil;
+import at.gv.egiz.bku.binding.Id;
+import at.gv.egiz.bku.binding.IdFactory;
+import at.gv.egiz.bku.binding.InputDecoderFactory;
+import at.gv.egiz.bku.utils.StreamUtil;
+import at.gv.egiz.org.apache.tomcat.util.http.AcceptLanguage;
+
+public abstract class AbstractWebRequestHandler extends SpringBKUServlet {
+
+  private static final long serialVersionUID = 1L;
+  
+  public static final String APPLET_PAGE_P = "appletPage";
+  public static final String APPLET_PAGE_DEFAULT = "applet.jsp";
+  
+  public static final String PARAM_APPLET_WIDTH = "appletWidth";
+  public static final String ATTR_APPLET_WIDTH = "appletWidth";
+  
+  public static final String PARAM_APPLET_HEIGHT = "appletHeight";
+  public static final String ATTR_APPLET_HEIGHT = "appletHeight";
+  
+  public static final String PARAM_APPLET_BACKGROUND = "appletBackground";
+  public static final String ATTR_APPLET_BACKGROUND = "appletBackground";
+  
+  public static final String PARAM_APPLET_BACKGROUND_COLOR = "appletBackgroundColor";
+  public static final String ATTR_APPLET_BACKGROUND_COLOR = "appletBackgroundColor";
+  
+  public static final Pattern PATTERM_APPLET_BACKGROUND_COLOR = Pattern.compile("\\#[0-9a-fA-F]{6}");
+  public static final String PARAM_APPLET_GUI_STYLE = "appletGuiStyle";
+  public static final String ATTR_APPLET_GUI_STYLE = "appletGuiStyle";
+  
+  public static final String[] VALUES_APPLET_GUI_STYLE = new String[] {"tiny", "simple", "advanced"};
+  public static final String PARAM_APPLET_EXTENSION = "appletExtension";
+  public static final String ATTR_APPLET_EXTENSION = "appletExtension";
+  
+  public static final String[] VALUES_APPLET_EXTENSION = new String[] {"pin", "activation"};
+  public static final String PARAM_LOCALE = "locale";
+  public static final String ATTR_LOCALE = "locale";
+  
+  public static final Pattern PATTERN_LOCALE = Pattern.compile("[a-zA-Z][a-zA-Z](_[a-zA-Z][a-zA-Z]){0,2}");
+  public static final String REDIRECT_URL_SESSION_ATTRIBUTE = "redirectUrl";
+  
+  private final Logger log = LoggerFactory.getLogger(BKURequestHandler.class);
+
+  protected static String getStringFromStream(InputStream is, String encoding)
+      throws IOException {
+    if (is == null) {
+      return null;
+    }
+    if (encoding == null) {
+      encoding = HttpUtil.DEFAULT_CHARSET;
+    }
+    ByteArrayOutputStream os = new ByteArrayOutputStream();
+    StreamUtil.copyStream(is, os);
+    return new String(os.toByteArray(), encoding);
+  }
+  
+  protected abstract String getRequestProtocol(HttpServletRequest req);
+  
+  protected HTTPBindingProcessor getBindingProcessor(Id id, HttpServletRequest req, Locale locale) {
+    
+    // remove existing binding processor if present
+    getBindingProcessorManager().removeBindingProcessor(id);
+    
+    // create new binding processor
+    return (HTTPBindingProcessor) getBindingProcessorManager().createBindingProcessor(getRequestProtocol(req), locale);
+    
+  }
+  
+  @Override
+  protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException,
+      java.io.IOException {
+
+    String msg = (req.getSession(false) == null) ? "New session created."
+        : "Session already established.";
+    
+    Id id = IdFactory.getInstance().createId(req.getSession().getId());
+    MDC.put("id", id.toString());
+    
+    String acceptLanguage = req.getHeader("Accept-Language");
+    Locale locale = AcceptLanguage.getLocale(acceptLanguage);
+    
+    if (log.isInfoEnabled()) {
+      log.info("Recieved request (Accept-Language locale: {}). {}", locale, msg);
+    }
+        
+    try {
+    
+      HTTPBindingProcessor bindingProcessor = getBindingProcessor(id, req, locale);
+      
+      Map<String, String> headerMap = new HashMap<String, String>();
+      for (Enumeration<?> headerName = req.getHeaderNames(); headerName
+          .hasMoreElements();) {
+        String header = (String) headerName.nextElement();
+        if (header != null) {
+          headerMap.put(header, req.getHeader(header));
+        }
+      }
+          
+      InputStream inputStream;
+      String charset;
+      if (req.getMethod().equals("POST")) {
+        charset = req.getCharacterEncoding();
+        String contentType = req.getContentType();
+        if (charset != null) {
+          contentType += ";" + charset;
+        }
+        headerMap.put(HttpUtil.HTTP_HEADER_CONTENT_TYPE, contentType);
+        inputStream = req.getInputStream();
+      } else {
+        charset = "UTF-8";
+        headerMap.put(HttpUtil.HTTP_HEADER_CONTENT_TYPE,
+            InputDecoderFactory.URL_ENCODED);
+        String queryString = req.getQueryString();
+        if (queryString != null) {
+          inputStream = new ByteArrayInputStream(queryString.getBytes(charset));
+        } else {
+          inputStream = new ByteArrayInputStream(new byte[] {});
+        }
+      }
+      bindingProcessor.setHTTPHeaders(headerMap);
+      bindingProcessor.consumeRequestStream(req.getRequestURL().toString(),
+          inputStream);
+  
+      req.getInputStream().close();
+      getBindingProcessorManager().process(id, bindingProcessor);
+  
+      HttpSession session = req.getSession();
+  
+      log.trace("Looking for applet parameters in request.");
+  
+      // appletWidth
+      String width = getStringFromStream(bindingProcessor
+          .getFormData(PARAM_APPLET_WIDTH), charset);
+      if (width != null && !width.isEmpty()) {
+        try {
+          // must be a valid integer
+          session.setAttribute(ATTR_APPLET_WIDTH, Integer.parseInt(width));
+          log.debug("Found parameter " + PARAM_APPLET_WIDTH + "='{}'.", width);
+        } catch (NumberFormatException nfe) {
+          log.warn("Parameter " + PARAM_APPLET_WIDTH
+              + " does not contain a valid value.", nfe);
+        }
+      }
+  
+      // appletHeight
+      String height = getStringFromStream(bindingProcessor
+          .getFormData(PARAM_APPLET_HEIGHT), charset);
+      if (height != null && !height.isEmpty()) {
+        try {
+          // must be a valid integer
+          session.setAttribute(ATTR_APPLET_HEIGHT, Integer.parseInt(height));
+          log.debug("Found parameter " + PARAM_APPLET_HEIGHT + "='{}'.", height);
+        } catch (NumberFormatException nfe) {
+          log.warn("Parameter " + PARAM_APPLET_HEIGHT
+              + " does not contain a valid value.", nfe);
+        }
+      }
+  
+      // appletBackground
+      String background = getStringFromStream(bindingProcessor
+          .getFormData(PARAM_APPLET_BACKGROUND), charset);
+      if (background != null && !background.isEmpty()) {
+        session.setAttribute(ATTR_APPLET_BACKGROUND, background);
+        try {
+          // must be a valid http or https URL
+          URI backgroundURL = new URI(background);
+          if ("http".equals(backgroundURL.getScheme())
+              || "https".equals(backgroundURL.getScheme())) {
+            session.setAttribute(ATTR_APPLET_BACKGROUND, backgroundURL
+                .toASCIIString());
+            log.debug("Found parameter " + PARAM_APPLET_BACKGROUND + "='{}'.",
+                backgroundURL.toASCIIString());
+          } else {
+            log.warn("Parameter " + PARAM_APPLET_BACKGROUND
+                + "='{}' is not a valid http/https URL.", background);
+          }
+        } catch (URISyntaxException e) {
+          log.warn("Parameter " + PARAM_APPLET_BACKGROUND
+              + "='{}' is not a valid http/https URL.", background, e);
+        }
+      }
+  
+      // appletBackgroundColor
+      String backgroundColor = getStringFromStream(bindingProcessor
+          .getFormData(PARAM_APPLET_BACKGROUND_COLOR), charset);
+      if (backgroundColor != null && !backgroundColor.isEmpty()) {
+        // must be a valid color definition
+        if (PATTERM_APPLET_BACKGROUND_COLOR.matcher(backgroundColor).matches()) {
+          session.setAttribute(ATTR_APPLET_BACKGROUND_COLOR, backgroundColor);
+          log.debug("Faund parameter " + PARAM_APPLET_BACKGROUND_COLOR
+              + "='{}'.", backgroundColor);
+        } else {
+          log.warn("Parameter " + PARAM_APPLET_BACKGROUND_COLOR
+              + "='{}' is not a valid color definition "
+              + "(must be of form '#hhhhhh').", backgroundColor);
+        }
+      }
+  
+      // appletGuiStyle
+      String guiStyle = getStringFromStream(bindingProcessor
+          .getFormData(PARAM_APPLET_GUI_STYLE), charset);
+      if (guiStyle != null && !guiStyle.isEmpty()) {
+        // must be one of VALUES_APPLET_GUI_STYLE
+        String style = guiStyle.toLowerCase();
+        if (Arrays.asList(VALUES_APPLET_GUI_STYLE).contains(style)) {
+          session.setAttribute(ATTR_APPLET_GUI_STYLE, style);
+          log.debug("Found parameter " + PARAM_APPLET_GUI_STYLE + "='{}'.", style);
+        } else {
+          StringBuilder sb = new StringBuilder();
+          sb.append("Parameter ").append(PARAM_APPLET_GUI_STYLE).append(
+              "='").append(guiStyle).append("' is not valid (must be one of ")
+              .append(Arrays.toString(VALUES_APPLET_GUI_STYLE)).append(").");
+          log.warn(sb.toString());
+        }
+      }
+  
+      // appletExtension
+      String extension = getStringFromStream(bindingProcessor
+          .getFormData(PARAM_APPLET_EXTENSION), charset);
+      if (extension != null && !extension.isEmpty()) {
+        // must be one of VALUES_APPLET_EXTENSION
+        String ext = extension.toLowerCase();
+        if (Arrays.asList(VALUES_APPLET_EXTENSION).contains(ext)) {
+          session.setAttribute(ATTR_APPLET_EXTENSION, ext);
+          log.debug("Found parameter " + PARAM_APPLET_EXTENSION + "='{}'.", ext);
+        } else {
+          StringBuilder sb = new StringBuilder();
+          sb.append("Parameter ").append(PARAM_APPLET_EXTENSION).append(
+              "='").append(extension).append("' is not valid (must be one of ")
+              .append(Arrays.toString(VALUES_APPLET_EXTENSION)).append(").");
+          log.warn(sb.toString());
+        }
+      }
+  
+      // locale
+      String localeFormParam = getStringFromStream(bindingProcessor
+          .getFormData(PARAM_LOCALE), charset);
+      if (localeFormParam != null && !localeFormParam.isEmpty()) {
+        // must be a valid locale 
+        if (PATTERN_LOCALE.matcher(localeFormParam).matches()) {
+          locale = new Locale(localeFormParam);
+          log.debug("Override accept-language header locale {} "
+              + "with form param {}.", locale, localeFormParam);
+        } else {
+          log.warn("Parameter " + PARAM_LOCALE
+              + "='{}' is not a valid locale definition.", localeFormParam);
+        }
+      }
+      if (locale != null) {
+        log.debug("Using locale {}.", locale);
+        session.setAttribute(ATTR_LOCALE, locale.toString());
+      }
+          
+      beforeAppletPage(req, bindingProcessor);
+          
+      String appletPage = getStringFromStream(bindingProcessor
+          .getFormData(APPLET_PAGE_P), charset);
+      if (appletPage == null || appletPage.isEmpty()) {
+        appletPage = APPLET_PAGE_DEFAULT;
+      }
+      log.debug("Sending redirect to UI page '{}'.", appletPage);
+      resp.sendRedirect(appletPage);
+      
+    } finally {
+      MDC.remove("id");
+    }
+  }
+
+  @Override
+  protected void doGet(HttpServletRequest req, HttpServletResponse resp)
+      throws ServletException, java.io.IOException {
+    doPost(req, resp);
+  }
+
+  /**
+   * Called before the request is forwarded or redirected to the Applet page.
+   * 
+   * @param req
+   * @param bindingProcessor
+   */
+  protected void beforeAppletPage(HttpServletRequest req,
+      HTTPBindingProcessor bindingProcessor) {
+  }
+  
+}
diff --git a/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/AppletDispatcher.java b/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/AppletDispatcher.java
index 24938cd5..9e455621 100644
--- a/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/AppletDispatcher.java
+++ b/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/AppletDispatcher.java
@@ -24,8 +24,8 @@ import javax.servlet.ServletException;
 import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 /**
  * prevent applet caching, 
@@ -35,7 +35,9 @@ import org.apache.commons.logging.LogFactory;
  */
 public class AppletDispatcher extends HttpServlet {
 
-  protected final static Log log = LogFactory.getLog(AppletDispatcher.class);
+  private static final long serialVersionUID = 1L;
+
+  private final Logger log = LoggerFactory.getLogger(AppletDispatcher.class);
 
   public static final String DISPATCH_CTX = "dispatch/";
   public static final String RAND_PREFIX = "__";
@@ -65,10 +67,7 @@ public class AppletDispatcher extends HttpServlet {
       uri = archivePattern.matcher(uri).replaceAll(".jar");
 //      log.trace("removing random suffix " + uri);
       
-      if (log.isTraceEnabled()) {
-        log.trace("dispatching request URI " + request.getRequestURI() +
-                " to " + uri);
-      }
+      log.trace("Dispatching request URI {} to {}.", request.getRequestURI(), uri);
       
       RequestDispatcher dispatcher = getServletContext().getRequestDispatcher(uri);
       dispatcher.forward(request, response);
diff --git a/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/BKURequestHandler.java b/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/BKURequestHandler.java
index 7dfec211..d42f911c 100644
--- a/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/BKURequestHandler.java
+++ b/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/BKURequestHandler.java
@@ -16,302 +16,37 @@
  */
 package at.gv.egiz.bku.online.webapp;
 
-import java.io.ByteArrayOutputStream;
-import java.io.IOException;
-import java.io.InputStream;
-import java.net.MalformedURLException;
-import java.net.URI;
-import java.net.URISyntaxException;
-import java.net.URL;
-import java.net.URLEncoder;
-import java.util.Arrays;
-import java.util.Enumeration;
-import java.util.HashMap;
-import java.util.Locale;
-import java.util.Map;
-import java.util.regex.Pattern;
-
-import javax.servlet.RequestDispatcher;
-import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import javax.servlet.http.HttpSession;
 
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
-import at.gv.egiz.bku.binding.BindingProcessor;
 import at.gv.egiz.bku.binding.HTTPBindingProcessor;
-import at.gv.egiz.bku.binding.HttpUtil;
-import at.gv.egiz.bku.binding.IdFactory;
-import at.gv.egiz.bku.utils.StreamUtil;
-import at.gv.egiz.org.apache.tomcat.util.http.AcceptLanguage;
+import at.gv.egiz.bku.binding.HTTPBindingProcessorImpl;
 
 /**
  * Handles SL requests and instantiates BindingProcessors
  * 
  */
-public class BKURequestHandler extends SpringBKUServlet {
-
-  private static final long serialVersionUID = 1L;
-
-  public static final String APPLET_PAGE_P = "appletPage";
-  public static final String APPLET_PAGE_DEFAULT = "BKUApplet";
-  
-  public static final String PARAM_APPLET_WIDTH = "appletWidth";
-  public static final String ATTR_APPLET_WIDTH = "appletWidth";
-  
-  public static final String PARAM_APPLET_HEIGHT = "appletHeight";
-  public static final String ATTR_APPLET_HEIGHT = "appletHeight";
+public class BKURequestHandler extends AbstractWebRequestHandler {
   
-  public static final String PARAM_APPLET_BACKGROUND = "appletBackground";
-  public static final String ATTR_APPLET_BACKGROUND = "appletBackground";
-  
-  public static final String PARAM_APPLET_BACKGROUND_COLOR = "appletBackgroundColor";
-  public static final String ATTR_APPLET_BACKGROUND_COLOR = "appletBackgroundColor";
-  public static final Pattern PATTERM_APPLET_BACKGROUND_COLOR = Pattern.compile("\\#[0-9a-fA-F]{6}");
-  
-  public static final String PARAM_APPLET_GUI_STYLE = "appletGuiStyle";
-  public static final String ATTR_APPLET_GUI_STYLE = "appletGuiStyle";
-  public static final String[] VALUES_APPLET_GUI_STYLE = new String[] {"tiny", "simple", "advanced"};
+  private static final long serialVersionUID = 1L;
   
-  public static final String PARAM_APPLET_EXTENSION = "appletExtension";
-  public static final String ATTR_APPLET_EXTENSION = "appletExtension";
-  public static final String[] VALUES_APPLET_EXTENSION = new String[] {"pin", "activation"};
+  private final Logger log = LoggerFactory.getLogger(BKURequestHandler.class);
   
-  public static final String PARAM_LOCALE = "locale";
-  public static final String ATTR_LOCALE = "locale";
-  public static final Pattern PATTERN_LOCALE = Pattern.compile("[a-zA-Z][a-zA-Z](_[a-zA-Z][a-zA-Z]){0,2}");
-
-  public final static String REDIRECT_URL_SESSION_ATTRIBUTE = "redirectUrl";
-
-  protected Log log = LogFactory.getLog(BKURequestHandler.class);
-
-  private static String getStringFromStream(InputStream is, String encoding)
-      throws IOException {
-    if (is == null) {
-      return null;
-    }
-    if (encoding == null) {
-      encoding = HttpUtil.DEFAULT_CHARSET;
-    }
-    ByteArrayOutputStream os = new ByteArrayOutputStream();
-    StreamUtil.copyStream(is, os);
-    return new String(os.toByteArray(), encoding);
-  }
-
   @Override
-  protected void doPost(HttpServletRequest req, HttpServletResponse resp)
-      throws ServletException, java.io.IOException {
-    log.debug("Received SecurityLayer request");
-    
-    HttpSession session = req.getSession(false);
-    if (session != null) {
-      log.warn("Already a session with id: " + session.getId()
-          + " active, trying to get Bindingprocessor");
-      BindingProcessor bp = getBindingProcessorManager().getBindingProcessor(
-          IdFactory.getInstance().createId(session.getId()));
-      if (bp != null) {
-        log.debug("Found binding processor, using this one");
-        String appletPage = getStringFromStream(
-                ((HTTPBindingProcessor) bp).getFormData(APPLET_PAGE_P),
-                req.getCharacterEncoding());
-        getDispatcher(appletPage).forward(req, resp);
-        return;
-      }
-      log.debug("Did not find a binding processor, creating new ...");
-    }
-    session = req.getSession(true);
-    if (log.isDebugEnabled()) {
-      log.debug("Using session id: " + session.getId());
-    }
-
-    String acceptLanguage = req.getHeader("Accept-Language");
-    Locale locale = AcceptLanguage.getLocale(acceptLanguage);
-    log.debug("Accept-Language locale: " + locale);
-
-    HTTPBindingProcessor bindingProcessor;
-    bindingProcessor = (HTTPBindingProcessor) getBindingProcessorManager()
-        .createBindingProcessor(req.getRequestURL().toString(),
-            session.getId(), locale);
-
-    Map<String, String> headerMap = new HashMap<String, String>();
-    for (Enumeration<String> headerName = req.getHeaderNames(); headerName
-        .hasMoreElements();) {
-      String header = headerName.nextElement();
-      if (header != null) {
-        headerMap.put(header, req.getHeader(header));
-      }
-    }
-    String charset = req.getCharacterEncoding();
-    String contentType = req.getContentType();
-    if (charset != null) {
-      contentType += ";" + charset;
-    }
-    headerMap.put(HttpUtil.HTTP_HEADER_CONTENT_TYPE, contentType);
-    bindingProcessor.setHTTPHeaders(headerMap);
-    bindingProcessor.consumeRequestStream(req.getInputStream());
-    req.getInputStream().close();
-    getBindingProcessorManager().process(bindingProcessor);
-
-    log.trace("Trying to find applet parameters in request");
-
-    // appletWidth
-    String width = getStringFromStream(bindingProcessor
-        .getFormData(PARAM_APPLET_WIDTH), charset);
-    if (width != null) {
-      try {
-        // must be a valid integer
-        session.setAttribute(ATTR_APPLET_WIDTH, Integer.parseInt(width));
-        log.trace("Found parameter " + PARAM_APPLET_WIDTH + "='" + width +"'.");
-      } catch (NumberFormatException nfe) {
-        log.warn("Applet parameter " + PARAM_APPLET_WIDTH + 
-            " does not contain a valid value.", nfe);
-      }
-    }
-    
-    // appletHeight
-    String height = getStringFromStream(bindingProcessor
-        .getFormData(PARAM_APPLET_HEIGHT), charset);
-    if (height != null) {
-      try {
-        // must be a valid integer
-        session.setAttribute(ATTR_APPLET_HEIGHT, Integer.parseInt(height));
-        log.trace("Found parameter " + PARAM_APPLET_HEIGHT + "='" + height + "'.");
-      } catch (NumberFormatException nfe) {
-        log.warn("Applet parameter " + PARAM_APPLET_HEIGHT + 
-            " does not contain a valid value.", nfe);
-      }
-    }
-    
-    // appletBackground
-    String background = getStringFromStream(bindingProcessor
-        .getFormData(PARAM_APPLET_BACKGROUND), charset);
-    if (background != null) {
-      session.setAttribute(ATTR_APPLET_BACKGROUND, background);
-      try {
-        // must be a valid http or https URL
-        URI backgroundURL = new URI(background);
-        if ("http".equals(backgroundURL.getScheme()) 
-            || "https".equals(backgroundURL.getScheme())) {
-          session.setAttribute(ATTR_APPLET_BACKGROUND, backgroundURL.toASCIIString());
-          log.trace("Found parameter " + PARAM_APPLET_BACKGROUND + "='" 
-              + backgroundURL.toASCIIString() + "'.");
-        } else {
-          log.warn("Applet parameter " + PARAM_APPLET_BACKGROUND + "='" 
-              + background + "' is not a valid http/https URL.");
-        }
-      } catch (URISyntaxException e) {
-        log.warn("Applet parameter " + PARAM_APPLET_BACKGROUND + "='" 
-            + background + "' is not a valid http/https URL.", e);
-      }
-    }
-    
-    // appletBackgroundColor
-    String backgroundColor = getStringFromStream(bindingProcessor
-        .getFormData(PARAM_APPLET_BACKGROUND_COLOR), charset);
-    if (backgroundColor != null) {
-      // must be a valid color definition
-      if (PATTERM_APPLET_BACKGROUND_COLOR.matcher(backgroundColor).matches()) {
-        session.setAttribute(ATTR_APPLET_BACKGROUND_COLOR, backgroundColor);
-        log.trace("Faund parameter " + PARAM_APPLET_BACKGROUND_COLOR + "='" 
-            + backgroundColor + "'.");
-      } else {
-        log.warn("Applet parameter " + PARAM_APPLET_BACKGROUND_COLOR + "='" 
-            + backgroundColor + "' is not a valid color definition (must be of form '#hhhhhh').");
-      }
-    }
-    
-    // appletGuiStyle
-    String guiStyle = getStringFromStream(bindingProcessor
-        .getFormData(PARAM_APPLET_GUI_STYLE), charset);
-    if (guiStyle != null) {
-      // must be one of VALUES_APPLET_GUI_STYLE
-      String style = guiStyle.toLowerCase();
-      if (Arrays.asList(VALUES_APPLET_GUI_STYLE).contains(style)) {
-        session.setAttribute(ATTR_APPLET_GUI_STYLE, style);
-        log.trace("Found parameter " + PARAM_APPLET_GUI_STYLE + "='" 
-            + style + "'.");
-      } else {
-        StringBuilder sb = new StringBuilder();
-        sb.append("Applet parameter ").append(PARAM_APPLET_GUI_STYLE).append(
-            "='").append(guiStyle).append("' is not valid (must be one of ")
-            .append(Arrays.toString(VALUES_APPLET_GUI_STYLE)).append(").");
-        log.warn(sb);
-      }
-    }
-
-    // appletExtension
-    String extension = getStringFromStream(bindingProcessor
-        .getFormData(PARAM_APPLET_EXTENSION), charset);
-    if (extension != null) {
-      // must be one of VALUES_APPLET_EXTENSION
-      String ext = extension.toLowerCase();
-      if (Arrays.asList(VALUES_APPLET_EXTENSION).contains(ext)) {
-        session.setAttribute(ATTR_APPLET_EXTENSION, ext);
-        log.trace("Found parameter " + PARAM_APPLET_EXTENSION + "='" 
-            + ext + "'.");
-      } else {
-        StringBuilder sb = new StringBuilder();
-        sb.append("Applet parameter ").append(PARAM_APPLET_EXTENSION).append(
-            "='").append(extension).append("' is not valid (must be one of ")
-            .append(Arrays.toString(VALUES_APPLET_EXTENSION)).append(").");
-        log.warn(sb);
-      }
-    }
-
-    // locale
-    String localeFormParam = getStringFromStream(bindingProcessor
-        .getFormData(PARAM_LOCALE), charset);
-    if (localeFormParam != null) {
-      // must be a valid locale
-      if (PATTERN_LOCALE.matcher(localeFormParam).matches()) {
-        locale = new Locale(localeFormParam);
-        log.debug("Overrule accept-language header locale " + locale
-            + " with form param " + localeFormParam + ".");
-      } else {
-        log.warn("Parameter " + PARAM_LOCALE + "='" + localeFormParam
-            + "' is not a valid locale definition.");
-      }
-    }
-    if (locale != null) {
-      log.debug("Using locale " + locale);
-      session.setAttribute(ATTR_LOCALE, locale.toString());
-    }
-    
+  protected void beforeAppletPage(HttpServletRequest req, HTTPBindingProcessor bindingProcessor) {
     // handle server side redirect url after processing
-    String redirectUrl = bindingProcessor.getRedirectURL(); 
+    String redirectUrl = ((HTTPBindingProcessorImpl) bindingProcessor).getRedirectURL(); 
     if ( redirectUrl != null) {
-      log.info("Got redirect URL "+redirectUrl+". Deferring browser redirect.");
-      session.setAttribute(REDIRECT_URL_SESSION_ATTRIBUTE, redirectUrl);
+      log.info("Got redirect URL '{}'. Deferring browser redirect.", redirectUrl);
+      req.getSession().setAttribute(REDIRECT_URL_SESSION_ATTRIBUTE, redirectUrl);
     }
-
-    String appletPage = getStringFromStream(bindingProcessor
-        .getFormData(APPLET_PAGE_P), charset);
-    getDispatcher(appletPage).forward(req, resp);
   }
 
   @Override
-  protected void doGet(HttpServletRequest req, HttpServletResponse resp)
-      throws ServletException, java.io.IOException {
-    doPost(req, resp);
-  }
-
-  private RequestDispatcher getDispatcher(String appletPage) {
-    RequestDispatcher dispatcher = null;
-    if (appletPage != null) {
-      log.trace("requested appletPage " + appletPage);
-      dispatcher = getServletContext().getNamedDispatcher(appletPage);
-    }
-    if (dispatcher == null) {
-      log.debug("no appletPage requested or appletPage not configured, using default");
-      appletPage = APPLET_PAGE_DEFAULT;
-      dispatcher = getServletContext().getNamedDispatcher(appletPage);
-    }
-//    session.setAttribute(APPLET_PAGE_P, appletPage);
-    log.debug("forward to applet " + appletPage);
-
-    return dispatcher;
+  protected String getRequestProtocol(HttpServletRequest req) {
+    return "HTTP";
   }
 
 }
diff --git a/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/MoccaContextListener.java b/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/MoccaContextListener.java
new file mode 100644
index 00000000..8d65c92e
--- /dev/null
+++ b/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/MoccaContextListener.java
@@ -0,0 +1,128 @@
+/*
+* Copyright 2009 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+package at.gv.egiz.bku.online.webapp;
+
+import iaik.security.ecc.provider.ECCProvider;
+import iaik.security.provider.IAIK;
+import iaik.xml.crypto.XSecProvider;
+
+import java.security.Provider;
+import java.security.Security;
+import java.util.ArrayList;
+import java.util.List;
+
+import javax.servlet.ServletContext;
+import javax.servlet.ServletContextEvent;
+import javax.servlet.ServletContextListener;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class MoccaContextListener implements ServletContextListener {
+  
+  public static final String DISABLE_SECURITY_PROVIDER_REGISTRATION = "disableSecurityProviderRegistration";
+  
+  private Logger log = LoggerFactory.getLogger(MoccaContextListener.class);
+
+  private final List<Provider> selfRegisteredProviders = new ArrayList<Provider>(); 
+  
+  @Override
+  public void contextDestroyed(ServletContextEvent sce) {
+    log.info("Deregistering self registered security providers.");
+    
+    for (Provider provider : selfRegisteredProviders) {
+      Security.removeProvider(provider.getName());
+    }
+    selfRegisteredProviders.clear();
+    
+  }
+
+  @Override
+  public void contextInitialized(ServletContextEvent sce) {
+    
+    ServletContext servletContext = sce.getServletContext();
+    if (!Boolean.parseBoolean(servletContext.getInitParameter(DISABLE_SECURITY_PROVIDER_REGISTRATION))) {
+      log.info("Looking for required and registered security providers ...");
+      
+      registerProviders();
+      
+      if (!selfRegisteredProviders.isEmpty()) {
+        log.warn("Security providers have been registered. "
+            + "This may affect other contexts in the same container!");
+      }
+      
+      if (log.isDebugEnabled()) {
+        StringBuilder sb = new StringBuilder();
+        sb.append("Registered providers: ");
+        int i = 1;
+        for (Provider prov : Security.getProviders()) {
+          sb.append("\n" + (i++) + ". : " + prov);
+        }
+        log.debug(sb.toString());
+      }
+    }
+
+
+  }
+
+  
+  protected void registerProvider(Provider provider, int position) {
+    String name = provider.getName();
+    if (Security.getProvider(name) == null) {
+      // register IAIK provider at first position
+      try {
+        if (position > 0) {
+          position = Security.insertProviderAt(provider, position);
+        } else {
+          position = Security.addProvider(provider);
+        }
+        log.info("Required security Provider {} was not yet registered. "
+            + "Now registered at position {}.", name, position);
+        selfRegisteredProviders.add(provider);
+      } catch (SecurityException e) {
+        log.info("Failed to register required security Provider.", e);
+      }
+    } else {
+      log.info("Required security Provider {} already registered.", name);
+    }
+    
+  }
+  
+  protected void registerProviders() {
+
+    registerProvider(new IAIK(), 1);
+    registerProvider(new ECCProvider(false), 2);
+    
+    final String name = XSecProvider.NAME;
+    if (Security.getProvider(XSecProvider.NAME) == null) {
+      // register XML Security provider
+      try {
+        XSecProvider.addAsProvider(false);
+        log.info("Required security Provider {} was not yet registered. "
+            + "Now registered.", name);
+        selfRegisteredProviders.add(Security.getProvider(name));
+      } catch (SecurityException e) {
+        log.info("Failed to register required security Provider.", e);
+      }
+    } else {
+      log.info("Required security Provider {} already registered.", name);
+    }
+    
+  }
+
+}
diff --git a/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/ResultServlet.java b/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/ResultServlet.java
index 5ffe2399..5fd01775 100644
--- a/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/ResultServlet.java
+++ b/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/ResultServlet.java
@@ -25,13 +25,14 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
 
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.slf4j.MDC;
 
+import at.gv.egiz.bku.binding.BindingProcessor;
 import at.gv.egiz.bku.binding.HTTPBindingProcessor;
-import at.gv.egiz.bku.binding.HttpUtil;
+import at.gv.egiz.bku.binding.Id;
 import at.gv.egiz.bku.binding.IdFactory;
-import at.gv.egiz.bku.conf.Configurator;
 import at.gv.egiz.bku.utils.NullOutputStream;
 
 /**
@@ -40,7 +41,9 @@ import at.gv.egiz.bku.utils.NullOutputStream;
  */
 public class ResultServlet extends SpringBKUServlet {
 
-  private final static Log log = LogFactory.getLog(ResultServlet.class);
+  private static final long serialVersionUID = 1L;
+
+  private final Logger log = LoggerFactory.getLogger(ResultServlet.class);
 
   private String encoding = "UTF-8";
   private String expiredPage = "./expiredError.jsp";
@@ -51,12 +54,12 @@ public class ResultServlet extends SpringBKUServlet {
   private void myInit() {
     String enc = getServletContext().getInitParameter("responseEncoding");
     if (enc != null) {
-      log.debug("Init default encoding to: " + enc);
+      log.trace("Init default encoding to: {}.", enc);
       encoding = enc;
     }
     String expP = getServletConfig().getInitParameter("expiredPage");
     if (expP != null) {
-      log.debug("Init expired page to: " + expP);
+      log.trace("Init expired page to: {}.", expP);
       expiredPage = expP;
     }
   }
@@ -80,75 +83,65 @@ public class ResultServlet extends SpringBKUServlet {
 
   protected void doGet(HttpServletRequest req, HttpServletResponse resp)
       throws ServletException, java.io.IOException { 
-    String version = configurator.getProperty(Configurator.SIGNATURE_LAYOUT);
-    if ((version != null) && (!"".equals(version.trim()))) {
-      log.debug("setting SignatureLayout header to " + version);
-      resp.setHeader(Configurator.SIGNATURE_LAYOUT, version);
-    } else {
-      log.debug("do not set SignatureLayout header");
-    }
-      
-    if (configurator.getProperty(Configurator.USERAGENT_CONFIG_P) != null) {
-      resp.setHeader(HttpUtil.HTTP_HEADER_SERVER, configurator
-          .getProperty(Configurator.USERAGENT_CONFIG_P));
-    } else {
-      resp.setHeader(HttpUtil.HTTP_HEADER_SERVER,
-              Configurator.USERAGENT_DEFAULT);
-    }
 
     HttpSession session = req.getSession(false);
     if (session == null) {
       resp.sendRedirect(expiredPage);
       return;
     }
-    String sessionId = session.getId();
-    if (sessionId == null) {
-      resp.sendRedirect(expiredPage);
-      return;
-    }
-    log.debug("Got a result request for session: " + sessionId);
-    HTTPBindingProcessor bp = (HTTPBindingProcessor) getBindingProcessorManager()
-        .getBindingProcessor(IdFactory.getInstance().createId(sessionId));
-    if (bp == null) {
+
+    Id id = IdFactory.getInstance().createId(session.getId());
+
+    HTTPBindingProcessor bp;
+    BindingProcessor bindingProcessor = getBindingProcessorManager().getBindingProcessor(id);
+    if (bindingProcessor instanceof HTTPBindingProcessor) {
+      bp = (HTTPBindingProcessor) bindingProcessor;
+    } else {
       session.invalidate();
       resp.sendRedirect(expiredPage);
       return;
     }
-    String redirectUrl = (String) session
-        .getAttribute(BKURequestHandler.REDIRECT_URL_SESSION_ATTRIBUTE);
-    if (redirectUrl == null) {
-      redirectUrl = bp.getRedirectURL();
-    }
-    if (redirectUrl != null) {
-      try {
-        bp.writeResultTo(new NullOutputStream(), encoding);
-        getBindingProcessorManager().removeBindingProcessor(bp.getId());
-      } finally {
-          log.info("Executing deferred browser redirect to: " + redirectUrl);
-        resp.sendRedirect(redirectUrl);
-        session.invalidate();
+    MDC.put("id", id.toString());
+    
+    try {
+      String redirectUrl = (String) session
+          .getAttribute(AbstractWebRequestHandler.REDIRECT_URL_SESSION_ATTRIBUTE);
+      if (redirectUrl == null) {
+        redirectUrl = bp.getRedirectURL();
       }
-      return;
-    }
-
-    log.trace("setting response code: " + bp.getResponseCode());
-    resp.setStatus(bp.getResponseCode());
-    resp.setHeader("Cache-Control", "no-store"); // HTTP 1.1
-    resp.setHeader("Pragma", "no-cache"); // HTTP 1.0
-    resp.setDateHeader("Expires", 0);
-    for (Iterator<String> it = bp.getResponseHeaders().keySet().iterator(); it
-        .hasNext();) {
-      String header = it.next();
-      if (log.isTraceEnabled()) {
-        log.trace("setting response header " + header + ": " + bp.getResponseHeaders().get(header));
+      if (redirectUrl != null) {
+        try {
+          bp.writeResultTo(new NullOutputStream(), encoding);
+          getBindingProcessorManager().removeBindingProcessor(bp.getId());
+        } finally {
+          log.info("Sending deferred redirect, RedirectURL={}.", redirectUrl);
+          resp.sendRedirect(redirectUrl);
+          session.invalidate();
+        }
+        return;
+      }
+  
+      log.trace("Setting response code: {}.", bp.getResponseCode());
+      resp.setStatus(bp.getResponseCode());
+      resp.setHeader("Cache-Control", "no-store"); // HTTP 1.1
+      resp.setHeader("Pragma", "no-cache"); // HTTP 1.0
+      resp.setDateHeader("Expires", 0);
+      for (Iterator<String> it = bp.getResponseHeaders().keySet().iterator(); it
+          .hasNext();) {
+        String header = it.next();
+        log.trace("Setting response header {}: {}.", header, bp.getResponseHeaders().get(header));
+        resp.setHeader(header, bp.getResponseHeaders().get(header));
       }
-      resp.setHeader(header, bp.getResponseHeaders().get(header));
+      resp.setContentType(bp.getResultContentType());
+      resp.setCharacterEncoding(encoding);
+      log.info("Sending result.");
+      bp.writeResultTo(resp.getOutputStream(), encoding);
+      resp.getOutputStream().flush();
+      session.invalidate();
+      getBindingProcessorManager().removeBindingProcessor(bp.getId());
+      
+    } finally {
+      MDC.remove("id");
     }
-    resp.setContentType(bp.getResultContentType());
-    resp.setCharacterEncoding(encoding);
-    bp.writeResultTo(resp.getOutputStream(), encoding);
-    resp.getOutputStream().flush();
-    session.invalidate();
-    getBindingProcessorManager().removeBindingProcessor(bp.getId());
   }
 }
diff --git a/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/SessionTimeout.java b/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/SessionListener.java
index 2b56166c..1bec31b6 100644
--- a/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/SessionTimeout.java
+++ b/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/SessionListener.java
@@ -14,36 +14,34 @@
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
-package at.gv.egiz.bku.online.webapp;

-

-import javax.servlet.http.HttpSessionEvent;

-import javax.servlet.http.HttpSessionListener;

-

-import org.apache.commons.logging.Log;

-import org.apache.commons.logging.LogFactory;

-

-import at.gv.egiz.bku.binding.BindingProcessorManager;

-import at.gv.egiz.bku.binding.IdFactory;

-

-/**

- * Session listener to trigger the removal of the BindingProcessor

- *

- */

-public class SessionTimeout implements HttpSessionListener {

-  

-  private static Log log = LogFactory.getLog(SessionTimeout.class);

-

-  @Override

-  public void sessionCreated(HttpSessionEvent arg0) {

-    // TODO Auto-generated method stub

-

-  }

-

-  @Override

-  public void sessionDestroyed(HttpSessionEvent event) {

-    BindingProcessorManager manager = (BindingProcessorManager) event.getSession().getServletContext().getAttribute(SpringBKUServlet.BEAN_NAME);

-    log.info("Removing session: "+event.getSession().getId());

-    manager.removeBindingProcessor(IdFactory.getInstance().createId(event.getSession().getId()));

-  }

-

-}

+package at.gv.egiz.bku.online.webapp;
+
+import javax.servlet.http.HttpSessionEvent;
+import javax.servlet.http.HttpSessionListener;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import at.gv.egiz.bku.binding.BindingProcessorManager;
+import at.gv.egiz.bku.binding.IdFactory;
+
+/**
+ * Session listener to trigger the removal of the BindingProcessor
+ *
+ */
+public class SessionListener implements HttpSessionListener {
+  
+  private final Logger log = LoggerFactory.getLogger(SessionListener.class);
+
+  @Override
+  public void sessionCreated(HttpSessionEvent event) {
+  }
+
+  @Override
+  public void sessionDestroyed(HttpSessionEvent event) {
+    BindingProcessorManager manager = (BindingProcessorManager) event.getSession().getServletContext().getAttribute(SpringBKUServlet.BEAN_NAME);
+    manager.removeBindingProcessor(IdFactory.getInstance().createId(event.getSession().getId()));
+    log.info("Session {} destroyed.", event.getSession().getId());
+  }
+
+}
diff --git a/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/ShutdownHandler.java b/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/ShutdownHandler.java
index 741b5e32..39d7368d 100644
--- a/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/ShutdownHandler.java
+++ b/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/ShutdownHandler.java
@@ -1,48 +1,48 @@
-/*

- * Copyright 2008 Federal Chancellery Austria and

- * Graz University of Technology

- * 

- * Licensed under the Apache License, Version 2.0 (the "License");

- * you may not use this file except in compliance with the License.

- * You may obtain a copy of the License at

- * 

- *     http://www.apache.org/licenses/LICENSE-2.0

- * 

- * Unless required by applicable law or agreed to in writing, software

- * distributed under the License is distributed on an "AS IS" BASIS,

- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

- * See the License for the specific language governing permissions and

- * limitations under the License.

- */

-

-package at.gv.egiz.bku.online.webapp;

-

-import org.apache.commons.logging.Log;

-import org.apache.commons.logging.LogFactory;

-import org.springframework.context.ApplicationEvent;

-import org.springframework.context.ApplicationListener;

-import org.springframework.context.event.ContextClosedEvent;

-

-import at.gv.egiz.bku.binding.BindingProcessorManager;

-

-public class ShutdownHandler implements ApplicationListener {

-

-	private static Log log = LogFactory.getLog(ShutdownHandler.class);

-

-	private BindingProcessorManager bindingProcessorManager;

-

-	public void setBindingProcessorManager(

-			BindingProcessorManager bindingProcessorManager) {

-		this.bindingProcessorManager = bindingProcessorManager;

-	}

-

-	@Override

-	public void onApplicationEvent(ApplicationEvent event) {

-		if (event instanceof ContextClosedEvent) {

-			log.info("Shutting down BKU");

-			bindingProcessorManager.shutdownNow();

-		}

-

-	}

-

-}

+/*
+ * Copyright 2008 Federal Chancellery Austria and
+ * Graz University of Technology
+ * 
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package at.gv.egiz.bku.online.webapp;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.context.ApplicationEvent;
+import org.springframework.context.ApplicationListener;
+import org.springframework.context.event.ContextClosedEvent;
+
+import at.gv.egiz.bku.binding.BindingProcessorManager;
+
+public class ShutdownHandler implements ApplicationListener {
+
+	private final Logger log = LoggerFactory.getLogger(ShutdownHandler.class);
+
+	private BindingProcessorManager bindingProcessorManager;
+
+	public void setBindingProcessorManager(
+			BindingProcessorManager bindingProcessorManager) {
+		this.bindingProcessorManager = bindingProcessorManager;
+	}
+
+	@Override
+	public void onApplicationEvent(ApplicationEvent event) {
+		if (event instanceof ContextClosedEvent) {
+			log.info("Shutting down MOCCA.");
+			bindingProcessorManager.shutdownNow();
+		}
+
+	}
+
+}
diff --git a/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/SpringBKUServlet.java b/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/SpringBKUServlet.java
index 2c6f522e..6a6f11e8 100644
--- a/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/SpringBKUServlet.java
+++ b/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/SpringBKUServlet.java
@@ -19,19 +19,15 @@ package at.gv.egiz.bku.online.webapp;
 import javax.servlet.http.HttpServlet;
 
 import at.gv.egiz.bku.binding.BindingProcessorManager;
-import at.gv.egiz.bku.conf.Configurator;
 

 public abstract class SpringBKUServlet extends HttpServlet {

 

+  private static final long serialVersionUID = 1L;
+
   public final static String BEAN_NAME="bindingProcessorManager";
   
-  protected static Configurator configurator; 
-  
   protected BindingProcessorManager getBindingProcessorManager() {

     return (BindingProcessorManager) getServletContext().getAttribute(BEAN_NAME);

   }
   
-  public static void setConfigurator(Configurator conf) {
-    configurator = conf;
-  }

 }

diff --git a/BKUOnline/src/main/java/at/gv/egiz/mocca/id/AbstractCommandSequenceBindingProcessor.java b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/AbstractCommandSequenceBindingProcessor.java
new file mode 100644
index 00000000..897ec227
--- /dev/null
+++ b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/AbstractCommandSequenceBindingProcessor.java
@@ -0,0 +1,123 @@
+/*
+* Copyright 2009 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+package at.gv.egiz.mocca.id;
+
+import java.util.Collections;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import at.gv.egiz.bku.binding.AbstractBindingProcessor;
+import at.gv.egiz.bku.slcommands.SLCommand;
+import at.gv.egiz.bku.slcommands.SLCommandContext;
+import at.gv.egiz.bku.slcommands.SLResult;
+import at.gv.egiz.bku.slexceptions.SLCommandException;
+import at.gv.egiz.bku.slexceptions.SLException;
+import at.gv.egiz.stal.QuitRequest;
+
+public abstract class AbstractCommandSequenceBindingProcessor extends AbstractBindingProcessor {
+
+  protected static Logger log = LoggerFactory.getLogger(AbstractCommandSequenceBindingProcessor.class);
+  
+  /**
+   * @return the error
+   */
+  protected Exception getError() {
+    return error;
+  }
+
+  /**
+   * @param error the error to set
+   */
+  protected void setError(Exception error) {
+    this.error = error;
+  }
+
+  private Exception error;
+
+  private SLCommandBrocker commandBrocker = new SLCommandBrocker();
+  
+  /**
+   * External processing?
+   */
+  private boolean external;
+  
+  /**
+   * Constructs a new instance of this IdBindingProcessorImpl with
+   * the given ID.
+   */
+  public AbstractCommandSequenceBindingProcessor() {
+    super();
+  }
+
+  /**
+   * @return the external
+   */
+  public boolean isExternal() {
+    return external;
+  }
+
+  /**
+   * @param external the external to set
+   */
+  public void setExternal(boolean external) {
+    this.external = external;
+  }
+
+  protected abstract SLCommand getNextCommand();
+  
+  protected abstract void processResult(SLResult result);
+  
+  @Override
+  public synchronized void process() {
+
+    try {
+    
+      SLCommand command;
+      do {
+        command = getNextCommand();
+        SLCommandContext context = new SLCommandContext(getSTAL(), getUrlDereferencer(), locale);
+        SLResult result = null;
+        if (external) {
+          result = commandBrocker.execute(command, context, 3 * 60 * 1000);
+        } else {
+          if (command != null) {
+            result = command.execute(context);
+          } else {
+            stal.handleRequest(Collections.singletonList(new QuitRequest()));
+          }
+        }
+        if (result != null) {
+          processResult(result);
+        }
+      } while (command != null);
+      
+    } catch (InterruptedException e) {
+      setError(new SLException(6000));
+    } catch (Exception e) {
+      log.info("BindingProcessor error.", e);
+      setError(e);
+    }
+    
+  }
+
+  public SLCommand setExternalResult(SLResult slResult) throws SLCommandException, InterruptedException {
+    return commandBrocker.nextCommand(slResult, 3 * 60 * 1000);
+  }
+
+}
diff --git a/BKUOnline/src/main/java/at/gv/egiz/mocca/id/DataURLServerServlet.java b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/DataURLServerServlet.java
new file mode 100644
index 00000000..b40fd35f
--- /dev/null
+++ b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/DataURLServerServlet.java
@@ -0,0 +1,225 @@
+/*
+* Copyright 2009 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+package at.gv.egiz.mocca.id;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.Iterator;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.xml.XMLConstants;
+import javax.xml.bind.JAXBElement;
+import javax.xml.bind.JAXBException;
+import javax.xml.bind.Marshaller;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+import org.xml.sax.SAXException;
+
+import at.gv.egiz.bku.binding.BindingProcessor;
+import at.gv.egiz.bku.binding.FormParameter;
+import at.gv.egiz.bku.binding.IdFactory;
+import at.gv.egiz.bku.binding.InputDecoder;
+import at.gv.egiz.bku.binding.InputDecoderFactory;
+import at.gv.egiz.bku.online.webapp.SpringBKUServlet;
+import at.gv.egiz.bku.slcommands.SLCommand;
+import at.gv.egiz.bku.slcommands.SLMarshallerFactory;
+import at.gv.egiz.bku.slcommands.SLResult;
+import at.gv.egiz.bku.slcommands.impl.DomCreateXMLSignatureResultImpl;
+import at.gv.egiz.bku.slcommands.impl.DomErrorResultImpl;
+import at.gv.egiz.bku.slcommands.impl.DomInfoboxReadResultImpl;
+import at.gv.egiz.bku.slcommands.impl.ErrorResultImpl;
+import at.gv.egiz.bku.slcommands.impl.SLCommandImpl;
+import at.gv.egiz.bku.slexceptions.SLCommandException;
+import at.gv.egiz.bku.utils.DebugInputStream;
+import at.gv.egiz.bku.utils.StreamUtil;
+import at.gv.egiz.slbinding.SLUnmarshaller;
+
+public class DataURLServerServlet extends SpringBKUServlet {
+  
+  private static Logger log = LoggerFactory.getLogger(DataURLServerServlet.class);
+  
+  /**
+   * 
+   */
+  private static final long serialVersionUID = 1L;
+
+  /* (non-Javadoc)
+   * @see javax.servlet.http.HttpServlet#doPost(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)
+   */
+  @Override
+  protected void doPost(HttpServletRequest req, HttpServletResponse resp)
+      throws ServletException, IOException {
+    
+    String userAgent = req.getHeader("User-Agent");
+    String contentType = req.getContentType();
+    log.debug("Content-Type: " + contentType + " User-Agent: " + userAgent);
+
+    InputDecoder dec = InputDecoderFactory.getDecoder(contentType, req.getInputStream());
+    
+    String sessionId = null;
+    Element respElement = null;
+    
+    Iterator<FormParameter> formParams = dec.getFormParameterIterator();
+    while(formParams.hasNext()) {
+      FormParameter parameter = formParams.next();
+      String name = parameter.getFormParameterName();
+      if ("SessionID_".equals(name)) {
+        sessionId = StreamUtil.asString(parameter.getFormParameterValue(), "UTF-8");
+        log.debug("SessionID: {}", sessionId);
+      } else if ("ResponseType".equals(name)) {
+        String parameterContentType = parameter.getFormParameterContentType();
+        if (log.isDebugEnabled()) {
+          log.debug("ResponseType: ({}) {}.", parameterContentType, StreamUtil.asString(parameter.getFormParameterValue(), "UTF-8"));
+        }
+      } else if ("XMLResponse".equals(name)) {
+        InputStream inputStream = parameter.getFormParameterValue();
+        
+        DebugInputStream di = null;
+        if (log.isDebugEnabled()) {
+          di = new DebugInputStream(inputStream);
+          inputStream = di;
+        }
+        
+        SLUnmarshaller slUnmarshaller = new SLUnmarshaller();
+        
+        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+        dbf.setNamespaceAware(true);
+        dbf.setSchema(slUnmarshaller.getSlSchema());
+        try {
+          dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+        } catch (ParserConfigurationException e) {
+          log.warn("Failed to enable secure processing.", e);
+        }
+        
+        // http://www.w3.org/TR/xmldsig-bestpractices/#be-aware-schema-normalization
+        try {
+          dbf.setAttribute("http://apache.org/xml/features/validation/schema/normalized-value", Boolean.FALSE);
+        } catch (IllegalArgumentException e) {
+          log.warn("Failed to disable schema normalization " +
+                "(see http://www.w3.org/TR/xmldsig-bestpractices/#be-aware-schema-normalization)", e);
+        }
+        
+        DocumentBuilder documentBuilder;
+        try {
+          documentBuilder = dbf.newDocumentBuilder();
+        } catch (ParserConfigurationException e) {
+          log.error("Failed to create parser for Security Layer response." , e);
+          resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
+          return;
+        }
+        
+        try {
+          Document doc = documentBuilder.parse(inputStream);
+          respElement = doc.getDocumentElement();
+        } catch (SAXException e) {
+          log.info("Failed to parse Security Layer response.", e);
+          // TODO set error and redirect 
+          resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
+          return;
+        }
+
+        if (di != null) {
+          log.debug("XMLResponse:\n{}", new String(di.getBufferedBytes(), "UTF-8"));
+        }
+        
+      }
+      
+    }
+
+    SAMLBindingProcessorImpl bindingProcessor = null;
+    if (sessionId != null) {
+      bindingProcessor = getBindingProcessor(sessionId);
+    }
+    
+    if (bindingProcessor != null && respElement != null) {
+      
+      SLResult slResult = null;
+      if ("http://www.buergerkarte.at/namespaces/securitylayer/1.2#".equals(respElement.getNamespaceURI())) {
+        if ("NullOperationResponse".equals(respElement.getLocalName())) {
+          slResult = null;
+        } else if ("InfoboxReadResponse".equals(respElement.getLocalName())) {
+          slResult = new DomInfoboxReadResultImpl(respElement);
+        } else if ("CreateXMLSignatureResponse".equals(respElement.getLocalName())) {
+          slResult = new DomCreateXMLSignatureResultImpl(respElement);
+        } else if ("ErrorResponse".equals(respElement.getLocalName())) {
+          slResult = new DomErrorResultImpl(respElement);
+        } else {
+          // TODO: report proper error
+          at.gv.egiz.bku.slexceptions.SLException slException = new at.gv.egiz.bku.slexceptions.SLException(0);
+          slResult = new ErrorResultImpl(slException, null);
+        }
+        
+      }
+      
+      SLCommand slCommand = null;
+      try {
+        slCommand = bindingProcessor.setExternalResult(slResult);
+      } catch (SLCommandException e) {
+        log.debug(e.getMessage());
+      } catch (InterruptedException e) {
+        // interrupted 
+      }
+       
+      if (slCommand instanceof SLCommandImpl<?>) {
+        JAXBElement<?> request = ((SLCommandImpl<?>) slCommand).getRequest();
+        Marshaller marshaller = SLMarshallerFactory.getInstance().createMarshaller(false, false);
+        try {
+
+          resp.setCharacterEncoding("UTF-8");
+          resp.setContentType("text/xml");
+          
+          marshaller.marshal(request, resp.getOutputStream());
+          
+          return;
+          
+        } catch (JAXBException e) {
+          log.error("Failed to marshall Security Layer request.", e);
+        }
+        
+      }
+
+    }
+
+    resp.sendRedirect("bkuResult");
+    
+  }    
+
+  protected SAMLBindingProcessorImpl getBindingProcessor(String sessionId) {
+    
+    BindingProcessor bp = getBindingProcessorManager().getBindingProcessor(
+        IdFactory.getInstance().createId(sessionId));
+    
+    if (bp instanceof SAMLBindingProcessorImpl) {
+      log.debug("Found active BindingProcessor, using this one.");
+      return (SAMLBindingProcessorImpl) bp;
+    }
+    
+    return null;
+    
+  }
+
+
+}
diff --git a/BKUOnline/src/main/java/at/gv/egiz/mocca/id/IdLink.java b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/IdLink.java
new file mode 100644
index 00000000..fd4ef8e7
--- /dev/null
+++ b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/IdLink.java
@@ -0,0 +1,346 @@
+/*
+* Copyright 2009 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+package at.gv.egiz.mocca.id;
+
+import iaik.xml.crypto.dom.DOMCryptoContext;
+import iaik.xml.crypto.dsig.keyinfo.KeyValueType;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.security.PublicKey;
+import java.security.cert.X509Certificate;
+import java.text.ParseException;
+import java.util.ArrayList;
+import java.util.List;
+
+import javax.xml.bind.JAXBElement;
+import javax.xml.bind.JAXBException;
+import javax.xml.crypto.MarshalException;
+import javax.xml.crypto.dom.DOMStructure;
+import javax.xml.crypto.dsig.Manifest;
+import javax.xml.crypto.dsig.Reference;
+import javax.xml.crypto.dsig.XMLObject;
+import javax.xml.crypto.dsig.XMLSignature;
+import javax.xml.crypto.dsig.XMLSignatureException;
+import javax.xml.crypto.dsig.XMLSignatureFactory;
+import javax.xml.crypto.dsig.dom.DOMValidateContext;
+import javax.xml.crypto.dsig.keyinfo.KeyInfo;
+import javax.xml.crypto.dsig.keyinfo.X509Data;
+
+import oasis.names.tc.saml._1_0.assertion.AnyType;
+import oasis.names.tc.saml._1_0.assertion.AssertionType;
+import oasis.names.tc.saml._1_0.assertion.AttributeStatementType;
+import oasis.names.tc.saml._1_0.assertion.AttributeType;
+import oasis.names.tc.saml._1_0.assertion.StatementAbstractType;
+import oasis.names.tc.saml._1_0.assertion.SubjectConfirmationType;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.w3c.dom.Element;
+import org.w3c.dom.Node;
+
+import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPersonType;
+import at.gv.egiz.bku.utils.StreamUtil;
+
+public class IdLink {
+  
+  protected Logger log = LoggerFactory.getLogger(IdLink.class);
+  
+  /**
+   * The IdLink is backed by a DOM.
+   */
+  protected Node node;
+  
+  /**
+   * The <code>Assertion</code> (root element) of the IdLink.
+   */
+  protected AssertionType assertion;
+  
+  /**
+   * The citizen's asserted public keys.
+   */
+  protected List<PublicKey> citizenPublicKeys;
+  
+  /**
+   * The XMLSignature.
+   */
+  protected XMLSignature signature;
+  
+  /**
+   * The assertion's signer certificate.
+   */
+  protected X509Certificate signerCert;
+  
+  /**
+   * Is the assertion's signature manifest valid?
+   */
+  protected Boolean manifestValid;
+  
+  /**
+   * Is the assertion's signature valid?
+   */
+  protected Boolean signatureValid;
+  
+  /**
+   * The personal identifier
+   */
+  protected IdLinkPersonData personData;
+ 
+  public IdLink(Element node, AssertionType assertion) throws JAXBException {
+    this.node = node;
+    this.assertion = assertion;
+  }
+  
+  public PhysicalPersonType getPhysicalPerson() {
+
+    AttributeStatementType attributeStatement = getAttributeStatement();
+    if (attributeStatement != null) {
+      JAXBElement<?> subjectConfirmation = attributeStatement.getSubject().getContent().get(0);
+      if (subjectConfirmation.getDeclaredType() == SubjectConfirmationType.class) {
+        Object data = ((SubjectConfirmationType) subjectConfirmation.getValue())
+            .getSubjectConfirmationData().getContent().get(0);
+        if (data instanceof JAXBElement<?>
+            && ((JAXBElement<?>) data).getValue() instanceof PhysicalPersonType) {
+          return (PhysicalPersonType) ((JAXBElement<?>) data).getValue();
+        }
+      }
+    }
+
+    return null;
+  }
+  
+  public AttributeStatementType getAttributeStatement() {
+    
+    StatementAbstractType statement = 
+      assertion.getStatementOrSubjectStatementOrAuthenticationStatement().get(0);
+    
+    if (statement instanceof AttributeStatementType) {
+      return (AttributeStatementType) statement;
+    }
+
+    return null;
+    
+  }
+
+  public IdLinkPersonData getPersonData() throws MarshalException {
+    if (personData == null) {
+      try {
+        personData = new IdLinkPersonData(getPhysicalPerson());
+      } catch (ParseException e) {
+        throw new MarshalException(e);
+      }
+    }
+    return personData;
+  }
+  
+  public List<PublicKey> getCitizenPublicKeys() throws MarshalException {
+    if (citizenPublicKeys == null) {
+      
+      citizenPublicKeys = new ArrayList<PublicKey>();
+
+      AttributeStatementType attributeStatement = getAttributeStatement();
+      if (attributeStatement != null) {
+        List<AttributeType> attributes = attributeStatement.getAttribute();
+        for (AttributeType attribute : attributes) {
+          if ("urn:publicid:gv.at:namespaces:identitylink:1.2".equals(attribute.getAttributeNamespace())
+              && "CitizenPublicKey".equals(attribute.getAttributeName())) {
+            List<AnyType> value = attribute.getAttributeValue();
+            if (value.size() == 1 && value.get(0).getContent().size() == 1) {
+              Object object = value.get(0).getContent().get(0);
+              if (object instanceof Element) {
+                Element element = (Element) object;
+                DOMStructure structure = iaik.xml.crypto.dom.DOMStructure.getInstance(element, new DOMCryptoContext());
+                if (structure instanceof KeyValueType) {
+                  citizenPublicKeys.add(((KeyValueType) structure).getPublicKey());
+                }
+              }
+            }
+          }
+        }
+      }
+      
+    }
+    return citizenPublicKeys;
+  }
+  
+  public XMLSignature getXMLSignature() throws MarshalException {
+    if (signature == null) {
+
+      Node n = node.getLastChild();
+      while (n != null && n.getNodeType() != Node.ELEMENT_NODE) {
+        n = n.getPreviousSibling();
+      }
+
+      if (n != null 
+          && XMLSignature.XMLNS.equals(n.getNamespaceURI())
+          && "Signature".equals(n.getLocalName())) {
+        
+        XMLSignatureFactory signatureFactory = XMLSignatureFactory.getInstance();
+        signature = signatureFactory.unmarshalXMLSignature(new DOMStructure(n));
+      }
+      
+      
+    }
+    return signature;
+  }
+  
+  public X509Certificate getSignerCert() throws MarshalException {
+    if (signerCert == null) {
+
+      if (getXMLSignature() != null) {
+
+        KeyInfo keyInfo = signature.getKeyInfo();
+        if (keyInfo != null) {
+          List<?> content = keyInfo.getContent();
+          for (Object data : content) {
+            if (data instanceof X509Data) {
+              List<?> x509Data = ((X509Data) data).getContent();
+              for (Object object : x509Data) {
+                if (object instanceof X509Certificate) {
+                  signerCert = (X509Certificate) object;
+                  return signerCert;
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+    return signerCert;
+  }
+  
+  
+  @SuppressWarnings("unchecked")
+  public boolean verifySignature() throws MarshalException, XMLSignatureException {
+    if (signatureValid == null) {
+      if (getXMLSignature() != null && getSignerCert() != null) {
+        
+        DOMValidateContext validateContext = new DOMValidateContext(signerCert.getPublicKey(), node);
+        validateContext.setProperty("javax.xml.crypto.dsig.cacheReference", Boolean.TRUE);
+        
+        signatureValid = signature.validate(validateContext);
+        
+        // logging
+        if (!signatureValid && log.isTraceEnabled()) {
+          List<Reference> references = signature.getSignedInfo().getReferences();
+          for (Reference reference : references) {
+            if (!Manifest.TYPE.equals(reference.getType())) {
+              if (!reference.validate(validateContext)) { 
+                InputStream digestInputStream = reference.getDigestInputStream();
+                if (digestInputStream != null) {
+                  try {
+                    log.trace("SignedInfo's reference digest input:\n{}",
+                        StreamUtil.asString(digestInputStream, "UTF-8"));
+                  } catch (IOException e) {
+                    log.info("Failed to get SignedInfos's reference digest input", e.toString());
+                  }
+                }
+              } else {
+                try {
+                  log.trace("Signature canonicalized data:\n{}", StreamUtil.asString(signature
+                      .getSignedInfo().getCanonicalizedData(), "UTF-8"));
+                } catch (IOException e) {
+                  log.info("Failed to get canonicalized data.", e);
+                }
+              }
+              break;
+            }
+          }
+        }
+        
+      }
+    } 
+    return signatureValid;
+  }
+  
+  @SuppressWarnings("unchecked")
+  public boolean verifyManifest() throws MarshalException, XMLSignatureException {
+    if (manifestValid == null) {
+      if (getXMLSignature() != null && getSignerCert() != null) {
+
+        DOMValidateContext validateContext = new DOMValidateContext(signerCert.getPublicKey(), node);
+        if (log.isTraceEnabled()) {
+          // enable reference caching in trace log-level
+          validateContext.setProperty("javax.xml.crypto.dsig.cacheReference", Boolean.TRUE);
+        }
+        boolean valid = false;
+        
+        // validate manifest
+        List<XMLObject> objects = signature.getObjects();
+        for (XMLObject object : objects) {
+          List<?> content = object.getContent();
+          if (content.get(0) instanceof Manifest) {
+            Manifest manifest = (Manifest) content.get(0);
+            List<Reference> references = manifest.getReferences();
+            for (Reference reference : references) {
+              
+              valid = reference.validate(validateContext);
+              
+              // logging
+              if (!valid && log.isTraceEnabled()) {
+                InputStream digestInputStream = reference.getDigestInputStream();
+                if (digestInputStream != null) {
+                  try {
+                    log.trace("Manifest's reference digest input:\n{}",
+                        StreamUtil.asString(digestInputStream, "UTF-8"));
+                  } catch (IOException e) {
+                    log.info("Failed to get Manifest's reference digest input", e.toString());
+                  }
+                }
+              }
+              break;
+            }
+          }
+        }
+
+        // validate reference to manifest
+        if (valid) {
+          List<Reference> references = signature.getSignedInfo().getReferences();
+          for (Reference reference : references) {
+            if (Manifest.TYPE.equals(reference.getType())) {
+              
+              boolean refValid = reference.validate(validateContext);
+
+              // logging
+              if (!refValid && log.isTraceEnabled()) {
+                InputStream digestInputStream = reference.getDigestInputStream();
+                if (digestInputStream != null) {
+                  try {
+                    log.trace("SignedInfo's manifest reference digest input:\n{}",
+                        StreamUtil.asString(digestInputStream, "UTF-8"));
+                  } catch (IOException e) {
+                    log.info("Failed to get SignedInfos's manifest reference digest input", e.toString());
+                  }
+                }
+              }
+
+              valid &= refValid;
+              
+            }
+          }
+        }
+        
+        manifestValid = valid;
+        
+      }
+      
+    }
+    return manifestValid;
+  }
+  
+}
diff --git a/BKUOnline/src/main/java/at/gv/egiz/mocca/id/IdLinkException.java b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/IdLinkException.java
new file mode 100644
index 00000000..12383861
--- /dev/null
+++ b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/IdLinkException.java
@@ -0,0 +1,43 @@
+/*
+* Copyright 2009 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+package at.gv.egiz.mocca.id;
+
+public class IdLinkException extends Exception {
+
+  /**
+   * 
+   */
+  private static final long serialVersionUID = 1L;
+
+  public IdLinkException() {
+    super();
+  }
+
+  public IdLinkException(String message, Throwable cause) {
+    super(message, cause);
+  }
+
+  public IdLinkException(String message) {
+    super(message);
+  }
+
+  public IdLinkException(Throwable cause) {
+    super(cause);
+  }
+  
+}
diff --git a/BKUOnline/src/main/java/at/gv/egiz/mocca/id/IdLinkFactory.java b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/IdLinkFactory.java
new file mode 100644
index 00000000..90312af3
--- /dev/null
+++ b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/IdLinkFactory.java
@@ -0,0 +1,154 @@
+/*
+* Copyright 2009 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+package at.gv.egiz.mocca.id;
+
+import java.io.IOException;
+import java.net.URL;
+
+import javax.xml.XMLConstants;
+import javax.xml.bind.JAXBContext;
+import javax.xml.bind.JAXBElement;
+import javax.xml.bind.JAXBException;
+import javax.xml.bind.Unmarshaller;
+import javax.xml.namespace.QName;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
+import javax.xml.transform.Source;
+import javax.xml.transform.stream.StreamSource;
+import javax.xml.validation.Schema;
+import javax.xml.validation.SchemaFactory;
+
+import oasis.names.tc.saml._1_0.assertion.AssertionType;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+import org.xml.sax.InputSource;
+import org.xml.sax.SAXException;
+
+public class IdLinkFactory {
+  
+  protected static Logger log = LoggerFactory.getLogger(IdLinkFactory.class);
+  
+  public static final String[] SCHEMA_FILES = new String[] {
+    "at/gv/egiz/mocca/id/idlschema/xmldsig-more.xsd",
+    "at/gv/egiz/mocca/id/idlschema/xmldsig-core-schema.xsd",
+    "at/gv/egiz/mocca/id/idlschema/PersonData.xsd",
+    "at/gv/egiz/mocca/id/idlschema/oasis-sstc-saml-schema-assertion-1.0.xsd"};
+
+  private static class InstanceHolder {
+    private static final IdLinkFactory INSTANCE = new IdLinkFactory();
+  }
+
+  public static IdLinkFactory getInstance() {
+    return InstanceHolder.INSTANCE;
+  }
+  
+  static {
+//    InitDOMStructure.init();
+  }
+
+  private final Schema idlSchema;
+
+  private final JAXBContext jaxbContext;
+
+  
+  private IdLinkFactory() {
+    
+    try {
+      SchemaFactory schemaFactory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
+      ClassLoader cl = Thread.currentThread().getContextClassLoader();
+      Source[] sources = new Source[SCHEMA_FILES.length];
+      for (int i = 0; i < SCHEMA_FILES.length; i++) {
+          String schemaFile = SCHEMA_FILES[i];
+          URL schemaURL = cl.getResource(schemaFile);
+          if (schemaURL == null) {
+              throw new RuntimeException("Failed to load schema file " + schemaFile + ".");
+          }
+          log.debug("Schema location: " + schemaURL);
+          sources[i] = new StreamSource(schemaURL.openStream());
+      }
+      idlSchema = schemaFactory.newSchema(sources);
+    } catch (IOException e) {
+      log.error("Failed to load identity link schema.", e);
+      throw new RuntimeException(e);
+    } catch (SAXException e) {
+      log.error("Failed to load identity link schema.", e);
+      throw new RuntimeException(e);
+    }
+
+    StringBuffer packageNames = new StringBuffer();
+    packageNames.append(at.gv.e_government.reference.namespace.persondata._20020228_.ObjectFactory.class.getPackage().getName());
+    packageNames.append(":");
+    packageNames.append(oasis.names.tc.saml._1_0.assertion.ObjectFactory.class.getPackage().getName());
+
+    try {
+      jaxbContext = JAXBContext.newInstance(packageNames.toString());
+    } catch (JAXBException e) {
+      // we should not get an JAXBException initializing the JAXBContext
+      throw new RuntimeException(e);
+    }
+    
+  }
+
+  public IdLink unmarshallIdLink(InputSource source) throws IdLinkException,
+      ParserConfigurationException, SAXException, IOException, JAXBException {
+    
+    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+    dbf.setNamespaceAware(true);
+    dbf.setSchema(idlSchema);
+    dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+    
+    // http://www.w3.org/TR/xmldsig-bestpractices/#be-aware-schema-normalization
+    try {
+      dbf.setAttribute("http://apache.org/xml/features/validation/schema/normalized-value", Boolean.FALSE);
+    } catch (IllegalArgumentException e) {
+      log.warn("Failed to disable schema normalization " +
+      		"(see http://www.w3.org/TR/xmldsig-bestpractices/#be-aware-schema-normalization)", e);
+    }
+    
+    DocumentBuilder documentBuilder = dbf.newDocumentBuilder();
+    Document doc = documentBuilder.parse(source);
+    
+    return unmarshallIdLink(doc.getDocumentElement());
+    
+  }
+  
+  public IdLink unmarshallIdLink(Element element) throws IdLinkException, JAXBException {
+
+    Unmarshaller unmarshaller = jaxbContext.createUnmarshaller();
+    unmarshaller.setSchema(idlSchema);
+    
+    Object object = unmarshaller.unmarshal(element);
+    
+    IdLink idLink;
+    if (object instanceof JAXBElement<?>
+        && ((JAXBElement<?>) object).getDeclaredType() == AssertionType.class) {
+       idLink = new IdLink(element, (AssertionType) ((JAXBElement<?>) object).getValue());
+    } else {
+      throw new IllegalArgumentException("Parameter node is not a "
+          + new QName("urn:oasis:names:tc:SAML:1.0:assertion", "Assertion"));
+    }
+
+    return idLink;
+    
+  }
+    
+}
diff --git a/BKUOnline/src/main/java/at/gv/egiz/mocca/id/IdLinkKeySelector.java b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/IdLinkKeySelector.java
new file mode 100644
index 00000000..493b92af
--- /dev/null
+++ b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/IdLinkKeySelector.java
@@ -0,0 +1,88 @@
+/*
+* Copyright 2009 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+package at.gv.egiz.mocca.id;
+
+import java.security.Key;
+import java.security.PublicKey;
+import java.security.cert.X509Certificate;
+
+import javax.xml.crypto.AlgorithmMethod;
+import javax.xml.crypto.KeySelector;
+import javax.xml.crypto.KeySelectorException;
+import javax.xml.crypto.KeySelectorResult;
+import javax.xml.crypto.MarshalException;
+import javax.xml.crypto.XMLCryptoContext;
+import javax.xml.crypto.dsig.keyinfo.KeyInfo;
+import javax.xml.crypto.dsig.keyinfo.X509Data;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class IdLinkKeySelector extends KeySelector {
+  
+  private static Logger log = LoggerFactory.getLogger(IdLinkKeySelector.class);
+  
+  private IdLink idLink;
+  
+  public IdLinkKeySelector(IdLink idLink) {
+    super();
+    if (idLink == null) {
+      throw new NullPointerException("Parameter 'idLink' must not be null.");
+    }
+    this.idLink = idLink;
+  }
+
+  @Override
+  public KeySelectorResult select(KeyInfo keyInfo, Purpose purpose,
+      AlgorithmMethod method, XMLCryptoContext context)
+      throws KeySelectorException {
+    
+    if (purpose != Purpose.VERIFY) {
+      throw new KeySelectorException("KeySelector does not support purpose "
+          + purpose + ".");
+    }
+    
+    try {
+      for (Object ki : keyInfo.getContent()) {
+        if (ki instanceof X509Data) {
+          for (Object xd : ((X509Data) ki).getContent()) {
+            if (xd instanceof X509Certificate) {
+              final PublicKey publicKey = ((X509Certificate) xd).getPublicKey();
+              if (idLink.getCitizenPublicKeys().contains(publicKey)) {
+                log.trace("Found matching key {} in identiy link and KeyInfo.", publicKey);
+                return new KeySelectorResult() {
+                  @Override
+                  public Key getKey() {
+                    return publicKey;
+                  }
+                };
+              }
+            }
+          }
+        }
+      }
+    } catch (MarshalException e) {
+      log.info("Failed to get public keys from identity link.", e);
+      throw new KeySelectorException(e);
+    }
+    
+    log.info("Did not find matching public keys in the identity link and the KeyInfo.");
+    return null;
+  }
+
+}
diff --git a/BKUOnline/src/main/java/at/gv/egiz/mocca/id/IdLinkPersonData.java b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/IdLinkPersonData.java
new file mode 100644
index 00000000..5b6f4453
--- /dev/null
+++ b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/IdLinkPersonData.java
@@ -0,0 +1,76 @@
+/*
+* Copyright 2009 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+package at.gv.egiz.mocca.id;
+
+import java.text.DateFormat;
+import java.text.ParseException;
+import java.text.SimpleDateFormat;
+import java.util.Date;
+
+import at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType;
+import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPersonType;
+
+public class IdLinkPersonData {
+
+  private static final DateFormat DATE_FORMAT = new SimpleDateFormat("yyyy-MM-dd");
+  
+  protected PersonalIdentifier identifier;
+  
+  protected String familyName;
+  
+  protected String givenName;
+  
+  protected Date dateOfBirth;
+
+  public IdLinkPersonData(PhysicalPersonType physicalPerson) throws ParseException {
+    familyName = physicalPerson.getName().getFamilyName().get(0).getValue();
+    givenName = physicalPerson.getName().getGivenName().get(0);
+    dateOfBirth = DATE_FORMAT.parse(physicalPerson.getDateOfBirth());
+    IdentificationType identificationType = physicalPerson.getIdentification().get(0);
+    if (identificationType != null) {
+      identifier = new PersonalIdentifier(identificationType.getType(),
+          identificationType.getValue().getValue());
+    }
+  }
+
+  public String getGivenName() {
+    return givenName;
+  }
+
+  public String getFamilyName() {
+    return familyName;
+  }
+
+  public Date getDateOfBirth() throws ParseException {
+    return dateOfBirth;
+  }
+  
+  public PersonalIdentifier getIdentifier() {
+    return identifier;
+  }
+
+  /* (non-Javadoc)
+   * @see java.lang.Object#toString()
+   */
+  @Override
+  public String toString() {
+    return familyName + ", " + givenName + ", " + DATE_FORMAT.format(dateOfBirth);
+  }
+  
+  
+}
diff --git a/BKUOnline/src/main/java/at/gv/egiz/mocca/id/PersonalIdentifier.java b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/PersonalIdentifier.java
new file mode 100644
index 00000000..ad108dc2
--- /dev/null
+++ b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/PersonalIdentifier.java
@@ -0,0 +1,81 @@
+/*
+* Copyright 2009 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+package at.gv.egiz.mocca.id;
+
+import iaik.utils.Base64OutputStream;
+
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.UnsupportedEncodingException;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+
+public class PersonalIdentifier {
+  
+  public static final String PREFIX = "urn:publicid:gv.at:";
+  
+  public static final String BASE_ID = PREFIX + "baseid";
+  
+  
+  protected String type;
+  
+  protected String value;
+
+  public PersonalIdentifier(String type, String value) {
+    this.type = type;
+    this.value = value;
+  }
+
+  /**
+   * @return the type
+   */
+  public String getType() {
+    return type;
+  }
+
+  /**
+   * @return the value
+   */
+  public String getValue() {
+    return value;
+  }
+  
+  public PersonalIdentifier getDerivedValue(String domainId) {
+    
+    if (BASE_ID.equals(type)) {
+      try {
+        MessageDigest md = MessageDigest.getInstance("SHA");
+        ByteArrayOutputStream os = new ByteArrayOutputStream();
+        Base64OutputStream bos = new Base64OutputStream(os);
+        bos.write(md.digest((value + '+' + domainId).getBytes("ISO-8859-1")));
+        bos.flush();
+        return new PersonalIdentifier(domainId, os.toString("ASCII"));
+      } catch (NoSuchAlgorithmException e) {
+        throw new RuntimeException(e);
+      } catch (UnsupportedEncodingException e) {
+        throw new RuntimeException(e);
+      } catch (IOException e) {
+        throw new RuntimeException(e);
+      }
+    }
+    return null;
+
+  }
+  
+  
+}
diff --git a/BKUOnline/src/main/java/at/gv/egiz/mocca/id/QESTemplates.java b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/QESTemplates.java
new file mode 100644
index 00000000..8737d39c
--- /dev/null
+++ b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/QESTemplates.java
@@ -0,0 +1,115 @@
+/*
+* Copyright 2009 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+package at.gv.egiz.mocca.id;
+
+import java.io.InputStream;
+import java.io.StringWriter;
+import java.text.DateFormat;
+import java.text.ParseException;
+import java.util.Collections;
+import java.util.Date;
+import java.util.HashMap;
+import java.util.Locale;
+import java.util.Map;
+
+import javax.xml.crypto.MarshalException;
+import javax.xml.transform.Templates;
+import javax.xml.transform.Transformer;
+import javax.xml.transform.TransformerConfigurationException;
+import javax.xml.transform.TransformerException;
+import javax.xml.transform.TransformerFactory;
+import javax.xml.transform.stream.StreamResult;
+import javax.xml.transform.stream.StreamSource;
+
+import at.gv.egiz.bku.slexceptions.SLRuntimeException;
+
+public class QESTemplates {
+
+  private Map<String, Templates> templatesMap = Collections.synchronizedMap(new HashMap<String, Templates>());
+  
+  private synchronized Templates getTemplates(String id) {
+    
+    Templates templates = templatesMap.get(id);
+    if (templates == null) {
+      templates = loadTemplates(id);
+      templatesMap.put(id, templates);
+    }
+    return templates;
+    
+  }
+
+  protected Templates loadTemplates(String id) {
+    
+    InputStream xsl = QESTemplates.class.getResourceAsStream("/templates/template.xsl");
+    if (xsl == null) {
+      throw new IllegalArgumentException("Template not found.");
+    }
+    TransformerFactory transformerFactory = TransformerFactory.newInstance();
+    try {
+      return transformerFactory.newTemplates(new StreamSource(xsl));
+    } catch (TransformerConfigurationException e) {
+      throw new SLRuntimeException(e);
+    }
+    
+  }
+  
+  public String createQESTemplate(String id, Locale locale, IdLink idLink, String url, PersonalIdentifier derivedIdentifier, Date dateTime) {
+
+    Templates templates = getTemplates(id);
+    try {
+      Transformer transformer = templates.newTransformer();
+      
+      DateFormat dateFormat = DateFormat.getDateInstance(DateFormat.MEDIUM, locale);
+      DateFormat timeFormat = DateFormat.getTimeInstance(DateFormat.MEDIUM, locale);
+
+      IdLinkPersonData personData = idLink.getPersonData();
+      
+      transformer.setParameter("givenName", personData.getGivenName());
+      transformer.setParameter("familyName", personData.getFamilyName());
+      transformer.setParameter("dateOfBirth", dateFormat.format(personData.getDateOfBirth()));
+      
+      transformer.setParameter("url", url);
+      transformer.setParameter("identifierType", derivedIdentifier.getType());
+      transformer.setParameter("identifierValue", derivedIdentifier.getValue());
+      
+      transformer.setParameter("date", dateFormat.format(dateTime));
+      transformer.setParameter("time", timeFormat.format(dateTime));
+      
+      
+      StringWriter writer = new StringWriter();
+      transformer.transform(new StreamSource(), new StreamResult(writer));
+      
+      
+      return writer.toString();
+    } catch (TransformerConfigurationException e) {
+      throw new SLRuntimeException(e);
+    } catch (TransformerException e) {
+      // TODO Auto-generated catch block
+      e.printStackTrace();
+    } catch (MarshalException e) {
+      // TODO Auto-generated catch block
+      e.printStackTrace();
+    } catch (ParseException e) {
+      // TODO Auto-generated catch block
+      e.printStackTrace();
+    }
+    return null;
+    
+  }
+  
+}
diff --git a/BKUOnline/src/main/java/at/gv/egiz/mocca/id/SAMLBindingProcessorFactory.java b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/SAMLBindingProcessorFactory.java
new file mode 100644
index 00000000..9a71b32f
--- /dev/null
+++ b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/SAMLBindingProcessorFactory.java
@@ -0,0 +1,44 @@
+/*
+* Copyright 2009 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+package at.gv.egiz.mocca.id;
+
+import java.util.Collections;
+import java.util.Set;
+
+import at.gv.egiz.bku.binding.AbstractBindingProcessorFactory;
+import at.gv.egiz.bku.binding.BindingProcessor;
+import at.gv.egiz.bku.binding.BindingProcessorFactory;
+import at.gv.egiz.bku.utils.binding.Protocol;
+
+public class SAMLBindingProcessorFactory extends AbstractBindingProcessorFactory implements BindingProcessorFactory {
+
+  private Set<Protocol> supportedProtocols = Collections.singleton(Protocol.SAML);
+  
+  @Override
+  public Set<Protocol> getSupportedProtocols() {
+    return supportedProtocols;
+  }
+
+  @Override
+  public BindingProcessor createBindingProcessor() {
+    SAMLBindingProcessorImpl bindingProcessor = new SAMLBindingProcessorImpl();
+    configureBindingProcessor(bindingProcessor);
+    return bindingProcessor;
+  }
+
+}
diff --git a/BKUOnline/src/main/java/at/gv/egiz/mocca/id/SAMLBindingProcessorImpl.java b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/SAMLBindingProcessorImpl.java
new file mode 100644
index 00000000..ce4ac425
--- /dev/null
+++ b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/SAMLBindingProcessorImpl.java
@@ -0,0 +1,357 @@
+/*
+ * Copyright 2009 Federal Chancellery Austria and
+ * Graz University of Technology
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package at.gv.egiz.mocca.id;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.nio.charset.Charset;
+import java.util.Collections;
+import java.util.Date;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Map;
+
+import javax.servlet.http.HttpServletResponse;
+import javax.xml.bind.JAXBElement;
+import javax.xml.bind.JAXBException;
+import javax.xml.crypto.MarshalException;
+import javax.xml.crypto.dsig.XMLSignature;
+import javax.xml.crypto.dsig.XMLSignatureException;
+import javax.xml.crypto.dsig.XMLSignatureFactory;
+import javax.xml.crypto.dsig.dom.DOMValidateContext;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+
+import at.buergerkarte.namespaces.securitylayer._1.AnyChildrenType;
+import at.buergerkarte.namespaces.securitylayer._1.Base64XMLLocRefOptRefContentType;
+import at.buergerkarte.namespaces.securitylayer._1.CreateXMLSignatureRequestType;
+import at.buergerkarte.namespaces.securitylayer._1.DataObjectInfoType;
+import at.buergerkarte.namespaces.securitylayer._1.InfoboxReadParamsBinaryFileType;
+import at.buergerkarte.namespaces.securitylayer._1.InfoboxReadRequestType;
+import at.buergerkarte.namespaces.securitylayer._1.MetaInfoType;
+import at.buergerkarte.namespaces.securitylayer._1.ObjectFactory;
+import at.buergerkarte.namespaces.securitylayer._1.TransformsInfoType;
+import at.gv.egiz.bku.binding.FormParameter;
+import at.gv.egiz.bku.binding.HTTPBindingProcessor;
+import at.gv.egiz.bku.binding.HttpUtil;
+import at.gv.egiz.bku.binding.InputDecoder;
+import at.gv.egiz.bku.binding.InputDecoderFactory;
+import at.gv.egiz.bku.slcommands.CreateXMLSignatureResult;
+import at.gv.egiz.bku.slcommands.ErrorResult;
+import at.gv.egiz.bku.slcommands.InfoboxReadResult;
+import at.gv.egiz.bku.slcommands.SLCommand;
+import at.gv.egiz.bku.slcommands.SLCommandFactory;
+import at.gv.egiz.bku.slcommands.SLResult;
+import at.gv.egiz.bku.slexceptions.SLCommandException;
+import at.gv.egiz.bku.slexceptions.SLVersionException;
+
+public class SAMLBindingProcessorImpl extends
+    AbstractCommandSequenceBindingProcessor implements HTTPBindingProcessor {
+
+  private static final Logger log = LoggerFactory
+      .getLogger(SAMLBindingProcessorImpl.class);
+
+  private String requestContentType;
+
+  private String domainIdentifier = "urn:publicid:gv.at:wbpk+FN+468924i";
+
+  private String keyBoxIdentifier = "SecureSignatureKeypair";
+  
+  private String url = "www.egiz.gv.at";
+
+  private QESTemplates templates = new QESTemplates();
+
+  private IdLink idLink;
+
+  private Element signature;
+
+  private SLResult errorResponse;
+
+  @Override
+  protected void processResult(SLResult result) {
+    if (result instanceof ErrorResult) {
+      ErrorResult errorResult = (ErrorResult) result;
+      log.info("Got ErrorResponse {}: {}", errorResult.getErrorCode(),
+          errorResult.getInfo());
+      errorResponse = result;
+      return;
+    } else if (result instanceof InfoboxReadResult) {
+      try {
+        processInfoboxReadResult((InfoboxReadResult) result);
+        if (idLink != null) {
+          try {
+            IdLinkPersonData personData = idLink.getPersonData();
+            log.info("Got idLink for {}.", personData);
+          } catch (MarshalException e) {
+            log.info("Failed to unmarshal idLink.");
+          }
+        }
+      } catch (JAXBException e) {
+        log.info("InfoboxReadResult contains unexpected data.", e);
+        errorResponse = result;
+      } catch (IdLinkException e) {
+        log.info("InfoboxReadResult contains invalid identity link.", e);
+        errorResponse = result;
+      }
+    } else if (result instanceof CreateXMLSignatureResult) {
+      signature = ((CreateXMLSignatureResult) result).getContent();
+      log.info("Got signature.");
+      boolean valid = validate(signature) && validate(idLink);
+      log.info("Signature is valid: " + valid);
+    }
+  }
+
+  @Override
+  protected SLCommand getNextCommand() {
+
+    JAXBElement<?> request = null;
+    if (errorResponse == null) {
+      if (idLink == null) {
+        request = createReadInfoboxRequest(domainIdentifier);
+      } else if (signature == null) {
+        request = createXMLSignatureRequest();
+      }
+    }
+
+    if (request != null) {
+      SLCommandFactory commandFactory = SLCommandFactory.getInstance();
+      try {
+        return commandFactory.createSLCommand(request);
+      } catch (SLCommandException e) {
+        log.error("Failed to create SLCommand.", e);
+        setError(e);
+      } catch (SLVersionException e) {
+        log.error("Failed to create SLCommand.", e);
+        setError(e);
+      }
+    }
+
+    return null;
+  }
+
+  protected void processInfoboxReadResult(InfoboxReadResult result)
+      throws JAXBException, IdLinkException {
+
+    Object object = result.getContent();
+    if (object instanceof byte[]) {
+      log.info("InfoboxReadResult contains unexpected binary data.");
+      errorResponse = result;
+      return;
+    } else if (object instanceof List<?>) {
+      JAXBException exception = null;
+      for (Object content : (List<?>) object) {
+        if (content instanceof Element) {
+          try {
+            idLink = IdLinkFactory.getInstance().unmarshallIdLink(
+                (Element) content);
+            return;
+          } catch (JAXBException e) {
+            exception = e;
+          }
+        }
+      }
+      if (exception != null) {
+        throw exception;
+      }
+    }
+
+  }
+
+  @Override
+  public void setHTTPHeaders(Map<String, String> headerMap) {
+    for (String header : headerMap.keySet()) {
+      if (HttpUtil.HTTP_HEADER_CONTENT_TYPE.equalsIgnoreCase(header)) {
+        requestContentType = headerMap.get(header);
+      }
+    }
+  }
+
+  @Override
+  public void consumeRequestStream(String url, InputStream is) {
+    InputDecoder inputDecoder = InputDecoderFactory.getDecoder(
+        requestContentType, is);
+    Iterator<FormParameter> fpi = inputDecoder.getFormParameterIterator();
+    while (fpi.hasNext()) {
+      FormParameter formParameter = fpi.next();
+      if ("BKUUrl".equals(formParameter.getFormParameterName())) {
+        setExternal(true);
+      }
+    }
+  }
+
+  @Override
+  public String getResultContentType() {
+    // TODO Auto-generated method stub
+    return null;
+  }
+
+  @Override
+  public void writeResultTo(OutputStream os, String encoding)
+      throws IOException {
+    // TODO Auto-generated method stub
+
+  }
+
+  protected JAXBElement<InfoboxReadRequestType> createReadInfoboxRequest(
+      String domainIdentifier) {
+
+    ObjectFactory factory = new ObjectFactory();
+
+    InfoboxReadRequestType infoboxReadRequestType = factory
+        .createInfoboxReadRequestType();
+    infoboxReadRequestType.setInfoboxIdentifier("IdentityLink");
+
+    InfoboxReadParamsBinaryFileType infoboxReadParamsBinaryFileType = factory
+        .createInfoboxReadParamsBinaryFileType();
+    infoboxReadParamsBinaryFileType.setContentIsXMLEntity(true);
+    infoboxReadRequestType
+        .setBinaryFileParameters(infoboxReadParamsBinaryFileType);
+
+    if (domainIdentifier != null) {
+      JAXBElement<String> identityLinkDomainIdentifier = factory
+          .createIdentityLinkDomainIdentifier(domainIdentifier);
+      AnyChildrenType anyChildrenType = factory.createAnyChildrenType();
+      anyChildrenType.getAny().add(identityLinkDomainIdentifier);
+
+      infoboxReadRequestType.setBoxSpecificParameters(anyChildrenType);
+    }
+
+    return factory.createInfoboxReadRequest(infoboxReadRequestType);
+
+  }
+
+  protected JAXBElement<CreateXMLSignatureRequestType> createXMLSignatureRequest() {
+
+    ObjectFactory factory = new ObjectFactory();
+
+    CreateXMLSignatureRequestType createXMLSignatureRequest = factory
+        .createCreateXMLSignatureRequestType();
+    createXMLSignatureRequest.setKeyboxIdentifier(keyBoxIdentifier);
+
+    DataObjectInfoType dataObjectInfoType = factory.createDataObjectInfoType();
+    dataObjectInfoType.setStructure("enveloping");
+
+    TransformsInfoType transformsInfoType = factory.createTransformsInfoType();
+    MetaInfoType metaInfoType = factory.createMetaInfoType();
+    metaInfoType.setMimeType("application/xhtml+xml");
+    transformsInfoType.setFinalDataMetaInfo(metaInfoType);
+
+    dataObjectInfoType.getTransformsInfo().add(transformsInfoType);
+
+    Base64XMLLocRefOptRefContentType contentType = factory
+        .createBase64XMLLocRefOptRefContentType();
+
+    PersonalIdentifier identifier;
+    try {
+      identifier = idLink.getPersonData().getIdentifier();
+    } catch (MarshalException e) {
+      setError(e);
+      return null;
+    }
+    if ("urn:publicid:gv.at:baseid".equals(identifier.getType())) {
+      identifier = identifier.getDerivedValue(domainIdentifier);
+    }
+    String template = templates.createQESTemplate("test", locale, idLink, "",
+        identifier, new Date());
+
+    contentType.setBase64Content(template.getBytes(Charset.forName("UTF-8")));
+
+    dataObjectInfoType.setDataObject(contentType);
+
+    createXMLSignatureRequest.getDataObjectInfo().add(dataObjectInfoType);
+
+    return factory.createCreateXMLSignatureRequest(createXMLSignatureRequest);
+
+  }
+
+  protected boolean validate(IdLink idLink) {
+    try {
+      if (domainIdentifier != null && domainIdentifier.startsWith("urn:publicid:gv.at:ccid")) {
+        if (!idLink.verifyManifest()) {
+          log.info("Identity link manifest verification failed.");
+          return false;
+        }
+      }
+      if (idLink.verifySignature()) {
+        return true;
+      }
+    } catch (MarshalException e) {
+      log.info("Identity link signature verification failed.", e);
+    } catch (XMLSignatureException e) {
+      log.info("Identity link signature verification failed.", e);
+    } 
+    log.info("Identity link signature verification failed.");
+    return false;
+  }
+  
+  
+  protected boolean validate(Element signature) {
+
+    Document doc = signature.getOwnerDocument();
+    if (signature != signature.getOwnerDocument().getDocumentElement()) {
+      doc.replaceChild(signature, doc.getDocumentElement());
+    }
+
+    XMLSignatureFactory xmlSignatureFactory = XMLSignatureFactory.getInstance();
+
+    try {
+      IdLinkKeySelector keySelector = new IdLinkKeySelector(idLink);
+      DOMValidateContext validateContext = new DOMValidateContext(keySelector, signature);
+      
+      XMLSignature xmlSignature = xmlSignatureFactory
+          .unmarshalXMLSignature(validateContext);
+
+      return xmlSignature.validate(validateContext);
+    } catch (MarshalException e) {
+      log.info("Failed to unmarshall signature.", e);
+    } catch (XMLSignatureException e) {
+      log.info("Failed to validate signature.", e);
+    }
+    return false;
+  }
+
+  @Override
+  public InputStream getFormData(String parameterName) {
+    if ("appletPage".equals(parameterName)) {
+      String appletPage = (isExternal()) ? "local.jsp" : "applet.jsp";
+      return new ByteArrayInputStream(appletPage.getBytes());
+    }
+    return null;
+  }
+
+  @Override
+  public String getRedirectURL() {
+    return null;
+  }
+
+  @Override
+  public int getResponseCode() {
+    return HttpServletResponse.SC_OK;
+  }
+
+  @Override
+  public Map<String, String> getResponseHeaders() {
+    return Collections.emptyMap();
+  }
+
+}
diff --git a/BKUOnline/src/main/java/at/gv/egiz/mocca/id/SAMLRequestHandler.java b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/SAMLRequestHandler.java
new file mode 100644
index 00000000..0209ca79
--- /dev/null
+++ b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/SAMLRequestHandler.java
@@ -0,0 +1,33 @@
+/*
+* Copyright 2009 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+package at.gv.egiz.mocca.id;
+
+import javax.servlet.http.HttpServletRequest;
+
+import at.gv.egiz.bku.online.webapp.AbstractWebRequestHandler;
+
+public class SAMLRequestHandler extends AbstractWebRequestHandler {
+  
+  private static final long serialVersionUID = 1L;
+  
+  @Override
+  protected String getRequestProtocol(HttpServletRequest req) {
+    return "SAML";
+  }
+  
+}
diff --git a/BKUOnline/src/main/java/at/gv/egiz/mocca/id/SLCommandBrocker.java b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/SLCommandBrocker.java
new file mode 100644
index 00000000..2e46a220
--- /dev/null
+++ b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/SLCommandBrocker.java
@@ -0,0 +1,100 @@
+/*
+* Copyright 2009 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+package at.gv.egiz.mocca.id;
+
+import at.gv.egiz.bku.slcommands.SLCommand;
+import at.gv.egiz.bku.slcommands.SLCommandContext;
+import at.gv.egiz.bku.slcommands.SLResult;
+import at.gv.egiz.bku.slcommands.impl.ErrorResultImpl;
+import at.gv.egiz.bku.slexceptions.SLCommandException;
+
+public class SLCommandBrocker {
+  
+  private Sync<SLCommand> commandSync = new Sync<SLCommand>();
+  
+  private Sync<SLResult> resultSync = new Sync<SLResult>();
+
+  public SLResult execute(SLCommand command, SLCommandContext context, long timeout) throws InterruptedException {
+    try {
+      commandSync.put(command, timeout);
+      if (command != null) {
+        return resultSync.get(timeout);
+      } else {
+        return null;
+      }
+    } catch (SLCommandException e) {
+      return new ErrorResultImpl(e, context.getLocale());
+    }
+  }
+  
+  public SLCommand nextCommand(SLResult result, long timeout) throws SLCommandException, InterruptedException {
+    if (result != null) {
+      resultSync.put(result, timeout);
+    }
+    return commandSync.get(timeout);
+  }
+  
+  public class Sync<R> {
+    
+    private boolean available;
+    
+    private R r;
+    
+    public synchronized R get(long timeout) throws SLCommandException, InterruptedException {
+      
+      long t0 = System.currentTimeMillis();
+      long elapsed = 0;
+
+      while (!available) {
+        wait(timeout - elapsed);
+        elapsed = System.currentTimeMillis() - t0;
+        if (elapsed > timeout) {
+          notifyAll();
+          throw new SLCommandException(6000);
+        }
+      }
+
+      R r = this.r;
+      this.r = null;
+      available = false;
+      notifyAll();
+      return r;
+    }
+    
+    public synchronized void put(R r, long timeout) throws SLCommandException, InterruptedException {
+      
+      long t0 = System.currentTimeMillis();
+      long elapsed = 0;
+
+      while (available) {
+        wait(timeout - elapsed);
+        elapsed = System.currentTimeMillis() - t0;
+        if (elapsed > timeout) {
+          notifyAll();
+          throw new SLCommandException(6000);
+        }
+      }
+      
+      this.r = r;
+      available = true;
+      notifyAll();
+    }
+    
+  }
+  
+}
diff --git a/BKUOnline/src/main/java/at/gv/egiz/stal/service/impl/RequestBrokerSTALFactory.java b/BKUOnline/src/main/java/at/gv/egiz/stal/service/impl/RequestBrokerSTALFactory.java
index 305d8c1c..5940f505 100644
--- a/BKUOnline/src/main/java/at/gv/egiz/stal/service/impl/RequestBrokerSTALFactory.java
+++ b/BKUOnline/src/main/java/at/gv/egiz/stal/service/impl/RequestBrokerSTALFactory.java
@@ -19,27 +19,50 @@ package at.gv.egiz.stal.service.impl;
 
 import java.util.Locale;
 
+import org.apache.commons.configuration.Configuration;
+
+import at.gv.egiz.bku.conf.MoccaConfigurationFacade;
+import at.gv.egiz.bku.jmx.ComponentMXBean;
+import at.gv.egiz.bku.jmx.ComponentState;
 import at.gv.egiz.stal.STAL;
 import at.gv.egiz.stal.STALFactory;
 
 /**
  *
- * @author clemens
+ * @author clemens, mcentner
  */
-public class RequestBrokerSTALFactory implements STALFactory {
-
-  private static long timeout = -1;
+public class RequestBrokerSTALFactory implements STALFactory, ComponentMXBean {
   
-    @Override
-    public STAL createSTAL() {
-      return new STALRequestBrokerImpl(timeout);
-    }
+  public final ConfigurationFacade configurationFacade = new ConfigurationFacade();
+
+  public class ConfigurationFacade implements MoccaConfigurationFacade {
+
+    private Configuration configuration;
+
+    public static final String APPLET_TIMEOUT = "AppletTimeout";
 
-    @Override
-    public void setLocale(Locale locale) {
+    public int getAppletTimeout() {
+      return configuration.getInteger(APPLET_TIMEOUT, -1);
     }
+
+  }
+
+  public void setConfiguration(Configuration configuration) {
+    configurationFacade.configuration = configuration;
+  }
+  
+  @Override
+  public STAL createSTAL() {
+    return new STALRequestBrokerImpl(configurationFacade.getAppletTimeout());
+  }
+
+  @Override
+  public void setLocale(Locale locale) {
+  }
+
+  @Override
+  public ComponentState checkComponentState() {
+    return new ComponentState(true);
+  }
     
-    public static void setTimeout(long millisec) {
-      timeout = millisec;
-    }
 }
diff --git a/BKUOnline/src/main/java/at/gv/egiz/stal/service/impl/STALRequestBrokerImpl.java b/BKUOnline/src/main/java/at/gv/egiz/stal/service/impl/STALRequestBrokerImpl.java
index a2447ab7..5705a9f7 100644
--- a/BKUOnline/src/main/java/at/gv/egiz/stal/service/impl/STALRequestBrokerImpl.java
+++ b/BKUOnline/src/main/java/at/gv/egiz/stal/service/impl/STALRequestBrokerImpl.java
@@ -34,8 +34,8 @@ import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
 import javax.xml.bind.JAXBElement;
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 /**
  * An instance of STALRequestBroker is shared between a producer thread (SLCommand)
@@ -50,7 +50,7 @@ import org.apache.commons.logging.LogFactory;
  */
 public class STALRequestBrokerImpl implements STALRequestBroker {
 
-    private static final Log log = LogFactory.getLog(STALRequestBrokerImpl.class);
+    private final Logger log = LoggerFactory.getLogger(STALRequestBrokerImpl.class);
 
     private ObjectFactory of = new ObjectFactory();
     private STALTranslator translator = new STALTranslator();
@@ -173,7 +173,7 @@ public class STALRequestBrokerImpl implements STALRequestBroker {
                 log.trace("waiting to consume response");
                 responses.wait(timeout);
                 if (System.currentTimeMillis() - beforeWait >= timeout) {
-                    log.warn("timeout while waiting to consume response, cleanup requests");
+                    log.warn("Timeout while waiting to consume response, cleanup requests.");
                     requests.clear(); 
                     hashDataInputs.clear();
                     return Collections.singletonList((STALResponse) new ErrorResponse(ERR_4500));
@@ -218,7 +218,7 @@ public class STALRequestBrokerImpl implements STALRequestBroker {
                 log.trace("waiting to consume request");
                 requests.wait(timeout);
                 if (System.currentTimeMillis() - beforeWait >= timeout) {
-                    log.warn("timeout while waiting to consume request");
+                    log.warn("Timeout while waiting to consume request.");
                     return createSingleQuitRequest();
                 }
             }
@@ -250,11 +250,11 @@ public class STALRequestBrokerImpl implements STALRequestBroker {
       }
         try {
           synchronized (requests) {
-            log.trace("received responses, now consume request");
+            log.trace("Received responses, now consume request.");
             if (requests.size() != 0) {
               requests.clear();
             } else {
-              log.warn("requests queue is empty, response might have already been produced previously ");
+              log.warn("Requests queue is empty, response might have already been produced previously.");
               // return QUIT?
             }
           }
@@ -266,7 +266,7 @@ public class STALRequestBrokerImpl implements STALRequestBroker {
                     log.trace("waiting to produce response");
                     responses.wait(timeout);
                     if (System.currentTimeMillis() - beforeWait >= timeout) {
-                        log.warn("timeout while waiting to produce response");
+                        log.warn("Timeout while waiting to produce response.");
                         return createSingleQuitRequest();
                     }
                 }
@@ -281,7 +281,7 @@ public class STALRequestBrokerImpl implements STALRequestBroker {
                 log.trace("notifying response consumers");
                 responses.notify();
             } else {
-              log.error("Received NextRequest without responses, return QUIT");
+              log.error("Received NextRequest without responses, return QUIT.");
               return createSingleQuitRequest();
             }
           }
@@ -292,11 +292,11 @@ public class STALRequestBrokerImpl implements STALRequestBroker {
                 log.trace("waiting to consume request");
                 requests.wait(timeout);
                 if (System.currentTimeMillis() - beforeWait >= timeout) {
-                    log.warn("timeout while waiting to consume request");
+                    log.warn("Timeout while waiting to consume request.");
                     return createSingleQuitRequest();
                 }
             }
-            log.trace("don't consume request now, but on next response delivery");
+            log.trace("Don't consume request now, but on next response delivery.");
             return requests;
           }
         } catch (InterruptedException ex) {
@@ -309,7 +309,7 @@ public class STALRequestBrokerImpl implements STALRequestBroker {
     @Override
     public List<HashDataInput> getHashDataInput() {
       synchronized (requests) {
-        log.trace("return " + hashDataInputs.size() + " current HashDataInput(s) ");
+        log.trace("Return {} current HashDataInput(s).", hashDataInputs.size());
         return hashDataInputs;
       }
     }
diff --git a/BKUOnline/src/main/java/at/gv/egiz/stal/service/impl/STALServiceImpl.java b/BKUOnline/src/main/java/at/gv/egiz/stal/service/impl/STALServiceImpl.java
index c8ab280f..e32dad8f 100644
--- a/BKUOnline/src/main/java/at/gv/egiz/stal/service/impl/STALServiceImpl.java
+++ b/BKUOnline/src/main/java/at/gv/egiz/stal/service/impl/STALServiceImpl.java
@@ -16,13 +16,30 @@
  */
 package at.gv.egiz.stal.service.impl;
 
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import javax.annotation.Resource;
+import javax.jws.WebService;
+import javax.servlet.ServletContext;
+import javax.xml.bind.JAXBElement;
+import javax.xml.ws.WebServiceContext;
+import javax.xml.ws.handler.MessageContext;
+
+import org.slf4j.MDC;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
 import at.buergerkarte.namespaces.cardchannel.service.CommandAPDUType;
 import at.buergerkarte.namespaces.cardchannel.service.ScriptType;
 import at.gv.egiz.bku.binding.BindingProcessor;
 import at.gv.egiz.bku.binding.BindingProcessorManager;
 import at.gv.egiz.bku.binding.Id;
 import at.gv.egiz.bku.binding.IdFactory;
-
 import at.gv.egiz.stal.HashDataInput;
 import at.gv.egiz.stal.service.GetHashDataInputFault;
 import at.gv.egiz.stal.service.STALPortType;
@@ -38,25 +55,8 @@ import at.gv.egiz.stal.service.types.RequestType;
 import at.gv.egiz.stal.service.types.ResponseType;
 import at.gv.egiz.stal.service.types.SignRequestType;
 import at.gv.egiz.stal.service.types.GetHashDataInputType.Reference;
-//import at.gv.egiz.stal.service.types.GetHashDataInputResponseType.Reference;
 
 import com.sun.xml.ws.developer.UsesJAXBContext;
-import java.io.ByteArrayOutputStream;
-import java.io.IOException;
-import java.io.InputStream;
-import java.nio.charset.Charset;
-import java.util.HashMap;
-import java.util.Iterator;
-import java.util.List;
-import java.util.Map;
-import javax.annotation.Resource;
-import javax.jws.WebService;
-import javax.servlet.ServletContext;
-import javax.xml.bind.JAXBElement;
-import javax.xml.ws.WebServiceContext;
-import javax.xml.ws.handler.MessageContext;
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
 
 /**
  * 
@@ -68,10 +68,10 @@ public class STALServiceImpl implements STALPortType {
 
   public static final String BINDING_PROCESSOR_MANAGER = "bindingProcessorManager";
   public static final Id TEST_SESSION_ID = IdFactory.getInstance().createId("TestSession");
-  protected static final Log log = LogFactory.getLog(STALServiceImpl.class);
-
+  private final Logger log = LoggerFactory.getLogger(STALServiceImpl.class);
 
   static {
+    Logger log = LoggerFactory.getLogger(STALServiceImpl.class);
     if (log.isTraceEnabled()) {
       log.trace("enabling webservice communication dump");
       System.setProperty("com.sun.xml.ws.transport.http.HttpAdapter.dump", "true");
@@ -91,227 +91,242 @@ public class STALServiceImpl implements STALPortType {
   public GetNextRequestResponseType connect(String sessId) {
 
     if (sessId == null) {
-      throw new NullPointerException("No session id provided");
+      throw new NullPointerException("No session id provided.");
     }
 
     Id sessionId = idF.createId(sessId);
+    MDC.put("id", sessionId.toString());
 
-    if (log.isDebugEnabled()) {
-      log.debug("Received Connect [" + sessionId + "]");
-    }
-
-    if (TEST_SESSION_ID.equals(sessionId)) {
-      return getTestSessionNextRequestResponse(null);
-    }
-
-    GetNextRequestResponseType response = new GetNextRequestResponseType();
-    response.setSessionId(sessionId.toString());
-
-    STALRequestBroker stal = getStal(sessionId);
-
-    if (stal != null) {
-
-      List<JAXBElement<? extends RequestType>> requestsOut = ((STALRequestBroker) stal).connect();
-      response.getInfoboxReadRequestOrSignRequestOrQuitRequest().addAll(requestsOut);
-
-      if (log.isDebugEnabled()) {
-        StringBuilder sb = new StringBuilder("Returning initial GetNextRequestResponse [");
-        sb.append(sessionId.toString());
-        sb.append("] containing ");
-        sb.append(requestsOut.size());
-        sb.append(" requests: ");
-        for (JAXBElement<? extends RequestType> reqOut : requestsOut) {
-          sb.append(reqOut.getValue().getClass());
-          sb.append(' ');
+    try {
+      log.debug("Received Connect.");
+  
+      if (TEST_SESSION_ID.equals(sessionId)) {
+        return getTestSessionNextRequestResponse(null);
+      }
+  
+      GetNextRequestResponseType response = new GetNextRequestResponseType();
+      response.setSessionId(sessionId.toString());
+  
+      STALRequestBroker stal = getStal(sessionId);
+  
+      if (stal != null) {
+  
+        List<JAXBElement<? extends RequestType>> requestsOut = ((STALRequestBroker) stal).connect();
+        response.getInfoboxReadRequestOrSignRequestOrQuitRequest().addAll(requestsOut);
+  
+        if (log.isDebugEnabled()) {
+          StringBuilder sb = new StringBuilder("Returning initial GetNextRequestResponse containing ");
+          sb.append(requestsOut.size());
+          sb.append(" requests: ");
+          for (JAXBElement<? extends RequestType> reqOut : requestsOut) {
+            sb.append(reqOut.getValue().getClass());
+            sb.append(' ');
+          }
+          log.debug(sb.toString());
         }
-        log.debug(sb.toString());
+      } else {
+        log.error("Failed to get STAL, returning QuitRequest.");
+        QuitRequestType quitT = stalObjFactory.createQuitRequestType();
+        JAXBElement<QuitRequestType> quit = stalObjFactory.createGetNextRequestResponseTypeQuitRequest(quitT);
+        response.getInfoboxReadRequestOrSignRequestOrQuitRequest().add(quit);
       }
-    } else {
-      log.error("Failed to get STAL for session " + sessionId + ", returning QuitRequest");
-      QuitRequestType quitT = stalObjFactory.createQuitRequestType();
-      JAXBElement<QuitRequestType> quit = stalObjFactory.createGetNextRequestResponseTypeQuitRequest(quitT);
-      response.getInfoboxReadRequestOrSignRequestOrQuitRequest().add(quit);
+      return response;
+      
+    } finally {
+      MDC.remove("id");
     }
-    return response;
   }
 
   @Override
   public GetNextRequestResponseType getNextRequest(GetNextRequestType request) {
 
     if (request.getSessionId() == null) {
-      throw new NullPointerException("No session id provided");
+      throw new NullPointerException("No session id provided.");
     }
 
     Id sessionId = idF.createId(request.getSessionId());
+    MDC.put("id", sessionId.toString());
 
-    List<JAXBElement<? extends ResponseType>> responsesIn = request.getInfoboxReadResponseOrSignResponseOrErrorResponse();
-//    List<ResponseType> responsesIn = request.getInfoboxReadResponseOrSignResponseOrErrorResponse();//getResponse();
+    try {
 
-    if (log.isDebugEnabled()) {
-      StringBuilder sb = new StringBuilder("Received GetNextRequest [");
-      sb.append(sessionId.toString());
-      sb.append("] containing ");
-      sb.append(responsesIn.size());
-      sb.append(" responses: ");
-      for (JAXBElement<? extends ResponseType> respIn : responsesIn) {
-        sb.append(respIn.getValue().getClass());
-        sb.append(' ');
-      }
-      log.debug(sb.toString());
-    }
-
-    if (TEST_SESSION_ID.equals(sessionId)) {
-      return getTestSessionNextRequestResponse(responsesIn);
-    }
-
-    GetNextRequestResponseType response = new GetNextRequestResponseType();
-    response.setSessionId(sessionId.toString());
-
-    STALRequestBroker stal = getStal(sessionId);
-
-    if (stal != null) {
-
-      List<JAXBElement<? extends RequestType>> requestsOut = ((STALRequestBroker) stal).nextRequest(responsesIn);
-      response.getInfoboxReadRequestOrSignRequestOrQuitRequest().addAll(requestsOut);
+      List<JAXBElement<? extends ResponseType>> responsesIn = request.getInfoboxReadResponseOrSignResponseOrErrorResponse();
 
       if (log.isDebugEnabled()) {
-        StringBuilder sb = new StringBuilder("Returning GetNextRequestResponse [");
-        sb.append(sessionId.toString());
-        sb.append("] containing ");
-        sb.append(requestsOut.size());
-        sb.append(" requests: ");
-        for (JAXBElement<? extends RequestType> reqOut : requestsOut) {
-          sb.append(reqOut.getValue().getClass());
+        StringBuilder sb = new StringBuilder("Received GetNextRequest containing ");
+        sb.append(responsesIn.size());
+        sb.append(" responses: ");
+        for (JAXBElement<? extends ResponseType> respIn : responsesIn) {
+          sb.append(respIn.getValue().getClass());
           sb.append(' ');
         }
         log.debug(sb.toString());
       }
-    } else {
-      log.error("Failed to get STAL for session " + sessionId + ", returning QuitRequest");
-      QuitRequestType quitT = stalObjFactory.createQuitRequestType();
-      JAXBElement<QuitRequestType> quit = stalObjFactory.createGetNextRequestResponseTypeQuitRequest(quitT);
-      response.getInfoboxReadRequestOrSignRequestOrQuitRequest().add(quit);
+  
+      if (TEST_SESSION_ID.equals(sessionId)) {
+        return getTestSessionNextRequestResponse(responsesIn);
+      }
+  
+      GetNextRequestResponseType response = new GetNextRequestResponseType();
+      response.setSessionId(sessionId.toString());
+  
+      STALRequestBroker stal = getStal(sessionId);
+  
+      if (stal != null) {
+  
+        List<JAXBElement<? extends RequestType>> requestsOut = ((STALRequestBroker) stal).nextRequest(responsesIn);
+        response.getInfoboxReadRequestOrSignRequestOrQuitRequest().addAll(requestsOut);
+  
+        if (log.isDebugEnabled()) {
+          StringBuilder sb = new StringBuilder("Returning GetNextRequestResponse containing ");
+          sb.append(requestsOut.size());
+          sb.append(" requests: ");
+          for (JAXBElement<? extends RequestType> reqOut : requestsOut) {
+            sb.append(reqOut.getValue().getClass());
+            sb.append(' ');
+          }
+          log.debug(sb.toString());
+        }
+      } else {
+        log.error("Failed to get STAL, returning QuitRequest.");
+        QuitRequestType quitT = stalObjFactory.createQuitRequestType();
+        JAXBElement<QuitRequestType> quit = stalObjFactory.createGetNextRequestResponseTypeQuitRequest(quitT);
+        response.getInfoboxReadRequestOrSignRequestOrQuitRequest().add(quit);
+      }
+      return response;
+      
+    } finally {
+      MDC.remove("id");
     }
-    return response;
   }
 
   @Override
   public GetHashDataInputResponseType getHashDataInput(GetHashDataInputType request) throws GetHashDataInputFault {
 
     if (request.getSessionId() == null) {
-      throw new NullPointerException("No session id provided");
+      throw new NullPointerException("No session id provided.");
     }
 
     Id sessionId = idF.createId(request.getSessionId());
+    MDC.put("id", sessionId.toString());
 
-    if (log.isDebugEnabled()) {
-      log.debug("Received GetHashDataInputRequest for session " + sessionId + " containing " + request.getReference().size() + " reference(s)");
-    }
-
-    if (TEST_SESSION_ID.equals(sessionId)) {
-      return getTestSessionHashDataInputResponse(request.getReference());
-    }
-    
-    GetHashDataInputResponseType response = new GetHashDataInputResponseType();
-    response.setSessionId(sessionId.toString());
-
-    STALRequestBroker stal = getStal(sessionId);
-
-    if (stal != null) {
-      List<HashDataInput> hashDataInputs = stal.getHashDataInput();
-
-      if (hashDataInputs != null) {
-
-        Map<String, HashDataInput> hashDataIdMap = new HashMap<String, HashDataInput>();
-        for (HashDataInput hdi : hashDataInputs) {
-          if (log.isTraceEnabled()) {
-            log.trace("Provided HashDataInput for reference " + hdi.getReferenceId());
-          }
-          hashDataIdMap.put(hdi.getReferenceId(), hdi);
-        }
-
-        List<GetHashDataInputType.Reference> reqRefs = request.getReference();
-        for (GetHashDataInputType.Reference reqRef : reqRefs) {
-          String reqRefId = reqRef.getID();
-          HashDataInput reqHdi = hashDataIdMap.get(reqRefId);
-          if (reqHdi == null) {
-            String msg = "Failed to resolve HashDataInput for reference " + reqRefId;
-            log.error(msg);
-            GetHashDataInputFaultType faultInfo = new GetHashDataInputFaultType();
-            faultInfo.setErrorCode(1);
-            faultInfo.setErrorMessage(msg);
-            throw new GetHashDataInputFault(msg, faultInfo);
-          }
-
-          InputStream hashDataIS = reqHdi.getHashDataInput();
-          if (hashDataIS == null) {
-            //HashDataInput not cached?
-            String msg = "Failed to obtain HashDataInput for reference " + reqRefId + ", reference not cached";
-            log.error(msg);
-            GetHashDataInputFaultType faultInfo = new GetHashDataInputFaultType();
-            faultInfo.setErrorCode(1);
-            faultInfo.setErrorMessage(msg);
-            throw new GetHashDataInputFault(msg, faultInfo);
+    try {
+      
+      if (log.isDebugEnabled()) {
+        log.debug("Received GetHashDataInputRequest containing {} reference(s).", request.getReference().size());
+      }
+  
+      if (TEST_SESSION_ID.equals(sessionId)) {
+        return getTestSessionHashDataInputResponse(request.getReference());
+      }
+      
+      GetHashDataInputResponseType response = new GetHashDataInputResponseType();
+      response.setSessionId(sessionId.toString());
+  
+      STALRequestBroker stal = getStal(sessionId);
+  
+      if (stal != null) {
+        List<HashDataInput> hashDataInputs = stal.getHashDataInput();
+  
+        if (hashDataInputs != null) {
+  
+          Map<String, HashDataInput> hashDataIdMap = new HashMap<String, HashDataInput>();
+          for (HashDataInput hdi : hashDataInputs) {
+            if (log.isTraceEnabled()) {
+              log.trace("Provided HashDataInput for reference {}.", hdi.getReferenceId());
+            }
+            hashDataIdMap.put(hdi.getReferenceId(), hdi);
           }
-          ByteArrayOutputStream baos = null;
-          try {
-            if (log.isDebugEnabled()) {
-              log.debug("Resolved HashDataInput " + reqRefId + " (" + reqHdi.getMimeType() + ";charset=" + reqHdi.getEncoding() + ")");
+  
+          List<GetHashDataInputType.Reference> reqRefs = request.getReference();
+          for (GetHashDataInputType.Reference reqRef : reqRefs) {
+            String reqRefId = reqRef.getID();
+            HashDataInput reqHdi = hashDataIdMap.get(reqRefId);
+            if (reqHdi == null) {
+              String msg = "Failed to resolve HashDataInput for reference " + reqRefId;
+              log.error(msg);
+              GetHashDataInputFaultType faultInfo = new GetHashDataInputFaultType();
+              faultInfo.setErrorCode(1);
+              faultInfo.setErrorMessage(msg);
+              throw new GetHashDataInputFault(msg, faultInfo);
             }
-            baos = new ByteArrayOutputStream(hashDataIS.available());
-            int c;
-            while ((c = hashDataIS.read()) != -1) {
-              baos.write(c);
+  
+            InputStream hashDataIS = reqHdi.getHashDataInput();
+            if (hashDataIS == null) {
+              //HashDataInput not cached?
+              String msg = "Failed to obtain HashDataInput for reference " + reqRefId + ", reference not cached";
+              log.error(msg);
+              GetHashDataInputFaultType faultInfo = new GetHashDataInputFaultType();
+              faultInfo.setErrorCode(1);
+              faultInfo.setErrorMessage(msg);
+              throw new GetHashDataInputFault(msg, faultInfo);
             }
-            GetHashDataInputResponseType.Reference ref = new GetHashDataInputResponseType.Reference();
-            ref.setID(reqRefId);
-            ref.setMimeType(reqHdi.getMimeType());
-            ref.setEncoding(reqHdi.getEncoding());
-            ref.setFilename(reqHdi.getFilename());
-            ref.setValue(baos.toByteArray());
-            response.getReference().add(ref);
-          } catch (IOException ex) {
-            String msg = "Failed to get HashDataInput for reference " + reqRefId;
-            log.error(msg, ex);
-            GetHashDataInputFaultType faultInfo = new GetHashDataInputFaultType();
-            faultInfo.setErrorCode(1);
-            faultInfo.setErrorMessage(msg);
-            throw new GetHashDataInputFault(msg, faultInfo, ex);
-          } finally {
+            ByteArrayOutputStream baos = null;
             try {
-              baos.close();
+              if (log.isDebugEnabled()) {
+                Object[] args = {reqRefId, reqHdi.getMimeType(), reqHdi.getEncoding()};
+                log.debug("Resolved HashDataInput {} ({};charset={}).", args);
+              }
+              baos = new ByteArrayOutputStream(hashDataIS.available());
+              int c;
+              while ((c = hashDataIS.read()) != -1) {
+                baos.write(c);
+              }
+              GetHashDataInputResponseType.Reference ref = new GetHashDataInputResponseType.Reference();
+              ref.setID(reqRefId);
+              ref.setMimeType(reqHdi.getMimeType());
+              ref.setEncoding(reqHdi.getEncoding());
+              ref.setFilename(reqHdi.getFilename());
+              ref.setValue(baos.toByteArray());
+              response.getReference().add(ref);
             } catch (IOException ex) {
+              String msg = "Failed to get HashDataInput for reference " + reqRefId;
+              log.error(msg, ex);
+              GetHashDataInputFaultType faultInfo = new GetHashDataInputFaultType();
+              faultInfo.setErrorCode(1);
+              faultInfo.setErrorMessage(msg);
+              throw new GetHashDataInputFault(msg, faultInfo, ex);
+            } finally {
+              try {
+                baos.close();
+              } catch (IOException ex) {
+              }
             }
           }
+          return response;
+        } else {
+          String msg = "Failed to resolve any HashDataInputs.";
+          log.error(msg);
+          GetHashDataInputFaultType faultInfo = new GetHashDataInputFaultType();
+          faultInfo.setErrorCode(1);
+          faultInfo.setErrorMessage(msg);
+          throw new GetHashDataInputFault(msg, faultInfo);
         }
-        return response;
       } else {
-        String msg = "Failed to resolve any HashDataInputs for session " + sessionId;
+        String msg = "Session timeout."; //Failed to get STAL for session " + sessionId;
         log.error(msg);
         GetHashDataInputFaultType faultInfo = new GetHashDataInputFaultType();
         faultInfo.setErrorCode(1);
         faultInfo.setErrorMessage(msg);
         throw new GetHashDataInputFault(msg, faultInfo);
       }
-    } else {
-      String msg = "Session timeout"; //Failed to get STAL for session " + sessionId;
-      log.error(msg + " " + sessionId);
-      GetHashDataInputFaultType faultInfo = new GetHashDataInputFaultType();
-      faultInfo.setErrorCode(1);
-      faultInfo.setErrorMessage(msg);
-      throw new GetHashDataInputFault(msg, faultInfo);
+      
+    } finally {
+      MDC.remove("id");
     }
   }
 
   private STALRequestBroker getStal(Id sessionId) {
-    if (log.isTraceEnabled()) {
-      log.trace("resolve STAL for session " + sessionId);
-    }
+    log.trace("Resolve STAL for session [{}].", sessionId);
     MessageContext mCtx = wsContext.getMessageContext();
     ServletContext sCtx = (ServletContext) mCtx.get(MessageContext.SERVLET_CONTEXT);
     BindingProcessorManager bpMgr = (BindingProcessorManager) sCtx.getAttribute(BINDING_PROCESSOR_MANAGER);
-    BindingProcessor bp = bpMgr.getBindingProcessor(sessionId);
-    return (bp == null) ? null : (bp.isFinished() ? null : (STALRequestBroker) bp.getSTAL());
+    BindingProcessor bindingProcessor = bpMgr.getBindingProcessor(sessionId);
+    if (bindingProcessor != null) {
+      if (bindingProcessor.getSTAL() instanceof STALRequestBroker) {
+        return (STALRequestBroker) bindingProcessor.getSTAL();
+      }
+    }
+    return null;
   }
 
   private GetNextRequestResponseType getTestSessionNextRequestResponse(List<JAXBElement<? extends ResponseType>> responsesIn) {
@@ -359,6 +374,7 @@ public class STALServiceImpl implements STALPortType {
     return response;
   }
   
+  @SuppressWarnings("unused")
   private void addTestCardChannelRequest(List<JAXBElement<? extends RequestType>> requestList) {
     log.info("[TestSession] add CARDCHANNEL request");
     ScriptType scriptT = ccObjFactory.createScriptType();
@@ -368,6 +384,7 @@ public class STALServiceImpl implements STALPortType {
     requestList.add(ccObjFactory.createScript(scriptT));
   }
 
+  @SuppressWarnings("unused")
   private void addTestInfoboxReadRequest(String infoboxIdentifier, List<JAXBElement<? extends RequestType>> requestList) {
     log.info("[TestSession] add READ "+ infoboxIdentifier + " request");
     InfoboxReadRequestType ibrT = stalObjFactory.createInfoboxReadRequestType();
diff --git a/BKUOnline/src/main/java/at/gv/egiz/stal/service/impl/STALXJAXBContextFactory.java b/BKUOnline/src/main/java/at/gv/egiz/stal/service/impl/STALXJAXBContextFactory.java
index 9caf950f..300f01d0 100644
--- a/BKUOnline/src/main/java/at/gv/egiz/stal/service/impl/STALXJAXBContextFactory.java
+++ b/BKUOnline/src/main/java/at/gv/egiz/stal/service/impl/STALXJAXBContextFactory.java
@@ -23,8 +23,8 @@ import com.sun.xml.ws.developer.JAXBContextFactory;
 import java.util.ArrayList;
 import java.util.List;
 import javax.xml.bind.JAXBException;
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 /**
  *
@@ -32,8 +32,9 @@ import org.apache.commons.logging.LogFactory;
  */
 public class STALXJAXBContextFactory implements JAXBContextFactory {
 
-  private static final Log log = LogFactory.getLog(STALXJAXBContextFactory.class);
+  private final Logger log = LoggerFactory.getLogger(STALXJAXBContextFactory.class);
 
+  @SuppressWarnings("unchecked")
   @Override
   public JAXBRIContext createJAXBContext(SEIModel sei, List<Class> classesToBind, List<TypeReference> typeReferences) throws JAXBException {
     if (log.isTraceEnabled()) {
diff --git a/BKUOnline/src/main/java/at/gv/egiz/stal/service/impl/TestSignatureData.java b/BKUOnline/src/main/java/at/gv/egiz/stal/service/impl/TestSignatureData.java
index 2f58bb3d..45efc890 100644
--- a/BKUOnline/src/main/java/at/gv/egiz/stal/service/impl/TestSignatureData.java
+++ b/BKUOnline/src/main/java/at/gv/egiz/stal/service/impl/TestSignatureData.java
@@ -6,13 +6,11 @@ import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 public final class TestSignatureData {
   
-  protected final static Log log = LogFactory.getLog(TestSignatureData.class);
-  
   public static final String[] ID = new String[] {"signed-data-reference-0-1214921968-27971781-24309", "signed-data-reference-1"};
   public static final String ENCODING = "UTF-8";
   
@@ -22,6 +20,7 @@ public final class TestSignatureData {
       HASHDATA_INPUT.put(ID[0], "Ich bin ein einfacher Text. lläöü߀".getBytes(ENCODING));
       HASHDATA_INPUT.put(ID[1], "2te referenz".getBytes(ENCODING));
     } catch (UnsupportedEncodingException ex) {
+      Logger log = LoggerFactory.getLogger(TestSignatureData.class);
       log.error("failed to init signature test data", ex);
     }
   }