CN1327206A - Application function designating device and its method and recording medium of storage execute program - Google Patents


Publication number
CN1327206A
Authority
CN
China
Prior art keywords
authorization message
user
application
function
applet
Legal status
Pending
Application number
CN 00108794
Other languages
Chinese (zh)
Inventor
长谷川义朗
桥本圭介
Current Assignee
Toshiba Corp
Original Assignee
Toshiba Corp

Landscapes

  • Computer And Data Communications (AREA)

Abstract

The application function designating device includes an authorization information returning part which, in response to an authorization information request from an application, returns authorization information indicating which of the function(s) provided by the application can be executed by the user of that application.

Description

Application function designating device and method, and recording medium storing an execution program
The present invention relates to an application function designating apparatus and method and to a recording medium; specifically, to an application function designating device and method that allow the executable functions of an application running on a WWW browser or the like to be changed dynamically according to the authorization of the user executing it, and to a recording medium storing the program for this function.
With the recent development of Internet technology, WWW (World Wide Web) applications such as Java applets running on a WWW browser (hereinafter called applets) have come into wide use.
Execution of the application itself, or of some of its functions, is often subject to user-dependent usage restrictions. For example, suppose that a certain applet includes several functions. When this applet is executed, some functions must be dynamically made executable or non-executable according to the user's authorization. To change the range of executable functions dynamically in this way, the following methods have traditionally been used.
In the first method, the applet itself asks for user information (for example, a user name and password).
That is, the applet is built so that, when it is executed, it requires the user (the person executing the applet) to input user information (i.e., a user name and password) and decides from this information which built-in functions to execute and which not to execute.
For this, however, a user authorization mechanism and a mechanism for setting and managing each user's authorization information must each be built separately.
In the second method, a different applet is prepared for each combination of executable functions.
For example, suppose that three functions A, B and C are implemented by an applet. In this case, the following are prepared:
Applet 1: an applet that can execute functions A, B and C
Applet 2: an applet that can execute functions A and C
Applet 3: an applet that can execute only function A
Access rights to these three applets are then set using the access control function of the WWW server.
That is, access rights to applet 1 are set for users who may execute all of functions A, B and C. Access rights to applet 2 are set for users who may execute functions A and C. Access rights to applet 3 are set for users who may execute only function A.
As a result, a user who is not authorized to execute function B can neither download nor execute applet 1.
Unfortunately, these conventional techniques for dynamically changing some functions of a WWW application still have the following problems to be solved.
In the first method, in which the applet itself asks for user information, the user information input to the applet is valid only within that applet running on the WWW browser.
On the other hand, when access rights are set on WWW content, the user information is passed from the WWW browser to the WWW server using HTTP (Hypertext Transfer Protocol), and the WWW server identifies the user and checks the access authorization.
To access WWW content on which access rights are set, the user is first required to input user information, and is then required to input user information again when the applet is executed. That is, single sign-on (a mechanism in which a user is identified only once for multiple services) cannot be achieved.
In addition, in the first method, a mechanism for user identification and a mechanism for managing and setting access authorization must each be prepared on the server or included in the applet. Implementing these mechanisms requires additional work.
In addition, a digital certificate is sometimes preferred as user information in place of a user name and password combination, in order to improve security and user-friendliness. When the first method is combined with the use of digital certificates, for the applet to ask for user information it is necessary to build a mechanism for extracting the digital certificate from its storage location (i.e., the WWW browser or an IC card) and a mechanism for analyzing the content of the digital certificate in order to perform user authorization. This greatly increases the implementation workload.
On the other hand, in the second method, in which different applets are prepared for the different combinations of executable functions, the user selects the applet to execute from a menu or the like. However, it is sometimes difficult to have the user select an applet every time.
For example, suppose that a process is completed by executing applet 2 after applet 1. Suppose also that applet 1 includes functions A and B, and applet 2 includes functions C and D. In this case, according to the prior art described above, each of applets 1 and 2 is implemented as the following two applets.
Applet 1a: applet 1 able to execute functions A and B
Applet 1b: applet 1 able to execute only function A
Applet 2a: applet 2 able to execute functions C and D
Applet 2b: applet 2 able to execute only function C
In this process, applet 2 is called after the processing of applet 1a is finished. However, applet 2 has two variations, applet 2a and applet 2b.
In general, a user who has access rights to applet 1a is not necessarily given access rights to applet 2a. Therefore, when applet 1a is built, it cannot be specified whether applet 1a calls applet 2a or applet 2b. For this reason, the applet to be called next must be changed dynamically when applet 1a is executed.
Unfortunately, no such mechanism is provided. Therefore, when applet 1a is executed, the user must be made to select applet 2a or 2b from a menu. In practice, however, processing is usually passed from applet 1 to applet 2 dynamically, without user intervention. Asking the user each time is therefore difficult in many cases.
In addition, when one applet includes many functions, many variations of the applet must be created, such as applet 1a, 1b, 1c, and so on. This greatly increases implementation and management costs.
An object of the present invention is to provide an application function designating device that, when an application is executed, can dynamically make some of the functions provided by the application executable or non-executable according to the authorization of the user executing the application, and that can achieve single sign-on, and to provide a recording medium storing a program that performs this application function designation.
The invention provides an application function designating device comprising a receiving part that receives an authorization information request from an application, and a returning part that returns authorization information to the application in response to the authorization information request from the application, the authorization information concerning the executability of those application functions, among the one or more functions provided by the application, that can be executed by the user using the application.
In the present invention, the authorization information returning mechanism allows some of the functions provided by an application to be made executable or non-executable according to the authorization of the user executing the application.
The invention also provides an application function designating device comprising a receiving part that receives an authorization information request from an application, and a designating part that designates the executable functions among the one or more functions of the application in response to the authorization information request from the application.
In this application function designating device, the authorization information management part manages, as execution authorization information, the user information of users who are or are not allowed to execute each function of each application.
In addition, the authorization information returning part obtains from the authorization information management part the execution authorization information for the application that issued the authorization information request. Based on this execution authorization information, information on the executability of the application functions for the user using the application is formed as, for example, an executable list, and is returned to the application that issued the request.
Therefore, some of the functions provided by the application can be made executable or non-executable according to the authorization of the user executing the application.
Additional objects and advantages of the invention will be set forth in the description that follows, and in part will be obvious from the description, or may be learned by practice of the invention. The objects and advantages of the invention may be realized and obtained by means of the instrumentalities and combinations particularly pointed out hereinafter.
The accompanying drawings, which are incorporated in and constitute a part of the specification, illustrate presently preferred embodiments of the invention and, together with the general description given above and the detailed description of the preferred embodiments given below, serve to explain the principles of the invention.
Fig. 1 is a block diagram showing the arrangement of a network system to which the application function designating device according to the first embodiment of the present invention is applied;
Fig. 2 is a diagram showing the authorization information corresponding to applet A;
Fig. 3 is a flowchart showing the operation of the WWW server in this embodiment;
Fig. 4 is a diagram showing the contents of the executable list;
Fig. 5 is a flowchart showing the operation of the WWW browser in this embodiment;
Fig. 6 is a block diagram showing the arrangement of a WWW server that implements the application function designating device according to the second embodiment of the present invention;
Fig. 7 is a flowchart showing the operation of the application function designating device in this embodiment;
Fig. 8 is a diagram showing the executable list as a CGI return value in this embodiment;
Fig. 9 is a diagram showing the data structure of the authorization information in the application function designating device according to the third embodiment of the present invention;
Fig. 10 is a flowchart showing the operation of the application function designating device in this embodiment;
Fig. 11 is a block diagram showing the arrangement of a WWW server to which the application function designating device according to the fifth embodiment of the present invention is applied;
Fig. 12 is a diagram showing an ACE;
Fig. 13 is a diagram showing the information translation table of the transcriber 155 in the fifth embodiment;
Fig. 14 is a diagram showing the ACL in the fifth embodiment;
Fig. 15 is a diagram showing the system configuration displayed by an application in an embodiment of the present invention;
Fig. 16 is a diagram showing the screen when a user for whom no change authorization is set executes the application; and
Fig. 17 is a diagram showing the screen when a user for whom the change authorization is set executes the application.
A network system to which the application function designating device according to the first embodiment of the present invention is applied is described below with reference to Fig. 1. This network system consists of a large number of computers connected to the Internet. Fig. 1 shows WWW browsers 108 and 110 and a WWW server 101 installed on some of these computers. Note that the computers themselves and the network channels, which use common channels and the like, are not shown.
The WWW server 101 has the functions of a general WWW server and also includes an authorization information returning part 102 and an authorization information management part 103. The WWW server 101 also holds a plurality of applets, including applets 105 and 106, in a storage device (not shown). The authorization information management part 103 manages the authorization information 104 corresponding to applets 105, 106 and so on.
The WWW application function designating device of this embodiment is implemented on the WWW server 101 by providing the authorization information returning part 102 and the authorization information management part 103.
In the arrangement shown in Fig. 1, user 1 uses browser 108 and user 2 uses browser 110, and these users download applet 105 from the WWW server 101 to their browsers and execute it. The applets downloaded to browsers 108 and 110 and made executable are applets 111 and 112, respectively.
When an applet asks about the user's authorization, the authorization information returning part 102 asks the authorization information management part 103 which functions of the applet the user is allowed to use. Based on the result of this query, the authorization information returning part 102 forms an executable list and returns it to the applet. The method of implementing the authorization information returning part 102 is not particularly limited, as long as the part can be activated from the applet. For example, it can be implemented using CGI (Common Gateway Interface) or an API (application programming interface) that the WWW server exposes for extending the WWW server's functions.
The authorization information management part 103 manages the authorization information 104 described above and, when called by the authorization information returning part 102, returns the content of the authorization information 104 corresponding to the specified applet and user. When the authorization information returning part 102 is implemented as CGI, the authorization information management part 103 can be activated from the authorization information returning part 102 as a subprocess, or can be executed as an internal function of the authorization information returning part 102 within the same process.
Authorization information 104 is prepared for each applet held by the WWW server 101. The authorization information 104 indicates the users who can execute each function of the corresponding applet.
Fig. 2 is a diagram showing the authorization information corresponding to applet A.
Applet A has a rough display function 122, a detailed display function 123 and a data change function 124 as its original processing functions. The users shown in Fig. 2 are authorized to execute these functions.
In addition to these original processing functions 122, 123 and 124, applets 105 and 106 have an authorization check processor 121. Note that different applets have different original processing functions.
The authorization check processor 121 activates the returning part 102 of the WWW server 101 with the name of its applet, and receives the executable list from the returning part 102.
Based on this executable list, the authorization check processor 121 makes executable those of the applet's other functions (its original processing functions) that the user is allowed to execute. Referring to Fig. 1, the functions that users 1 and 2 are allowed to execute are made executable.
Although not shown, WWW browsers 108 and 110 have, as a standard browser feature, the function of sending user information, including for example user identification information (a user name) and a password, to the server 101 in response to a request from the WWW server 101. Using this information, the WWW server 101 identifies the operators of WWW browsers 108 and 110 as users.
The operation of the application function designating device of this embodiment, configured as described above, is described next.
Fig. 3 is a flowchart showing the operation of the WWW server in this embodiment.
First, the authorization information returning part 102 is called from applet 111, 112 or the like and receives the name of the applet that is the target of the query (s1).
Next, the server function of the WWW server 101 gives the authorization information returning part 102 the user name of the user executing the applet that called the authorization information returning part 102 (s2). This user name can be obtained using a standard feature provided by the WWW server 101.
Using the query-target applet name it has obtained as a parameter, the authorization information returning part 102 asks the authorization information management part 103 for the authorization information 104 (s3).
The authorization information management part 103 extracts the authorization information 104 corresponding to the query-target applet name received in step s3 and sends it to the authorization information returning part 102 (s4).
The authorization information returning part 102 analyzes this authorization information 104 and forms a list (the executable list) of the functions that the query-target user obtained in step s2 has been authorized to execute (s5).
Fig. 4 is a diagram showing the contents of the executable list.
The table of Fig. 4 indicates whether users 1 and 2 are allowed to execute the functions of applets A and B, which are the query targets. Note that the executable list 125 relates to applet A of Fig. 2 for user 2.
The authorization information returning part 102 returns the executable list thus formed to the applet 111, 112 or the like that is the calling source (s6).
Note that in step s5 the authorization information returning part 102 forms the executable list by checking the information received from the authorization information management part 103 against the query-target user name. However, the query-target user name can also be passed as a parameter when the authorization information management part 103 is called, so that the authorization information management part 103 forms the executable list for the query-target user.
Next, with reference to the flowchart of Fig. 5, the steps by which applets 111, 112 and so on switch their operation according to the given authorization, based on the authorization information (executable list 125) received from the authorization information returning part 102, are described.
Fig. 5 is a flowchart showing the operation of the WWW browser in this embodiment.
First, when applet 111, 112 or the like is started in browser 108, 110 or the like (t1), the authorization check processor 121 of the applet activates the authorization information returning part 102 on the WWW server 101 (t2).
After this, the executable list 125 formed by the authorization information returning part 102 is passed to the authorization check processor 121 (t3). Based on this list 125 of the applet's functions, the authorization check processor 121, or the applet's original processing functions 122, 123, 124 and so on, make executable only those functions that users 1, 2 and so on are allowed to execute.
When user 2 uses applet A as shown in Fig. 1, the authorization information for applet A is as shown in Fig. 2. The executable list 125 is therefore as shown in Fig. 4. As shown in Fig. 1, only the "rough display function 122" is executable.
The following methods can be used to control the functions of applets 111, 112 and so on.
(1) When the execution screen of the applet is built, the GUI (graphical user interface) components (for example, buttons) for functions the applet user is not authorized to execute are not displayed, or are made inoperable by setting their properties; this is done by the authorization check processor 121 or by the applet's original processing functions 122, 123, 124 and so on.
(2) The executable list 125 is held in the applet, and a routine is placed in each method that provides an applet function 122 and so on. This routine checks the held executable list and, if authorization has not been given, stops execution of the method. For example, the method definition has the following layout:
public void detailedDisplay() {
    // Look up the held executable list and check whether execution of the
    // detailed display function has been authorized.
    // isAuthorized() is a hypothetical helper that consults executable list 125.
    if (isAuthorized("detailedDisplay")) {
        // Routine that performs the detailed display
    }
}
In this way, function execution restriction based on the executable list 125 is built into the authorization check processor 121 or the applet's original processing functions 122, 123, 124 and so on. When the applet is executed, this switches its operation according to the executor's authorization.
As described above, in the application function designating device according to this embodiment of the invention, the WWW server 101 includes the authorization information returning part 102 and the authorization information management part 103, and applets 111, 112 and so on use these parts. As a result, the following effects are obtained.
(1) When an applet is executed, the authorization information returning part 102 is asked to check the user's authorization. The applet can therefore be built so that its executable functions change dynamically at execution time according to the user's authorization.
(2) It is therefore possible to change dynamically which of the provided functions can and cannot be executed. This eliminates the need to create several different variations of an applet, greatly reducing implementation and management costs.
(3) Because applets 111, 112 and so on refer to execution authorization information held on the server, the authorization information can be set and managed efficiently, reducing setting and management costs. In addition, no mismatch arises when the content of the authorization information is changed, unlike the case where authorization information is given to each client.
(4) In addition, user information is passed to the authorization information returning part 102 by the WWW server 101 or the like. The user authorization function of the WWW server 101 can therefore be used directly. User information need not be requested again, so that so-called single sign-on is achieved.
Note that the user authorization function provided as a standard feature by the WWW server need not always be used directly. That is, the user name can be obtained by a different method.
In addition, even when the authorization information returning part 102 is implemented using an API that extends the server's functions, this API can obtain the user name with or without the WWW server's standard user authorization function. If the WWW server's standard user authorization function is not used, the user information can be sent to the authorization check processor 121 of applet 111, 112 and so on.
The second embodiment is described below. In the second embodiment, CGI is used as the method of implementing the authorization information returning part 102 of the first embodiment.
Fig. 6 shows the arrangement of a WWW server that implements the application function designating device according to the second embodiment. Parts identical to those in Fig. 1 are given the same reference numerals and their detailed description is omitted; only the differences are described below.
This WWW server 101 is configured in the same way as in the first embodiment, except that the authorization information returning part 102 is built as a CGI script (a program executed through CGI) and the authorization information management part 103 is implemented as a function of the authorization information returning part 102 and runs in the same process as the returning part 102. This WWW server 101 also has a user authorization part 131; this authorization part 131 is normally included in the functions of a general WWW server and was therefore not shown in the first embodiment.
On receiving a request from applet 111, 112 or the like to execute the authorization information returning part 102, the user authorization part 131 requests user information from WWW browser 108, 110 or the like. The user authorization part 131 then sets the user information it has obtained, or user information obtained earlier, in the variable REMOTE_USER and passes it to the authorization information returning part 102.
Note that CGI is a mechanism for executing programs on a WWW server; a program is run in response to a request from the browser.
The operation of the application function designating device of this embodiment, configured as described above, is described below.
Fig. 7 is a flowchart showing the operation of the WWW application function designating device of this embodiment.
First, the authorization check processor 121 of applet 111, 112 or the like requests execution of the authorization information returning part 102 by using CGI. As a result, the name of the query target (the applet name) is passed to the authorization information returning part 102 as a CGI parameter (u1).
If the executor of applet 111, 112 or the like has not yet been authorized with respect to the WWW server 101, the user authorization part 131 requests WWW browser 108, 110 or the like to send user information at the HTTP level (u2).
Receiving this request and prompting the user to input user information is a function (not shown) that WWW browsers generally provide as a standard feature. A common approach is to display a pop-up window and let the user enter a user name and password. If user authorization has already been performed for this WWW server, this processing is omitted.
Next, the WWW server 101 receives the user information sent over HTTP from WWW browser 108, 110 or the like (u3).
The user authorization part 131 of the WWW server 101 performs user authorization based on the user name and password given as user information. If the user is authorized, the user authorization part 131 sets the user name in the variable REMOTE_USER (u4). This variable can be referenced by the authorization information returning part 102, which is a CGI script.
The authorization information returning part 102 is then executed as a CGI script (u5). First, by referring to the variable REMOTE_USER, the authorization information returning part 102 obtains the user name of the user who activated the authorization information returning part 102 (that is, the user of applet 111, 112 or the like). It also extracts the parameter with which the CGI was activated to obtain the name of the authorization query target (the applet name) (u6).
Next, using the query target name obtained in step u6 as a parameter, the authorization information management part 103 (a function or subroutine) is asked to return the authorization information for the query target (u7).
The authorization information management part 103 searches for the authorization information of the query target by this query target name and returns the search result to the authorization information returning part 102 (u8).
The authorization information returning part 102 checks the user name obtained in step u6 against the authorization information obtained in step u8 and forms a list of the functions the target user can execute (executable list 125) (u9).
If the query target is "applet A", the target user is "user 2", and the authorization information is as shown in Fig. 2, then user 2 is authorized only for the "rough display function 122". The executable list 125 is therefore as shown in Fig. 4.
From the executable list 125 obtained in step u9, the authorization information returning part 102 builds a return value and returns it to applet 111, 112 or the like as the CGI return value (u10).
Note that the format shown in Fig. 8 can be used as the format of the returned information (executable list 125).
Fig. 8 shows an example of the executable list as a CGI return value in this embodiment.
In this embodiment, the authorization information returning part 102 forms the executable list by checking the information received from the authorization information management part 103 against the query-target user name. However, the query-target user name can also be passed as a parameter when the authorization information management part 103 is called, so that the authorization information management part 103 forms the executable list for the query-target user.
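The request handling of steps s1 to s6 and u5 to u10, as an added example that is not part of the patent text: a Python CGI-style handler that takes the user name only from REMOTE_USER and builds the executable list, together with the matching applet-side parse. The applet and function identifiers, the `applet` query parameter, the grants other than user 2's and the `name=0/1` return format are assumptions.

```python
import os
import sys
from urllib.parse import parse_qs

# Constructed stand-in for authorization information 104 (Fig. 2).
# From the page: applet A has three functions and user 2 may run only the
# rough display. The other grants and all identifiers are assumptions.
AUTHORIZATION_INFO = {
    "appletA": {
        "rough_display": {"user1", "user2"},
        "detailed_display": {"user1"},
        "data_change": {"user1"},
    },
}


def lookup_authorization_info(applet_name):
    """Management part 103 (u7-u8): per-applet record, or None if unknown."""
    return AUTHORIZATION_INFO.get(applet_name)


def build_executable_list(environ):
    """Returning part 102 (u5-u9): map each function to True/False.

    The user name is read only from REMOTE_USER, which the web server sets
    after its own HTTP-level user check. Request parameters never supply it.
    """
    user = environ.get("REMOTE_USER", "")
    params = parse_qs(environ.get("QUERY_STRING", ""))
    applet_name = params.get("applet", [""])[0]
    info = lookup_authorization_info(applet_name)
    if not user or info is None:
        return None  # no identified user or unknown applet: grant nothing
    return {function: user in users for function, users in info.items()}


def cgi_response(environ):
    """u10: serialize the executable list as the CGI return value.

    Assumed wire format (Fig. 8 is not reproduced on the page):
    one "function=1" or "function=0" line per function.
    """
    executable = build_executable_list(environ)
    if executable is None:
        return "Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n"
    body = "".join(
        f"{name}={int(allowed)}\n" for name, allowed in sorted(executable.items())
    )
    return "Content-Type: text/plain\r\n\r\n" + body


def parse_executable_list(response):
    """Applet side (check processor 121): functions granted by the server.

    Anything that is not an explicit "=1" line, including an error
    response or a malformed line, leaves the function disabled.
    """
    headers, _, body = response.partition("\r\n\r\n")
    if headers.startswith("Status:"):
        return set()
    granted = set()
    for line in body.splitlines():
        name, sep, flag = line.partition("=")
        if sep and flag == "1":
            granted.add(name)
    return granted


if __name__ == "__main__":
    # Run as a real CGI script: the web server provides the environment.
    sys.stdout.write(cgi_response(os.environ))
```

A `user=` value placed in the query string has no effect on the result, because the handler never reads it.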
As mentioned above, in the application function designating device according to this embodiment of this aspect, authorization message returning part 102 constitutes as CGI, and with authorization message administrative section 103 and these authorization message returning part 102 interlockings.As a result, can obtain following effect.
(1) owing to the subscriber authorisation function that provides by www server and WWW browser usually directly is provided, so need not newly to form these functions.This reduces the workload that system constitutes.
(2) owing to carry out subscriber authorisation with HTTP, so when another html file of WWW browser access, can be by carrying out this subscriber authorisation with the same treatment that is used for subscriber authorisation.Therefore, the list that can easily finish between this WWW browser and another WWW system or WWW application is registered.
The third embodiment is described below. In the first and second embodiments, the user inputs a combination of user name and password as the user information used in user identification. In the third embodiment, a digital certificate is used as the user information.
The application function designating device of the third embodiment is constituted in the same way as the first and second embodiments, except that a digital certificate is used as the user information. A digital certificate is information that contains the user name and carries a digital signature.
In this embodiment, WWW browsers 108, 110, etc. and www server 101 have the function of performing user authorization using a digital certificate. Note that this function is a standard feature provided by general WWW browsers and www servers.
The operation of the application function designating device of this embodiment, constituted as described above, is described below.
The operation of this device is the same as the procedures described in the first and second embodiments, except that a digital certificate is used.
To obtain this digital certificate, www server 101 sends a user information transmission request according to HTTP.
On receiving this request, WWW browsers 108, 110, etc. use their standard WWW browser functions to extract the digital certificate of the user who is using applets 111, 112, etc. running on the browser, and send it to www server 101.
The standard www server function of www server 101 analyzes the digital certificate sent to www server 101, and performs user authorization and authentication.
As a result, the user name of the user using applets 111, 112, etc. is set in a variable (remote_user) that can be referenced from the CGI script, as in the second embodiment. Note that even when authorization message returning part 102 is constituted through an API for extending the functions of the www server, the variable storing the user name can be referenced by using this API.
As described above, in the application function designating device according to this embodiment of the invention, a digital certificate can be used in user authorization. As a result, the following effects can be obtained.
(1) Using a digital certificate can improve security.
(2) Because a digital certificate is used, the browser user need not input a combination of user name and password each time. This improves convenience for the user.
(3) The digital certificate processing functions normally provided by the WWW browser and www server can be used directly. Therefore, application developers need not create any such function, which facilitates application development.
The fourth embodiment is described below. In the fourth embodiment, authorization message 104 of the first to third embodiments is implemented as text in the format shown in Fig. 9.
Fig. 9 shows the data structure of the authorization message in the application function designating device according to the fourth embodiment of the invention.
As shown in Fig. 9, this authorization message 104 has a data format that uses a blank line as the record separator (record break) between record units. That is, a blank line is placed between the record area of the authorization message of applet A and the record area of the authorization message of applet B. In addition, the target applet name is described in the first line of each record, and the names of the functions provided by this applet, together with the names of the users who are given access rights and allowed to execute these functions, are described in the second and following lines.
The operation of the application function designating device of the fourth embodiment, constituted as described above, is described below with reference to the flowchart of Fig. 10.
Fig. 10 is a flowchart showing the operating procedure of the WWW application function designating device according to the fourth embodiment.
The processing in steps s1 and s2 of the first embodiment shown in Fig. 3 is the same in the fourth embodiment, so its detailed description is omitted, and only the part corresponding to steps s3 to s6 is described. In the following description, it is assumed that the authorization message inquiry target applet name is "applet A" and the inquiry target user name is "user 2".
First, authorization message returning part 102 queries authorization message administrative section 103 for the authorization message, using the inquiry target applet name ("applet A") as a parameter (v1).
Then, authorization message administrative section 103 refers to authorization message 104 and extracts the authorization message corresponding to the inquiry target applet name, that is, the record whose first line describes the inquiry target applet name (v2).
In this example, the inquiry target applet name is "applet A". Therefore, from the authorization message shown in Fig. 9, the record content corresponding to "applet A" is extracted, that is,
Target: applet A
Rough display user 1, user 2, user 3, user 4
Detail display user 1, user 4
Data change user 1
Then, authorization message administrative section 103 delivers the authorization message obtained in step v2 to authorization message returning part 102 (v3). The delivery method is not particularly limited, and may be inter-process communication or exchange using a file or shared memory. If the functions of authorization message administrative section 103 run in the same process as authorization message returning part 102, the authorization message can be exchanged in the form of a data structure such as a C/C++ structure.
Authorization message returning part 102 refers to the authorization message received in step v3, detects whether the inquiry target user is included among the executable users set for each function, and forms executable menu 125 (v4).
In this example, the inquiry target user is "user 2". Therefore, executable menu 125 is formed by detecting whether "user 2" is included in any line of the authorization message obtained in step v2.
Three functions, namely "rough display function 122", "detail display function 123" and "data change function 124", are described as functions. Because user 2 is described as authorized only in the line for "rough display function 122", executable menu 125 is as follows:
Rough display OK
Detail display NG
Data change NG
After executable menu 125 is formed, the information needed to return it to applet 112 is added to table 125, and table 125 is returned (v5). If transmission/reception with applet 112 is performed using HTTP, the additional information is "Content-Type: text/plain".
In this embodiment, authorization message returning part 102 forms the executable menu by checking the information received from authorization message administrative section 103 against the inquiry target user name. However, the inquiry target user name can also be passed as a parameter when authorization message administrative section 103 is called, allowing authorization message administrative section 103 to form the inquiry target user's executable menu.
As described above, in the application function designating device according to this embodiment of the invention, authorization message 104 is described in a data format that uses a blank line as the record separator. Therefore, the functions and effects of the foregoing embodiments are easily achieved.
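The fourth embodiment's record format and steps v1 to v5, as an added Python example that is not code from the patent: it parses blank-line-separated records, builds the OK/NG menu, and wraps it as a CGI return value whose user name comes only from the server-set REMOTE_USER variable. The "name: user, user" delimiter, the `target` query parameter, the applet B record and all function names in the code are assumptions; users are compared as whole names, because a substring test for "user 2" would also match "user 20".

```python
from urllib.parse import parse_qs

# Constructed sample in the blank-line-separated layout described for Fig. 9.
# The "name: user, user" delimiter and the applet B record are assumptions.
AUTH_TEXT = """\
Target: applet A
rough display: user 1, user 2, user 3, user 4
detail display: user 1, user 4
data change: user 1

Target: applet B
rough display: user 2, user 20
data change: user 20
"""


def split_records(text):
    """Yield each record as a list of non-empty lines; a blank line ends a record."""
    record = []
    for line in text.splitlines():
        if line.strip():
            record.append(line.strip())
        elif record:
            yield record
            record = []
    if record:
        yield record


def parse_auth_info(text):
    """Return {applet: {function: set(users)}}; malformed records are rejected."""
    table = {}
    for record in split_records(text):
        key, sep, applet = record[0].partition(":")
        applet = applet.strip()
        if not sep or key.strip().lower() != "target" or not applet:
            raise ValueError("record must start with 'Target: <applet name>'")
        if applet in table:
            raise ValueError("duplicate record for %r" % applet)
        functions = {}
        for line in record[1:]:
            name, sep, users = line.partition(":")
            if not sep or not name.strip():
                raise ValueError("malformed function line: %r" % line)
            functions[name.strip()] = {u.strip() for u in users.split(",") if u.strip()}
        table[applet] = functions
    return table


def executable_menu(table, applet, user):
    """OK/NG per function. Users are compared as whole names, never as substrings;
    an unknown applet yields an empty menu and an empty user is granted nothing."""
    return [(name, "OK" if user and user in users else "NG")
            for name, users in table.get(applet, {}).items()]


def cgi_response(environ, table):
    """CGI return value. The user comes only from REMOTE_USER, which the server
    sets after authentication; a user named in the query string is ignored."""
    query = parse_qs(environ.get("QUERY_STRING", ""))
    applet = query.get("target", [""])[0]      # "target" is a hypothetical parameter
    user = environ.get("REMOTE_USER", "")
    body = "".join("%s %s\n" % row for row in executable_menu(table, applet, user))
    return "Content-Type: text/plain\r\n\r\n" + body


if __name__ == "__main__":
    env = {"QUERY_STRING": "target=applet+A&user=user+1", "REMOTE_USER": "user 2"}
    print(cgi_response(env, parse_auth_info(AUTH_TEXT)))
```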
The fifth embodiment is described below. In the fifth embodiment, authorization message administrative section 103 of the first to fourth embodiments is realized by providing authorization message 104 in access control list (ACL) form.
Figure 11 is a block diagram showing the arrangement of a www server to which the application function designating device according to the fifth embodiment of the invention is applied. The same reference numerals as in Figs. 1 to 10 denote the same parts, and their detailed description is omitted.
This WWW application function designating device has the same arrangement as the first to fourth embodiments, except that authorization message administrative section 103 comprises inquiry administrative section 151, ACL administrative section 152 and ACL storage area 153.
ACL administrative section 152 provides the functions of setting and managing ACLs, analyzing ACLs and returning ACL contents. For these functions, the standard features provided by the www server are used directly.
Note that a general www server provides a user interface for setting and managing ACLs by using the functions of this ACL administrative section 152. In addition, in some cases an API for using the functions of ACL administrative section 152 is publicly available. For a www server that provides no user interface or API, ACL administrative section 152 is formed by implementing the ACL setting/management functions in the form of a CGI script or the like.
ACL storage area 153 stores the ACL as a group of a plurality of ACEs 154 (Access Control Entries), each ACE containing the setting information of the access rights to a single content item (file). The function of processing this ACL is also a standard feature provided by the WWW accessor.
Figure 12 shows an example of an ACE.
In the ACE example shown in Fig. 12, users 1 and 2 are given "read" authorization for the content "sample.html". Different www servers have different description formats for the ACL and its element ACEs. However, the information contained is basically the same in all of them.
Inquiry administrative section 151 comprises transcriber 155 and ACL inquiry part 156, which serves as the interface with ACL administrative section 152.
This inquiry administrative section 151 converts information such as the applet name given from authorization message returning part 102 into a command in the form used by ACL administrative section 152, and requests ACEs from ACL administrative section 152. In addition, inquiry administrative section 151 returns the information received from ACL administrative section 152 to authorization message returning part 102.
Transcriber 155 converts information such as the applet name given from authorization message returning part 102 into a command in the form used by ACL administrative section 152. For this conversion, transcriber 155 has a table as shown in Fig. 13.
Figure 13 shows an example of the information conversion table held by transcriber 155 of the fifth embodiment.
As shown in Fig. 13, when a certain applet name is received, this table converts the information into a command for obtaining the applet's information from the corresponding ACEs.
The operating procedure of the application function designating device according to the fifth embodiment, constituted as described above, is described below.
Before the operation of the WWW application function designating device is described in detail, the procedure for setting authorization message 104 as an ACL is described. As an example of this authorization message 104, the information shown in Fig. 2 is used, as in the first embodiment.
First, several files are created in which to set the authorization message. As an example, suppose the file naming convention is "target name DOT function name DOT acl". This convention is only an example; any other form can be used as long as the following processing can be carried out.
As shown in Fig. 2, applet A comprises three functions. Therefore, according to the above naming convention, files named "applet A.rough display.acl", "applet A.detail display.acl" and "applet A.data change.acl" are created.
Then, the ACLs for these three files are set, for example by using the interface provided by www server 101. The setting method is the same as for public HTML files and the like.
According to Fig. 2, users 1, 2, 3 and 4 have execution authorization for the rough display function of applet A. Therefore, the ACL is set so that these 4 users are given access rights with respect to the file "applet A.rough display.acl". Figure 14 shows an example of an ACL set in this way.
Figure 14 shows an example of the ACL in the fifth embodiment.
The details of the operation of the WWW application function designating device are described below.
In the fifth embodiment, the description of the parts of the operation that are the same as in the preceding embodiments is omitted. The following description explains the processing after step s3 in Fig. 3 of the first embodiment, that is, the processing in which authorization message administrative section 103 extracts and returns the authorization message in response to a request from authorization message returning part 102. Suppose that the authorization message inquiry target is "applet A".
First, authorization message returning part 102 requests inquiry administrative section 151 of authorization message administrative section 103 to send the authorization message for applet A. Inquiry administrative section 151 converts the applet name (applet A) into a command to ACL administrative section 152 according to the information conversion table. In addition, inquiry administrative section 151 uses this command to request ACL administrative section 152 to return the ACEs in which the authorization message for each function of applet A is set.
Then, ACL administrative section 152 analyzes the ACL, extracts the ACEs of interest and returns these ACEs to inquiry administrative section 151. More specifically, the ACEs of interest are those with path="applet A.*.acl" ("*" is a wildcard representing an arbitrary character string). In this example, the ACEs of interest are the three ACEs shown in Fig. 14.
Inquiry administrative section 151 sends the ACEs received from ACL administrative section 152 to authorization message returning part 102. In this processing, the received ACEs can be sent directly, or after their format is converted so that authorization message returning part 102 can process them easily. For example, the information of one ACE is summarized in one line, as follows:
Rough display user 1, user 2, user 3, user 4
Detail display user 1, user 4
Data change user 1
If authorization message returning part 102 and authorization message administrative section 103 operate in the same process, the ACEs can be exchanged as a data structure such as a C/C++ structure.
Authorization message returning part 102 refers to the authorization message received from authorization message administrative section 103, and detects whether the inquiry target user is included among the executable users set for each function. According to this detection result, authorization message returning part 102 forms the data format to be returned to the applet.
If the inquiry target user is "user 2", this "user 2" is included only among the executable users of "rough display", so the following executable menu is formed:
Rough display OK
Detail display NG
Data change NG
The information needed to return it to applet 112 is added to executable menu 125, and this table 125 is returned. If transmission/reception with applet 112 is performed using HTTP, the additional information is "Content-Type: text/plain".
In this embodiment, authorization message returning part 102 forms the executable menu by checking the information received from authorization message administrative section 103 against the inquiry target user name. However, the inquiry target user name can also be passed as a parameter when authorization message administrative section 103 is called, allowing authorization message administrative section 103 to form the inquiry target user's executable menu.
As described above, in the application function designating device according to this embodiment of the invention, authorization message administrative section 103 is realized by setting authorization message 104 with an ACL. Therefore, the standard features or user interface (for example, an API) provided by the www server can be used to set and manage the ACL and to analyze the content of the ACL. This reduces the workload of system development.
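The fifth embodiment's lookup, as an added Python example that is not code from the patent: an applet name is converted to the path pattern "applet A.*.acl", the matching ACEs are selected and summarized one per function, and the menu is formed. The in-memory ACL store, the ACE layout and the function names are assumptions; the name check is an addition, because an applet name that contains a wildcard character or the "." separator would make the pattern match another applet's ACEs.

```python
import fnmatch

# Constructed ACL store: path -> ACE, using the page's "target.function.acl"
# file names. The ACE layout and the applet B entry are assumptions.
ACL_STORE = {
    "applet A.rough display.acl": {"read": ["user 1", "user 2", "user 3", "user 4"]},
    "applet A.detail display.acl": {"read": ["user 1", "user 4"]},
    "applet A.data change.acl": {"read": ["user 1"]},
    "applet B.data change.acl": {"read": ["user 2"]},
}

UNSAFE_IN_NAME = set("*?[].")   # glob metacharacters plus the field separator


def acl_pattern(applet):
    """Applet name -> path pattern for the ACL query (the conversion-table step)."""
    if not applet or UNSAFE_IN_NAME & set(applet):
        raise ValueError("applet name cannot be used in an ACL path pattern")
    return applet + ".*.acl"


def query_aces(store, applet):
    """Return the ACEs whose path matches '<applet>.*.acl', in store order."""
    pattern = acl_pattern(applet)
    return {p: ace for p, ace in store.items() if fnmatch.fnmatchcase(p, pattern)}


def summarize(aces, applet):
    """One entry per ACE: function name -> users holding 'read' on its file."""
    start, end = len(applet) + 1, -len(".acl")
    return {path[start:end]: set(ace.get("read", ())) for path, ace in aces.items()}


def executable_menu_from_acl(store, applet, user):
    """OK/NG per function for one user, decided from the matching ACEs only."""
    summary = summarize(query_aces(store, applet), applet)
    return [(fn, "OK" if user and user in users else "NG")
            for fn, users in summary.items()]


if __name__ == "__main__":
    for row in executable_menu_from_acl(ACL_STORE, "applet A", "user 2"):
        print("%s %s" % row)
```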
An example of a WWW application (not including applets) that uses the application function designating device according to the first to fifth embodiments is described below. This example concerns an application that dynamically changes the functions of an applet according to the authorization message corresponding to function 122 and the like of applets 111, 112, etc. The application assumed in this example is as follows:
(1) The system architecture is displayed as HTML.
(2) when clicking the device not have to be provided with, activation is used to change the applet of the setting of this device.
(3) When a user who is authorized to change settings runs the application, this applet provides the function of changing the settings. When a user who is not authorized to change settings runs the application, the applet provides only the function of displaying the current setting values.
Figure 15 shows an example of the system architecture displayed by this application.
This system architecture is constituted by one HTML file. The regions of devices A, B and C are linked, by using an HTML function (such as a clickable map), so as to execute the applet that provides the function of changing the settings of these devices.
Figures 16 and 17 show the applet windows executed in this way.
Figure 16 shows the window when a user without the setting-change authorization runs this application.
Figure 17 shows the window when a user who has the setting-change authorization runs this application. Referring to Fig. 17, the values displayed in the fields are editable, and a "SETTING CHANGE" button is shown.
The operation of the WWW application function designating device and the application is described below.
First, the process performed by the applet for changing device settings is described. This applet operates according to the following flow.
The applet requests authorization message returning part 102 of www server 101 to send executable menu 125, and receives from this authorization message returning part 102 the executable menu of the user running this applet.
Meanwhile, using the functions of the applet, labels such as "OBJECT" and "MANAGER" and the fields for displaying the setting values are laid out. According to the received executable menu, the applet detects whether the user has the setting-change authorization. Such detection can be carried out by processing embedded in each function or by authorization measurement processor 121.
If the user has the setting-change authorization, the setting value display fields are made editable and the setting change button is displayed as shown in Fig. 17. The current setting values are obtained from the target device and displayed in the fields shown in Figs. 16 and 17. If the setting change button shown in Fig. 17 is pressed, each field value is extracted and the settings of the target device are changed according to the user's input.
The above is the processing in the application. Next, the system architecture shown in Fig. 15 is described.
This structure is HTML formed using a function such as a clickable map. For example, when the part "APPARATUS A" is clicked, the applet for changing the settings of device A is started. Suppose that the HTML set up to activate the applet for changing the settings of device A is "APPARATUS A.html"; the part "APPARATUS A" is then linked to "APPARATUS A.html".
In this example, the applet for changing device settings is configured by querying authorization message returning part 102 for executable menu 125. Therefore, there is only one applet entity, and only one "system architecture" needs to be prepared.
For comparison with the embodiment, suppose that, as in the prior art, the applet for changing the settings of device A is implemented as a separate applet for each function. That is, "applet A1", which has only the function of displaying setting information, and "applet A2", which has the display function and the setting change function, are created. Because of HTML restrictions, only one target can be set as the hyperlink target of the part "APPARATUS A" in the system architecture. In such a structure, it is necessary to prepare a "system architecture for users without the setting-change authorization" and a "system architecture for users with the setting-change authorization". The former is set to activate applet A1 and the latter to activate applet A2.
Next, the case where the prior art is also applied to device B is described. In general, a given user's authorization for device A does not necessarily coincide with his or her authorization for device B. That is, suppose there are users who have the setting-change authorization for device A but are not given the setting-change authorization for device B. Therefore, four different "system architectures" need to be prepared: a "system architecture for users who can change the settings of devices A and B"; a "system architecture for users who can change the settings of device A only"; a "system architecture for users who can change the settings of device B only"; and a "system architecture for users who cannot change the settings of devices A and B". If the number of devices increases further, the number of combinations of "system architectures" to be prepared becomes enormous.
In contrast, with the WWW application function designating device of this embodiment, the applet for changing device settings can be configured by querying authorization message returning part 102 for executable menu 125. Because only one actual applet is needed, only one "system architecture" needs to be prepared.
In each embodiment, authorization message returning part 102 returns the executable and non-executable functions to the browser (applet) in the form of the executable menu. However, the invention is not limited to this form of returning executable function information. For example, information about the executable functions may be returned, or information indicating whether a function is executable, not executable or conditionally executable.
In addition, the cases to which the invention can be applied are not limited to querying over a network whether a function is executable. For example, the invention can be used in the case where an application on a computer asks another program on the same computer (corresponding to the application function designating device) about the executable functions among the many functions that the application has.
The devices explained in the embodiments and examples can be realized by installing the program stored in a recording medium in a computer.
The recording medium of the invention can have any recording format, as long as the recording medium stores the program and can be read by a computer. Examples of the recording medium are a magnetic disk, floppy disk, hard disk, optical disc (for example, CD-ROM, CD-R and DVD), magneto-optical disc (for example, MO) and semiconductor memory.
In addition, an OS (operating system) running on the computer, or MW (middleware) such as database management software or network software, can execute each processing part for realizing each embodiment, according to the instructions of the program installed on the computer from the recording medium.
In addition, the recording medium of the invention is not limited to a medium independent of the computer, and includes a recording medium that stores or temporarily stores a program downloaded from a LAN or the Internet.
In addition, the number of recording media is not limited to one. That is, the recording medium of the invention includes the case where the operations of each embodiment are carried out from a plurality of media.
Note that the computer of the invention carries out the processing of each embodiment according to the program stored in the recording medium. Therefore, this computer can have any structure, such as a single device, for example a personal computer, or a system in which a plurality of devices are connected by a network.
The computer of the invention is not limited to a personal computer, and includes arithmetic processors and microcomputers contained in information processing devices. That is, "computer" is a generic term for devices and equipment that can realize the invention by a program.
In the invention described above, the authorization message is managed, and information about the executable functions is returned for each application and each user according to an authorization check request from the application. Therefore, it is possible to provide an application function designating device and a recording medium that, when the application is run, dynamically make some functions provided by the application executable or non-executable according to the authorization of the user running the application.
Additional advantages and modifications will readily occur to those skilled in the art. Therefore, the invention in its broader aspects is not limited to the specific details and representative embodiments shown and described herein. Accordingly, various modifications may be made without departing from the spirit or scope of the inventive concept as defined by the appended claims and their equivalents.

Claims (15)

1. an application function designating device is characterized in that, comprising:
Formation is come the request receiving unit of the authorization message request of self-application with reception; With
Formation is with the authorization message request of basis from described application, authorization message is turned back to the authorization message returning part of described application, wherein said authorization message is about the feasibility of application function, and described application function is to be no less than in the function function that can be carried out by the user who uses described application by what described application provided.
2. device as claimed in claim 1, it is characterized in that, described device is added the WWW device, and described authorization message returning part comprises specified portions, constituting it is that to specify a user by the user authorization mechanism identification of described www server be the user of the described application of utilization.
3. device as claimed in claim 1 is characterized in that, described authorization message returning part comprises:
The authorization message administrative section, constitute it with management about each function for each application, the information of the feasibility of the function that can carry out by described user; With
The authorization message returning part, constitute it to have exported the execution authorization message of the application of described authorization message request from described authorization message administrative section acquisition, according to described execution authorization message, formation turns back to described application about the information of the feasibility of the application function that can be carried out by the user who uses described application with described information.
4. device as claimed in claim 3, it is characterized in that, described device is added www server, and described authorization message returning part comprises specified portions, constituting it is that to specify a user by the user authorization mechanism identification of described www server be the user of the described application of utilization.
5. device as claimed in claim 3, it is characterized in that, described device is added www server, and described authorization message administrative section comprises administrative section, constitute it and carry out authorization message as the access control list of in described www server, using in order to management.
6. device as claimed in claim 5 is characterized in that, described authorization message returning part comprises specified portions, and constituting it is that user by the user authorization mechanism identification of described www server of appointment is the user of the described application of utilization.
7. device as claimed in claim 3 is characterized in that, described authorization message returning part is checked the information that receives from described authorization message administrative section with user name, and form to describe the menu carried out of the function that can be carried out by described user.
8. device as claimed in claim 1 is characterized in that, also comprises output, constitutes it is used to show the content of described authorization message with output display message.
9. device as claimed in claim 1 is characterized in that, also comprises formation so that the analysis part of the number proof that provides with described authorization message request to be provided, and carries out subscriber authorisation.
10. device as claimed in claim 1 is characterized in that, described authorization message returning part is with the authorization message of each applet of being recorded as unit description and using.
11. computer-readable recording medium, it is characterized in that, described recording medium has the program of authorization message link order, wherein said authorization message link order is used for according to the authorization message request that comes self-application, authorization message is turned back to described application, the feasibility that be no less than the function that in a function can by the user of use described application carry out of wherein said authorization message about providing by described application.
12. medium as claimed in claim 11, it is characterized in that, described authorization message link order comprises supervisory instruction and authorization message link order, wherein said supervisory instruction makes authorization message management devices each function for each application, management about the feasibility information of the function that can carry out by described user as carrying out authorization message; And described authorization message link order obtains execution authorization message about the application of exporting described authorization message request from described authorization message management devices, and make the authorization message return mechanism form feasibility information, and described information is turned back to described application about the application function that can use by the user of the described application of utilization according to described execution authorization message.
13. medium as claimed in claim 12, it is characterized in that, described medium are added www server, and described supervisory instruction comprises and is used for making described authorization message management devices to manage the instruction of described execution authorization message as the access control list of using at described www server.
14. medium as claimed in claim 11, it is characterized in that, described medium are added described www server, and described authorization message link order makes that described authorization message return mechanism appointment is the user of the described application of utilization by the user of the User Recognition mechanism identification of described www server.
15. An application function designation method, characterized in that it comprises:
receiving, by the authorization message returning part of a server, the application name and the user profile of the application being used by the user;
querying, by the authorization message returning part of the server, the authorization message administrative section of the server about the authorization message, using the obtained application name as a parameter;
searching, by the authorization message administrative section, for the authorization message corresponding to the application, and sending the authorization message that is found to the authorization message returning part; and
forming, by the authorization message returning part, through analysis of the authorization message, a table of the application functions that can be executed by the user, and returning the table to the application.
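The flow of claim 15, combined with the server-identified user of claim 14, as an added sketch that is not part of the patent text. The ACL layout, the sample entries and every class and function name are assumptions made for illustration.

```python
# Added illustration of the claim 15 flow; ACL layout and all names are assumptions.
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample ACL: application name -> function -> users allowed to execute it.
SAMPLE_ACL = {
    "ledger": {
        "view": {"alice", "bob"},
        "edit": {"alice"},
        "approve": set(),
    },
}


@dataclass
class AuthorizationManager:
    """Plays the 'authorization message administrative section'."""
    acl: dict = field(default_factory=dict)

    def lookup(self, app_name: str) -> dict:
        # Search for the entry matching the application; unknown apps get nothing.
        return self.acl.get(app_name, {})


@dataclass
class AuthorizationReturner:
    """Plays the 'authorization message returning part'."""
    manager: AuthorizationManager

    def function_table(self, app_name: str, server_user: Optional[str]) -> dict:
        # Query the manager with the application name as the parameter.
        entry = self.manager.lookup(app_name)
        # Analyse the entry into a per-function table for this user.
        # An unauthenticated caller (None) or an unlisted user is denied everything.
        return {
            func: server_user is not None and server_user in allowed
            for func, allowed in sorted(entry.items())
        }


def handle_request(returner, app_name, claimed_user, server_user):
    # Claim 14: the user is the one identified by the server's user
    # recognition mechanism, so the client-supplied name is ignored.
    del claimed_user
    return returner.function_table(app_name, server_user)


RETURNER = AuthorizationReturner(AuthorizationManager(SAMPLE_ACL))

if __name__ == "__main__":
    print(handle_request(RETURNER, "ledger", "alice", "bob"))
```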
CN 00108794 2000-06-02 2000-06-02 Application function designating device and its method and recording medium of storage execute program Pending CN1327206A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 00108794 CN1327206A (en) 2000-06-02 2000-06-02 Application function designating device and its method and recording medium of storage execute program

Publications (1)

Publication Number Publication Date
CN1327206A true CN1327206A (en) 2001-12-19

Family

ID=4579291

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 00108794 Pending CN1327206A (en) 2000-06-02 2000-06-02 Application function designating device and its method and recording medium of storage execute program

Country Status (1)

Country Link
CN (1) CN1327206A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102077211A (en) * 2008-06-30 2011-05-25 佳能株式会社 Method of managing software license contracts, system and information processing apparatus therefor, and target software for license contracts
CN102077211B (en) * 2008-06-30 2014-09-10 佳能株式会社 Method of managing software license contracts, system and information processing apparatus therefor

Legal Events

Date Code Title Description
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C06 Publication
PB01 Publication
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication