JPH0779243A - Network connection device and network connection method - Google Patents

Abstract

PURPOSE:To reduce the burdens of the requests of log-in and log-out of a user in an environment where respectively independently managed networks are mutually connected. CONSTITUTION:When the log-in request or log-out request of the user is received from the client 10 of a first network 7, a network connection interface means 13 which receives the information of the request demands the authentication processing of the user or a log-out processing to both first user authentication means 13 and second user authentication means 3. When authentication is realized, the client 10 is informed of the address of the connection interface means 13 as the address of the respective nodes of a second network 1.

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a network connection device and a network connection method for connecting a plurality of networks.

[0002]

2. Description of the Related Art Personal computers (hereinafter abbreviated as PCs), which are originally for personal use, have long been introduced to companies and various schools due to their abundance of software assets. In a PC user environment, it is common practice to connect a large number of PCs via a network such as a LAN to share expensive resources such as a printer and a large-capacity storage device, thereby reducing the overall cost. It is supposed to be.

As a widely used network form,
There is a method of dividing the processing by connecting a computer having a function of providing services such as printing and file management to a computer having a function of requesting these services. This method is called a client / server model from the viewpoint of processing request and service provision.

On the other hand, a workstation (hereinafter, WS)
A high-performance computer called a high-performance computer and CAD / CAM (Computer Aided Design / Computer A
idedManufacturing) has been applied to a wide range of fields, but in this, technology that provides more complex and advanced services has emerged, which is a further development of the client / server model described above. As such a technique, for example, there is so-called RPC (remote procedure call) that calls a procedure or a subroutine on a remote computer via a network.

More recently, it has become possible to support a mixed environment in which the above-mentioned PC network or WS network is removed and WS is incorporated into the PC network as a server or PC is added to the WS network as a client. Technology is being developed. Examples of this type of invention include a local area network system disclosed in Japanese Patent Laid-Open No. 3-191634.

Generally, in order to operate the network environment smoothly, it is necessary to manage the network by applying some restrictions to the user's qualification.
Management is performed in units of one closed network. As an example of the need for management, for example, releasing the right to use the network to an unspecified user puts data in the network at risk such as malicious destruction. Therefore, a method of conserving resources and the like is generally taken by giving a right to use a network environment to a specific user. In this case, when the user uses the network environment, first, an operation for proving that the user is a legitimate user, that is, a so-called login operation is required.

At this time, a method of individually logging in to a plurality of servers arranged in the network as needed, and a single login operation allows all the servers arranged in the network (logged-in user There is a method that allows access to a server to which a usage right is given).

[0008]

By the way, as the above-mentioned network environment spreads, there is a demand for connecting independently managed network environments to each other and mutually utilizing the respective environments. come. When using a complex network environment in which network environments that are managed independently of each other are used in this way, the login operation must be performed for all networks to be used. This is a very troublesome operation for the user. Further, when the connected network environments are located at positions distant from each other and it is physically impossible for a single user to log in to all of those network environments, a means for enabling this is necessary.

In order to solve the above problems, the present invention provides a network connection device which can reduce the burden of login operation for a user who uses a complex network environment in which individually managed networks are connected to each other. The purpose is to

[0010]

In order to solve the above problems, according to the present invention, a first network having a first user authentication means and one or more nodes, a second user authentication means and one or more nodes. Provided is a network connection method for connecting one or more second networks having nodes by a network connection mediating means, which has the following features.

(1) A connection method in which the network connection mediating means requests login to both the first and second networks according to a login instruction from a user of the first network. According to this method, one of the nodes of the first network receives a login request from a user and notifies the network connection mediating means, and the network connection mediating means that has received the notification is the first user. The first authentication requesting step of requesting the authenticating means to perform an authentication process of the user who has made the request, and the notified network connection mediating means to the second user authenticating means of at least one second network. A second authentication request step for requesting user authentication processing, and the first user authentication means confirms the usage right of the first network of the user designated by the request in response to the request, and the usage right If the user has a request, the step of responding to the establishment of authentication and the second user authentication means, in response to the request, of the user designated by the request. Check the right to use the second network, if the user has the right to use, and a step of responding to establishment of authentication.

Further, when the network connection mediating means receives a response indicating that the authentication by the second user authenticating means is established, for each node of the second network, the identification information of the node and the network connection mediating means. And sending the request to the node that has notified the request as server information, and the node that has received the server information notification stores the server information in the server information storage means that is a storage area for holding the server information. Storing the server information; and, when the node receives an access request from the user to the second network, the network connection held in the server information storage means corresponding to the node to which the request is sent. Transferring the access request with the address of the intermediary means as a destination, It is desirable to have the al. In this way, all the clients of the first network can access the second network through the network intermediary means, and the clients are as if to use the server of the first network. , A server of the second network can be used.

(2) In response to the logout instruction from the user of the first network, the network connection mediating means sets the first
And a connection method that requests logout from both the second network.

According to this method, the node of the first network receives the logout request from the user and notifies the network connection mediating means, and the network connection mediating means which has received the notification sends the first user authentication means. To the second user authentication means of the at least one second network, the first logout requesting step of requesting the logout processing of the user who has made the request, and the network connection mediating means having received the notification. A second logout requesting step of requesting the performed user logout processing, and the first user authentication means execute the logout processing of the user designated by the request from the first network in response to the request. Step and second
The user authentication means executes the logout process from the second network of the user designated by the request in response to the request, and notifies the processing result to the node via the network connection mediating means. If the notified processing result indicates the success of the logout processing, the node having received the notification deletes the server information of the second network from the server information storage means.

The request for login and logout may be executed in response to an inquiry to the user and an instruction input in response to the inquiry.

Further, according to the present invention, there is provided a first network having a first user authentication means and one or more nodes, and one or more second networks having a second user authentication means and one or more nodes. There is provided a network connection device for connecting a device having the following features.

(1) A network connection mediating means for mediating connection between the first network and the second network, wherein the network connection mediating means is provided by a user by at least one of the nodes of the first network. Means for receiving the notification of the login request, and, upon receiving the notification, requests the first user authentication means for the authentication processing of the user who has made the request, and further, at least the second network of the second network. And a means for requesting the user authentication means for the user authentication processing.

In the authentication processing by the first user authentication means, it is confirmed whether the user specified by the request is permitted to use the first network in advance,
If it is allowed, it is a process of responding to the establishment of authentication,
The authentication process by the second user authentication means is a process of confirming whether the user designated by the request is permitted to use the second network in advance, and if the user is permitted, responds to the establishment of the authentication.

If the response from the second user authentication means indicates that the authentication has been established, the network connection mediating means sends the second request to the node of the first network that has accepted the login request from the user. It is desirable to further include means for notifying the address of the network connection device as the address of the node of the network. In this way, all the clients of the first network can access the second network through the network intermediary means, and the clients are as if to use the server of the first network. , Because the server of the second network can be used.

(2) It has a network connection mediating means for mediating connection between the first network and the second network, and the network connection mediating means is from a user by at least one of the nodes of the first network. Means for receiving a notification of the logout request, and, upon receiving the notification, requests the first user authentication means for the logout processing of the user who has made the request, and further, at least the second network of the second network. There is provided a network connection device comprising a user authentication means and a means for requesting logout processing of the user.

The logout process of the first user authentication means is a process of deleting the registration of the user designated by the request that the first network is in use, and the logout process of the second user authentication means. The process is a process of deleting the registration of the user designated by the request that the second network is in use.

(3) Further, the network connection mediating means for mediating the connection between the first network and the second network, and the usage right in which the presence or absence of the usage right of the second network is registered in advance for each user. There is provided a network connection device having an access management information storage unit having a storage area. In this device, the network connection mediating means refers to the means for receiving the notification of the login request from the user by at least one of the nodes of the first network and the usage right storage area when receiving the notification of the login request. , Check whether the usage right of the user who has made the login request is registered,
If registered, the second user authentication means is requested to authenticate the user, and if not registered, means for notifying the node requesting the login request of the login request rejection. By doing so, the existence of the usage right can be confirmed in advance before accessing the second network, and unnecessary access by a user without the usage right can be avoided.

The access management information storage means further includes a use state storage area for holding information on whether or not the second network is being used for each user, and the network connection mediating means is the second user. If the response of the authentication process notified from the authentication means indicates that the authentication is successful,
A means for storing information indicating that the second network is in use in the use state storage area corresponding to the user who has issued the login request, and at least one of the nodes of the first network, Means for receiving a notification of a logout request from a user, and information indicating that the second network is being used in the usage state storage area corresponding to the user who made the request when the notification of the logout request is received. If is held, the second user authentication means is requested to log out the user, and if not held, means for notifying the node that has notified the request of refusal of the logout request; If the response indicates the success of the logout process, the user who issued the logout request of the above-mentioned usage status storage area. In areas corresponding to The, and means for storing information indicating that it is not in use the second network, it is desirable that further comprising. By doing so, it is possible to avoid a wasteful logout request due to an erroneous logout request of a user who is not logged in.

Furthermore, in this apparatus, the network connection mediating means receives the notification of the access request from the user to the second network by at least one of the nodes of the first network, and the access request notification. Accepting, if the information indicating that the second network is in use is held in the usage status storage area corresponding to the user who made the request, the request is transferred to the second network, If it is not held, it is desirable to further comprise means for notifying the node that has notified the request of refusal of the access request. By doing so, it is possible to avoid wasteful access due to an incorrect access request by a user who is not logged in.

[0025]

When the user is authenticated by the second user authentication means, the network connection mediating means provided in the network connection device performs an authentication request procedure for the first authentication means. Therefore, the user only needs to perform one login operation to be authenticated by the second authenticating means, and if the network mediating means performs the login operation to the first authenticating means and is authenticated, the first authentication operation is performed. You can get access to the network. As a result, in a complex network environment in which networks that are independently managed are connected to each other,
The user who wants to use the network environment does not need to perform the login operation multiple times, and the burden is reduced.

The access management information storage means provided in the network connection device of the present invention has information as to whether or not the user of the second network is given an access right to the first network. The network connection control means refers to the information indicating the presence or absence of the usage right held in the usage right storage area of the access management information storage means, and performs an authentication request procedure from the second network to the first network. Control. As a result, in a complex network environment in which individually managed networks are connected to each other, a user who wants to use the network environment does not need to perform the login operation multiple times, and the burden is reduced, and the mutual connection is established. The management of giving the right to use the specified plurality of networks to a specific user can be performed independently on the network connection device instead of managing it for each network, which facilitates network management.

[0027]

Embodiments of the present invention will be described below with reference to the drawings. (Example 1) A. Configuration of Network System FIG. 1 shows a configuration example of the network system of the present embodiment. The network system of this embodiment uses the network connection device 13 of the present invention to connect two network environments 1 and 7 that are managed independently of each other. In this embodiment, for convenience of description, one of the two networks (network 1) is a network configured by WS (hereinafter referred to as WS network), and the other (network 7) is a network configured by PC (hereinafter, referred to as WS network). However, the present invention is not limited to this combination and may be a system to which only one of the networks is connected. It can also be applied to a system in which three or more networks are connected. In this case, the network connection device 13 is provided at a place for connecting the networks.

(1) Configuration of WS Network 1 The WS network 1 includes nodes (management server 3, server 4, clients 5, 6) and a communication line 2 connecting the nodes 3 to 6. The communication line 2 connects components 3 to 6 and 13 described later in the WS network 1 and serves as a medium for various data transfers.

The clients 5 and 6 provide the user of the WS network 1 with a command interface and an application program, and in response to a request issued by the user through the command interface and the application program, the management server 3, the server 4,
Alternatively, it communicates with the network connection device 13.

The management server 3 includes the elements 3 to 6 and 13,
Holds information about users of the WS network 1,
The WS network 1 is managed based on this information. The management server 3 is a user authentication unit of the WS network 1 and is a server that authenticates a user who makes a login request to the WS network 1. The server 4 provides various services in response to requests from the clients 5 and 6.

Incidentally, the above-mentioned respective elements 3 to 6 and 13
Are all information processing devices 150 having at least a main storage device 151 and a central processing unit (CPU) 152, as shown in FIG. The means and functions of each element are
It is realized by the CPU 152 executing an instruction previously held in the main storage device 151.

(2) Structure of PC Network The PC network 7 is managed independently of the WS network 1 and has nodes (server 9, clients 10-1).
2), the network connection device 13, and each element 9 to
And a communication line 8 for connecting 13 to each other. The network connection device 13 is connected to the communication line 2 of the WS network 1.
It is connected to the.

The communication line 8 connects the respective constituent elements 9 to 13 of the PC network 7 and serves as a medium for transferring various data. The communication lines 2 and 8 are wired lines in this embodiment, but may be wired or wireless as long as they serve as a medium for transferring signals. Client 10
A reference numeral 12 provides a user of the PC network 7 with a command interface and an application program, and communicates with the server 9 or the network connection device 13 in response to a request issued by the user through the command interface and the application program. The server 9 provides various services in response to requests from clients 10 to 12 described later.

The network connection device 13 connects the WS network 1 and the PC network 7. The network connection device 13 also has a function as a management server of the PC network 7. That is, each element 9
To 12 and information about the user of the PC network 7, and manages the PC network 7 based on this information. Therefore, the network connection device 13 has means for authenticating the user of the PC network 7.

It should be noted that all of the above-mentioned elements 9 to 13 are at least the main memory 151, as shown in FIG.
And an information processing device 150 having a central processing unit (CPU) 152. The means / functions of the respective elements are realized by the CPU 152 executing instructions held in advance in the main storage device 151.

(3) Communication Method Here, a method for communication between the server and the client will be briefly described. In the communication between the server and the client, commands and data are sent from the sending side to the transmission line as a group called a packet. The destination address and the source address are added to the packet. On the receiving side, all the packets flowing on the transmission path are once taken in, and the destination address added to the packet is compared with its own address. As a result, the data held in the packet having the matching address is passed to the upper processing system, and the packet having no matching address is discarded. As a result, even in a network system to which a plurality of clients and servers are connected, it is possible to transfer information (commands and data) only to the information processing device designated as the destination.

(4) Configuration of Network Connection Device 13 FIG. 2 shows an example of the configuration of the network connection device 13 of the first embodiment. The network connection device 13 of the first embodiment is
Communication control unit 2 that manages communication with networks 1 and 7
1, 29, access switching unit 22, login processing unit 24,
It has a user authentication unit 25, a password management table 26, a server address table 27, and a command processing unit 28. Each of these units 21 to 29 stores instructions stored in the main storage device 151 in advance in the CPU 1
It is realized by executing 52.

The communication control unit 21 includes clients 10-1.
2 receives a communication packet, extracts a command or data from this packet, and accesses the switching unit 22 described later.
Hand over to. The access switching unit 22 switches the command or data passed from the communication control unit 21 depending on whether it is a login request, notifies the login processing unit 24 of the login request, and notifies the command processing unit 28 otherwise.
The login processing unit 24 is a network connection mediating unit, and causes the user authentication unit 25 to perform authentication in the PC network 7 of a user who has made a login request.
The login request to the S network 1 is performed on behalf. The user authentication unit 25 is a user authentication unit of the PC network 7, and authenticates the notified user ID and password. The authentication is a procedure in which the user is authorized to use the network in advance and proves that the user is a registered and authorized user.

The password management table 26 is a table managed by the user authentication unit 25. The data structure of the password management table 26 is schematically shown in FIG. The password management table 26 includes a plurality of rows provided for each user who is permitted to use the PC network 7. Each row shows a user ID storage area 261 for holding a user ID, a password storage area 262 for holding an encrypted password of the user, and a usage state indicating whether the PC network 7 is logged in or not logged in. And a usage state storage area 263 for holding. The contents of the areas 261 to 263 are registered in advance by the network administrator.

The server address table 27 is a server information storage means, and is a storage area for holding information such as the name and address of a server in the WS network 1. The command processing unit 28 transfers the access request from the PC network 7 to the WS network 1. The communication control unit 29 includes a login processing unit 24 and a command processing unit 28.
Receives a login request and an access request from the WS network 1 to the WS network 1, packetizes the request, and sends the packet to the WS network 1, and receives the processing result returned from the WS network 1.

(5) Configuration of Clients 10-12 In this embodiment, the client 10 of the PC network 7 is
To 12 have the same configuration. As an example, the configuration of the client 10 of the first embodiment is shown in FIG. Client 1
0 is a keyboard 51, a data input unit 52, a command analysis unit 53, a login processing unit 54, a command processing unit 56,
A server address table 57, a communication control unit 58, and a data output unit 59 are provided. These parts 51 to 59
Are realized by the CPU 152 executing instructions stored in the main storage device 151 in advance.

The keyboard 51 is an input means for receiving an input of a character string, a numerical value or the like from the user. Although the keyboard 51 is used as the input means in the first embodiment, the input may be received by another means such as a mouse or a touch sensor. The data input section 52 is the keyboard 5
Data such as a character string or a numerical value input from 1 is sent to the command analysis unit 53.

The command analysis section 53 includes a data input section 52.
The character string or numerical value notified by the above is analyzed and classified into a login / logout request and another service request, and the login processing unit 54 or the command processing unit 56 respectively.
Transfer to. The login processing unit 54 includes the command analysis unit 5
Pre-processing for executing the login request notified from the server 3 to the security server (corresponding to the network connection device 13 in this embodiment) that executes user authentication. The login processing unit 54 includes an encryption unit 55 that encrypts the password notified from the command analysis unit 53 during the user login process. The command processing unit 56 transfers the service request notified from the command analysis unit 53 to the server and receives the result.

The server address table 57 is a storage area for holding information such as the name and address of a server in the network which is the request destination when issuing a login request or a service request. FIG. 7 schematically shows an example of the data structure of the server address table 57. The server address table 57 has a table structure including a row for each type of service. Each row has an area 71 for storing the name of the service, an area 72 for storing the name of the server providing the service, and an area 73 for storing the address of the server. The server address table 27 of the network connection device 13 also has the same structure as the server address table 57 shown in FIG.

The communication control unit 58 generates a packet for transmitting a command or data required for a login request or a service request to the server, and receives a response packet returned as a result of the request to the server. Data output unit 59
Controls to convert display data such as a message sent to the user from the login processing unit 54 and the command processing unit 56 into a display signal and output the display signal to the data display device 60.

The client 10 further includes a data display device 60. The data display device 60 is an output device for displaying the display signal sent from the data output section 59, and in the present embodiment, it is a CRT (Catho
Although it has a de Ray Tube (cathode ray tube), the output may be performed by other means such as a liquid crystal display device.

B. Independent operation of each network The WS network 1 and the PC network 7 are configured so that they can be operated independently. The operation for independent operation will be briefly described. Although only the WS network 1 will be described here, a PC
The operation in independent operation of the network 7 is similar to that in the WS network 1.

(1) User Authentication Normally, in a network system in which a plurality of information processing devices are connected and resources managed by each information processing device can be used by other information processing devices,
To use network resources, a user is first required to perform an operation called login. This is a procedure for proving to the network system that the user himself is a legitimate network user.

An identifier (hereinafter referred to as a user ID) for identifying the user by the network is given to the authorized user. The clients 5 and 6 log in using the input user ID in response to an instruction from the user.

The user ID is open to the public because it is secret and not personal. Therefore, merely checking the input user ID does not prove that the user is the person who has the user ID. Therefore,
A code called a password is used to confirm the legitimacy of the user. When logging in, the clients 5 and 6 accept the input of the password and transfer it together with the user ID to the management server 3 via the communication line 2.

The password is encrypted and managed by the management server 3. The management server 3 determines the legitimacy of the user by collating the transferred password with the password held in advance. In this embodiment, the algorithm used for encryption is irreversible, and the encrypted result cannot be decrypted into the original password. Therefore, in order to confirm that the user who requested login is a legitimate user, the password entered by the user is checked in advance using the above encryption algorithm (the password to be verified (managed by the management server 3). It is necessary to encrypt it in the same way as the one).

Therefore, in this embodiment, the client 5 is
6 encrypts the password by the above encryption algorithm and then transfers it. Management server 3 that received the transfer
Executes the verification of the user ID and the password to authenticate the user who made the login request. When the authentication is successful, the user can obtain the right to use the service provided by the server 4, and to that effect (permit: indicates that the user is already permitted to use the network). Information) is notified to the client 5.

The authenticated user can receive the service by presenting the permit to the server 4 each time the service is requested. This method has an advantage that even if there are a plurality of servers in the network, the service provided by any server can be used by presenting the permit, so that the login operation only needs to be performed once.

C. Login Request Processing Next, in the present embodiment, the login when the user of the PC network 7 uses the resources of the WS network 1 via the network connection device 13 will be described. The process performed at the time of login will be simply referred to as a login operation. Figure 11 shows the flow of login operation
Shown in.

Here, it is assumed that the user has the ID "A", the user "A" is registered as a user in both the WS network 1 and the PC network 7, and the same password is registered in both networks. The explanation will proceed assuming that it has been done.

(1) Processing of Client of PC Network In the present embodiment, when there is no user logged in to the PC network 7 from the client 10, the login processing unit 54 performs the initial login operation shown in FIG. The screen data is output to the data output unit 59. The data output unit 59 converts this data into a display signal, outputs it to the data display device 40, and notifies the command analysis unit 53 that it is in the login waiting state. FIG. 6 shows an example of the screen at the time of login displayed on the console screen of the data display device 60 of the clients 10 to 12 as a result. In the first embodiment, the initial screen 61 has two windows (small areas surrounded by a frame which are displayed in an overlapping manner on the already displayed) 62 and 63. Then, the user ID or password for which the input is accepted is displayed.

When the data output section 59 causes the data display device 40 to display the login screen 61 and notifies the command analysis section 53 that the login is waiting, the command analysis section 53 uses the keyboard 51 to operate the PC network 7.
User I of user "A" trying to log in to
Input of D and a password is accepted via the data input unit 52 (step 1101).

The input user ID and password are sent to the command analysis section 53 via the data input section 52. Since the command analysis unit 53 has been notified that it is in the login waiting state, it can recognize that the input data is the user ID and password. Therefore, the user ID and password are transferred to the login processing unit 54.

Upon receiving the user ID and password, the login processing unit 54 encrypts the password with the internal encryption unit 55 (step 1102). Next, the login processing unit 54 adds the encrypted password (hereinafter, referred to as an encrypted password), the input user ID, and the management server (book) to which the request is sent to the predetermined login command. In this embodiment, the address of the network connection device 13 also serves as the address) and the result is passed to the communication control unit 58.

The server address table 57 (see FIG. 7)
In the figure), “Login” is stored in the service name storage area 71, and the name of the management server (in the first embodiment, the network connection device 13) is stored in the service name storage area 71 as a line corresponding to “Login”. Server address storage area 7
3 is provided with a row in which the address of the management server (in the first embodiment, the network connection device 13) is held. The login processing unit 54 detects the line that holds “login” in the service name storage area 71 of the server address table 57, and detects the address of the management server by referring to the server address storage area 73 of the line. .

Communication control unit 5 to which the login command has been passed
Of the data sent from the login processing unit 54, 8 is
The login command, the user ID, and the password are packetized, and the address of the network connection device 13 and the address of the client (client 10) passed from the login processing unit 54 are added to the packet and transferred via the communication line 8. (Step 1103).

(2) Processing of network connection device-1 The communication control unit 21 of the network connection device 13 receives a login command,
The user ID and the encrypted password are taken out and passed to the access switching unit 22 (step 1104).
The communication control unit 21 does not interpret the logical meaning of the data contained in the packet, and simply handles the user ID / encrypted password as a group of data. The communication control unit 21 is the transmission source (the client 10 in this example).
Is stored, and this address is used when returning a response to the client 10. In the following description, packets are delivered using a method similar to this, but for convenience of description, description of addition of source and destination addresses, storage of addresses in the communication control units 21, 29, 58, etc. is omitted. I have something to do.

When the access switching unit 22 interprets the login command notified from the communication control unit 21 and detects that the command requires login, the access switching unit 22 processes the notified user ID and encrypted password in the login process. Transfer to section 24.

The login processing unit 24 first sends the user ID and the encrypted password to the user authentication unit 25 in order to authenticate the user "A" in the PC network 7 (step 1105) and waits for the result. User authentication unit 25
Refers to the password storage area 262 in the row where "A" is held in the user ID storage area 261 of the password management table 26 (step 1106), and the area 262 is displayed.
It is determined whether or not the password held in step 1105 matches the encrypted password received in step 1105. When they match, the user authentication unit 25 stores the identification information indicating that the PC network 7 is being used in the usage state storage area 262 as the login process, and returns the authentication result to the login processing unit 24. When the authentication is rejected (or the login processing fails), the login processing unit 24 that has received the login result (step 110)
7) Then, a notification to that effect is returned to the client 10 (step 1108), and the processing ends.

When the authentication is established and the login processing is performed (step 1107), the login processing unit 24 determines that the W
In order to request the login of the user "A" to the S network 1, the user ID, password, and the address of the management server 3 read from the server address table 27 are notified to the communication control unit 29 (step 1109). Upon receiving the notification, the communication control unit 29 packetizes the user ID and the password, adds the address of the management server 3 to the packet, and sends the packet to the communication line 2 (step 1110).

(3) Process of Management Server of WS Network The management server 3 which received the packet is the user authentication unit 2
Authentication processing similar to the authentication processing by 5 (step 1106) is performed (step 1111), and the result is returned to the login processing unit 24 of the network connection device 13. That is,
The management server 3, like the network connection device 13,
A password management table having the structure shown in FIG. 17 (however, user IDs and passwords registered in this table relate to users who are permitted to use the WS network 1 and are stored in the usage state storage area 263). , The usage state is recorded in the WS network 1). Therefore, referring to this password management table, is the password management table holding a match with the combination of the password and the user ID read from the packet? If it is held, the login process (in the usage status storage area 263, W
The process of storing the identification information that the S network is being used) is performed and the result is returned. Finally, the management server 3 notifies the login processing unit 24 of the network connection device 13 of the determination result.

(4) Processing of network connecting device-2 When the login processing unit 24 of the network connecting device 13 receives the result of authentication establishment from the management server 3 via the communication control unit 29 (step 1112), the result is sent together with this result. , WS stored in the server address table 27
The server information (each server name and corresponding address) of the network 1 is notified to the client 10 via the communication control unit 21 (step 1113), and the user ID is stored in the user ID storage area (not shown). (Step 1
115), and the process ends. At this time, all the addresses corresponding to the server names are the addresses of the network connection device 13. As a result, all service requests for the WS network 1, which will be described later, are sent to the network connection device 13.

In the client 10 which has received the notification of authentication establishment from the login processing unit 24 and the server information of the WS network 1, the command processing unit 54 receives this result, and the data display unit 40 via the data output unit 59. A message indicating that the authentication is established is displayed on the screen, and the server information of the WS network 1 is added to the server address table 57. This completes the login operation to both networks.

When a login procedure is performed with a user ID or password that has not been registered as a user in the WS network 1, the management server 3 of the WS network 1 returns an authentication rejection response. When there is a response of authentication refusal from the management server 3 (step 1112),
The login processing unit 24 uses only the authentication refusal for the client 1
0 (step 1114), and the WS network 1
Server information is not notified. In this case, if the user ID and password used for this login procedure are WS
The service of network 1 cannot be received.

D. Service Request Processing Next, the operation when the user “A” makes a service request to the WS network 1 from any of the clients 10 to 12 of the PC network 7 (here, the case of the client 10 will be described as an example) explain. From the client 10 of the PC network 7 to WS
FIG. 12 shows an operation flow when a service request is made to the network 1. Note that among the steps shown in FIG. 12, steps 1201 to 1204 (see FIG.
(Shown as (a)) is a process of the client 10, and steps 1205-1207 (shown as (b) of FIG. 12) are processes of the network connection device 13 or the server 4.

According to the procedure described above, the user “A” who has logged in to both the PC network 7 and the WS network 1 can provide services and resources provided by the server 9 of the PC network 7 or, if necessary, WS. The services and resources provided by the server 4 of the network 1 can be used. The operation of the file access request to the server 4 of the WS network 1 will be described below with an example of erasing unnecessary files. Here, a process of requesting deletion of a file held by the server 4 will be considered.

(1) Processing of Client of PC Network When a file deletion command, a file server name, and a file path name are received from the keyboard 51 (step 1201), the file server of the WS network 1 ( Here, the process for deleting the file placed on the server 4) is started.

This file deletion request is issued by the keyboard 51.
From the data input unit 52 to the command analysis unit 53. The command analysis unit 53 analyzes this request (step 1202), detects that it is not a login but a normal service request command, and transfers the request to the command processing unit 56.

The command processing unit 56 searches the server address table 57 for the server name included in the request and reads the address corresponding to the server name (step 1203). The server address table 57 stores server information in step 1113 of the login request process, but as described above, all the addresses of the servers of the WS network 1 are the addresses of the network connection device 13. There is. Therefore, when the communication control unit 58 packetizes the file erasing command, the server name, and the path name of the file to be erased, the packet is given the address of the network connection device 13 as the destination address and is sent. (Step 1204).

(2) Processing of network connection device The communication control unit 21 of the network receives the transmitted request packet, reads the command, the server name, and the path name of the file to be deleted from this, and the access switching unit 22
To notify. The access switching unit 22 interprets the notified command, detects that it is not a login command, and transfers the notified content to the command processing unit 28.
The command processing unit 28 refers to the server address table 27, and detects an address (address of the server 4 that is the actual destination of the request) held in the table 27 in association with the notified server name. (Step 120
5) Notify the communication control unit 29 together with the command, server name, and path name of the file to be deleted. Communication control unit 29
Creates a packet including the notified command, the server name, and the path name of the file to be erased, and adds the notified address of the server 4 to the packet (step 1206).

The server 4, which has received the packet sent in step 1206, deletes the target file (step 1207) and notifies the network connection device 13 of the execution result. Upon receiving the notification, the network connection device 13 transfers the received execution result to the requesting client 10.

E. Processing of Logout Request Next, a so-called logout operation in which the user “A” who has finished a desired work notifies the network of the end of the work will be described. FIG. 13 shows an operation flow at the time of logout processing.

(1) Processing of Client of PC Network-1 When a logout command is input from the keyboard 51 (step 1301), the command analysis section 53 is notified via the data input section 52. The command analysis unit 53 detects that the notified command is logout, and notifies the login processing unit 54 of this. The login processing unit 54 uses the server address table 5 as the transfer destination.
The address of the network connection device 13 (held in the server address storage area 73 of the line corresponding to "login") is read from 7 and the user ID saved in step 1115 is read. Next, the login processing unit 54 sends the logout command and the read user I
D "A" and destination server (network connection device 1
The address of 3) is set and transferred to the communication control unit 58 (step 1302).

The communication control unit 5 which receives these data
8 packetizes the logout command and the user ID, adds the address of the network connection device 13 to this packet, and sends it to the communication line 8 (step 1303).

(2) Network Connection Device Processing-1 The communication control unit 21 of the network connection device 13 receives this packet, and passes the logout command and user ID held in the packet to the access switching unit 22. The access switching unit 22 detects that the command is logout, and passes the logout command and the user ID to the login processing unit 24.

The login processing unit 24 reads the address of the management server 3 of the WS network 1 (held in the server address storage area 73 of the row corresponding to "login") from the server address table 27 (step 1).
304), the received logout command and user ID
In addition to the above, these are passed to the communication control unit 29. The communication control unit 29 packetizes the logout command and the user ID, adds the address of the management server 3 to the packet, and sends the packet to the communication line 2 (step 1305).

(3) Processing of Management Server of WS Network The management server 3 of the WS network 1 receives this packet and performs logout processing (uses the WS network 1 held in the usage status storage area 263 of the password management table). Delete the identification information that it is in the middle),
The result is returned to the network connection device 13 (step 1306). This completes the logout process in the WS network 1.

(4) Network Connection Device Processing-2 The login processing unit 24 that has received the processing result from the management server 3 via the communication control unit 29 has the user authentication unit 25.
The user "A" to log out (step 13)
07). In response to the instruction, the user authentication unit 25 deletes the identification information indicating that the PC network 7 is in use, which is held in the use state storage area 263 of the password management table 26, as the logout process, and the processing result is the login processing unit. Notify 24. The login processing unit 24 notifies the client 10 of the logout processing result via the communication control unit 21. This completes the logout process in the PC network 7.

(5) Processing of PC Network Client-2 When the logout completion notice is returned to the client 10, the client 10 receives the server address table 57.
The server information of the WS network 1 stored in the above is deleted (step 1308). This completes the processing of the logout request.

F. Abnormal termination processing In the above description of the logout request processing, the client 1
The processing when 0 receives a logout instruction via the keyboard 51 has been described, but in the first embodiment, logout is also executed when a network abnormality is detected.

When the network connection device 13 issues a request (login request or access request) to the WS network 1, it measures the time until a response to the request is accepted, and the response is made even if a predetermined time has elapsed. If there is not, the user authentication unit 25 is instructed to perform the logout process of the user “A”. Upon receiving this instruction, the user authentication unit 25 performs a logout process (deletes the identification information indicating that the PC network 7 is being used, which is held in the use state storage area of the password management table 26), and outputs the result as the login processing unit 24. To notify. The login processing unit 24 uses the client 1 via the communication control unit 21.
0 is notified that an abnormality has occurred in the WS network 1. The client 10 notified of the abnormality of the WS network 1 deletes the server information of the WS network 1 held in the server address table 57.

In the first embodiment, the network connection device 13 does not notify the access request (service request and logout request) from the logged-in user “A” even after a lapse of a predetermined time. Is the user “A” on the management server 3 of the WS network 1.
Logout request of the user "A" to the user authentication unit 25 (password management table 2
PC network 7 held in the use state storage area 6
Is deleted), and the login processing unit 24 causes the user "A" to access the communication processing unit 21.
The client 10 that has received the login instruction is notified of the time-out. The client 10 notified of the time-out deletes the server information of the WS network 1 held in the server address table 57 and displays on the data display device 60 that the time-out has been logged out. If the time-out occurs due to a failure in the communication line or the client 10, this time-out notification causes an error, but the network connection device 13 ignores this error.

G. Effects of First Embodiment As described above, in the first embodiment, the PC connected to the WS network 1 by the network connection device 13 that connects the WS network 1 and the PC network 7 together.
When a user logs in to the network 7, the WS network 1 is automatically requested to log in. As a result, the user does not need to log in to the WS network 1 again, and the burden on the user can be reduced.

In the first embodiment, the user who logs in from the PC network 7 to the WS network 1 is
When a service is requested to the S network 1 or a file is accessed, the network connection device 13
To the WS network 1, and the network connection device 13 that receives the access request issues the request to the WS network 1. As a result, the user of the PC network 7 can access the resources of the WS network 1 as if they were accessing the resources of the PC network 7.

In the description of the first embodiment, the user who uses both the WS network 1 and the PC network 7 has been set on the assumption that the same password is set for both networks. It is not limited to this. For example, in the case where different passwords are registered in each network, the correspondence relationship between these passwords is recorded in the password management table 26, and the network connection device 13
When the user creates a login packet (step 1109 in FIG. 11), the password held in the password management table 26 is used in association with the user ID and password sent from the PC network 7 side.

In the first embodiment, the network connected to each other has been described as the network composed of WS and the network composed of PC, but the scope to which the present invention is applicable is not limited to this. The configuration of each network (the number of servers, the number of clients, etc.) is not limited to this embodiment. Further, the number of networks to be connected is not limited to two, and a configuration having three or more is also possible. Furthermore, in the first embodiment, only the access means from the PC network to the WS network is shown, but it is possible to configure so as to allow bidirectional access instead of such unidirectional access.

In the first embodiment, when the login to the PC network is requested, the login to the WS network is automatically requested. However, the user may be inquired via the client whether or not to log in to the WS network, and it may be determined whether or not to log in according to a response thereto.

In this case, the server address table 27
In advance, the name of the connected network is stored in advance, and the login processing unit 24 sets the data display devices 6 of the clients 10 to 12 before performing the login processing.
The name of the network registered in the server address table 27 is displayed at 0, and the input of whether to log in from the keyboard 51 is accepted. In response to this input, the login processing unit 24 issues a login packet only to the network for which login is instructed, so that it is possible to prevent unnecessary login to networks that do not need access. it can.

Further, the WS network may be released (authentication is not performed) for the user who is permitted to log in to the PC network.

In the first embodiment, the network connection device 13 also has a function as a management server of the PC network 7, but the network connection device and the management server are realized by separate information processing devices 150. May be. In this case, the user authentication unit 25 and the password management table 26 are provided not in the network connection device but in the management server provided separately. Therefore, in this case, the network connection device
In step 1106 (shown in FIG. 11) of the login request processing, the user authentication unit 25 of the management server is inquired about the validity of the user and the login processing is performed. Also in the logout request process, in step 1307 (shown in FIG. 13), the network connection device causes the user authentication unit 25 of the management server to perform the logout process.

In the first embodiment, if the response from the network connected via the network connection device 13 is not received within a certain time, the network connection device 13
Since a logout request is automatically issued to the logged-in network and the client is notified of the failure occurrence, the user can recognize the failure of the network connected via the network connection device 13, and it is unnecessary. I'll never have to wait.

Furthermore, in the first embodiment, if the request from the user is not received within a certain time, the network connection device 13
Automatically issues a logout request to the logged-in network and notifies the client of the time-out, so network resources are occupied by non-functioning clients or programs due to a communication line error, etc. Can be excluded.

If the response from the WS network 1 or the request from the user “A” is not within the time, if the logout process of the PC network 7 is unnecessary, the logout process by the user authentication unit 25. And the server address table 57 is added to the client 10.
Alternatively, the server information of the WS network 1 may be deleted.

(Embodiment 2) In a case where networks connected in a complex network environment are connected via a public network, a user who has logged in to any network is connected to this network. By permitting access to other networks, the ability to protect against unauthorized access via the public network is reduced. User management in such a case can be performed for each network, but the management becomes complicated as the number of connected networks increases.

Therefore, in the second embodiment, management of the usage right of the composite network environment (this usage right means the right to use the service or resource of another network environment from one network environment) is managed for each network. It provides a means that can be carried out collectively on the network connection device instead of being managed.

A. Configuration of Network Connection Device 20 The network system to which the second embodiment is applied is also shown in FIG.
6, as in the first embodiment, the WS network 1
The PC network 7 and the PC network 7 are connected by a network connection device 20. The configuration and functions other than those described here are the same as those in the first embodiment.

The configuration of the network connection device 20 of the second embodiment is shown in FIG. The network connection device 20 according to the second embodiment sends the command or data passed from the communication control unit 21 to the login processing unit 24 or the command processing unit according to the type of request (login, logout, or other service request). As a means for distributing to 28, an access management unit 30 is provided instead of the access switching unit 22 of the first embodiment. In the second embodiment, the network connection mediating unit is realized by both the access management unit 30 and the login processing unit 24. Furthermore, the network connection device 20 according to the second embodiment includes an access management table 23 referred to by the access management unit 30. The access management table 23 is an access management information storage unit, and
It is a table that manages the usage status of the users (whether the user has logged in or not yet logged in) and the usage rights of the WS network 1 for those users who have the usage right of the C network 7.

(1) Configuration of Access Management Unit The access management unit 30 of the second embodiment, as shown in FIG. 3, has access control means 31, command analysis unit 32, table control unit 33, ID / password storage unit 34. , And a message generation unit 35.

The access control means 31 is a means for controlling the processing for the command sequence and the like sent from the communication control section 21 by using each component described later. The command analysis unit 32 interprets a command string or the like sent via the access control unit 31 and classifies it into a login / logout request or another processing command, and the access control unit 3
It is a means to return to 1. The table control unit 33 is a unit that sets / references the access management table 23 and returns the result to the access control unit 31. The ID / password storage unit 34 is a storage area for temporarily storing the user ID and password of the user who has made a login request to the PC network 7, for use when executing a login request to the WS network 1. is there. The message generator 35 displays the result of user authentication, the response to the requested command, and the like in the clients 10 of the PC network 7.
It is means for generating a message to be added when notifying to 12.

(2) Configuration of Access Management Table FIG. 4 schematically shows a data configuration example of the access management table 23. The access management table 23 holds, for each user who has the right to use the PC network 7, a storage area 41 for holding the user ID of the user and a holding state of the right to use the WS network 1 of the user. Storage area (usage right storage area) 42 and W at that time
A storage area (usage state storage area) 43 for holding the login status to the S network. The data example shown in FIG. 4 is a user having a user ID “A”,
And the user with the user ID "B" is WS
It has the right to use the network but has not yet logged into the WS network. Also,"
It is shown that the user with the user ID “C” and the user with the user ID “E” do not have the right to use the WS network. Furthermore, “D”.
It is shown that the user having the user ID has the right to use the WS network, has already logged in to the WS network, and has not logged out.

By referring to the access management table 23, the access management unit 30 can perform, in addition to the authentication (normal login processing) in the PC network 7, the WS network in addition to the authentication in the PC network 7 when a login request is made from a user to the PC network 7. It is determined whether or not the login request to 1 is performed on behalf. Therefore, unlike the case of the first embodiment, even if the user instructs to log in, the second embodiment
Then, login is not required for all connected networks, and login is required only for the networks registered in the access management table 23 when there is a usage right.

In the second embodiment, writing of data in the access management table 23 (that is, granting and depriving each user of the right to use the WS network 1).
Is only available to so-called privileged users who are administrators of the network environment. However, the update of the access management table 23 by the non-privileged user may be accepted. In this way, the user himself / herself can dynamically determine the network to which he / she will automatically log in, according to the contents of the information processing.

B. Processing of Login Request According to the network connection device 20 of the second embodiment, the user IDs are set for both the network to which the network connection device 20 belongs and the network connected through the network connection device 20.
A user who has registered a password and a password, and whose usage right of the network connected via the network connection device 20 is registered in the network connection device 20 is a network in which the login operation is performed by one login operation. Not only (the network to which the user belongs), but also another network connected by the network connection device 20 can be logged in.

Hereinafter, assuming a user having a user ID “B”, the user “B” is registered as a user in both the WS network 1 and the PC network 7,
Moreover, the description will proceed assuming that the same password is registered in both networks.

(1) Processing of Client of PC Network As in the case of the first embodiment, when accepting the login instruction from the user, the client of the second embodiment displays the initial login screen shown in FIG. Display screen 61,
Input of the user ID and password is accepted (step 801). The input user ID (“B”) and password are transferred to the login processing unit 54 via the data input unit 52 and the command analysis unit 53, as in the first embodiment.

The login processing unit 54, which has received the user ID and the password, encrypts the password by the internal encryption unit 55 (step 802) and inputs a predetermined login command into the encrypted password. The user ID and the address of the management server (which is also used by the network connection device 20 in the second embodiment) as the destination of the request are added and transferred to the network connection device 20 via the communication control unit 58 (step 803). In the second embodiment as well, as in the first embodiment, the login processing unit 54 detects a line in the server address table 57 that holds “login” in the service name storage area 71, and stores the server address storage area in that row. The address of the management server is detected by referring to 73.

(2) Processing of network connection device-1 The communication control unit 21 of the network connection device 20 receives a login command, a packet from the packet sent from the client,
The user ID and the encrypted password are taken out and passed to the access management unit 30 (step 804). When the access management unit 30 interprets the notified login command and detects that the command requires login, the access management unit 30 transfers the notified user ID and encrypted password to the login processing unit 24 (step 80).
5) The user ID and the encrypted password are stored in the ID / password storage unit 34 (step 806).

Upon receiving the login request, the login processing unit 24 sends the user ID and the encrypted password to the user authentication unit 25 in order to authenticate the user "B" in the PC network 7, and waits for the result. The user authentication unit 25 collates the received user ID and encrypted password with reference to the user ID storage area 261 and the password storage area 262 of the password management table 26 (step 8).
07), it is determined whether the user is an authorized user. In the case of an authorized user, the user authentication unit 25 executes a login process (a process of storing identification information that the PC network 7 is in use in the usage state storage area 263) and returns the authentication result to the login processing unit 24. . The login processing unit 24 uses the login result received from the user authentication unit 25 as the access management unit 3
It notifies the access control means 31 of 0 and waits for a subsequent control command.

If the authentication is rejected (or if the login process is not successful) (step 808), the access control means 31 generates a notification to that effect by the message generation part 35, and the communication control part 21 is activated. The user ID and the encrypted password, which are temporarily stored in the ID / password holding unit 34, are erased (step 810) while being returned to the client 10 via the client 10 (step 809).

On the contrary, when the authentication is established and the login processing is performed (step 808), the access control means 31 refers to the usage right storage area 42 of the access management table 23 through the table control unit 33 ( Step 81
1) It is determined whether the user "B" has the right to use the WS network 1 (step 812).

If the usage right is not given, the access control means 31 advances the processing to step 818 without performing the login processing to the WS network 1. For example, when a login request is received from the user “C”, assuming that the access management table 23 of the second embodiment holds the data shown in FIG. 4, the usage right storage area 422 of the user “C”. Holds information indicating that there is no right to use the WS network 1. So user ”
In response to the login request of C ″, authentication regarding the right to use the PC network 7 is performed, but the WS network 1
Login processing to will not be performed.

However, in the example described here, FIG.
As shown in FIG. 5, since the information indicating that the usage right is stored in the usage right storage area 421 of the user “B”, the access control unit 31 which refers to the access management table 23, It is detected that "" is given the right to use the WS network 1. Therefore, the access control unit 31 reads the user ID and the encrypted password stored in step 806 from the ID / password storage unit 34, passes them to the login processing unit 24, and transfers them to the WS network 1 of the user “B”. Request to perform the login process (step 81).
3).

Upon receipt of this request, the login processing unit 24
The address of the management server 3 is read from the server address table 27, and the user ID and the encrypted password received from the access control means 31 are sent to the communication control unit 29. The communication control unit 29 receives the received user I
D and the encrypted password are packetized, the address of the management server 3 is added to the packet, and the packet is sent to the network cable 2 (step 814).

(3) Process of Management Server of WS Network The management server 3 of the WS network 1 stores the user ID and the encrypted password of the user who is registered in the management server 3 and who is authorized to use the WS network 1. By referring to the user ID and the encrypted password, the user indicated by the encrypted password is authenticated, and if the user is authorized to use the WS network 1, the login process (use of the password management table managed by the management server 3 is performed. A process of storing identification information indicating that the WS network is in use is executed in the state storage area 263, and the result is returned to the network connection device 20 (step 81).
5).

(4) Processing of network connection device-2 When the login processing unit 24 receives the authentication result by the management server 3 via the communication control unit 29, when the authentication success result is obtained (step 816). With this result, the access control means 3 obtains the server information of all the servers of the WS network 1 stored in the server address table 27.
Send to 1. This server information consists of the server name and the server address. In the server information passed to the access control means 31, the server address is not the actual address on the WS network but the network connection device 2
The address is 0. This allows the PC network 7
All the service requests of the client 10 to the WS network 1 are sent to the network connection device 20. Upon receipt of this, the access control means 31 generates a notification of success of authentication in the message generation unit 35, and the received server information (the address has been changed to the address of the network connection device 20) in the client 10. (Step 817) and the process proceeds to step 819.

When the management server 3 of the WS network 1 responds to the authentication refusal (step 816), the login processing unit 24 does not send the server information of the WS network 1 to the client 10 and outputs only the authentication result to the client 1.
0 (step 818) and the process proceeds to step 81.
Proceed to 9. In this case, the user can receive the service of the PC network 7, but the WS network 1
Cannot receive the service of.

At step 819, the login processing unit 24
In step 806, the user ID of the user “B” and the encrypted password which are temporarily stored in the ID / password holding unit 34 are deleted. Finally, the login processing unit 24
Rewrites the user "B" column 431 of the WS network usage state storage area 43 of the access management table 23 to "logged in" via the table control unit 33 (step 820), and saves the user ID as the user ID. The data is stored in the area (not shown) (step 821), and the process ends.

(5) Processing of Client of PC Network Notification of successful authentication from the network connection device 20 and W
The command processing unit 54 of the client 10, which has obtained the server information of the S network 1 via the communication control unit 58, displays the message of the authentication success on the data display device 60 via the data output unit 59, and the WS network 1
Server information of the above is added to the server address table 57. This completes the login operation to both the PC network 7 and the WS network 1.

C. Processing of Service Request Next, the logged-in user “D” is one of the clients 10 to 12 of the PC network 7 (here,
The case of requesting a service from the WS network 1 will be described below with reference to the case of the client 10). Here, as an example of the service request, the PC network 7 and the WS network 1
Considering a file deletion request to the server 4 which is the file server of the WS network 1 by the user “D” who has logged in to both networks, the flow of this request processing is shown in FIG.

(1) Processing of the client of the PC network The data input section 52 is operated by the user via the keyboard 51.
When the input of the file deletion command, the server name of the server 4, and the file path name from the keyboard 51 by D "is received (step 901), these input data are sent to the command analysis section 53. 53 analyzes the command and detects that it is not a login command or a logout command but a normal service request command (step 902), and transfers these input data to the command processing unit 56.

The command processing unit 56 reads the address corresponding to the server name of the server 4, which is the server name input from the server address table 57, as the destination of the command (step 903) and communicates with the input data. It is passed to the control unit 58. The address of the server 4 stored in the server address table 57 is the address of the network connection device 20 stored in step 820. Therefore, the destination address notified to the communication control unit 58 in step 903 is the address of the network connection device 20.

The communication control unit 58 packetizes the file deletion command, the server name, and the path name of the file to be processed (hereinafter, referred to as a set of file deletion commands), and sends the destination address (notified) from the command processing unit 56 ( The address of the network connection device 20) is added and sent to the communication line 8 (step 904).

(2) Processing of the network connection device 20 The communication control unit 21 of the network connection device 20, which has received the packet sent in step 904, extracts a set of file deletion commands from this packet and passes it to the access control means 31 (step 905). The access control means 31 passes this command to the command analysis section 32 for analysis. The command analysis unit 32 analyzes the passed command, detects that it is an access request that is not a login or logout request, and determines this as an access control unit 31.
To notify.

The access control means 31 refers to the use state storage area 43 of the access management table 23 via the table control unit 33 (step 906), and whether the user "D" has already logged in to the WS network 1. It is judged (step 907).

When it is detected that the user has not logged in yet, the access control means 31 creates a message to the effect that access is denied by the message generator 35, notifies the client 10 of this (step 909), and executes the processing. finish.

However, in the example described here, since the access management table 23 holds the data shown in FIG. 4, it is shown as the area 432 in FIG.
In the usage status storage area 43 corresponding to the user “D”,
Data indicating "logged in" is held. Therefore, the access control means 31 detects that the user “D” has already logged in to the WS network 1. When it is confirmed that the user “D” has already logged in to the WS network 1, the access control means 31 transfers the set of file deletion commands to the command processing unit 28 and waits for the execution result (step 9).
08).

Upon receiving the set of file delete commands, the command processing section 28 reads the address of the server 4 from the server address table 27 (step 910) and sends this address and the set of file delete commands to the communication control section 29. The communication control unit 29 packetizes the set of file deletion commands, adds the address of the server 4 and sends the set to the communication line 2 (step 911).

Upon receiving this packet, the server 4 erases the file designated as the target, and notifies the client 10 of the result via the network connection device 20 (step 912). This completes the processing of the access request.

D. Processing of Logout Request Next, the processing of the logout request (notification of work completion to the network) of the user “D” who has already logged in to the WS network 1 will be described. FIG. 10 shows a processing flow of the logout request.

(1) Processing of Client of PC Network-1 When a logout command is input from the keyboard 51 (step 1001), this command is notified from the data input section 52 to the command analysis section 53. The command analysis unit 53 detects that the input command is a logout command and passes it to the login processing unit 34.

The login processing unit 54 reads the address of the destination server from the server address table 57 (step 1002), and further, at step 8 at the time of login.
In step 21, the user ID “D” is read by referring to the user ID storage area (not shown) storing the user ID. Next, the login processing unit 54 transfers the destination address and user ID thus obtained and the logout command to the communication control unit 58. Stored in the server address table 57, stored in step 820,
The address of the server corresponding to login (and logout) is not the address of the management server 3 that is the true destination, but the address of the network connection device 20. Therefore, the destination address notified to the communication control unit 58 in step 1002 is the address of the network connection device 20.

The communication control unit 5 which has received these data
8 packetizes the logout command and the user ID, adds the notified destination address (address of the network connection device 20) to the packet, and sends the packet to the communication line 8 (step 1003).

(2) Processing of Network Connection Device-1 Upon receipt of this packet, the communication control unit 21 of the network connection device 20 passes the logout command and user ID obtained from the packet to the access management unit 30. In the access management unit 30, first, the access control unit 31 receives this command, and the access control unit 31
Causes the command analysis unit 32 to analyze this (step 1004).

The command analysis section 32 detects that the command is a logout command and notifies the access control means 31 of this. Access control means 3 that received the notification
1 refers to the usage status storage area 43 of the access management table 23 via the table control unit 33 (step 10
05), it is determined whether or not the user “D” has already logged in to the WS network 1 (step 1006).

When it is detected that the user has not logged in yet, the access control means 31 does not perform the logout processing of the WS network 1 and executes the processing in step 1013.
Then, the PC network 7 logout process is performed.

However, in the example described here, since the access management table 23 holds the data shown in FIG. 4, it is shown as the area 432 in FIG.
In the usage status storage area 43 corresponding to the user “D”,
Data indicating "logged in" is held. Therefore, the access control unit 31 detects that the user “D” has already logged in to the WS network 1 and has not logged out. Upon detecting that the user “D” has logged in and has not logged out, the access control means 31 passes the user ID of the user “D” and the logout command to the login processing unit 24, and W
It requests the management server 3 of the S network 1 to issue a logout request (step 1007).

In response to this request, the login processing unit 24 reads the address of the management server 3 of the WS network 1 from the server address table 27 (step 10).
08), sends this address, the logout command, and the user ID of the user “D” to the communication control unit 29.

The communication control unit 29 packetizes the logout command and the user ID, adds the address of the management server 3 to this packet, and sends it to the communication line 2 (step 1009).

(3) Processing of Management Server of WS Network The management server 3 which received this packet is the user "D".
Logout process from the WS network 1 of
The result is packetized, the address of the network connection device 20 is added, and the result is sent to the communication line 2 (step 101).
0).

(4) Processing of Network Connection Device-2 The communication control unit 29 of the network connection device 20 which has received the packet of the processing result notifies the access control unit 31 of the processing result via the login processing unit 24. If the processing result indicates that the logout processing is unsuccessful (step 1011), the access control means 31 causes the message generation unit 35 to generate a message and notifies the client 10 of the generated message (step 1).
015).

If the processing result indicates the completion of the logout processing in the WS network 1 (step 10)
11), the access control means 31 includes the table control unit 33
The usage status storage area 43 (illustrated as an area 432 in FIG. 4) corresponding to the user “D” in the access management table 23 is rewritten to “unlogged in” via (step 1012). As a result, since the logout of the WS network 1 is completed, the process proceeds to step 1013, and the logout process of the PC network 7 is executed.

At step 1013, the access control means 31 instructs the login processing section 24 to enter the user “D”.
The user ID is sent, and the user is requested to execute the logout process in the PC network 7. The login processing unit 24 that has received this request instructs the user authentication unit 25 to perform the logout processing of the user “D”. Upon receiving this instruction, the user authentication unit 25 logs out the user “D” (use state storage area 26 of the password management table 26).
3) processing for storing identification information that the PC network 7 is being used) and notifies the access control means 31 of the processing result.

Upon receiving the notification that the logout from the PC network 7 has failed, the access control means 31
Causes the message generator 35 to generate a message to that effect and notifies the client 10 of the message (step 1015).

Upon receiving the notification that the logout process from the PC network 7 has been completed, the access control means 31 causes the message generation unit 35 to generate a message to that effect and notifies the client 10 of the message (step). 1016).

(5) Processing of Client of PC Network-2 The login processing unit 54 of the client 10 which has received the notification of the network connection device 20 in step 1015 or 1016 indicates that the received notification is the PC network 7
If it indicates that the logout from the server is successful, the server information of the WS network 1 that has been added to the server address table 57 is deleted (step 1017).

Finally, the login processing unit 54 of the client 10 sends the accepted message to the data output unit 59 and causes the data display device 60 to display the message (step 10).
18).

E. Effect of Second Embodiment In the second embodiment, the description is given on the assumption that the user who uses both the WS network 1 and the PC network 7 sets the same password for both networks. It is not limited to this. For example, in the case where different passwords are registered in each network, the password management table 2
The correspondence relationship between these passwords may be recorded in 6. Then, after the step 813 in the processing of the login request (shown in FIG. 8) and before the step 814, the login processing unit 24 selects the PC from the password management table 26.
A step of reading the user ID and password registered in the WS network 1 corresponding to the user ID and password sent from the clients 10 to 12 of the network 7 is added, and the step for reading the WS network 1 is added. The user ID and password may be notified to the communication control unit 29 in step 814.

In the second embodiment, it is determined whether or not the network connection device 20 connecting the WS network 1 and the PC network 7 is given the right to use the WS network 1 from the PC network 7 to the PC network user. The access management unit 30 and the access management table 23 registered in advance for the users who are authorized to use the WS network 1 from the PC network 7 are provided.

When the user logs in to the PC network 7 connected to the WS network 1, the access management unit 30 refers to the access management table 23,
When it is determined that the user has the right to use the WS network 1, a login request to the WS network 1 is automatically made. As a result, in the second embodiment, it is not necessary for the user to log in to the WS network 7 again, and the burden on the user can be reduced.
In the second embodiment, even if the PC network 7 and W
Even a user whose user ID and password are registered in both the S networks 1 is prohibited from accessing the WS network 1 from the PC network 7 if the access right is not registered in the access management table 23.

Therefore, according to the second embodiment, since the network connection device 20 manages the usage right between the networks, even if a plurality of networks are connected, the management load of the usage right in each network increases. You can manage efficiently without doing.

Further, as described above, the PC network 7
User logged in to WS Network 1 from
When a service is requested to the network or a file is accessed, the network connection device 20 receives these access requests and issues them to the WS network 1. Therefore, the user of the PC network 7 is as if the user of the PC network 7 The WS network 1 can be used to access the resources therein.

Further, when a user who has logged in to a plurality of networks logs out from those networks, the network connection device 20 automatically issues a logout command to the network connected through the devices 20. Since it is issued to the user, the user only needs to issue a logout notification to the PC network.

In the second embodiment, the networks connected to each other are the network 1 composed of WS and the PC.
However, the applicable range of the present invention is not limited to this. Further, the configuration of each network (the number of servers, the number of clients, etc.) is not limited to this embodiment. Further, the number of connected networks is not limited to two,
A configuration with three or more is also possible. Furthermore, in the present embodiment, only the access means from the PC network 7 to the WS network 1 is shown, but it is possible to configure so as to allow bidirectional access instead of such unidirectional access.

Furthermore, in the second embodiment, when the login to the PC network is requested, the login procedure to the WS network is automatically performed. However, the user may be inquired via the client whether or not to log in to the WS network, and it may be determined whether or not to log in according to a response thereto.

In this case, the server address table 27
In advance, the name of the connected network is stored in advance, and the login processing unit 24 sets the data display devices 6 of the clients 10 to 12 before performing the login processing.
The name of the network registered in the server address table 27 is displayed at 0, and the input of whether to log in from the keyboard 51 is accepted. In response to this input, the login processing unit 24 issues a login packet only to the network for which login is instructed, so that it is possible to prevent unnecessary login to networks that do not need access. it can.

Similarly, the network connection device 20 may receive the update of the WS network usage right storage area 42 of the access management table 23 via the clients 10 to 12. In this way, the user can dynamically register the network to be logged in by the login request. In this case, the network connection device 20 causes the user ID and the password to be input, and if the authentication based on this is established, the column corresponding to the input user ID in the usage right storage area 42 is set to the input data. To be updated.
As a result, it is possible to avoid changing the usage rights of users other than the user.

In the second embodiment, when a user who has logged in from the PC network 7 makes a service request to the WS network 1, the access management unit 30 accesses whether the user has already logged in to the WS network 1. The use state storage area 43 of the management table 23 is referred to for confirmation (step 906).
When 06 is omitted and the service request is accepted, the WS network 1 is checked without checking whether the user has already logged in.
It may be sent to. Even in this way, WS
The server 4 of the network 7 rejects a service request from a user who is not logged in. Therefore, even if step 906 is executed or omitted, the client 10
Since an error is returned to ~ 12 as a processing result, the clients 10-12 can process without change. However, by executing step 906 as in the second embodiment, it is possible to avoid unnecessary communication to the WS network 1, which is transfer of an access request to a network that is not logged in.

[0163]

As described above, according to the present invention,
In a complex network environment in which networks that are managed independently of each other are connected to each other, it is possible to reduce the burden of login and logout requests of users who use the network environment.

[Brief description of drawings]

FIG. 1 is a configuration diagram of a network system according to a first embodiment.

FIG. 2 is a configuration diagram of a network connection device according to the first embodiment.

FIG. 3 is a configuration diagram of an access management unit.

FIG. 4 is a schematic diagram showing a data configuration example of an access management table.

FIG. 5 is a block diagram of a client of a PC network.

FIG. 6 is an explanatory diagram illustrating an example of a display screen displayed on the console screen of the client at the time of login.

FIG. 7 is a schematic diagram showing a data configuration example of a server address table.

FIG. 8 is a flow chart showing a processing flow of a login request from a client of the PC network in the second embodiment.

FIG. 9 is a flowchart showing a flow of processing of a service request from the client of the PC network to the WS network 1 in the second embodiment.

FIG. 10 is a flowchart showing a processing flow of a logout request from a client of the PC network in the second embodiment.

FIG. 11 is a flowchart showing a processing flow of a login request from a client of the PC network in the first embodiment.

FIG. 12 is a flowchart showing the flow of processing of a service request from the client of the PC network to the WS network 1 in the first embodiment.

FIG. 13 is a flowchart showing a processing flow of a logout request from a client of the PC network in the first embodiment.

FIG. 14 is a configuration diagram of a network connection device according to a second embodiment.

FIG. 15 is a configuration diagram of an information processing apparatus according to first and second embodiments.

FIG. 16 is a configuration diagram of a network system according to a second embodiment.

FIG. 17 is a schematic diagram showing a data structure of a password management table.

[Explanation of symbols]

1 ... WS network, 2 ... network cable,
3 ... Management server, 4 ... Server, 5-6 ... Client, 7 ... PC network, 8 ... Network cable, 9 ... Server, 10-12 ... Client,
13, 20 ... Network connection device, 21 ... Communication control unit, 22, 30 ... Access management unit, 23 ... Access management table, 24 ... Login processing unit, 25 ... User authentication unit, 26 ... Password management table, 27 ... Server address Table, 28 ... Command processing unit, 2
9 ... Communication control unit, 31 ... Access control means, 32 ...
Command analysis unit, 33 ... Table control unit, 34 ... I
D / Password holding unit, 35 ... Message generating unit,
51 ... Keyboard, 52 ... Data input section, 53 ... Command analysis section, 54 ... Login processing section, 55 ... Encryption section, 56 ... Command processing section, 57 ... Server address table, 58 ... Communication control section, 59 ... Data output Part, 60 ... Data display device.

