CN101800748A - Security strengthening device - Google Patents


Info

Publication number
CN101800748A
Authority
CN
China
Prior art keywords
parameter
dialogue
request
replying
unit
Prior art date
Legal status
Granted
Application number
CN201010112456A
Other languages
Chinese (zh)
Other versions
CN101800748B (en)
Inventor
小田原育也
Current Assignee
Toshiba Corp
Toshiba Digital Solutions Corp
Original Assignee
Toshiba Corp
Toshiba Solutions Corp
Application filed by Toshiba Corp, Toshiba Solutions Corp
Publication of CN101800748A
Application granted
Publication of CN101800748B
Legal status: Expired - Fee Related (current)
Anticipated expiration

Abstract

The invention provides a security strengthening device. A reply filter (61) detects, in a reply, a parameter that matches a filtering rule. The reply filter (61) associates the detected parameter with a dialogue ID and stores it in a dialogue object. The reply filter (61) deletes the detected parameter from the reply, embeds the dialogue ID in the reply, and sends the reply to the client terminal (10). A request filter (63) deletes the dialogue ID from the request for that reply received from the client terminal (10), restores into the request the parameter stored in the dialogue object identified by the dialogue ID contained in the request, and sends the request to the application server (20).

Description

Security strengthening device
Technical field
The present invention relates to a security strengthening device that can prevent the leakage or tampering of parameters contained in a reply sent from an application server in response to a request from a client terminal.
Background technology
With the development of Internet technology, a wide variety of businesses and services are now realized as Web applications that can be used easily from a Web browser. The Web browser is client software running on a terminal (hereinafter "client terminal") that is communicatively connected to a server (hereinafter "application server") providing the Web application.
For example, on a shopping site the user can select and order goods while viewing the screen displayed on the client terminal, and can then pay by credit card or the like. The user receives the ordered goods from a delivery company and thereby uses the service.
In this way, users of Web applications can, for example, enjoy a variety of services from their own homes. When a Web application is used, a request to use the Web application is sent from the client terminal, and a reply to that request is returned from the application server. That is, various services are provided by the exchange of requests and replies between the client terminal and the application server. These requests and replies contain the various parameters needed for processing at the terminal and at the application server.
Although Web applications offer the convenience described above, their structure is inherently stateless, and many vulnerabilities have been pointed out in it that have sometimes caused incidents such as information leakage. These result from deficiencies in the implementation of the Web application; whether they are handled appropriately at design or implementation time depends on the skill of the engineer who carries out that design or implementation.
Most Web application vulnerabilities are classified into the injection class, the dialogue management class, and the improper parameter manipulation class.
An injection-class vulnerability means, for example, that an improper character string has been inserted into a parameter contained in a request sent from the client terminal to the application server.
A dialogue-management-class vulnerability means, for example, that a dialogue ID contained in a request or reply has been manipulated improperly. The dialogue ID is used, for example, to synchronize communication between the client terminal and the application server.
An improper-parameter-manipulation-class vulnerability means, for example, that the information of a parameter contained in a reply sent from the application server is tampered with before the next request is sent.
Of these, dialogue-management-class and improper-parameter-manipulation-class vulnerabilities in particular need to be dealt with from the early design stage; addressing them after operation of the Web application has begun requires modifying a large number of programs.
Accordingly, a technique is known (hereinafter "first prior art") that renders harmless improper character strings contained in the parameters (input parameters) of a request sent from the client terminal to the application server, by replacing them according to rules given in advance.
A technique is also disclosed (hereinafter "second prior art"; see Japanese Patent Application Laid-Open No. 2005-92564) that filters an access request addressed to a server, and the access reply to that access request, according to rules given in advance. In the second prior art, the access reply to the access request is received, and if improper code remains in the access reply, it is deleted. The second prior art can thus delete predetermined improper code from the access reply.
However, the first prior art can only handle injection-class Web application vulnerabilities; it cannot deal with dialogue-management-class or improper-parameter-manipulation-class vulnerabilities. Where such vulnerabilities are significant, a large number of programs therefore still need to be modified.
The second prior art likewise targets only improper code, and so can handle only part of the injection class. A large number of programs still need to be modified for dialogue-management-class and improper-parameter-manipulation-class vulnerabilities.
Summary of the invention
The object of the present invention is to provide a security strengthening device that can prevent the leakage or tampering of parameters contained in a reply sent from an application server in response to a request from a terminal, without changing the implementation of the application in operation.
According to a first aspect of the present invention, a security strengthening device is provided that can be communicatively connected to a client terminal operated by a user and to an application server that provides an application to that client terminal. The security strengthening device has the following units.
A rule storage unit stores in advance rules expressing conditions on parameters that may be leaked or tampered with.
A reply receiving unit receives from the application server a reply, containing parameters, to a request that the client terminal sent according to the user's operation in order to use the application.
A detecting unit detects, in the received reply, a parameter matching the condition expressed by a rule stored in the rule storage unit.
A generation unit generates a dialogue object corresponding to the reply when a parameter matching the condition expressed by the rule is detected in the received reply.
A dialogue object storage unit stores the generated dialogue object.
An issuing unit issues dialogue identifying information that uniquely identifies the generated dialogue object.
A storage processing unit associates the detected parameter with the issued dialogue identifying information and stores it in the dialogue object held in the dialogue object storage unit.
A parameter deleting unit deletes the detected parameter from the received reply once that parameter is stored in the dialogue object.
An embedding unit embeds the issued dialogue identifying information in the reply from which the parameter stored in the dialogue object has been deleted.
A reply transmitting unit transmits to the client terminal the reply in which the issued dialogue identifying information has been embedded.
A request receiving unit receives from the client terminal, after the reply with the embedded dialogue identifying information has been transmitted, a request for that reply which contains the dialogue identifying information.
A reading unit reads from the dialogue object storage unit the dialogue object identified by the dialogue identifying information contained in the request received by the request receiving unit.
A dialogue identifying information deleting unit deletes the dialogue identifying information from the request received by the request receiving unit.
A restoring unit restores, into the request from which the dialogue identifying information deleting unit has deleted the dialogue identifying information, the parameter stored in the read dialogue object.
A request transmitting unit transmits the request with the restored parameter to the application server.
Description of drawings
Fig. 1 is a diagram for explaining a network system to which the security strengthening device of an embodiment of the present invention is connected.
Fig. 2 is a block diagram mainly showing the functional structure of the security strengthening device 60 shown in Fig. 1.
Fig. 3 is a diagram for explaining an outline of the Web application provided by the application server 20.
Fig. 4 shows a display example of the order screen returned to the client terminal 10 as a reply.
Fig. 5 shows a display example of the order completion screen returned to the client terminal 10 as a reply.
Fig. 6 is a flow chart showing the processing procedure of the security strengthening device 60 of this embodiment when a reply is sent by the application server 20.
Fig. 7 shows an example of the order screen reply received by the reply filter 61.
Fig. 8 shows an example of the filtering rules stored in the filtering rule storage part 52.
Fig. 9 shows an example of the data structure of the dialogue object corresponding to the reply 100.
Fig. 10 shows an example of the reply 100 sent by the reply filter 61.
Fig. 11 is a flow chart showing the processing procedure of the security strengthening device 60 of this embodiment when the client terminal 10 sends a request for the reply 100 sent by the reply filter 61.
Fig. 12 shows an example of the order acceptance request received by the request filter 63.
Fig. 13 shows an example of the request 200 sent by the request filter 63.
Embodiment
An embodiment of the present invention is described below with reference to the drawings.
Fig. 1 is a diagram for explaining a network system to which the security strengthening device of this embodiment is connected.
As shown in Fig. 1, a client terminal 10 and an application server (Web application server) 20 are connected to a network 30.
Client software that uses the application server 20 runs on the client terminal 10. The client software is, for example, a Web browser.
The application server 20 provides various Web applications to the client terminal 10.
The client terminal 10 is operated by a user of the Web applications provided by the application server 20. Here, the communication between the client terminal 10 and the application server 20 when the user uses the client terminal 10 to use a Web application provided by the application server 20 is described.
In this case, a request is sent to the application server 20, for example from the Web browser running on the terminal 10 according to the user's operation. A reply to that request is returned (sent) from the Web application provided by the application server 20 to the client terminal 10. If there is a further request for the reply sent from the Web application, that request is sent from the Web browser. In this way, requests and replies are exchanged between the Web browser and the Web application, and various services are realized for the user through the Web application. The requests and replies exchanged between the Web browser and the Web application contain various parameters.
As described above, requests and replies are exchanged between the Web browser running on the client terminal 10 and the Web application provided by the application server 20. To avoid complication, however, the following description assumes that the client terminal 10 and the application server 20 exchange the requests and replies.
Although client terminals and application servers other than the client terminal 10 and the application server 20 are omitted from Fig. 1, a plurality of client terminals and application servers are connected to the network 30.
A computer 40 is connected to the network 30. An external storage device 50, such as a hard disk drive, is connected to the computer 40. The external storage device 50 stores a program 51 executed by the computer 40. The computer 40 and the external storage device 50 constitute a security strengthening device (Web application security strengthening device) 60.
The security strengthening device 60 can be connected to the client terminal 10 and the application server 20 via the network 30. The security strengthening device 60 has the function of relaying the requests and replies communicated between the client terminal 10 and the application server 20.
Fig. 2 is a block diagram mainly showing the functional structure of the security strengthening device 60 shown in Fig. 1. The security strengthening device 60 includes a reply filter 61, a dialogue management portion 62 and a request filter 63. In this embodiment, the reply filter 61, the dialogue management portion 62 and the request filter 63 are assumed to be realized by the computer 40 shown in Fig. 1 executing the program 51 stored in the external storage device 50. The program 51 may be distributed after being stored in advance in a computer-readable storage medium. The program 51 may also be downloaded to the computer 40 via the network 30.
The security strengthening device 60 also has a filtering rule storage part 52 and a dialogue object storage part 53. In this embodiment, the filtering rule storage part 52 and the dialogue object storage part 53 are held, for example, in the external storage device 50.
As described above, the security strengthening device 60 relays requests and replies between the client terminal 10 and the application server 20.
The filtering rule storage part 52 stores in advance, for example, filtering rules expressing conditions on parameters that may be leaked or tampered with. The filtering rules stored in the filtering rule storage part 52 are used to detect parameters in replies sent from the application server 20 (the Web application it provides). The data structure of the filtering rules is described later.
The dialogue object storage part 53 stores dialogue objects corresponding to replies sent from the application server 20.
The reply filter 61 receives from the application server 20 a reply corresponding to a request sent from the client terminal 10 according to the user's operation. As described above, the reply contains parameters. The parameters contained in the reply include, for example, the transmission destination URL (Uniform Resource Locator; in this specification the transmission destination URL is referred to as "connection destination identifying information") of the request for the reply, and the parameter type and parameter name of each parameter.
The reply filter 61 detects, in the received reply, a parameter matching the condition expressed by a filtering rule stored in the filtering rule storage part 52. The reply filter 61 performs this detection according to the URL, parameter type and parameter name contained in the received reply.
The reply filter 61 stores the detected parameter (the parameter matching the condition expressed by a filtering rule stored in the filtering rule storage part 52) in the dialogue object corresponding to the received reply. The reply filter 61 performs this storage processing through the dialogue management portion 62. As described later, the dialogue object corresponding to the received reply is stored in the dialogue object storage part 53.
The reply filter 61 embeds a dialogue ID issued by the dialogue management portion 62, described later, in the reply from which the detected parameter has been deleted.
The reply filter 61 sends to the client terminal 10 the reply in which the dialogue ID issued by the dialogue management portion 62 has been embedded.
The dialogue management portion 62 performs various processing on the dialogue object storage part 53.
When the reply filter 61 detects in a reply a parameter matching the condition expressed by a filtering rule stored in the filtering rule storage part 52, the dialogue management portion 62 judges whether a dialogue object corresponding to that reply has already been stored. That is, the dialogue management portion 62 judges whether a dialogue object corresponding to the reply received by the reply filter 61 has already been generated.
If no dialogue object corresponding to the reply received by the reply filter 61 has been generated, the dialogue management portion 62 generates a dialogue object corresponding to that reply. The generated dialogue object is stored in the dialogue object storage part 53.
When the dialogue management portion 62 generates the dialogue object corresponding to the reply received by the reply filter 61, it issues a unique dialogue ID (dialogue identifying information) that uniquely identifies that dialogue object. The issued dialogue ID is stored in the dialogue object generated by the dialogue management portion 62 (the dialogue object identified by that dialogue ID).
The dialogue management portion 62 also discards dialogue objects stored in the dialogue object storage part 53, as described later.
As described above, the request filter 63 receives from the client terminal 10 a request for the reply sent by the reply filter 61. The received request is, for example, a request sent to the application server 20 according to the user's operation. The received request contains the dialogue ID embedded in the reply sent by the reply filter 61 (the dialogue ID issued by the dialogue management portion 62).
The request filter 63 reads from the dialogue object storage part 53 the dialogue object identified by the dialogue ID contained in the received request (the dialogue object storing that dialogue ID).
When the request filter 63 has read the dialogue object identified by the dialogue ID contained in the received request, it deletes that dialogue ID from the request.
The request filter 63 restores into the received request the parameter stored in the read dialogue object. Once the parameter stored in the dialogue object has been restored into the received request, the dialogue object is discarded by the dialogue management portion 62.
The request filter 63 sends the request with the restored parameter to the application server 20.
The request filter 63 operates only when the received request contains a dialogue ID issued by the dialogue management portion 62 (a dialogue ID embedded in a reply sent by the reply filter 61). For example, the first request sent from the client terminal 10 (the Web browser running on it) to the application server 20 (the application it provides) does not carry a dialogue ID issued by the dialogue management portion 62. When such a request is received, the request filter 63 performs no special processing and relays the request directly to the application server 20.
In this case, for example, rules for checking the values of the parameters (request parameters) contained in the request may be prepared in advance, and the request filter 63 may be configured to filter the values of those parameters according to the rules.
The operation of the security strengthening device 60 of this embodiment is described below. First, with reference to Fig. 3, an outline of the Web application provided by the application server 20 is given in order to explain the operation of the security strengthening device 60. The Web application described here is assumed to be a service that accepts orders for goods from users. Fig. 3 shows only the minimum content of the Web application needed to explain the operation of the security strengthening device 60.
As shown in Fig. 3, the client terminal 10 first specifies a URL, for example, and sends a request (order request) to the application server 20 (the Web application it provides) (step S1). The user can specify the URL from the Web browser running on the client terminal 10.
The application server 20 then returns an order screen to the client terminal 10 as the reply to the request sent by the client terminal 10 (step S2).
Fig. 4 shows an example of the order screen returned to the client terminal 10 as the reply, as displayed on the client terminal 10. In the example of Fig. 4, the order screen displays the goods name, the unit price of the goods, an input field (input form) for the number of goods to order (order quantity), a send button and a cancel button.
When the order screen of Fig. 4 is displayed, the user operating the client terminal 10 enters the order quantity in the Web browser running on the client terminal 10 and presses (clicks) the send button. A request containing the order content (order quantity), the order acceptance request, is thereby sent from the client terminal 10 to the application server 20 (step S3).
The application server 20 (the Web application it provides) performs order acceptance processing according to the request sent from the client terminal 10. As the reply to the request sent from the client terminal 10, it returns an order completion screen to the client terminal 10 (step S4).
Fig. 5 shows an example of the order completion screen returned to the client terminal 10 as the reply, as displayed on the client terminal 10. In the example of Fig. 5, the order completion screen displays the goods name, the unit price of the goods, the order quantity entered on the order screen, and the billed amount. The billed amount displayed on the order completion screen is calculated from the unit price of the goods and the order quantity.
The following description assumes that the requests and replies shown in Fig. 3 are exchanged between the client terminal 10 and the application server 20. That is, the security strengthening device 60 of this embodiment relays the requests and replies shown in Fig. 3.
First, with reference to the flow chart of Fig. 6, the processing procedure of the security strengthening device 60 of this embodiment when a reply is sent by the application server 20 is described. Here, the case where the application server 20 sends the order screen reply described with Fig. 3 is explained.
In this case, the reply filter 61 included in the security strengthening device 60 executes filtering processing according to the filtering rules stored (set) in advance in the filtering rule storage part 52.
First, the reply filter 61 receives the reply sent by the application server 20 (step S11). The reply contains, for example, the transmission destination URL and the parameters of the request for the reply. The URL is specified, for example, from the Web browser according to the user's operation. Each parameter includes a parameter type, a parameter name and a parameter value.
Fig. 7 shows an example of the order screen reply received by the reply filter 61. Of the actual content of the reply, only the minimum needed for explanation is shown.
In the reply 100 shown in Fig. 7, "SESSION_ID" on the first line is the dialogue ID issued by the application server 20 for the request sent from the client terminal 10. The application server 20 (the Web application it provides) and the client terminal 10 (the Web browser running on it) use this dialogue ID to synchronize their communication. On this first line, "Cookie" is the parameter type, "SESSION_ID" is the parameter name and "012" is the parameter value. That is, the first line shows a parameter having parameter type "Cookie", parameter name "SESSION_ID" and parameter value "012".
"Content-length" on the second line represents the length in bytes of the data that follows. In this embodiment, the line feed code is counted as one character in the data length.
'action="http://hostname/order.do"' on the fourth line indicates the transmission destination URL "http://hostname/order.do" of the data sent when the send button on the order screen of Fig. 4 is clicked.
The 'input type="hidden"' entries on the eighth to tenth lines are called Hidden parameters. A Hidden parameter is sent to the client terminal 10 as information, but is not displayed on the screen of the Web browser. Hidden parameters are therefore sometimes implemented to embed information that is to be passed between screens without being shown (displayed) to the user, and they become targets of information leakage, tampering and the like.
In the Hidden parameter on the eighth line, "Hidden" is the parameter type, "SCREEN_ID" is the parameter name and "s001" is the parameter value. That is, the eighth line shows a parameter (Hidden parameter) having parameter type "Hidden", parameter name "SCREEN_ID" and parameter value "s001".
In the Hidden parameter on the ninth line, "Hidden" is the parameter type, "USER_ID" is the parameter name and "taro" is the parameter value. That is, the ninth line shows a parameter (Hidden parameter) having parameter type "Hidden", parameter name "USER_ID" and parameter value "taro".
In the Hidden parameter on the tenth line, "Hidden" is the parameter type, "PRICE" is the parameter name and "12000" is the parameter value. That is, the tenth line shows a parameter (Hidden parameter) having parameter type "Hidden", parameter name "PRICE" and parameter value "12000".
Parameter types other than "Cookie" and "Hidden" also exist, such as "GET".
The following describes the case where the reply 100 of Fig. 7 is received in step S11.
Return Fig. 6 explanation once more.Reply filter 61,, read in the filtering rule (step S12) of storage in the filtering rule storage part 52 when receiving when replying 100.At this moment, reply filter 61 and read in the filtering rule storage part 52 in the filtering rule of storage one.
Here, Fig. 8 is illustrated in an example of the filtering rule of storage in the filtering rule storage part 52.As shown in Figure 8, (by) filtering rule (condition of expression), URL pattern, parameter type and parameter name comprised at least.In this manual, the URL pattern is an example of " the destination recognition mode continues ", and for example the souvenir method by regular performance etc. provides.
In the example that Fig. 8 represents, stored filter rule 521~526 in filtering rule storage part 52.
Filtering rule 521 comprises URL pattern " .*/order$.do.* ", parameter type " COOKIE " and parameter name " SESSION_ID ".
Filtering rule 522 comprises URL pattern " .*/order$.do.* ", parameter type " HIDDEN " and parameter name " SCREEN_ID ".
Filtering rule 523 comprises URL pattern " .*/order$.do.* ", parameter type " HIDDEN " and parameter name " USER_ID ".
Filtering rule 524 comprises URL pattern " .*/order$.do.* ", parameter type " HIDDEN " and parameter name " PRICE ".
Filtering rule 525 comprises URL pattern " .*/userinfo$.do.* ", parameter type " GET " and parameter name " CLASS ".
In addition, filtering rule 526 comprises URL pattern " .*/order$.do.* ", parameter type " GET " and parameter name " ADDRESS ".
Returning to Fig. 6. In step S12 described above, the reply filter 61 reads in filtering rule 521 shown in Fig. 8.
The reply filter 61 judges whether the URL contained in the reply 100 received in step S11 matches the URL pattern of the filtering rule 521 that was read in (step S13).
The URL pattern contained in filtering rule 521 is ".*/order$.do.*". This denotes a pattern that begins with an arbitrary string, contains the string "/order.do" and ends with an arbitrary string; an arbitrary string here includes the empty string. The URL contained in the reply 100, on the other hand, is "http://hostname/order.do".
In this case the reply filter 61 judges that the URL contained in the reply 100 matches the URL pattern contained in filtering rule 521 (YES in step S13).
Next, the reply filter 61 judges whether the reply 100 contains a parameter having the parameter type and the parameter name contained in the filtering rule 521 that was read in, that is, a parameter matching both that parameter type and that parameter name (step S14).
The parameter type contained in filtering rule 521 is "COOKIE" and the parameter name is "SESSION_ID". The first line of the reply 100 shown in Fig. 7 contains a parameter of parameter type "Cookie (COOKIE)" and parameter name "SESSION_ID".
In this case the reply filter 61 judges that the reply 100 contains a parameter having the parameter type and the parameter name contained in filtering rule 521 (YES in step S14), and detects that parameter (the parameter on the first line of the reply 100 in Fig. 7) from the reply 100 as the parameter matching filtering rule 521.
When a parameter matching filtering rule 521 is detected from the reply 100, the dialogue management portion 62 judges whether a dialogue object corresponding to the reply 100 has already been generated (step S15). The dialogue management portion 62 makes this judgement by referring to the dialogue object storage portion 53. As described later, a dialogue object is generated when a parameter is first detected from the reply 100, and is stored in the dialogue object storage portion 53.
Here, the parameter detected by the reply filter 61 is the first parameter detected from the reply 100, so no dialogue object corresponding to the reply 100 has been generated yet. The dialogue management portion 62 therefore judges that the dialogue object corresponding to the reply 100 has not been generated (NO in step S15).
When it is judged that the dialogue object has not been generated, the dialogue management portion 62 generates a dialogue object corresponding to the reply 100 (step S16) and stores the generated dialogue object in the dialogue object storage portion 53.
The dialogue management portion 62 issues a dialogue ID for uniquely identifying the generated dialogue object (the dialogue object stored in the dialogue object storage portion 53) (step S17). Here the dialogue ID issued by the dialogue management portion 62 is assumed to be "3juzOuAwk". Compared with the dialogue ID "012" issued by the application server 20, this is a strong dialogue ID that is hard to predict. The dialogue ID issued by the application server 20 is stored in the dialogue object that is uniquely identified by this dialogue ID.
Next, the reply filter 61 stores the detected parameter (the parameter matching filtering rule 521) in the dialogue object stored in the dialogue object storage portion 53 (step S18). This dialogue object is the one generated in step S16 in correspondence with the reply 100. A parameter stored in the dialogue object comprises a parameter type, a parameter name and a parameter value. Here, since the first line of the reply 100 shown in Fig. 7 is a Cookie parameter, "COOKIE (Cookie)" is stored in the dialogue object as the parameter type. As the parameter name, "SESSION_ID", the left-hand side of "=" in "SESSION_ID=012", is stored in the dialogue object; as the parameter value, "012", the right-hand side of "=" in "SESSION_ID=012", is stored.
The reply filter 61 deletes the detected parameter from the reply 100 (step S19). Here, the string "SESSION_ID=012" is deleted from the reply 100 shown in Fig. 7.
Next, it is judged whether the processing from step S12 onward has been carried out for all the filtering rules stored in the filtering rule storage part 52 (step S20).
When it is judged that the processing has not been carried out for all the filtering rules (NO in step S20), processing returns to step S12 and is repeated.
Likewise, when it is judged in step S13 that the URL contained in the reply 100 does not match the URL pattern contained in the filtering rule, processing returns to step S12 and is repeated. When it is judged in step S14 that no parameter having the parameter type and the parameter name contained in the filtering rule exists in the reply 100, processing also returns to step S12 and is repeated.
Here, since the processing from step S12 onward has been carried out for filtering rule 521 stored in the filtering rule storage part 52, the same processing is next carried out for filtering rule 522.
The processing from step S12 onward for filtering rule 522 is described briefly.
The URL pattern contained in filtering rule 522 is ".*/order$.do.*". The URL contained in the reply 100, on the other hand, is "http://hostname/order.do".
It is therefore judged in step S13 that the URL contained in the reply 100 matches the URL pattern contained in filtering rule 522.
The parameter type contained in filtering rule 522 is "HIDDEN" and the parameter name is "SCREEN_ID". The eighth line of the reply 100 contains a parameter (a Hidden parameter) of parameter type "Hidden (HIDDEN)" and parameter name "SCREEN_ID".
It is therefore judged in step S14 that a parameter having the parameter type and the parameter name contained in filtering rule 522 exists in the reply 100.
Accordingly, the parameter having the parameter type and the parameter name contained in filtering rule 522 (the parameter on the eighth line of the reply 100 shown in Fig. 7) is detected from the reply 100 as the parameter matching filtering rule 522.
At this point a dialogue object corresponding to the reply 100 has already been generated. It is therefore judged in step S15 that the dialogue object corresponding to the reply 100 has been generated (YES in step S15). In this case steps S16 and S17 are not executed, and step S18 is executed.
In step S18, the detected parameter (the parameter matching filtering rule 522) is stored in the dialogue object stored in the dialogue object storage portion 53 (the dialogue object corresponding to the reply 100).
In step S19, the detected parameter is deleted from the reply 100.
In this way, the processing from step S12 onward is executed in turn for all the filtering rules stored in the filtering rule storage part 52. When the processing has been executed for all the filtering rules stored in the filtering rule storage part 52, every parameter detected from the reply 100 (for example, the parameters matching filtering rules 522 to 526) is stored in the dialogue object corresponding to the reply 100.
Although a detailed description is omitted, of the filtering rules 521 to 526 shown in Fig. 8, parameters matching filtering rules 521 to 524 exist in the reply 100 shown in Fig. 7, but no parameter matching filtering rule 525 or 526 exists. That is, when the processing from step S12 onward has been executed for all of filtering rules 521 to 526, the parameters matching filtering rules 521 to 524 are stored in the dialogue object corresponding to the reply 100.
Although none exists in the reply 100 shown in Fig. 7, for a filtering rule whose parameter type is "GET", such as filtering rule 525 (or 526), a parameter (a GET parameter) matching that parameter type "GET" and parameter name "CLASS" (or "ADDRESS") is likewise detected from the reply 100 and stored in the dialogue object if one exists. For example, when the URL contained in the reply 100 is "http://hostname/order.do?SCREEN_ID=s001", "GET" is stored in the dialogue object as the parameter type, the left-hand side of "=" in "SCREEN_ID=s001" (SCREEN_ID) as the parameter name, and the right-hand side of that "=" (s001) as the parameter value.
Here, Fig. 9 shows an example of the data structure of the dialogue object corresponding to the reply 100.
As shown in Fig. 9, the dialogue object stores at least an internal kind and a parameter. The parameter comprises a parameter type, a parameter name and a parameter value.
The internal kind indicates the kind of the parameter inside the dialogue object. The internal kinds include "SESSID" and "PARAM". "SESSID" denotes the dialogue ID issued by the dialogue management portion 62. "PARAM" denotes a parameter detected by the reply filter 61 (a parameter matching a filtering rule).
In the example shown in Fig. 9, the dialogue object stores the internal kind "SESSID", the parameter type "COOKIE", the parameter name "FILTER_SID" and the parameter value "3juzOuAwk". This indicates that the dialogue ID issued by the dialogue management portion 62 has the parameter type "COOKIE", the parameter name "FILTER_SID" and the parameter value "3juzOuAwk".
The parameter type of the dialogue ID issued by the dialogue management portion 62 is decided, for example, according to the parameter type of the information (such as an ID) used for management in the reply 100. Here, since the reply 100 contains "Set-Cookie", for example, the parameter type of the dialogue ID issued by the dialogue management portion 62 is "Cookie".
As the parameter name of the dialogue ID issued by the dialogue management portion 62, a parameter name that does not collide with any parameter name used in the Web application provided by the application server 20 is used.
As the parameter value of the dialogue ID issued by the dialogue management portion 62, a strong value that is hard to predict compared with the dialogue ID issued by the application server 20 (the dialogue ID contained in the reply 100) is used.
Similarly, the dialogue object stores the internal kind "PARAM", the parameter type "COOKIE", the parameter name "SESSION_ID" and the parameter value "012". This indicates that the parameter detected from the reply 100 has the parameter type "COOKIE", the parameter name "SESSION_ID" and the parameter value "012". This parameter detected from the reply 100 is the parameter matching filtering rule 521 shown in Fig. 8.
The dialogue object also stores the internal kind "PARAM", the parameter type "HIDDEN", the parameter name "SCREEN_ID" and the parameter value "s001". This indicates that the parameter detected from the reply 100 has the parameter type "HIDDEN", the parameter name "SCREEN_ID" and the parameter value "s001". This parameter detected from the reply 100 is the parameter matching filtering rule 522 shown in Fig. 8.
The dialogue object also stores the internal kind "PARAM", the parameter type "HIDDEN", the parameter name "USER_ID" and the parameter value "taro". This indicates that the parameter detected from the reply 100 has the parameter type "HIDDEN", the parameter name "USER_ID" and the parameter value "taro". This parameter detected from the reply 100 is the parameter matching filtering rule 523 shown in Fig. 8.
The dialogue object further stores the internal kind "PARAM", the parameter type "HIDDEN", the parameter name "PRICE" and the parameter value "12000". This indicates that the parameter detected from the reply 100 has the parameter type "HIDDEN", the parameter name "PRICE" and the parameter value "12000". This parameter detected from the reply 100 is the parameter matching filtering rule 524 shown in Fig. 8.
Returning again to Fig. 6, when it is judged in step S20 that the processing from step S12 onward has been executed for all the filtering rules, the reply filter 61 embeds the dialogue ID issued by the dialogue management portion 62 in the reply 100 (step S21). Specifically, the dialogue ID issued by the dialogue management portion 62 is embedded as the Cookie parameter "Set-Cookie:FILTER_SID=3juzOuAwk" of the reply 100. The dialogue ID issued by the dialogue management portion 62 may also be embedded in a form other than a Cookie, for example as a Hidden parameter or a GET parameter. In every case the form of embedding must agree with the parameter type stored under the internal kind "SESSID" shown in Fig. 9.
Here, parameters were deleted from the reply 100 in step S19. The data length of the reply 100 after deletion of the parameters is therefore shorter than that of the reply 100 received in step S11. The reply filter 61 accordingly updates the value of "Content-length", which indicates the data length in the reply 100, to the correct value reflecting the deletion of the parameters (step S22).
The reply filter 61 sends the reply 100 with the updated "Content-length" to the client terminal 10 (step S23).
Here, Fig. 10 shows an example of the reply 100 sent by the reply filter 61. It is described in comparison with the reply 100 of Fig. 7 (the reply before processing) where appropriate.
In the reply 100 shown in Fig. 10, "FILTER_SID=3juzOuAwk" on the first line is the dialogue ID issued by the dialogue management portion 62. That is, in the reply 100 shown in Fig. 10, "SESSION_ID" on the first line of the reply 100 shown in Fig. 7 has been replaced by the dialogue ID issued by the dialogue management portion 62. Thus, even when the application server 20 has issued a weak dialogue ID ("SESSION_ID=012" in the reply 100 shown in Fig. 7), replacing it with a strong dialogue ID that is hard to predict ("FILTER_SID=3juzOuAwk" in the reply shown in Fig. 10) prevents, for example, impersonation by abuse of the dialogue ID.
In the reply 100 shown in Fig. 10, "Content-length" on the second line is the data length after deletion of the parameters, as updated by the reply filter 61. In the example of Fig. 10, "Content-length" has been updated to "221" in accordance with the deletion of the parameters.
Compared with the reply 100 shown in Fig. 7, the Hidden parameters (the eighth to tenth lines of the reply 100 shown in Fig. 7) have been deleted from the reply 100 shown in Fig. 10.
That is, when a Hidden parameter that is needed for screen transitions of the Web application provided by the application server 20 contains information that the Web browser running on the client terminal 10 does not need, that information is not sent to the client terminal 10, so its leakage or tampering can be prevented. Specifically, in the reply 100 of Fig. 10 sent to the client terminal 10, the parameter on the tenth line of the reply 100 of Fig. 7 (the PRICE parameter), for example, has been deleted, so tampering with the price information and the like can be prevented.
The above describes the case in which step S21 is executed after it is judged in step S20 that the processing from step S12 onward has been executed for all the filtering rules; when no parameter matching any filtering rule exists in the reply 100 (that is, not a single parameter is detected), processing ends there.
Next, with reference to the flow chart of Fig. 11, the processing procedure of the security strengthening device 60 of this embodiment is described for the case in which the client terminal 10 sends a request for the reply sent by the reply filter 61 as described above. Here, the case in which the client terminal 10 sends the order acceptance request described with reference to Fig. 3 above is described.
First, the request filter 63 of the security strengthening device 60 receives the request sent by the client terminal 10 (step S31). This request contains the dialogue ID embedded in the reply 100 sent by the reply filter 61 (the dialogue ID issued by the dialogue management portion 62).
Here, Fig. 12 shows an example of the order acceptance request received by the request filter 63. The request 200 shown in Fig. 12 is sent from the client terminal 10 when the user operates the client terminal 10 and presses the send button on the order screen shown in Fig. 4 above.
The first line of the request 200 shown in Fig. 12 is the Cookie sent from the client terminal 10 (the Web browser running on it) and contains the dialogue ID. "FILTER_SID=3juzOuAwk" on the first line of the request 200 is the dialogue ID embedded (as a replacement) in the reply 100 sent by the reply filter 61.
"Content-length" on the second line of the request 200 indicates, in bytes, the data length of the data that follows.
The fourth line of the request 200 is a parameter representing the order quantity entered in the Web browser running on the client terminal 10 and sent when the send button on the order screen of Fig. 4 was pressed. "ORDER=10" on the fourth line of the request 200 indicates that an order of 10 units is requested.
In the following, the case in which the request 200 shown in Fig. 12 is received in step S31 is described.
Returning to Fig. 11, the request filter 63 obtains the dialogue ID contained in the received request 200 (step S32). The request filter 63 obtains "FILTER_SID=3juzOuAwk" from the request 200 as the dialogue ID. In "FILTER_SID=3juzOuAwk", "FILTER_SID" is the parameter name and "3juzOuAwk" is the parameter value.
Next, the request filter 63 reads in the dialogue object corresponding to the obtained dialogue ID from the dialogue object storage portion 53 (step S33). The request filter 63 reads in the dialogue object that stores, in association with the internal kind "SESSID", the parameter name and parameter value of the obtained dialogue ID. That is, it reads in the dialogue object whose parameter name and parameter value associated with the internal kind "SESSID" match the parameter name and parameter value of the dialogue ID obtained by the request filter 63.
Specifically, it reads in the dialogue object in which the parameter type "COOKIE", the parameter name "FILTER_SID" and the parameter value "3juzOuAwk" of "FILTER_SID=3juzOuAwk" obtained from the request 200 are stored in association with the internal kind "SESSID". That is, the dialogue object shown in Fig. 9 above is read in from the dialogue object storage portion 53.
The request filter 63 deletes the dialogue ID contained in the received request 200 from the request 200 (step S34). At this time, the item matching the parameter type, parameter name and parameter value associated with the internal kind "SESSID" of the dialogue object that was read in is deleted. Since the parameter type associated with "SESSID" is "COOKIE", the Cookie parameter "FILTER_SID=3juzOuAwk" on the first line of the request 200 shown in Fig. 12 is deleted from the request 200.
The request filter 63 obtains the parameters (parameter type, parameter name and parameter value) stored in association with the internal kind "PARAM" in the dialogue object that was read in (step S35). The request filter 63 obtains the parameters through the dialogue management portion 62. The parameters stored in association with the internal kind "PARAM" in the dialogue object are the parameters that the request filter 63 restores (reconstructs) in the received request 200.
The request filter 63 obtains the parameters stored in the dialogue object one at a time. Here, it is assumed that the parameter type "COOKIE", parameter name "SESSION_ID" and parameter value "012" stored in association with the internal kind "PARAM" in the dialogue object shown in Fig. 9 are obtained.
The request filter 63 restores the obtained parameter, comprising the parameter type "COOKIE", parameter name "SESSION_ID" and parameter value "012", in the request 200 (step S36).
In this case, since the parameter type is "COOKIE", the string "SESSION_ID=012", formed with the parameter name "SESSION_ID" on the left-hand side of "=" and the parameter value "012" on the right-hand side, is restored in the request 200 as a Cookie parameter.
Next, the request filter 63 judges whether all the parameters stored in the dialogue object that was read in have been restored in the request 200 (step S37). That is, it judges whether all the parameters stored in association with the internal kind "PARAM" in the dialogue object have been restored.
When it is judged that not all the parameters stored in the dialogue object have been restored in the request 200 (NO in step S37), processing returns to step S35 and is repeated. That is, the processing is repeated until all the parameters stored in the dialogue object have been restored.
Here, the parameters to be restored in the request 200 from the dialogue object shown in Fig. 9 are, as described above, the parameters associated with the internal kind "PARAM". That is, the dialogue object shown in Fig. 9 holds four parameters to be restored in the request 200. The request filter 63 restores these parameters and reconstructs the request as a request for the Web application.
Next, the case in which the parameter type "HIDDEN", parameter name "SCREEN_ID" and parameter value "s001" stored in association with the internal kind "PARAM" in the dialogue object are obtained in step S35 is described. In this case, since the parameter type is "HIDDEN", the string "SCREEN_ID=s001", formed with the parameter name "SCREEN_ID" on the left-hand side of "=" and the parameter value "s001" on the right-hand side, is restored in the request 200 as a Hidden parameter.
Next, the case in which the parameter type "HIDDEN", parameter name "USER_ID" and parameter value "taro" stored in association with the internal kind "PARAM" in the dialogue object are obtained in step S35 is described. In this case, since the parameter type is "HIDDEN", the string "USER_ID=taro", formed with the parameter name "USER_ID" on the left-hand side of "=" and the parameter value "taro" on the right-hand side, is restored in the request 200 as a Hidden parameter.
Further, the case in which the parameter type "HIDDEN", parameter name "PRICE" and parameter value "12000" stored in association with the internal kind "PARAM" in the dialogue object are obtained in step S35 is described. In this case, since the parameter type is "HIDDEN", the string "PRICE=12000", formed with the parameter name "PRICE" on the left-hand side of "=" and the parameter value "12000" on the right-hand side, is restored in the request 200 as a Hidden parameter.
Although not stored in the dialogue object shown in Fig. 9, when a parameter whose parameter type is "GET" is obtained, it is restored by appending it to the URL as a GET parameter. For example, when the parameter type "GET", parameter name "SCREEN_ID" and parameter value "s001" are obtained and the URL is assumed to be "http://sampleshost/order.do?ORDER=10", the GET parameter is restored as "http://sampleshost/order.do?ORDER=10&SCREEN_ID=s001".
When the restoration processing has been carried out as described above and it is judged that all the parameters stored in association with the internal kind "PARAM" in the dialogue object have been restored in the request 200 (YES in step S37), the request filter 63 discards the dialogue object that was read in from the dialogue object storage portion 53 (step S38). At this time, the request filter 63 discards the dialogue object through the dialogue management portion 62.
Parameters have been restored in the request 200 as described above. The data length of the request 200 after restoration of the parameters is therefore greater than that of the request 200 received in step S31. The request filter 63 accordingly updates the value of "Content-length", which indicates the data length in the request 200, to the correct value reflecting the restoration of the parameters (step S39).
The request filter 63 sends the request 200 with the updated "Content-length" to the application server 20 (step S40).
Here, Fig. 13 shows an example of the request 200 sent by the request filter 63. It is described in comparison with the request 200 shown in Fig. 12 (the request before processing) where appropriate.
In the request 200 shown in Fig. 13, the Cookie parameter has been restored on the first line. This is the result of restoring, as a Cookie parameter, the parameter type "COOKIE", parameter name "SESSION_ID" and parameter value "012" stored in association with the internal kind "PARAM" in the dialogue object.
In the request 200 shown in Fig. 13, the Hidden parameters have been restored on the fourth line. "SCREEN_ID=s001" is the result of restoring, as a Hidden parameter, the parameter type "HIDDEN", parameter name "SCREEN_ID" and parameter value "s001" stored in association with the internal kind "PARAM" in the dialogue object shown in Fig. 9. "USER_ID=taro" is the result of restoring, as a Hidden parameter, the parameter type "HIDDEN", parameter name "USER_ID" and parameter value "taro" stored in association with the internal kind "PARAM" in the dialogue object shown in Fig. 9. "PRICE=12000" is the result of restoring, as a Hidden parameter, the parameter type "HIDDEN", parameter name "PRICE" and parameter value "12000" stored in association with the internal kind "PARAM" in the dialogue object shown in Fig. 9.
By sending the request 200 with the parameters restored to the application server 20 in this way, the Web application provided by the application server 20 is not affected even when it has already been developed and put into operation.
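The two procedures above (the reply filter of Fig. 6 and the request filter of Fig. 11) run end to end in the following Python. It is an example added by the editor, not code from the patent or from Toshiba. It applies the six rules of Fig. 8 to a reply, stores the matching parameters under a freshly generated dialogue ID, deletes them from the reply, recomputes Content-Length, and then reverses the process on the request. Everything beyond the values quoted in the text is an assumption: the HTTP framing and HTML layout of Figs. 7 and 12 are constructed stand-ins; the printed pattern ".*/order$.do.*" is read as the regular expression ".*/order\.do.*", as the description explains it; the dialogue ID comes from secrets.token_urlsafe (192 bits) rather than the nine-character example value; a request whose FILTER_SID is absent, unknown or already used is refused, which the text does not specify; and the HttpOnly attribute is an addition. The helper names (split_message, join_message, cookies_of, dialogue_id_of, round_trip) are the example's own.

```python
import re
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Rules 521 to 526 of Fig. 8 as (URL pattern, type, name); the printed ".*/order$.do.*" is
# read as the regex ".*/order\.do.*" ("any URL containing /order.do"), per the description.
RULES = [
    (r".*/order\.do.*", "COOKIE", "SESSION_ID"),
    (r".*/order\.do.*", "HIDDEN", "SCREEN_ID"),
    (r".*/order\.do.*", "HIDDEN", "USER_ID"),
    (r".*/order\.do.*", "HIDDEN", "PRICE"),
    (r".*/userinfo\.do.*", "GET", "CLASS"),
    (r".*/order\.do.*", "GET", "ADDRESS"),
]
FILTER_COOKIE = "FILTER_SID"  # parameter name under which the filter's own dialogue ID travels
STORE: dict[str, list[tuple[str, str, str]]] = {}  # dialogue object storage portion 53
HIDDEN = r'<input\s+type="hidden"\s+name="{}"\s+value="([^"]*)"\s*/?>[ \t]*\r?\n?'  # assumed HTML layout

def split_message(msg: bytes) -> tuple[list[str], str]:
    head, _, body = msg.partition(b"\r\n\r\n")
    return head.decode("latin-1").split("\r\n"), body.decode("latin-1")

def join_message(headers: list[str], body: str) -> bytes:
    """Rebuild the message with Content-Length recomputed (steps S22 and S39)."""
    data = body.encode("latin-1")
    out = [h for h in headers if not h.lower().startswith("content-length:")]
    out.insert(1, f"Content-Length: {len(data)}")
    return ("\r\n".join(out) + "\r\n\r\n").encode("latin-1") + data

def cookies_of(headers: list[str]) -> dict[str, str]:
    """name=value pairs from every Cookie request header, in order."""
    pairs = [p.strip().split("=", 1) for h in headers if h.lower().startswith("cookie:")
             for p in h.split(":", 1)[1].split(";") if "=" in p]
    return dict(pairs)

def dialogue_id_of(reply: bytes) -> str:
    return re.search(FILTER_COOKIE.encode() + rb"=([^;\r]+)", reply).group(1).decode()

def filter_response(url: str, resp: bytes, rules=RULES) -> bytes:
    """Reply filter 61 (Fig. 6): detect, store and delete rule-matching parameters,
    then embed an unpredictable dialogue ID of the filter's own in their place."""
    headers, body = split_message(resp)
    query = dict(parse_qsl(urlsplit(url).query))
    found: list[tuple[str, str, str]] = []
    for pattern, ptype, name in rules:           # step S12
        if not re.fullmatch(pattern, url):       # step S13
            continue
        if ptype == "COOKIE":                    # step S14 on the Set-Cookie headers
            pat = re.compile(rf"set-cookie:\s*{re.escape(name)}=([^;]*).*", re.I)
            hit = next((i for i, h in enumerate(headers) if pat.fullmatch(h)), None)
            if hit is not None:                  # steps S18 and S19: store, then delete
                found.append(("COOKIE", name, pat.fullmatch(headers.pop(hit)).group(1)))
        elif ptype == "HIDDEN":                  # step S14 on hidden form fields
            m = re.search(HIDDEN.format(re.escape(name)), body)
            if m:
                found.append(("HIDDEN", name, m.group(1)))
                body = body[:m.start()] + body[m.end():]
        elif ptype == "GET" and name in query:   # step S14 on the query of the reply's URL
            found.append(("GET", name, query[name]))
    if not found:
        return resp                              # nothing matched: the reply passes unchanged
    sid = secrets.token_urlsafe(24)              # step S17: 192 bits from the OS CSPRNG
    STORE[sid] = found                           # steps S15, S16, S18
    headers.append(f"Set-Cookie: {FILTER_COOKIE}={sid}; HttpOnly")  # step S21; HttpOnly is an addition
    return join_message(headers, body)           # step S22

def filter_request(url: str, req: bytes) -> tuple[str, bytes]:
    """Request filter 63 (Fig. 11): swap the dialogue ID back for the stored parameters."""
    headers, body = split_message(req)
    jar = cookies_of(headers)
    sid = jar.pop(FILTER_COOKIE, None)           # steps S32, S34
    if sid is None or sid not in STORE:          # unknown or replayed ID: refuse (text is silent)
        raise PermissionError("request carries no valid dialogue ID")
    params = STORE.pop(sid)                      # steps S33, S38: single use, then discarded
    headers = [h for h in headers if not h.lower().startswith("cookie:")]
    form, parts = dict(parse_qsl(body)), urlsplit(url)
    query = dict(parse_qsl(parts.query))
    for ptype, name, value in params:            # steps S35 to S37
        target = {"COOKIE": jar, "HIDDEN": form, "GET": query}[ptype]
        target[name] = value
    if jar:
        headers.append("Cookie: " + "; ".join(f"{k}={v}" for k, v in jar.items()))
    url = urlunsplit(parts._replace(query=urlencode(query)))  # GET parameters back onto the URL
    return url, join_message(headers, urlencode(form))        # hidden fields into the body; S39

# Constructed stand-in for Fig. 7, using only the values quoted in the text.
REPLY_100 = (
    b"HTTP/1.1 200 OK\r\nSet-Cookie: SESSION_ID=012\r\nContent-Length: 252\r\n\r\n"
    b'<form method="POST" action="/order.do">\n'
    b'<input type="hidden" name="SCREEN_ID" value="s001">\n'
    b'<input type="hidden" name="USER_ID" value="taro">\n'
    b'<input type="hidden" name="PRICE" value="12000">\n'
    b'<input type="text" name="ORDER"><input type="submit"></form>\n'
)

def round_trip() -> dict:
    """Fig. 7 -> Fig. 10 at the reply filter, then a constructed Fig. 12 -> Fig. 13 at the request filter."""
    reply = filter_response("http://hostname/order.do", REPLY_100)
    request = (b"POST /order.do HTTP/1.1\r\nCookie: FILTER_SID=" + dialogue_id_of(reply).encode()
               + b"\r\nContent-Length: 8\r\n\r\nORDER=10")
    url, forwarded = filter_request("http://hostname/order.do", request)
    return {"reply": reply, "request": request, "url": url, "forwarded": forwarded}
```

Two points a practitioner would check in this form: the dialogue object is popped on first use (step S38), so a resubmission carrying the same FILTER_SID fails closed rather than replaying the stored PRICE; and a reply in which no rule matches passes through untouched, as the end of the step S20 description requires. GET parameters are matched against the query string of the reply's URL and restored onto the request URL, which is the "?ORDER=10&SCREEN_ID=s001" case in the text.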
As described above, in this embodiment, of the parameters contained in a reply sent from the application server 20, those matching the filtering rules stored in the filtering rule storage part 52 are stored temporarily in a dialogue object. Further, in this embodiment, a strong dialogue ID of the device's own that is hard to predict is embedded in the reply in place of the dialogue ID issued by the application server 20, and the reply, from which the parameters stored in the dialogue object have been deleted, is sent to the client terminal 10. Further, in this embodiment, when a request for the reply in which the device's own dialogue ID has been embedded and from which the parameters have been deleted is sent from the client terminal 10, the parameters stored in the dialogue object are restored in that request, which is then sent to the application server 20.
Thus, in this embodiment, parameters in a reply that are not used by the Web browser running on the client terminal 10 but are carried between screens of the Web application provided by the application server 20, and that might be leaked or tampered with (for example price information or personal information), are not sent to the client terminal 10. Therefore, in this embodiment, leakage and tampering of the parameters contained in a reply from the application server 20 can be prevented, so the dialogue with the Web application provided by the application server 20 can be continued safely.
Moreover, in this embodiment this is achieved without modifying the program of an already developed Web application, so even when a problem comes to light after the Web application has been put into operation, the problem can be dealt with without changing the implementation of the running Web application.
In this embodiment the case in which one reply contains one input form has been described. Even when one reply contains a plurality of input forms, this can be realised easily, without changing the structure of the security strengthening device 60 of this embodiment, by embedding an identifier of the form together with the dialogue ID.
Further, the security strengthening device 60 of this embodiment may be configured so that, after the reply filter 61 has sent a reply to the client terminal 10, it monitors for the request sent from the client terminal 10 for that reply, and when no such request is sent from the client terminal 10 within a predetermined period (time) (that is, when the request filter 63 of the security strengthening device 60 does not receive the request), the dialogue object stored in the dialogue object storage portion 53 in correspondence with that reply is discarded (timeout processing). This avoids accumulating dialogue objects in which parameters were stored and a reply was sent but no request for that reply ever arrived.
In this embodiment the security strengthening device 60 was described as relaying requests and replies between the client terminal 10 and the application server 20, but the security strengthening device 60 (its functions) may also be built into the application server 20.
The present invention is not limited to the embodiment described above as it is; at the implementation stage the structural elements can be modified and embodied without departing from its gist. Various inventions can also be formed by suitably combining the plurality of structural elements disclosed in the above embodiment. For example, some structural elements may be deleted from the entire set of structural elements shown in the embodiment.

Claims (4)

1. A security strengthening device connectable for communication with a client terminal operated by a user and with an application server that provides an application to the client terminal, characterised by
having:
a rule storage unit that stores in advance a rule expressing a condition of a parameter that is liable to be leaked or tampered with;
a reply receiving unit that receives from the application server a reply that contains a parameter for a request sent from the client terminal in accordance with the user's operation in order to use the application;
a detecting unit that detects, from the received reply, a parameter matching the condition expressed by the rule stored in the rule storage unit;
a generation unit that, when a parameter matching the condition expressed by the rule is detected from the received reply, generates a dialogue object corresponding to the reply;
a dialogue object storage unit that stores the generated dialogue object;
an issuing unit that issues dialogue identifying information for uniquely identifying the generated dialogue object;
a storage processing unit that stores the detected parameter, associated with the issued dialogue identifying information, in the dialogue object stored in the dialogue object storage unit;
a parameter deleting unit that deletes the detected parameter from the received reply when that parameter is stored in the dialogue object;
an embedding unit that embeds the issued dialogue identifying information in the reply from which the parameter stored in the dialogue object has been deleted;
a reply transmitting unit that sends the reply in which the issued dialogue identifying information has been embedded to the client terminal;
a request receiving unit that, after the reply in which the issued dialogue identifying information has been embedded has been sent, receives from the client terminal a request for that reply containing that dialogue identifying information;
a reading unit that reads in, from the dialogue object storage unit, the dialogue object identified by the dialogue identifying information contained in the request received by the request receiving unit;
a dialogue identifying information deleting unit that deletes the dialogue identifying information contained in the request received by the request receiving unit from that request;
a restoring unit that restores the parameter stored in the read-in dialogue object in the request from which the dialogue identifying information has been deleted by the dialogue identifying information deleting unit; and
a request transmitting unit that sends the request in which the parameter has been restored to the application server.
2. The security strengthening device according to claim 1, characterized in that
it further has a discard unit, which discards the dialogue object once the parameter stored in the read dialogue object has been restored into the request from which the dialogue ID was deleted.
3. The security strengthening device according to claim 1, characterized in that
it further has a discard unit, which, when no request for the sent reply is received from the client terminal within a predetermined period after the reply with the embedded issued dialogue ID was sent to the client terminal, discards the dialogue object stored in the dialogue object storage unit.
4. The security strengthening device according to claim 1, characterized in that
the condition expressed by a rule stored in the rule storage unit comprises a connection destination recognition pattern, a parameter type and a parameter name;
the received reply also contains connection destination identifying information relating to the transmission destination of the request for that reply;
a parameter contained in the received reply includes the parameter type and the parameter name of that parameter; and
the detecting unit comprises the following units:
a unit that judges whether the connection destination identifying information contained in the received reply matches the connection destination recognition pattern contained in the condition expressed by the rule stored in the rule storage unit;
a unit that, when the connection destination identifying information contained in the received reply is judged to match the connection destination recognition pattern, judges whether the received reply contains a parameter having the parameter type and parameter name contained in the condition expressed by the rule stored in the rule storage unit; and
a unit that, when the received reply is judged to contain a parameter having the parameter type and parameter name contained in the condition expressed by the rule stored in the rule storage unit, detects that parameter from the reply.
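The following Python model of claims 1 to 4 is added here as an illustration and is not code from the patent or its assignee; the rule format, the dictionary shapes used for a reply (a form with an action and typed parameters) and a request, the class and method names, and the use of a URL-prefix match for the connection destination recognition pattern are all assumptions.

```python
import secrets, time

# Constructed rule in the shape claim 4 describes: a connection destination
# pattern plus the parameter type and name of a parameter at risk of tampering.
RULES = [{"dest": "/order/", "ptype": "hidden", "pname": "price"}]

class SecurityStrengtheningDevice:
    def __init__(self, rules, ttl_seconds=300, now=time.time):
        self.rules = rules
        self.ttl = ttl_seconds
        self.now = now            # injectable clock so expiry (claim 3) is testable
        self.dialogues = {}       # dialogue object storage unit: ID -> object

    def _detect(self, reply):
        """Detecting unit (claim 4): match destination, then parameter type and name."""
        hits = {}
        for rule in self.rules:
            if not reply["action"].startswith(rule["dest"]):
                continue
            for p in reply["params"]:
                if p["type"] == rule["ptype"] and p["name"] == rule["pname"]:
                    hits[p["name"]] = p["value"]
        return hits

    def filter_reply(self, reply):
        """Reply side: store matched parameters, strip them, embed a dialogue ID."""
        hits = self._detect(reply)
        if not hits:
            return reply
        dialogue_id = secrets.token_urlsafe(16)   # issuance unit: unguessable ID
        self.dialogues[dialogue_id] = {"params": hits, "expires": self.now() + self.ttl}
        kept = [p for p in reply["params"] if p["name"] not in hits]
        kept.append({"type": "hidden", "name": "dialogue_id", "value": dialogue_id})
        return {"action": reply["action"], "params": kept}

    def filter_request(self, request):
        """Request side: look up the dialogue object, drop the ID, restore parameters."""
        self._expire()
        params = dict(request["params"])
        dialogue = self.dialogues.pop(params.pop("dialogue_id", None), None)  # claim 2
        if dialogue is None:
            raise ValueError("unknown, reused or expired dialogue ID")
        params.update(dialogue["params"])   # server-side values win over client values
        return {"action": request["action"], "params": params}

    def _expire(self):  # discard unit (claim 3): drop objects whose wait period elapsed
        now = self.now()
        for did in [d for d, v in self.dialogues.items() if v["expires"] <= now]:
            del self.dialogues[did]
```

Because the stored value overwrites whatever the client sends under the same name, and each dialogue object is consumed on first use, a modified or replayed request cannot alter the protected parameter.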
Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2009-026342 2009-02-06
JP2009026342A JP4643718B2 (en) 2009-02-06 2009-02-06 Security enhancement program and security enhancement device

Publications (2)

Publication Number Publication Date
CN101800748A true CN101800748A (en) 2010-08-11
CN101800748B CN101800748B (en) 2013-03-27

Family

ID=42596240

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201010112456.9A Expired - Fee Related CN101800748B (en) 2009-02-06 2010-02-04 Security strengthening device

Country Status (2)

Country Link
JP (1) JP4643718B2 (en)
CN (1) CN101800748B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102546292A (en) * 2011-12-16 2012-07-04 深信服网络科技(深圳)有限公司 Method and device for detecting healthy status of server application
CN111104490A (en) * 2018-10-25 2020-05-05 阿里巴巴集团控股有限公司 Parameter deleting method and device

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP5677899B2 (en) * 2011-06-16 2015-02-25 株式会社三菱東京Ufj銀行 Information processing apparatus and information processing method
JP6629157B2 (en) 2016-09-06 2020-01-15 株式会社東芝 system

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6377994B1 (en) * 1996-04-15 2002-04-23 International Business Machines Corporation Method and apparatus for controlling server access to a resource in a client/server system
US20030005308A1 (en) * 2001-05-30 2003-01-02 Rathbun Paul L. Method and system for globally restricting client access to a secured web site
CN1900906A (en) * 2006-07-14 2007-01-24 中国科学院软件研究所 Software process main body automatic consulting system and method based on rulls
CN1960553A (en) * 2005-11-16 2007-05-09 乔超 System and method for preventing software and hardware with communication condition / function from being embezzled

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2004334741A (en) * 2003-05-12 2004-11-25 Nippon Telegr & Teleph Corp <Ntt> Relay device and its program

Also Published As

Publication number Publication date
JP4643718B2 (en) 2011-03-02
CN101800748B (en) 2013-03-27
JP2010182180A (en) 2010-08-19

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20130327

Termination date: 20190204
