JP4837060B2 - Authentication apparatus and program - Google Patents

Description

  The present invention relates to an authentication device and a program, and more particularly to an authentication device that performs an authentication process in response to an authentication request from a terminal device, and an authentication program that causes a computer to function as the authentication device.

  Single sign-on is a system (or technology) that allows all authorized functions to be used once a user is authenticated, and includes a part that performs authentication processing common to single sign-on systems. As a result, software that facilitates the construction of a single sign-on system (hereinafter referred to as “authentication software”) is also sold (for example, IceWall manufactured by Hewlett-Packard Japan).

  In relation to the above, Patent Document 1 uses an identification information management database in a configuration in which a plurality of Web application servers that provide different services and manage users of a provided service using a user information database are provided. By providing an authentication server that uniquely identifies users among a plurality of Web application servers and relays the authentication processing of the users of each Web application server, the user authentication for the plurality of application servers is performed collectively. A technique for providing single sign-on to a user is disclosed.

  Further, in Patent Document 2, the terminal performs authentication using the user's biometric information, transmits the biometric information to the authentication management apparatus, makes an authentication request, and the authentication management apparatus includes the biometric information and the biometric information stored in advance. Authenticate based on the authentication result, request the business device receiving communication access from the terminal to return the access permission information used for permission of the communication access based on the authentication result, and received from the business device in response to the reply request A technique is disclosed in which access permission information is transferred to a terminal, and the terminal transmits the access permission information received from the authentication management apparatus to the business apparatus and transmits an access permission request to the business apparatus.

JP 2005-346570 A JP 2008-9864 A

  By the way, on websites that can provide various services to users with single sign-on, multiple types of login screens are provided, and can be provided to users according to which login screen the user is authenticated through There is a need to switch services. Specifically, in Internet banking, for example, a login screen for a normal terminal such as a PC (Personal Computer) and a login screen for a mobile terminal (for mobile) are provided. Because it is limited, for users who have been authenticated through the login screen for mobile terminals, a service for mobile terminals that is different from users who have been authenticated through the normal login screen is provided. And the like.

  However, when trying to construct a single sign-on system using the above-mentioned authentication software, there is a problem that the management work becomes very complicated due to restrictions of the authentication software. In other words, in order to switch the services that can be provided to the user according to the type of the login screen that has been authenticated as described above, in addition to the authentication information entered by the user via the login screen, It is necessary for the authentication software to perform processing such as notifying the authentication software of the identification information indicating whether authentication is requested through the login screen and switching the service that can be provided in accordance with the content of the identification information. However, in existing authentication software that runs on the authentication server, information other than the authentication information that can be received from the terminal is information (for example, the name of the instance) that specifies the instance (also called process) of the authentication software to be started on the authentication server. Etc.).

  For this reason, when constructing a system using the authentication software as described above, an instance corresponding to each login screen is provided as an instance of the authentication software that runs on the authentication server (an instance that performs authentication processing). When the user inputs authentication information via the login screen, information specifying the instance corresponding to the login screen is transmitted from the terminal to the authentication server together with the authentication information, so that the user inputs the authentication information. An instance corresponding to the screen is activated, and it is necessary to configure the activated instance to perform processing such as authentication processing and setting of a service that can be provided. However, in this case, as many instances as the number of types of login screens run on the authentication server as instances for performing the authentication process, so management work such as setting various parameters related to the operation of each instance becomes very complicated. The problem arises.

  On the other hand, Patent Documents 1 and 2 described above do not disclose a technique for solving the above problem by reducing the number of instances for performing the authentication process when the above-described restrictions are provided in the authentication software. .

  The present invention has been made in consideration of the above facts, and provides an authentication apparatus and an authentication program capable of simplifying management work even when there is a restriction on information that can be received by an authentication means when performing authentication processing. Is the purpose.

  In order to achieve the above object, an authentication apparatus according to claim 1 is provided with a plurality of service providing means for providing different services, user identification information and a password with service identification information added to any one of them. When received, after separating the user identification information from the received user identification information and the information to which the service identification information is added, the combination of the user identification information and the password is stored in the authentication information storage means. It is determined whether or not a combination of the user identification information and the password is registered in the authentication information storage means, and the key information is generated and notified, and the generated key information is at least the service Performs an authentication process to be stored in the authentication management information storage means in association with the identification information, and the key information and access destination information When received, it is determined whether or not the received key information is stored in the authentication management information storage means, and when the received key information is stored in the authentication management information storage means, the received The service identification information stored in the authentication management information storage means in association with the key information is read, and the access destination information of each service providing means is identified as the service identification for which the service provision by the individual service providing means is permitted. It is determined whether or not the read service identification information is stored in association with the received access destination information in the access destination information storage means that stores the information in association with the information, and is associated with the received access destination information. Authentication means for performing an authorization process for notifying access permission when the read service identification information is stored. Based on information stored in a service identification information storage unit that stores each of a plurality of types of screen identification information in association with service identification information when the user identification information, the password, and the screen identification information are received. The received screen identification information is converted into the corresponding service identification information, the service identification information is added to the received user identification information or the password, and the service identification information is added to either one of the usages. Conversion means for transferring the user identification information and the password to the authentication means, and a plurality of types of logins to which different screen identification information from among the plurality of types of screen identification information registered in the service identification information table is given in advance Among the screens, the user identification information and the password entered by the user via any login screen and the previous password When the authentication request including the screen identification information of any login screen is received from the terminal device, the received user identification information, the password and the screen identification information are transmitted to the conversion means, and then the key When the information is notified, an authentication request response means for transmitting the notified key information to the terminal device that is the transmission source of the user identification information, the password and the screen identification information, and the key information is received by the user Each time an access request including key information is received from the terminal device, the received key information and access are requested by performing an operation for requesting access to an arbitrary service providing means via the terminal device. The access destination information of the service providing means is transmitted to the authentication means, and then the access permission information is notified when the access permission is notified from the authentication means. An access request response means for transferring a scan request access to the requested service providing means is configured to include a.