 ─────────────────────────────────────────────────── ─── Continuation of the front page (72) Inventor Isao Saito 292 Yoshida-cho, Totsuka-ku, Yokohama-shi, Kanagawa Hitachi, Ltd. Microelectronics Equipment Development Laboratory (72) Inventor Atsushi Kobayashi Totsuka-ku, Yokohama-shi, Kanagawa 5030 Totsukacho, Hitachi Ltd. Software Development Division

Claims (14)

[Claims] 1. A network for connecting a first network having a first user authentication means and one or more nodes to one or more second networks having a second user authentication means and one or more nodes. A connection device, comprising network connection mediating means for mediating connection between the first network and the second network, wherein the network connection mediating means is at least one of nodes of the first network. Means for accepting a notification of a login request from the user by the user, and the specified user by the first user authentication means.
First authentication requesting means for confirming whether or not the use of the network is permitted in advance, and if it is permitted, performing the authentication process which is a process of responding to the establishment of the authentication, and the second user authentication. The designated user is the second
Second authentication requesting means for confirming whether or not the use of the network is permitted in advance, and if it is permitted, the second authentication requesting means for requesting to execute the authentication processing, which is a processing for responding to the establishment of the authentication, and the notification of the login request. When accepted, the first authentication requesting means requests the first user authenticating means for authentication processing of the user who has made the request, and further the second authentication requesting means causes at least one second authentication requesting means. A network connection device comprising: the second user authentication means of the network, and means for requesting an authentication process for the user. 2. The network connection mediating means according to claim 1, wherein the response from the second user authentication means indicates that the authentication is successful, the first connection request from the user is accepted. The network connection device, further comprising means for notifying the node of the network of 1) the address of the network connection device as the address of the node of the second network. 3. The network connection mediating means according to claim 2, wherein the access request to the second network by the user who has made the login request is transmitted from the first network that has received the login request from the user. Means for accepting via a node, means for transferring the accepted access request to the first network, response to the access request from the first network, and login request from the user And a means for transferring to a node of the first network. 4. A network for connecting a first network having a first user authentication means and one or more nodes with one or more second networks having a second user authentication means and one or more nodes. A connection device, comprising network connection mediating means for mediating connection between the first network and the second network, wherein the network connection mediating means is at least one of nodes of the first network. Means for receiving a notification of a logout request from the user by the first user authentication means, and
First logout requesting means for requesting execution of logout processing, which is processing for deleting the registration indicating that the network is being used, and second log of the user specified by the second user authentication means.
Second logout requesting means for requesting to execute a logout processing which is a processing for deleting the registration that the network is being used, and when the notification of the logout request is accepted, the first logout requesting means Request the first user authentication means for logout processing of the user who has made the request,
Further, the second logout requesting means comprises means for requesting the second user authentication means of at least one second network for the logout processing of the user, and the network connection device. 5. A network for connecting a first network having a first user authentication means and one or more nodes to one or more second networks having a second user authentication means and one or more nodes. A connection device, which is a network connection mediating means for mediating connection between the first network and the second network, and a usage right in which the presence or absence of the usage right of the second network is registered in advance for each user. An access management information storage unit having a storage area, wherein the network connection mediating unit receives a login request notification from a user by at least one of the nodes of the first network; The user specified as the user authentication means of
Second authentication requesting means for confirming whether the use of the network is permitted in advance, and if it is permitted, the second authentication requesting means for requesting to execute the authentication process which is a process for responding to the establishment of the authentication, and the notification of the login request. When accepted, the usage right storage area is referred to, and it is confirmed whether or not the usage right of the user who has made the login request is registered. If registered, the second authentication request means causes the second And a means for notifying the user which has issued the login request to the node which has issued the login request, if the user authentication means requests the user authentication processing. 6. The access management information storage means according to claim 5, further comprising: a usage state storage area for holding information on whether or not the second network is being used for each user. If the response of the authentication processing notified from the second user authentication means indicates that the authentication is established, the connection mediating means stores in the use state storage area corresponding to the user who has made the login request, Means for storing information indicating that the second network is in use; means for receiving a logout request notification from a user by at least one of the nodes of the first network; and the second user. The second of the user specified as the authentication means
Second logout requesting means for requesting that the logout processing for canceling the registration indicating that the network is being used and for replying the processing result, and receiving the notification of the logout request, perform the request. If information indicating that the second network is being used is held in the usage state storage area corresponding to the user, the second logout requesting means causes the second user authentication means to access the second user authentication means. If a request for the logout process of the user and if the logout process is not held, a means for notifying the node that has notified the request of the logout request, and a response of the logout process indicating success of the logout process, The second network is being used in the area corresponding to the user who has issued the logout request in the usage status storage area. Network connection device, characterized in that it comprises a a further means for storing information indicating no. 7. The network connection mediating means according to claim 6, wherein the network connection mediating means receives a notification of an access request from the user to the second network by at least one of the nodes of the first network, When the notification of the access request is accepted, if the information indicating that the second network is being used is held in the usage state storage area corresponding to the user who has made the request, the request is sent to the first state. And a means for notifying the node that has notified the request of refusal of the access request, if not held. 8. A network connection between a first network having a first user authentication means and one or more nodes, and one or more second networks having a second user authentication means and one or more nodes. A network connection method for connecting by means of an intermediary means, wherein any of the nodes of the first network accepts a login request from a user and notifies the network connection intermediary means, and the network connection receiving the notification. A first authentication request step in which the mediating means charges the first user authentication means for authentication processing of the user who has made the request; and the network connection mediating means that has received the notification is at least one second network. A second authentication requesting step of requesting the second user authenticating means for the authentication processing of the user; In response to the request, the first user authentication means confirms the right to use the first network of the user designated by the request, and if the user has the right to use, replies that the authentication is successful. Step, and the second user authentication means confirms, in response to the request, the right to use the second network of the user designated by the request, and if the user has the right to use, the authentication is established. And a step of responding to the network connection method. 9. The network connection mediating means according to claim 8, when the network connection mediating means receives a response of success of authentication by the second user authenticating means, identification information of each node of the second network and identification information of the node. A step of notifying the node that has notified the request as server information in combination with the address of the network connection mediating means; Storing the server information in the information storage means, and when the node receives an access request from the user to the second network, the server information storage means holds the server information corresponding to the node to which the request is sent. The access request is transferred with the address of the network connection mediating means that has been set as the destination. A step, a network connection method, characterized in that it further comprises. 10. The method according to claim 9, wherein the node of the first network accepts a logout request from a user and notifies the network connection mediating means, and the network connection mediating means that has received the notification is A first logout requesting step of requesting a logout process of the user who has made the request to the first user authentication means, and the network connection mediating means which has received the notification is the second log of at least one second network. A second logout requesting step for requesting the user authenticating means for logout processing of the user who has made the request; and the first user authenticating means, in response to the request, for the first user of the user designated by the request. And a step of executing logout processing from the network, the second user authentication means, Accordingly, the step of executing the logout process from the second network of the user designated by the request and notifying the processing result to the node via the network connection mediating means; And a step of deleting the server information of the second network from the server information storage means, if the node indicates the success of the logout process. Method. 11. The method according to claim 8, wherein, before the execution of the second authentication requesting step, the network connection mediating means inquires of the node that has made the login request whether or not to log in to the second network. And, in response to the inquiry, the node receives an input as to whether or not to log in to the second network, and notifies the network connection mediating unit of the input information as a response to the inquiry. The network connection method, wherein the second authentication requesting step is performed in response to a response to the inquiry. 12. The method according to claim 10, wherein the network connection mediating means inquires of the node that has issued the logout request whether or not to logout from the second network, before executing the second logout requesting step. And, in response to the inquiry, the node receives an input as to whether or not to log out from the second network, and notifies the input information to the network connection mediating means as a response to the inquiry. A network connection method, wherein the second logout requesting step is performed in response to a response to the inquiry. 13. A network for connecting a first network having a first user authentication means and one or more nodes to one or more second networks having a second user authentication means and one or more nodes. A network connection method for connecting by a connection mediating means, the method comprising: receiving a notification of a login request from a user by at least one of the nodes of the first network by the network connection mediating means; Upon receiving the notification, the first user authentication means is requested to perform the authentication processing of the user who has made the request, and the second user authentication means of at least one second network is requested to perform the authentication processing of the user. A method of connecting to a network, comprising the steps of: 14. A network connection between a first network having first user authentication means and one or more nodes, and one or more second networks having second user authentication means and one or more nodes. A network connection method for connecting via an intermediary means, the step of accepting a notification of a logout request from a user by at least one of the nodes of the first network by the network connection intermediary means, the logout request Requesting the first user authentication means to perform the logout processing of the user who made the request, and further requesting the second user authentication means of the at least one second network to perform the logout processing of the user. A method of connecting to a network, the method comprising: