diff --git a/src/main/java/it/inaf/oats/vospace/BaseNodeController.java b/src/main/java/it/inaf/oats/vospace/BaseNodeController.java
index 1b317c3cb7780a069e299b6def4c105fe8db1b7f..81e2a8b6c5eb1021e55cdcd9b76176c57b54be2b 100644
--- a/src/main/java/it/inaf/oats/vospace/BaseNodeController.java
+++ b/src/main/java/it/inaf/oats/vospace/BaseNodeController.java
@@ -10,8 +10,10 @@ import it.inaf.oats.vospace.exception.InvalidArgumentException;
 import it.inaf.oats.vospace.exception.InvalidURIException;
 import javax.servlet.http.HttpServletRequest;
 import net.ivoa.xml.vospace.v2.LinkNode;
+import net.ivoa.xml.vospace.v2.Node;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
+import static org.springframework.web.servlet.function.RequestPredicates.path;
 
 public abstract class BaseNodeController {
 
@@ -19,8 +21,8 @@ public abstract class BaseNodeController {
     private HttpServletRequest servletRequest;
     
     @Value("${vospace-authority}")
-    protected String authority;     
-    
+    protected String authority;
+        
     protected String getPath() {       
         String requestURL = servletRequest.getRequestURL().toString();
         try {
@@ -34,6 +36,18 @@ public abstract class BaseNodeController {
         return NodeUtils.getParentPath(path);
     }
     
+    protected void validateAndCheckPayloadURIConsistence(Node node) {
+        // Get Node path (and validates it too)
+        String decodedURIPathFromNode = URIUtils.returnVosPathFromNodeURI(node.getUri(), this.authority);
+
+        // Check if payload URI is consistent with http request
+        String requestPath = this.getPath();
+        if (!decodedURIPathFromNode.equals(this.getPath())) {
+            throw new InvalidURIException(decodedURIPathFromNode, requestPath);
+        }
+        
+    }
+    
     protected void validateInternalLinkNode(LinkNode linkNode) {
         String target = linkNode.getTarget();
         // I validate it here to add context easily
diff --git a/src/main/java/it/inaf/oats/vospace/CreateNodeController.java b/src/main/java/it/inaf/oats/vospace/CreateNodeController.java
index e115d1565ffc6d5f9a60a7d75e530ec006bf9125..4cd2860cf793f73eb7c04a0e4243e3db7f835573 100644
--- a/src/main/java/it/inaf/oats/vospace/CreateNodeController.java
+++ b/src/main/java/it/inaf/oats/vospace/CreateNodeController.java
@@ -33,16 +33,7 @@ public class CreateNodeController extends BaseNodeController {
         String path = getPath();
 
         LOG.debug("createNodeController called for node with URI {} and PATH {}", node.getUri(), path);
-
-        // Get Node path (and validates it too)
-        String decodedURIPathFromNode = URIUtils.returnVosPathFromNodeURI(node.getUri(), this.authority);
-
-        LOG.debug("createNodeController URI: {} decoded as {}", node.getUri(), decodedURIPathFromNode);
-
-        // Check if payload URI is consistent with http request
-        if (!decodedURIPathFromNode.equals(path)) {
-            throw new InvalidURIException(decodedURIPathFromNode, path);
-        }
+        this.validateAndCheckPayloadURIConsistence(node);
 
         // validate format of input node
         this.validateInputNode(node);
diff --git a/src/main/java/it/inaf/oats/vospace/SetNodeController.java b/src/main/java/it/inaf/oats/vospace/SetNodeController.java
index 88621d4b571522272e1a06bdf0a0862b6183209b..36b2957ac46731f014a23a5335068b7422a059ed 100644
--- a/src/main/java/it/inaf/oats/vospace/SetNodeController.java
+++ b/src/main/java/it/inaf/oats/vospace/SetNodeController.java
@@ -42,6 +42,9 @@ public class SetNodeController extends BaseNodeController {
 
         String path = getPath();
         LOG.debug("setNode called for path {}", path);
+        
+        // Validate and check payload node URI consistence with request 
+        this.validateAndCheckPayloadURIConsistence(node);
 
         //The service SHALL throw a HTTP 404 status code including a NodeNotFound 
         //fault in the entity-body if the target Node does not exist
diff --git a/src/test/java/it/inaf/oats/vospace/SetNodeControllerTest.java b/src/test/java/it/inaf/oats/vospace/SetNodeControllerTest.java
index 00221be4b66a3c3fd0432f2e753b94b51211fd8f..c3cce783faaae04da850644848235b3438cd7bf4 100644
--- a/src/test/java/it/inaf/oats/vospace/SetNodeControllerTest.java
+++ b/src/test/java/it/inaf/oats/vospace/SetNodeControllerTest.java
@@ -129,7 +129,30 @@ public class SetNodeControllerTest {
                 .andDo(print())
                 .andExpect(status().isForbidden());
     }
+    
+    /* Test case:
+       request and payload URIs don't match
+       Forbidden.
+     */
+    @Test
+    public void testRequestPayloadURIMismatch() throws Exception {
 
+        String requestBody = getResourceFileContent("modify-data-node-1_type.xml");
+
+        // Create node
+        when(nodeDao.listNode(eq("/")))
+                .thenReturn(Optional.of(getContainerParentNode("/")));
+        when(nodeDao.listNode(eq("/mydata1"))).thenReturn(Optional.of(getWritableDataNode("/mydata1")));
+
+        mockMvc.perform(post("/nodes/mydataPippo1")
+                .header("Authorization", "Bearer user2_token")
+                .content(requestBody)
+                .contentType(MediaType.APPLICATION_XML)
+                .accept(MediaType.APPLICATION_XML))
+                .andDo(print())
+                .andExpect(status().isBadRequest());
+    }
+    
     /* Test case:
        try to add accepted views to a node without views. 
        Forbidden