  In the first aspect of the present invention, a plurality of service providing means for providing different services are provided. The service provided by each service providing unit may be a service that performs different processing according to an instruction from the user, for example, or a service that distributes information on different sites according to an instruction from the user. May be.

  Further, in the invention according to claim 1, the authentication request response means is preliminarily provided with different screen identification information (any one of a plurality of types of screen identification information registered in a service identification information table described later). Received when an authentication request including user identification information and password entered by a user via an arbitrary login screen among multiple types of login screens and screen identification information of an arbitrary login screen is received from a terminal device. When the user identification information, password, and screen identification information are received, the conversion means receives each of the plurality of types of screen identification information as service identification information. The received screen identification information is converted into corresponding service identification information based on the information stored in the service identification information storage means stored in association with And, added to the service receiving the identification information user identification information or password, transfers either one to the service identification information added by the user identification information and the authentication unit password.

  Further, when the authentication means receives the user identification information and the password to which the service identification information is added to either one, the authentication means uses the information from the received user identification information and the password to which the service identification information is added. After separating the user identification information, it is determined whether the combination of the user identification information and the password is registered in the authentication information storage means, and the combination of the user identification information and the password is registered in the authentication information storage means Performs authentication processing for generating and notifying the key information and storing the generated key information in the authentication management information storage unit in association with at least the service identification information. The authentication request response unit includes user identification information, a password, and When the key information is notified after the screen identification information is transmitted to the conversion means, the notified key information is used as the user identification information and the password. And it transmits to the transmission source terminal device word and screen identification information. The notification of the key information from the authentication unit to the authentication request response unit can be performed, for example, via the conversion unit, but the key information is directly notified from the authentication unit to the authentication request response unit. It is also possible to configure as described above.

  As a result, when the user operating the terminal device enters the legitimate user identification information and password via an arbitrary login screen among a plurality of types of login screens, the entered user identification Since the combination of the information and the password is registered in the authentication information storage means, the key information is generated and transmitted to the terminal device, and the generated key information includes at least the user identification information and the password. Is stored in the authentication management information storage means in association with the service identification information corresponding to the screen identification information given to the login screen.

  In the invention according to claim 1, the access request response means performs an operation for requesting access to an arbitrary service providing means via the terminal device that has received the key information by the user. Whenever the access request including the key information is received, the received key information and the access destination information of the service providing means for which access is requested are transmitted to the authentication means, and the authentication means receives the key information and the access destination information. And determining whether the received key information is stored in the authentication management information storage means. If the received key information is stored in the authentication management information storage means, the authentication management is associated with the received key information. The service identification information stored in the information storage means is read out, and the access destination information of each service providing means is read by each service providing means. It is determined whether the read service identification information is stored in association with the received access destination information in the access destination information storage means that stores each of the service identification information that is permitted to provide the service. When the service identification information read in association with the access destination information is stored, an authorization process for notifying access permission is performed. The access request response means transmits the key request and the access destination information to the authentication means, and then transfers the access request to the service providing means requested to access when the access permission is notified from the authentication means.

  As a result, the user who operates the terminal device for which the key information is received by inputting the legitimate user identification information and password through an arbitrary login screen requests access to the arbitrary service providing means. If the user requesting access has already been authenticated based on whether or not the key information included in the access request transmitted from the terminal is stored in the authentication management information storage means And the service identification information stored in the authentication management information storage means in association with the key information is associated with the access destination information of the service providing means requested to be accessed. Based on whether or not it is stored in the storage means, the service provided by the service providing means that is requested to access is available via the login screen. Whether a service providing is allowed for identification information and the user input password is judged. Then, the user requesting access is an already authenticated user, and the service provided by the service providing means requested to access receives the user identification information and password via the login screen. If the service is permitted to be provided to the entered user, the access request is transferred to the service providing means requested to access, so that the user can access the service providing means and It becomes possible to receive provision.

  As described above, according to the first aspect of the invention, when the authentication process is performed by the authentication unit, the user identification information, the password, and the screen identification information are transmitted from the terminal device. The screen identification information is once received by the authentication request response means and then transferred to the conversion means. The screen identification information is converted into service identification information by the conversion means, and the service identification information is added to the user identification information or password. Since the information that can be received by the authentication means is limited (for example, when information other than the user identification information and the password cannot be received) because the information is transferred to the authentication means later, By separating the user identification information from the information to which the service identification information is added, user identification information and pass In addition to receiving service identification information, service authentication information can be received, and the authentication means performs processing for determining whether or not a combination of user identification information and password is registered in the authentication information storage means. By performing processing according to the identification information (processing to store the generated key information in the authentication management information storage means in association with at least the service identification information), according to the login screen where the user identification information and the password are input Available services can be switched.

  This makes it possible to switch the services that can be provided according to the login screen where the user identification information and password are entered, without providing as many instances (processes) as the number of types of login screens that function as authentication means. Accordingly, it is possible to reduce the number of instances functioning as authentication means, and accordingly, management work such as setting various parameters relating to the operation of the instance is also reduced. Further, the access destination information storage means need not be divided for each instance. Therefore, according to the first aspect of the present invention, management work can be simplified even when there is a restriction on information that can be received from the terminal device by the authentication means that performs the authentication process.

  According to the first aspect of the present invention, since the screen identification information is converted into service identification information by the conversion means, the service identification information can be concealed from the user, and an operation for requesting access to an arbitrary service providing means is performed. Since the authorization process is performed by the authentication means every time it is performed by the user, the effect of improving the security can be obtained as compared with the techniques described in Patent Documents 1 and 2.

  In the first aspect of the present invention, the authentication means associates the generated key information with the user identification information and the password in addition to the service identification information, as described in the second aspect, for example. You may comprise so that it may memorize | store in a memory | storage means.

  In the invention described in claim 1 or claim 2, for example, as described in claim 3, the authentication unit stores the received key information in the authentication management information storage unit in the authorization process. If not, and if the service identification information read out from the authentication information storage means is not stored in association with the received access destination information, an access disapproval notification is sent, and the access request response means When the access is denied from the means, an error response can be transmitted to the terminal device that is the access request transmission source.

  In the invention according to any one of claims 1 to 3, for example, as described in claim 4, the authentication request response means and the access request response means operate on the first computer, and the authentication means It can operate as a single instance on two computers, and a plurality of service providing means and converting means can be configured to operate on a third computer.

  The authentication program according to the invention of claim 5 is a plurality of service providing means for providing different services to a computer capable of communicating with a terminal device, user identification information and password with service identification information added to any one of them When the user identification information and the password are separated from the information to which the service identification information is added among the received user identification information and password, the combination of the user identification information and the password is an authentication information storage means. If the combination of the user identification information and the password is registered in the authentication information storage means, the key information is generated and notified, and the generated key information is at least the An authentication process for storing the authentication management information storage means in association with the service identification information is performed, and key information and When the access destination information is received, it is determined whether or not the received key information is stored in the authentication management information storage unit, and when the received key information is stored in the authentication management information storage unit The service identification information stored in the authentication management information storage unit is read in association with the received key information, and the access destination information of each service providing unit is permitted to provide the service by the individual service providing unit. It is determined whether or not the read service identification information is stored in association with the received access destination information in the access destination information storage means for storing each associated with the received service identification information, and the received access destination Authorization processing for notifying access permission when the read service identification information is stored in association with information When the authentication means to be performed, the user identification information, the password, and the screen identification information are received, each of the plurality of types of screen identification information is stored in association with the service identification information and stored. The received screen identification information is converted into the corresponding service identification information based on the received information, the service identification information is added to the received user identification information or the password, and the service identification information is added to one of them. Conversion means for transferring the added user identification information and password to the authentication means, and a plurality of screen identification information different from each other among a plurality of types of screen identification information registered in the service identification information table Among the various login screens, the user identification information and the password input by the user via an arbitrary login screen are displayed. When the authentication request including the password and the screen identification information of the arbitrary login screen is received from the terminal device, the received user identification information, the password and the screen identification information are transmitted to the conversion unit, and then When the key information is notified, authentication request response means for transmitting the notified key information to the terminal device that is the transmission source of the user identification information, the password and the screen identification information, and the key by the user Every time an access request including key information is received from the terminal device, an operation for requesting access to an arbitrary service providing unit is performed via the terminal device that has received the information. The access destination information of the requested service providing means is transmitted to the authentication means, and then the access permission is notified from the authentication means. In case, to function as an access request response means for transferring the access request to access the requested service providing means.

  The authentication program according to the invention of claim 5 is a program for causing the computer to function as the plurality of service providing means, authentication means, conversion means, authentication request response means, and access request response means. When the computer executes the authentication program according to the invention described in claim 5, the computer functions as the authentication device described in claim 1, and authentication that performs authentication processing as in the invention described in claim 1 Even when there is a restriction on information that the means can receive from the terminal device, the management work can be simplified.

  As described above, the present invention provides screen identification information when an authentication request including the user identification information and password input by the user via the login screen and the screen identification information of the login screen is received from the terminal device. Is converted into service identification information, the service identification information is added to the user identification information or password and transferred to the authentication means, and the authentication means adds the service identification information among the user identification information and password. Is separated from the user identification information, and it is determined whether or not the combination of the user identification information and the password is registered in the authentication information storage means. If registered, the key information is generated and notified to the terminal device The generated key information is stored in the authentication management information storage means in association with at least the service identification information, and includes the key information from the terminal device. Each time an access request is received, it is determined whether or not the key information is stored in the authentication management information storage means. If it is stored, the service identification information is read in association with the key information, and each service providing means Whether or not the read service identification information is stored in association with the received access destination information in the access destination information storage means for storing the access destination information in association with the service identification information permitted to provide the service. Since the access request is transferred to the corresponding service providing means when it is stored, the management operation can be simplified even when there is a restriction on the information that can be received from the terminal device by the authentication means that performs the authentication process. It has an excellent effect that can be realized.

It is a block diagram which shows schematic structure of the computer system which concerns on this embodiment. It is a sequence diagram which shows the sequence of access to a specific site. It is the schematic for demonstrating the difference when authentication information is input via the login screen of a different application.

  Hereinafter, an example of an embodiment of the present invention will be described in detail with reference to the drawings. FIG. 1 shows a computer system 10 according to the present embodiment. The computer system 10 includes a website management system 12 connected to a computer network (Internet) 24 in which a large number of web servers are connected to each other via a communication line. A large number of client terminals 26 including PCs (Personal Computers), PDAs (Personal Digital Assistance) having a function of accessing the Internet 24, and mobile terminals such as mobile phones are connected.

 The website management system 12 is a system that operates and manages a specific website, and provides a plurality of types of services by single sign-on to users who access the specific website via the client terminal 26. A server 14, an authentication server 16, an application server 18, and a DB (database) server 20 are connected to each other via an intranet (LAN) 22.

  The application server 18 includes a CPU 18A, a memory 18B including a ROM and a RAM, a nonvolatile storage unit 18C including a hard disk drive (HDD), and a network interface (I / F) unit 18D. The storage unit 18C is installed with a plurality of application programs that provide different services to the user and an ID conversion program for performing an ID conversion process (to be described later) by the CPU 18A. A service ID table (described later) is also provided. It is remembered. In this embodiment, different URLs (Uniform Resource Locators) are assigned to individual applications whose programs are installed in the storage unit 18C of the application server 18, and the user wants to receive a desired service. Access the URL of the application that provides the service. The storage unit 18C for storing the service ID table corresponds to the service identification information storage unit according to the present invention.

  Note that the application server 18 corresponds to the third computer described in claim 4, and a plurality of application programs installed in the storage unit 18 </ b> C are the application server 18 among the authentication programs according to the present invention. The ID conversion program installed in the storage unit 18C is a program for causing a server to function as a plurality of service providing means according to the present invention. The ID conversion program installed in the storage unit 18C includes the application server 18 among the authentication programs according to the present invention. Each corresponds to a program for functioning as a means. In the present embodiment, an arbitrary service can be applied as a service provided by each application. However, as an example, a specific website operated and managed by the website operating system 12 is an online service from a user. A mode for providing an online financial transaction website that accepts an instruction to execute a financial transaction, in which each application provides a service for performing different financial transactions (for example, balance inquiry and transfer) according to an instruction from a user will be described.

  Further, the forwarder server 14 includes a CPU 14A, a memory 14B, a nonvolatile storage unit 14C, and a network I / F unit 14D. The storage unit 14C has an authentication for the CPU 14A to perform an authentication request processing described later. A request-time program and an access-request-time program for performing access request-time processing are installed. The network I / F unit 14D of the forwarder server 14 is directly connected to the Internet 24, and information transmitted from the client terminal 26 to the online financial transaction website via the Internet 24 is received by the forwarder server 14. The

  The forwarder server 14 corresponds to the first computer according to claim 4, and the authentication request time program installed in the storage unit 14 </ b> C includes the forwarder server 14 in the authentication program according to the present invention. The access request program installed in the storage unit 14C as a program for functioning as an authentication request response means includes the forwarder server 14 among the authentication programs according to the present invention as the access request response means according to the present invention. Each program corresponds to a function.

The authentication server 16 includes a CPU 16A, a memory 16B, a nonvolatile storage unit 16C, and a network I / F unit 16D. The storage unit 16C includes an authentication / authorization process for the CPU 16A to perform authentication / authorization processing to be described later. An authorization program is installed, and an authentication management table and an ACL file (both described later) are also stored. The storage unit 16C that stores the authentication management table and the ACL file corresponds to the authentication management information storage unit and the access destination information storage unit according to the present invention.
The authentication / authorization program is executed by the CPU 16A as a single instance on the authentication server 16. The authentication server 16 corresponds to the second computer according to claim 4, and the authentication / authorization program installed in the storage unit 16 </ b> C includes the authentication server 16 as an authentication unit among the authentication programs according to the present invention. It corresponds to the program to make it function as.

  Furthermore, the DB server 20 also includes a CPU, a memory, a storage unit 20C, and a network I / F unit (not shown except for the storage unit 20C), and an authentication information DB is stored in the storage unit 20C. The online financial transaction website according to the present embodiment is a website that provides a predetermined service to an authorized user who has applied in advance to use the online financial transaction website. A user ID (this user ID corresponds to the user identification information according to the present invention) is given to each user who has applied for the use of the site in advance. In the authentication information DB stored in the storage unit 20C, user IDs assigned to individual users are registered in advance as authentication information together with passwords set by the individual users. The storage unit 20C that stores the authentication information DB corresponds to the authentication information storage unit according to the present invention.

  In the present embodiment, each program corresponding to the authentication program according to the present invention (a plurality of application programs and ID conversion programs installed in the storage unit 18C of the application server 18, and a storage unit 14C of the forwarder server 14). Authentication request program, access request program, and authentication / authorization program installed in storage unit 16C of authentication server 16), authentication request program, access request program, and authentication / authorization The program is constructed using existing authentication software (software in which an authentication process common to a single sign-on system is packaged, for example, IceWall manufactured by Hewlett-Packard Japan). Further, the ID conversion program can be configured by, for example, a Java (registered trademark) agent.

  Next, the operation of this embodiment will be described. If it is desired to use the online financial transaction website operated by the website management system 12 to instruct the execution of a specific financial transaction online, the user first uses the online financial transaction via the client terminal 26. An operation for instructing access to the homepage (top page) of the transaction website is performed (see also step 30 in FIG. 2). In the present embodiment, the homepage (top page) of the online financial transaction website is provided with input fields for user ID and password, and a message requesting input of information in each input field is displayed. Login screen. In this embodiment, as a login screen of the online financial transaction website, a login screen when the access source client terminal 26 is a normal PC, a login screen when the access source client terminal 26 is a mobile terminal, or the like. A plurality of types of login screens are provided, and the user instructs access to the URL of the login screen corresponding to the type of the client terminal 26 operated by the user, for example.

  When the above operation is performed by the user, an access request message is transmitted from the client terminal 26, and this message is received by the forwarder server 14 via the Internet 24. When the forwarder server 14 receives an access request message and recognizes that the screen requested to be distributed by the message is a login screen based on the accessed URL, the received message is sent to the application server 18. Forward. Further, when the application server 18 recognizes that the distribution target screen in the message of the access request transferred from the forwarder server 14 is one of a plurality of types of login screens, the application server 18 displays the login screen for which distribution is requested. Information is generated and transmitted (distributed) to the client terminal 26 that is the transmission source of the access request message (see also step 32 in FIG. 2). As a result, the login screen information transmitted from the application server 18 is received by the client terminal 26 via the forwarder server 14 and the Internet 24, whereby the login screen is displayed on the display of the client terminal 26. (See also step 34 in FIG. 2).

  As an example, as shown in FIG. 3 (A) or (B), a plurality of types of login screens on the online financial transaction website are each provided with a user ID input field and a password input field, When an authorized user of an online financial transaction website in which authentication information (user ID and password) is stored in the authentication information DB, when the login screen is displayed on the display of the client terminal 26, each entry field of the login screen The user ID and password are input to and an operation for instructing login to the online financial transaction website is performed (see also step 36 in FIG. 2).

  In this embodiment, different screen IDs (screen IDs are expressed as “SID” in FIGS. 2 and 3) are set in advance for a plurality of types of login screens, and are generated by the application server 18. In the login screen information distributed by the user, when an operation for instructing login is performed by the user, the login with the user ID and password entered in addition to the user ID and password entered in the input field of the login screen. A program (script or the like) that performs processing for transmitting the screen ID of the screen is embedded. For this reason, when an operation for instructing login is performed by the user, the client terminal 26 displays the user input by the user as shown as “authentication request (UID, PW, SID)” in FIG. An authentication request message in which the screen ID of the login screen is added to the ID and password is transmitted. Further, the screen ID included in the message of this authentication request is SID = 001 in the authentication request shown in FIG. 3A, whereas SID = 002 in the authentication request shown in FIG. 3B. As is clear from the above, it differs depending on the type of login screen on which the user has entered the user ID and password.

  When the forwarder server 14 receives an authentication request message including a user ID, a password, and a screen ID from the client terminal 26, the authentication request time program stored in the storage unit 14C is executed by the CPU 14A. Processing is performed. In this authentication request processing, the user ID, password, and screen ID included in the authentication request received from the client terminal 26 are transferred to the application server 18 (see also step 38 in FIG. 2).

  When the application server 18 receives the user ID, password, and screen ID transferred from the forwarder server 14, the ID conversion program stored in the storage unit 18C is executed by the CPU 18A to perform ID conversion processing. . In this ID conversion processing, first, processing for converting the screen ID received from the forwarder server 14 into a corresponding service ID is performed using the service ID table stored in the storage unit 18C (step 40 in FIG. 2). See also). In the online financial transaction website according to the present embodiment, the type of service provided to the user and the conditions (for example, the type of financial transaction that can be instructed by the user and the limit amount, etc.), the user can use the authentication information ( Switching is made according to the type of login screen used to input the user ID and password, and the above service ID represents the type and condition of the service provided to the user. The service ID corresponds to the service identification information according to the present invention.

  In the service ID table, different screen IDs set for a plurality of types of login screens represent different types and conditions of services provided to users who have entered authentication information via the login screens of the individual screen IDs. The service ID corresponding to the received screen ID is registered in association with the ID, and the service ID table is searched using the received screen ID as a key and is registered in association with the screen ID extracted by the search. The service ID that has been set can be obtained by reading it from the service ID table. By the above processing, for example, the screen ID (SID) = 001 shown in FIG. 3A is converted to the service ID (SVID) = A, and the screen ID (SID) = 002 shown in FIG. ) = B is converted.

  In the ID conversion process, the service ID converted from the screen ID is added to the end of the user ID received from the forwarder server 14, and the user ID with the service ID added to the end is received from the forwarder server 14. A process of transmitting to the authentication server 16 together with the password is performed (see also step 42 in FIG. 2). By the above processing, for example, in the example shown in FIG. 3A, the user ID (UID) = user1 + A with the service ID (SVID) = A added to the end is authenticated together with the password (PW) = ****. In the example shown in FIG. 3B, the user ID (UID) = user1 + B with the service ID (SVID) = B added to the end is sent together with the password (PW) = ****. It is transmitted to the authentication server 16.

  As described above, in the present embodiment, because the authentication / authorization program is constructed using existing authentication software, the information that can be received by the authentication / authorization program operating on the authentication server 16 during the authentication process is the user ID. However, by adding the service ID to the end of the user ID and sending it to the authentication server 16 as described above, the authentication / authorization program receives the service ID in addition to the user ID and password. It becomes possible. In addition, the screen ID can be extracted from the information on the login screen and may be leaked to the user. By converting this screen ID into a service ID, the service ID is prevented from leaking to the user. Compared with the configuration in which the service ID is transmitted from the client terminal 26 when an operation to instruct login is performed by the user, the authentication is performed by leaking the service ID to a malicious third party. The possibility of unauthorized access to the server 16 can be reduced, and security can be improved.

  On the other hand, when the authentication server 16 receives the user ID (the user ID with the service ID added at the end) and the password from the application server 18, the authentication / authorization program stored in the storage unit 16C is executed by the CPU 16A. The authentication / authorization process is started. When a user ID and password (with a service ID added at the end) are received from the application server 18, the authentication / authorization process first extracts the service ID from the end of the user ID received from the application server 18, and the original By removing the service ID from the end of the user ID, the received user ID is separated into the user ID and the service ID (see also step 44 in FIG. 2). Next, the user ID after separating the service ID is transferred to the DB server 20, and information registered in the authentication information DB is requested in association with the transferred user ID (see also step 46 in FIG. 2).

  Upon receiving the above request from the authentication server 16, the DB server 20 searches the authentication information DB using the user ID received from the authentication server 16 as a key, and associates the authentication information DB with the user ID extracted by the search. Is transmitted to the authentication server 16 (see also step 48 in FIG. 2). The authentication server 16 determines whether the password received from the DB server 20 matches the password received from the application server 18, so that the combination of the user ID and password received from the application server 18 is the authentication information. It is determined whether or not it is registered in the DB, that is, whether or not the user requesting authentication is a regular user (see also step 50 in FIG. 2). When the combination of the user ID and password received from the application server 18 is not registered in the authentication information DB (when the determination in step 50 of FIG. 2 is denied), the application server 18 and the forwarder server 14 are Then, an error response is transmitted to the client terminal 26 that is the authentication request source. In this case, an operation such as re-input of the user ID and password is performed by the user.

  Further, when the combination of the user ID and password transferred to the DB server 20 is registered in the authentication information DB, the user requesting the authentication can be determined as a legitimate user (determination in step 50 in FIG. 2 is performed). Therefore, as a process for a regular user, a session ID is first generated using a random number or the like (see also step 52 in FIG. 2). This session ID corresponds to the key information according to the present invention. Next, the user ID, password, and service ID received from the application server 18 are associated with the previously generated session ID and registered as authentication management information in the authentication management table stored in the storage unit 16C (FIG. 2). (See also step 54). With this processing, for example, in the example shown in FIG. 3A, user ID (UID) = user1, password (PW) = ****, and service ID (SVID) = A correspond to session ID (Session) = xxxx. In the example shown in FIG. 3B, the user ID (UID) = user1, the password (PW) = ****, and the service ID (SVID) = B are the session ID (Session). = yyyy and registered in the authentication management table. The authentication management information registered in the authentication management table is referred to during the authorization process described later. Then, the previously generated session ID is notified to the application server 18 (see also step 56 in FIG. 2), and the authentication / authorization process is temporarily ended.

  When the session ID is notified from the authentication server 16, the application server 18 notifies the forwarder server 14 of the notified session ID (see also step 57 in FIG. 2). In the authentication request processing performed in the forwarder server 14, the user ID, password and screen ID included in the authentication request received from the client terminal 26 are transferred to the application server 18 (see also step 38 in FIG. 2). ) Until the session ID is notified from the application server 18, and when the session ID is notified from the application server 18, the notified session ID is notified to the client terminal 26 that is the authentication request source. (See also step 58 in FIG. 2), and ends the authentication request process.

  Upon receiving the session ID from the forwarder server 14, the client terminal 26 that has transmitted the authentication request displays a message notifying that the login to the online financial transaction website has been successful on the display, and the received session ID is displayed. , A predetermined file stored in the memory or HDD is set. Thereafter, when an access request to the online financial transaction website is transmitted in accordance with an instruction from the user, a session ID is added to the message of the access request to be transmitted.

  The user who recognizes that the login to the online financial transaction website has been successful by referring to a message displayed on the display of the client terminal 26, etc. Among them, a specific web page for instructing execution of a specific financial transaction that the user desires to execute (a specific financial out of a plurality of applications in which a program is installed in the storage unit 18A of the application server 18) An operation for instructing access to a web page of a URL assigned to a specific application providing a service for performing a transaction is performed (see also step 60 in FIG. 2). As a result, the client terminal 26 sends an access request message requesting access to a specific web page, with the above-mentioned session ID added, as indicated by “access request (Session)” in FIG. Is done.

  When the forwarder server 14 receives the access request message to which the session ID is added from the client terminal 26, the access request time program stored in the storage unit 14C is executed by the CPU 14A so that the access request time processing is performed. Is called. In this access request processing, the session ID added to the access request message received from the client terminal 26 is transferred to the authentication server 16 (see also step 62 in FIG. 2).

  On the other hand, when the authentication server 16 receives the session ID from the forwarder server 14, the authentication / authorization process is activated by the CPU 16A executing the authentication / authorization program stored in the storage unit 16C. When a session ID is received from the forwarder server 14, the authentication / authorization process first searches the authentication management table using the received session ID as a key (see also step 64 in FIG. 2). Next, in the authentication / authorization process, it is determined whether or not corresponding authentication management information (authentication management information including the received session ID) has been extracted by the above search (see also step 66 in FIG. 2). When the corresponding authentication management information is not extracted by the above search (when the determination in step 66 in FIG. 2 is negative), the access request message received by the forwarder server 14 is not authenticated. Since it can be determined that the message is an access request message from the client terminal 26 operated by the user, processing for transmitting an error response to the access request source client terminal 26 via the forwarder server 14 is performed.

  If the corresponding authentication management information is extracted by the above search (if the determination in step 66 in FIG. 2 is affirmative), the access request message received by the forwarder server 14 has already been authenticated. Since it can be determined that the message is an access request message from the client terminal 26 operated by the user, in the authentication / authorization processing, first, the service ID included in the corresponding authentication management information is read from the authentication management table (step 68 in FIG. 2). See also). In the authentication / authorization processing, the ACL file is searched using the service ID read from the authentication management table as a key, and all URLs registered in the ACL file in association with the service ID are read from the ACL file (FIG. (See also step 70 of 2).

  As shown in FIG. 3 as an example, in the ACL file, a plurality of URLs assigned to individual applications installed with the program in the storage unit 18C of the application server 18 are services provided by the individual applications (this book). In the embodiment, each service ID is registered in association with a service ID that is permitted to receive a service that executes a specific financial transaction. In the ACL file shown in FIG. 3, “http: // aaaa”, “http: // bbbb”, and “http: // cccc” are assigned as URLs for service ID (SVID) = A. It is permitted to receive three types of services provided by the three applications, and for service ID (SVID) = B, “http: // dddd” and “http: // eeee” are used as URLs, respectively. An example is shown in which two types of services provided by two assigned applications are permitted. Service IDs (SVID) = A and B are registered in an ACL file in association with a plurality of URLs. ing.

  In the authentication / authorization processing, subsequently, it is determined whether or not the URL read from the ACL file includes the URL to be accessed in the access request message received by the forwarder server 14 (step in FIG. 2). 72). When the URL to be accessed does not exist in the URL read from the ACL file (when the determination at step 72 in FIG. 2 is negative), the client terminal 26 that is the source of the current access request is operated. It can be determined that a user who has entered authentication information via the login screen used when logging in is not permitted to receive the service provided by the application to which the URL to be accessed this time is assigned. Therefore, a process of notifying the forwarder server 14 of access denial is performed.

  If the URL to be accessed exists in the URL read from the ACL file (if the determination in step 72 in FIG. 2 is affirmative), the client terminal 26 that is the source of the current access request is operated. A user who has entered authentication information via the login screen used when logging in is permitted to receive the service provided by the application assigned the URL to be accessed this time. Since the determination can be made, the access permission is notified to the forwarder server 14 (see also step 74 in FIG. 2), and the authentication / authorization processing is terminated.

  The above process will be described with a specific example. For example, for the ACL file shown in FIG. 3, the user who has registered the authentication management information shown in FIG. When an access request to an application to which “/ aaaa” is assigned is received, the corresponding authentication management information is specified using session ID (Session) = xxxx as a key, and the service ID (SVID) = A in the specified authentication management information is specified. Is associated with the URL to be accessed (http: // aaaa) and registered in the ACL file, the access relating to the received access request is permitted. For example, when an access request to an application to which “http: // dddd” is assigned as the URL is received from the same user, the service ID (SVID) = A is the URL to be accessed (http: // dddd) is not registered in the ACL file in association with it, and access related to the received access request is not permitted.

  Further, for example, for the ACL file shown in FIG. 3, from the user whose authentication management information shown in FIG. 3B is registered in the authentication management table, to the application assigned “http: // dddd” as the URL. When an access request is received, the corresponding authentication management information is specified using session ID (Session) = yyyy as a key, and service ID (SVID) = B in the specified authentication management information is the URL (http: // dddd) is registered in the ACL file in association with the access request, and access related to the received access request is permitted. For example, when an access request to an application to which “http: // cccc” is assigned as the URL is received from the same user, the service ID (SVID) = B is the URL to be accessed (http: // cccc) is not registered in the ACL file in association with it, and access related to the received access request is not permitted.

  Further, in the access request processing performed in the forwarder server 14, after transferring the session ID added to the access request received from the client terminal 26 to the authentication server 16 (see also step 62 in FIG. 2), The system waits until receiving some notification from the authentication server 16. When the access denial is notified from the authentication server 16, an error response is transmitted to the client terminal 26 that is the access request source (not shown). When the access permission is notified from, the access request received from the client terminal 26 is transferred to the access target application (application server 18) (see also step 76 in FIG. 2).

  As a result, the application server 18 that has received the access request from the forwarder server 14 activates the application to be accessed in the received access request, and the activated application performs processing in accordance with the access request (see FIG. 2 (see also step 78 in FIG. 2), the service desired by the user (a service that enables online execution of a specific financial transaction) is provided to the user.

  In the present embodiment, every time an access request is transmitted from the client terminal 26, the above-described authorization process based on the session ID added to the access request (the authentication management information including the session ID added to the access request is used for authentication management). Whether the service ID included in the authentication management information is registered in the ACL file in association with the URL to be accessed is checked by the authentication server 16. Therefore, after the authentication process using the user ID and password is confirmed to be an authorized user, the access request from the client terminal 26 is simply transferred to the application server 18 (no authorization process is performed). Compared with, security can be improved.

  In the above description, in the ID conversion process by the application server 18, the aspect in which the service ID is added to the end of the user ID has been described. However, the addition method for adding the service ID to the user ID is temporarily added to the user ID It is only necessary that the service ID can be separated. For example, an arbitrary addition method such as adding the service ID to the head of the user ID or alternately connecting the user ID and the service ID one by one is applicable. The service ID is not limited to being added to the user ID, and the service ID can be added to the password. In this case, the authentication server 16 may perform a process of separating the service ID from the password to which the service ID is added.

Further, in the above description, the mode in which the session ID is simply notified to the client terminal 26 when it is confirmed that the user is an authorized user by the authentication process using the user ID and password has been described. Instead, the ACL file is searched using the service ID in the authentication management information registered in the authentication management table as a key, and all URLs registered in the ACL file in association with the service ID are read from the ACL file and read. A menu screen pasted as a link to a service that can use a URL may be generated and transmitted to the client terminal 26 together with a session ID. In the above, a specific website operated and managed by the website operating system 12 Receives instructions for executing online financial transactions from users The online financial transaction website has been described in which each application provides a service for performing different financial transactions (for example, balance inquiry and transfer) according to instructions from the user. Needless to say, the service provided by the service providing means according to the present invention may be a service other than a financial transaction.

  In the above description, among the authentication programs according to the present invention, a plurality of application programs and an ID conversion program are installed in the application server 18, the authentication request program is in the forwarder server 14, and the authentication / authorization program is in the authentication server 16. However, the present invention is not limited to this, and a single computer can be used as the authentication apparatus according to the present invention. Can be made to function as an authentication apparatus according to the present invention.

  In the above description, among the authentication programs according to the present invention, a plurality of application programs and ID conversion programs are stored (installed) in the application server 18 in advance, and the authentication request program is stored in the forwarder server 14. The aspect in which the authentication / authorization program is stored (installed) in advance and the authentication / authorization program is stored (installed) in advance in the authentication server 16 has been described. It is also possible to provide it in the form recorded in

DESCRIPTION OF SYMBOLS 10 Computer system 12 Website management system 14 Forwarder server 16 Authentication server 18 Application server 20 DB server 26 Client terminal

Claims (5)

A plurality of service providing means for providing different services;
When receiving user identification information and password with service identification information added to either one, the user identification information is separated from the received user identification information and password with service identification information added Later, it is determined whether or not the combination of the user identification information and the password is registered in the authentication information storage means, and if the combination of the user identification information and the password is registered in the authentication information storage means, the key Generates and notifies information, performs authentication processing for storing the generated key information in association with at least the service identification information and storing it in the authentication management information storage means, and receives the key information and access destination information. It is determined whether or not the key information is stored in the authentication management information storage means, and the received key information is When stored in the authentication management information storage means, the service identification information stored in the authentication management information storage means is read in association with the received key information, and the access destination information of each service providing means In the access destination information storage means for storing each of the service identification information in association with the service identification information permitted to provide the service by the individual service providing means in association with the received access destination information. Authentication means for performing an authorization process of notifying access permission when the read service identification information is stored in association with the received access destination information;
Based on information stored in a service identification information storage unit that stores each of a plurality of types of screen identification information in association with service identification information when the user identification information, the password, and the screen identification information are received. The received screen identification information is converted into the corresponding service identification information, the service identification information is added to the received user identification information or the password, and the service identification information is added to either one of the usages. Conversion means for transferring the person identification information and the password to the authentication means;
Of the plurality of types of login screens pre-assigned with different screen identification information among the plurality of types of screen identification information registered in the service identification information table, the user input via any login screen When the authentication request including the user identification information and the password and the screen identification information of the arbitrary login screen is received from the terminal device, the received user identification information, the password and the screen identification information are converted into the conversion unit. Authentication request response means for transmitting the notified key information to the terminal device that is the transmission source of the user identification information, the password, and the screen identification information.
Received each time an access request including key information is received from the terminal device by performing an operation for requesting access to an arbitrary service providing means via the terminal device that has received the key information by the user. Service information for which access is requested when the access information is transmitted to the authentication means after the key information and the access destination information for which access is requested are transmitted to the authentication means. An access request response means for transferring to the means;
Authentication device including   2. The authentication apparatus according to claim 1, wherein the authentication unit stores the generated key information in an authentication management information storage unit in association with the user identification information and the password in addition to the service identification information. In the authorization process, the authentication unit includes the access destination information received by the service identification information read from the authentication information storage unit when the received key information is not stored in the authentication management information storage unit If it is not stored in association, notify access denied,
The authentication apparatus according to claim 1, wherein the access request response unit transmits an error response to the terminal device that is the access request transmission source when the access denial is notified from the authentication unit. The authentication request response means and the access request response means operate on the first computer,
The authenticator operates as a single instance on the second computer;
The authentication apparatus according to any one of claims 1 to 3, wherein the plurality of service providing means and the converting means operate on a third computer. A computer that can communicate with the terminal device
A plurality of service providing means for providing different services;
When receiving user identification information and password with service identification information added to either one, the user identification information is separated from the received user identification information and password with service identification information added Later, it is determined whether or not the combination of the user identification information and the password is registered in the authentication information storage means, and if the combination of the user identification information and the password is registered in the authentication information storage means, the key Generates and notifies information, performs authentication processing for storing the generated key information in association with at least the service identification information and storing it in the authentication management information storage means, and receives the key information and access destination information. It is determined whether or not the key information is stored in the authentication management information storage means, and the received key information is When stored in the authentication management information storage means, the service identification information stored in the authentication management information storage means is read in association with the received key information, and the access destination information of each service providing means In the access destination information storage means for storing each of the service identification information in association with the service identification information permitted to provide the service by the individual service providing means in association with the received access destination information. Authentication means for performing an authorization process for notifying access permission when the read service identification information is stored in association with the received access destination information;
Based on information stored in a service identification information storage unit that stores each of a plurality of types of screen identification information in association with service identification information when the user identification information, the password, and the screen identification information are received. The received screen identification information is converted into the corresponding service identification information, the service identification information is added to the received user identification information or the password, and the service identification information is added to either one of the usages. Conversion means for transferring person identification information and the password to the authentication means,
Of the plurality of types of login screens pre-assigned with different screen identification information among the plurality of types of screen identification information registered in the service identification information table, the user input via any login screen When the authentication request including the user identification information and the password and the screen identification information of the arbitrary login screen is received from the terminal device, the received user identification information, the password and the screen identification information are converted into the conversion unit. Authentication request response means for transmitting the notified key information to the terminal device that is the transmission source of the user identification information, the password, and the screen identification information when the key information is notified.
And every time an access request including key information is received from the terminal device by performing an operation to request access to any service providing means via the terminal device that has received the key information by the user, The received key information and the access destination information of the service providing means for which access is requested are transmitted to the authentication means, and when the access permission is notified from the authentication means, access to the access request is requested. An authentication program for functioning as an access request response means for transferring to a service providing means.

Images