JP2000172646A - Application function designating device and storage medium - Google Patents

Abstract

PROBLEM TO BE SOLVED: To dynamically change execution enable or disable for part of function provided by an application at application execution with respect to the authority of a user, who executes that application, and to provide single sign on. SOLUTION: This device is provided with authority information returning means 102 and 103 for returning authority information concerning the function, to which the execution is permitted to the user in response to demand from an application 111 for more than one function from among functions 122, 123 and 124 provided by that application corresponding to a request from that application.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to an application function designating device and a storage medium, and more particularly, to an application operating on a WWW browser or the like, which dynamically switches functions executable by the application according to the authority of the application executor. The present invention relates to an application function designating device and a storage medium for enabling the function.

[0002]

2. Description of the Related Art With the development of Internet technology in recent years, WWW applications such as Java applets (hereinafter referred to as applets) that operate on a WWW (World Wide Web) browser have been widely used.

[0003] In these applications, the operation itself or a part of the operation function is often restricted in use corresponding to the user. For example, consider a case where one applet is composed of several functions. This applet needs to dynamically change, at runtime, whether to enable or disable some of these functions according to the authority of the user. In order to realize the function of dynamically changing the executable range, for example, the following method has conventionally been used.

In the first method, the applet itself inquires user information (user name, password, etc.).

[0005] That is, at the time of applet execution, a user (applet executor) is required to input user information (user name, password, etc.), and based on this information, which function in the applet can be executed and which function is executed. Create an applet to determine whether to make it impossible.

However, for this purpose, it is necessary to separately provide a user authentication mechanism and a mechanism for setting and managing authority information of each user.

The second method is to prepare another applet for each combination of executable functions.

For example, consider a case where three functions A, B, and C are realized by an applet. In this case, three types of applets are prepared: applet 1: an applet that can execute functions A, B, and C. applet 2: an applet that can execute functions A and C. applet 3: an applet that can execute only function A. The access right is set for each of them based on the access control function of the WWW server.

That is, the applet 1 has functions A, B,
The access right is set to a user who can execute all the functions C and the applet 2 sets the access right to the user who can execute the functions A and C, and the applet 3 is set to the access right to the user who can execute only the function A. Is set.

Thus, for example, a user who does not have the authority to execute the function B cannot download and execute the applet 1.

[0011]

However, when a part of the WWW application function is dynamically changed at the time of execution according to the above-mentioned conventional technology, there are still the following problems to be solved.

First, in the first method in which the applet itself inquires for user information, the user information input to the applet is valid only in the applet operating on the WWW browser.

On the other hand, when the access right to the WWW content is set, the user information is transferred between the WWW browser and the WWW server using the HTTP protocol, and the WWW server performs user authentication and confirmation of the access right. .

Therefore, when accessing the WWW content to which the access right is set, the user is first required to input user information, and is required to input user information again when executing the applet. become. That is, single sign-on (a mechanism in which a plurality of services can be used with one authentication) cannot be realized.

In the first method, a mechanism for performing user authentication and a mechanism for managing and setting access authority must be separately prepared on the server or included in the applet. The implementation will be labor intensive.

Furthermore, instead of using a set of a user name and a password as user information, there is a case where it is desired to improve a security level and user convenience by using an electronic certificate. Considering that a method using an electronic certificate is incorporated in the first method, in order for an applet to query user information, a mechanism for extracting the electronic certificate from its storage location (WWW browser, IC card, etc.), It is necessary to create a mechanism for analyzing the contents of the electronic certificate and performing user authentication, and the implementation effort becomes very large.

Next, in the second method in which a separate applet is prepared for each combination of executable functions, the user selects which applet to execute in the form of a menu or the like. However, it may be difficult to make the user select each time.

For example, it is assumed that the processing is completed by executing the applet 2 after executing the applet 1. Here, applet 1 has functions A and B
Suppose that the applet 2 is composed of a function C and a function D. In this case, according to the contents described in the above-mentioned conventional technique, the following two applets are realized.

Applet 1a: Applet 1 that can execute functions A and B Applet 1b: Applet 1 that can execute only function A Applet 2a: Applet 2 that can execute functions C and D Applet 2b: Applet that can execute only function C 2. Here, attention is paid to the applet 1a. Applet 1a
After the processing of, the applet 2 is called,
The applet 2 has two variations, an applet 2a and an applet 2b.

In general, a user who has been given the right to access the applet 1a does not always have the right to access the applet 2a. Therefore, whether the applet 1a calls the applet 2a or calls the applet 2b It cannot be specified when creating (mounting) the applet 1a. Therefore, it is necessary to dynamically change the next applet to be called when the applet 1a is executed.

However, since such a mechanism is not provided, when executing the applet 1a, it is necessary for the user to select whether to execute the applet 2a or the applet 2b by a menu or the like. is there. However, in reality, applet 1 to applet 2
In many cases, it is desired to automatically perform the process transfer to the user without the intervention of the user. Therefore, it is often difficult to make an inquiry to the user each time.

When one applet is composed of many functions, the applet 1a, 1b, 1c
.., And so on, there is a problem that the implementation and management costs become very large.

The present invention has been made in consideration of such circumstances, and corresponds to a user authority to execute an application and enables or disables some of the functions provided by the application. It is an object of the present invention to provide an application function designating apparatus and a storage medium which can dynamically change the above when an application is executed and can realize single sign-on.

[0024]

In order to solve the above-mentioned problems, the invention according to claim 1 uses the application among one or more functions provided by the application in response to a request from the application. An application function designating device having an authority information returning means for returning authority information on a function that is executed or not performed by a user performing the operation.

Since the present invention is provided with such means, it is possible to execute or not execute a part of the functions provided by the application in accordance with the user authority to execute the application.

Next, an invention according to claim 2 is provided as an application function designating device for designating an executable function among one or more functions of the application in response to a request for authority information from the application. It is.

In this application function designating device, the authority information management means manages, as execution authority information, information on users who can be executed for each function of each application.

The authority information returning means obtains execution authority information on the application which has output the authority information request from the authority information management means. Further, based on the execution authority information, information on functions that can be executed by the user using the application is created in the form of, for example, an executable mechanism list, and is returned to the application that made the request.

Accordingly, it is possible to execute or not execute a part of the functions provided by the application in accordance with the user authority to execute the application.

Next, the invention corresponding to claim 3 is the WWW
The present invention is directed to an application function designating apparatus according to claim 2 provided on a server.

In the present invention, the authority information managing means includes:
The execution authority information is managed as an access control list used in the WWW server.

Therefore, system development according to the present invention can be performed easily and efficiently.

Next, the invention corresponding to claim 4 is the WWW
The present invention is directed to an application function designating apparatus according to claims 1 to 3 provided on a server.

The authority information returning means of the present invention specifies the executor of the application by directly using the authentication result of the user authentication mechanism of the WWW server.

Therefore, since the user authentication mechanism of the WWW server performs the user authentication of the entire system in a lump, so-called single sign-on can be realized.

Next, a fifth aspect of the present invention is a recording medium storing a program for causing a computer to implement the first aspect of the present invention.

The computer controlled by the program read from the recording medium functions as the application function designating device of the first aspect.

Next, the invention corresponding to claim 6 is a recording medium storing a program for causing a computer to realize the invention corresponding to claim 2.

The computer controlled by the program read from the recording medium functions as the application function specifying device according to the second aspect.

Next, the invention corresponding to claim 7 is a recording medium which records a program for causing a computer to realize the invention corresponding to claim 3.

The computer controlled by the program read from the recording medium functions as the application function specifying device according to the third aspect.

Next, an eighth aspect of the present invention is a recording medium storing a program for causing a computer to implement the fourth aspect of the present invention.

The computer controlled by the program read from the recording medium functions as the application function designating device of the fourth aspect.

[0044]

Embodiments of the present invention will be described below. (First Embodiment) FIG. 1 is a block diagram showing a configuration example of a network system to which an application function designating apparatus according to a first embodiment of the present invention is applied.

This network system comprises a large number of computers connected to the Internet, and a WWW browser 108,
110 and the WWW server 101 are shown in the figure.
The computer itself and a network using a public line and the like are not shown.

The WWW server 101 has a general WWW server function, and further includes an authority information return unit 102 and an authority information management unit 103. WWW server 1
Reference numeral 01 stores a plurality of applets including an applet 105 and an applet 106 in a storage unit (not shown). In addition, the authority information management unit 103 manages each authority information 104 corresponding to each of the applets 105 and 106 and the like.

The WWW application function designating apparatus according to the present embodiment includes an authority information return unit 1 on the WWW server 101.
02 and the right information management unit 103 are provided.

In the example shown in FIG. 1, the user 1 uses the browser 108 and the user 2 uses the browser 110, and downloads and executes the applet 105 on the WWW server 101 on his / her own browser. I have.
The applet downloaded to each of the browsers 108 and 110 and in an executable state is transmitted to the applet 11.
1, the applet 112.

The authority information return unit 102, upon receiving an inquiry about the user authority from the applet, executes the authority information management unit 1
03, the user inquires which function of the applet can be used, creates a list of executable functions based on the inquiry result, and returns the list to the applet. The authority information return unit 102 can be implemented by any method as long as it can be started from an applet.
Specifically, for example, CGI (Common Gateway)
y Interface) or an API (application interface) for extending the function of a WWW server published by the WWW server
It can be realized by a form using the like.

The authority information management unit 103 manages the authority information 104 as described above, and when called from the authority information return unit 102, a result corresponding to the contents of the authority information 104 for the specified applet and user. Is returned. For example, in the case where the authority information return unit 102 is executed by the CGI, the authority information return unit 102 is activated as a child process, or as a function of the authority information return unit 102 in the same process. An execution form may be considered.

The authority information 104 is prepared for each applet held by the WWW server 101, and is information indicating which user can execute each function of the applet.

FIG. 2 is a diagram showing an example of authority information for applet A.

The applet A (105) has a rough display function 122, a detailed display function 123, and a data change function 124 as the original processing functions of the applet. The user shown in FIG. have.

Each of the applets 105 and 106 has an authority check processing unit 121 in addition to the processing functions 122, 123 and 124 inherent to the applet. The original processing function of the applet is different for each applet.

The authority check processing unit 121 activates the authority information return unit 102 of the WWW server 101 with the self applet name attached thereto, and further receives a list of executable functions from the return unit 102.

Further, based on the list of executable functions, the authority check processing section 121 puts, into the executable state, the functions permitted to be executed by the user among the functions (original processing functions of the applet) of the applet. FIG. 1 shows an example in which functions permitted to the users 1 and 2 can be executed.

Note that the WWW browsers 108, 110, etc. respond to requests from the WWW server 101 as standard functions of the browser, acquire user information including user identification information (user name), a password, and the like, and transmit them to the server 101. (Not shown). This allows
The WWW server 101 authenticates users of the WWW browsers 108, 110 and the like.

Next, the operation of the application function designating apparatus according to the present embodiment configured as described above will be described.

FIG. 3 is a flowchart showing the operation on the WWW server side in this embodiment.

First, the authority information return unit 102 is called from the applets 111 and 112 and receives the name of the applet to be checked (s1).

Next, the user name of the user executing the applet that called the authority information returning unit 102 is changed by the server function of the WWW server 101 to the authority information returning unit 10.
2 (s2). Here, the user name can be extracted by using a function provided by the WWW server 101 as a standard.

The acquired applet name to be investigated is used as an argument, and the authority information return unit 102 inquires the authority information management unit 103 about the authority information 104 (s3).

The authority information 104 for the applet to be checked received in step S303 is
3 and transmitted to the authority information return unit 102 (s4).

The authority information 104 is stored in the authority information return unit 10
A list of functions (executable function list) which is analyzed in step s2 and is given the execution right to the investigation target user obtained in step s2 is created (s5).

FIG. 4 is a diagram showing an example of the contents of the executable function list.

For each of the users 1 and 2, there is shown a list of whether the execution of each function of the applets A and B to be investigated is permitted or not permitted. The example of the executable function list 125 shown in FIG.
This is for the applet A for the user 2.

The created executable function list is stored in the calling applet 11 by the authority information returning unit 102.
1, 112, etc. (s6).

In step s5, it is described that the authority information return unit 102 generates the executable function list by matching the information received from the authority information management unit 103 with the user name to be investigated. The name of the user to be investigated is also passed as an argument when the unit 103 is called, and a list of executable functions of the user to be investigated is stored in the authority information management unit 103.
May be generated.

Next, based on the authority information (executable function list 125) received from the authority information return unit 102, the applet 1 whose operation is to be switched according to the given authority.
The operation procedures of 11, 112 and the like will be described with reference to the flowchart of FIG.

FIG. 5 is a flowchart showing the operation on the WWW browser side in this embodiment.

First, when the execution of the applets 111, 112 and the like is started in the browsers 108 and 110 (t)
1) The authority information return unit 102 on the WWW server 101 is activated by the authority check processing 121 in the applets 111 and 112 (t2).

After that, when the executable function list 125 created by the authority information return unit 102 is transferred to the authority check processing unit 121 (t3), based on the list 125, among the functions of the applet, the users 1, 2 and so on Is enabled or disabled by the authority check processing unit 121 or by the functions of the applet's original processing functions 122, 123, and 124 itself.

Note that, in the example of FIG.
In the case where is used, first, the authority information for the applet A is as shown in FIG. Therefore, the executable function list 125 is as shown in FIG. 4, and as shown in FIG. 1, only the “schematic display function 122” is in an executable state.

Here, as a function control method of the applets 111 and 112, for example, the following method can be considered. (1) A GUI component (such as a button) that executes a function for which the applet user is not authorized is provided by the authority check processing unit 121 or the original processing function 12 of the applet.
Due to the functions of the elements 2, 123, 124, etc., they are not displayed when the execution screen of the applet is created, or are set in a state where they cannot be operated by setting properties of the corresponding GUI component. (2) The executable function list 125 is held in the applet, and in each method that provides the applet function 122 and the like, the held executable function list is checked. Put a routine that stops the execution of the method. For example, the method definition has the following configuration.

Public void Detailed display function () ｛Refers to the list of executable functions and checks whether the execution right of the detailed display function is given if (the execution authority is given) ル ー チ ン Routine for performing detailed display｝ In this manner, by creating a function execution restriction process based on the executable function list 125 in the authority check processing unit 121 or the original processing functions 122, 123, and 124 of the applet, the executor possesses when executing the applet. Operation switching according to authority is realized.

As described above, the application function specifying device according to the embodiment of the present invention
1 is provided with an authority information return unit 102 and an authority information management unit 103, which are used by the applets 111, 112, etc., so that the following effects can be obtained. (1) Since the authority information return unit 102 is requested to check the user authority when executing the applet, it is possible to configure an applet that dynamically changes an executable function at the time of execution according to the user authority. . (2) Therefore, since it becomes possible to dynamically change which of the provided functions is executable and which of the functions is not executable, it is not necessary to create a number of applets of different variations. , Significantly reduce implementation and management costs. (3) Since the method of referring to the execution authority information held on the server from the applets 111, 112 and the like is employed, the authority information can be set and managed efficiently, and the setting management cost is reduced. Can be reduced. Also, unlike the case where the authority information is provided (or distributed) to each client side, no inconsistency occurs when the content of the authority information is changed. (4) Also, since the user information is transferred to the authority information returning unit 102 via the WWW server 101 or the like, the WWW
The user authentication function of the server function of the server 101 can be used as it is. In this case, it is not necessary to request the user information again, and so-called single sign-on can be realized.

Note that the user authentication function provided by the WWW server as a standard need not always be used as it is, and a user name can be obtained by various methods.

Further, even when the authority information return unit 102 is realized by using, for example, an API for extending a server function, the API may use the user authentication function of the WWW server standard or may use the same user authentication function. The user name can be obtained without using. W
When the user authentication function of the WW server standard is not used, the user information may be transmitted to the authority check processing unit 121 such as the applets 111 and 112, for example. (Second Embodiment) In the present embodiment, a case where CGI is used as a method of realizing the authority information returning unit 102 in the first embodiment will be described.

FIG. 6 is a block diagram showing an example of the configuration of a WWW server for realizing an application function designating apparatus according to the second embodiment of the present invention. The description is omitted, and only different portions are described here.

In the WWW server 101, the authority information return unit 102 is configured as a CGI program (a program executed by the CGI), and the authority information management unit 103 is realized as one function of the authority information return unit 102, and the same process is performed. Other than that, the configuration is the same as that of the first embodiment. The WWW server 101 is provided with a user authentication unit 131. The authentication unit 131 is normally included in a general WWW server function, and is not shown in the first embodiment. ing.

The user authentication unit 131 is configured to execute the applet 11
When the execution request of the authority information returning unit 102 is received from the server 1, 1, 112, or the like, the user information is requested from the WWW browsers 108, 110, etc. to perform user authentication, and the user has obtained or has already obtained the user information. The user information is provided to the authority information return unit 102 in a form of being set in a variable REMOTE_USER.

The CGI is a mechanism for executing a program on a WWW server, and the program operation is realized by requesting the browser to execute the program.

Next, the operation of the application function specifying device according to the present embodiment configured as described above will be described.

FIG. 7 is a flowchart showing the operation of the WWW application function designating apparatus according to this embodiment.

First, an execution request is issued from the authority check processing unit 121 of the applets 111 and 112 to the authority information return unit 102 by CGI. At this time, CGI
The authority information investigation target name (applet name) is passed to the authority information return unit 102 as an argument of (u1).

If the executor of the applet 111 or 112 has not yet authenticated the user to the WWW server 101, the user authentication unit 131 transmits the user information at the HTTP level to the WWW browser 108, 110, etc. (step u
2).

The process of prompting the user to input user information in response to this is a function (not shown) generally provided by the WWW browser as a standard. A pop-up window is displayed to prompt the user for a user name and a user name. In general, the user is required to enter a password. If the user has already been authenticated for the corresponding WWW server, this processing at this point is omitted.

Next, HTTP (Hyper Text Transfer) is transmitted from the WWW browsers 108 and 110 and the like.
User information transmitted using the (Protocol) protocol is received by the WWW server 101 (u
3).

User authentication is performed by the user authentication unit 131 of the WWW server 101 on the basis of the user name and password as user information, and when the user is authenticated, the user name is changed by the user authentication unit 131 into the variable REMOTE.
_USER is set (u4). This variable can be referred to from the authority information return unit 102 which is a CGI program.

Next, the authority information return section 102 is executed as a CGI program (u5). As a result, first, by referring to the variable REMOTE_USER in the authority information return unit 102, the user name of the user who has activated the authority information return unit 102, that is, the user who uses the applets 111 and 112 is acquired. Furthermore, CG
By extracting the argument at the time of starting I, the authority information return unit 102 acquires the authority check target name (applet name) (u6).

Next, the authority information management unit 103 (function or subroutine) is requested to return the authority information to be inspected, using the inspection object name obtained in step u6 as an argument (u7).

Based on the search target name, the right information management unit 103 searches for the right information of the check target, and the search result is returned to the right information return unit 102 (u
8).

The user name obtained in step u6 and the authority information obtained in step u8 are combined with the authority information return unit 102
And a list of functions executable by the target user (executable function list 125) is created (u
9).

When the survey target is “Applet A”, the target user is “User 2”, and the authority information is as shown in FIG. 2, the user 2 is given authority only to the “Summary display function 122”. Therefore, the executable function list 125 is as shown in FIG.

A return value is constructed by the authority information return unit 102 based on the executable function list 125 obtained in step u9, and the applet 1 is returned as a CGI return value.
It is returned to 11, 112, etc. (u10).

The information to be returned (executable function list 1)
As the format 25), for example, a format as shown in FIG. 8 can be considered.

FIG. 8 is a diagram showing an example of an executable function list as a CGI return value in this embodiment.

Here, it is described that the authority information return unit 102 generates the executable function list by matching the information received from the authority information management unit 103 with the user name to be investigated. In some cases, the name of the user to be investigated may be passed as an argument, and the list of executable functions of the user to be investigated may be generated by the authority information management unit 103.

As described above, the application function specifying device according to the embodiment of the present invention includes the authority information return unit 1
02 as a CGI, and the authority information management unit 1
03 is also linked to the authority information return unit 102, so that the following effects can be obtained. (1) Since the user authentication functions provided as standard by the WWW server and the WWW browser are used as they are, it is not necessary to newly create these functions, and the labor for constructing the system can be reduced. (2) Since user authentication by HTTP is performed, W
It is possible to achieve commonality with user authentication when accessing another HTML file or the like from a WW browser. Therefore, single sign-on can be easily realized with another WWW system or WWW application. (Third Embodiment) In the first and second embodiments, a method in which a user inputs a set of a user name and a password is used as user information used for user authentication. In the present embodiment, user information is used as user information. A case where an electronic certificate is used will be described.

The application function designating apparatus of this embodiment has the same configuration as that of the first or second embodiment except that an electronic certificate is used as user information. An electronic certificate is a digital signature of information including a user name.

WWW Browser 10 in the Present Embodiment
8, 110 and the WWW server 101 have a function of using an electronic certificate to perform user authentication. This function is a standard function provided by a general WWW browser and WWW server.

Next, the operation of the application function specifying device according to the present embodiment configured as described above will be described.

The operation of this apparatus is the same as the procedure described in the first or second embodiment except that an electronic certificate is used.

For the electronic certificate, first, the WWW server 101 transmits a user information transmission request according to the HTTP protocol.

WWW browser 10 receiving this request
8, 110, etc., the applet 11 running on this browser is operated by the WWW browser standard function.
The electronic certificate of the user who uses 1,112 or the like is extracted and transmitted to the WWW server 101.

The electronic certificate transmitted to WWW server 101 in this manner is analyzed by the WWW server standard function, and user authentication is performed.

As a result, the user name of the user using the applets 111, 112 and the like is set to a variable (REMOTE_USER) that can be referred to from the CGI program in the same manner as in the second embodiment. Note that even when the authority information return unit 102 and the like are configured by an API for extending the function of the WWW server,
By using I, a variable storing a user name can be referred to.

As described above, the application function designating apparatus according to the embodiment of the present invention can use an electronic certificate for user authentication, so that the following effects can be obtained. (1) The security level can be improved by using an electronic certificate. (2) By using the electronic certificate, the browser user does not need to input a pair of a user name and a password each time, and the convenience of the user can be improved. (3) Since the functions for handling digital certificates can be directly used as provided by the WWW browser and the WWW server, there is no need for application developers or the like to create such functions, making application development easier. It can be carried out. (Fourth Embodiment) In this embodiment, a case where the authority information 104 in the first to third embodiments is realized by a text file in a format as shown in FIG. 9 will be described as an example.

FIG. 9 is a diagram showing an example of a data structure of authority information in the application function designating apparatus according to the third embodiment of the present invention.

As shown in FIG.
Is a data format in which records are separated by blank lines.
Authority information for one applet is described in one record. In the first line of the record, the name of the target applet is described. In the second line, the name of the function to which the access right provided by the applet is to be set and the name of the user permitted to execute the function are described.

Next, the operation of the application function designating apparatus according to the present embodiment configured as described above will be described with reference to the flowchart of FIG.

FIG. 10 is a flowchart showing the operation of the WWW application function designating apparatus in this embodiment.

First, the processing in steps s1 and s2 shown in FIG. 3 of the first embodiment is the same in the present embodiment, so that the description is omitted, and steps s3 to s3 in FIG.
Only the part corresponding to s6 will be described. Here,
Description will be made on the assumption that the applet to be investigated in the authority information is “Applet A” and the user to be investigated is “User 2”.

First, the authority information returning unit 102 inquires of the authority information management unit 103 about authority information using the applet name to be investigated (“applet A”) as an argument (v1).

Next, the authority information management unit 103 refers to the authority information 104, and extracts the authority information corresponding to the applet to be inspected, that is, the information of the record in which the applet to be inspected is described in the first line of the record. (V2).

In this example, since the applet to be investigated is “Applet A”, the contents of the record corresponding to “Applet A” in the authority information shown in FIG. 9, that is, the target: Applet A Summary display User 1, User 2 , User 3, user 4 detailed display user 1, user 4 data change user 1 is extracted.

Next, the authority information obtained in step v2 is passed from the authority information management unit 103 to the authority information return unit 102 (v3). The return means can be inter-process communication or
Any method such as file and shared memory transfer may be used, and there is no particular limitation on the means. Also, the authority information management unit 103
Is executed in the same process as one function of the authority information return unit 102, the function information may be transferred in the form of a data structure such as a structure.

Next, the authority information received in step v3 is referred to by the authority information return unit 102, and it is checked whether or not the investigation target is included as the executable user set for each function. Created (v
4).

In this example, since the user to be investigated is “user 2”, it is checked whether or not “user 2” is included in each line of the authority information obtained in step v2. A list 125 is created.

In this case, the function “summary display function 12
2) “Detailed display function 123” “Data change function 124”
However, since the user 2 is described as having authority only in the row of the “summary display function 122”, the executable function list 125 is as follows.

Outline display OK Detailed display NG Data change NG After the executable function list 125 is created, information necessary for returning to the applet 112 is added to the list 125, and a return process is executed (v5). ). When transmission and reception with the applet 112 are performed using the HTTP protocol, the information added here is “Content-Ty
pe: text / plain ".

Note that here, the authority information return unit 102
Although the information received from the authority information management unit 103 and the name of the user to be examined are matched to generate an executable function list, the name of the user to be investigated is also passed as an argument when the authority information management unit 103 is called, May be generated by the authority information management unit 103.

As described above, the application function designating apparatus according to the embodiment of the present invention describes the authority information 104 in a data format in which record delimiters are blank lines. The effect can be easily realized. (Fifth Embodiment) In the present embodiment, the authority information management unit 103 in the first to fourth embodiments uses the authority information 104 as an access control list (ACL: Access).
Control List) will be described.

FIG. 11 is a block diagram showing a configuration example of a WWW server to which an application function designating apparatus according to a fifth embodiment of the present invention is applied, and the same parts as those in FIGS. The description is omitted.

In this WWW application function designating apparatus, the authority information managing section 103
In addition to the configuration including the L management unit 152 and the ACL storage unit 153, the configuration is the same as in the first to fourth embodiments.

Here, the ACL management unit 152 provides a function of setting and managing the ACL, analyzing the ACL, and returning the setting contents, and uses the functions provided by the WWW server as standard.

Incidentally, a general WWW server provides a user interface for setting and managing an ACL by using the function of the ACL management unit 152. Also,
In some cases, an API for using the function of the ACL management unit 152 is disclosed. User interface and API
In the case of a WWW server that does not provide
The ACL management unit 152 is configured by implementing the management function in the form of a CGI program or the like.

The ACL storage unit 153 stores A in the form of access right setting information for one content (file).
CE (Access Control Entry) 1
54 stores an ACL composed of a plurality of groups. Note that AC
The L handling function itself is also a standard function provided by the WWW server.

FIG. 12 is a diagram showing an example of the ACE.

In the example of the ACE shown in FIG.
e. The figure shows that the read authority is given to the user 1 and the user 2 for the content “html”.
The description format of ACL and ACE, which is a component thereof, differs for each WWW server, but the information contained therein is basically the same.

Next, the inquiry management section 151 includes an information conversion section 155 and an ACL inquiry section 156 as an interface to the ACL management section 152.

The inquiry management unit 151 stores the information such as the applet name given from the authority information return unit 102 into the AC
Converted into an instruction in the format used by the L management unit 152,
The ACE is requested to the CL management unit 152. Also, A
The information received from the CL management unit 152 is returned to the authority information return unit 102.

Here, the information conversion unit 155 converts the information such as the applet name given from the authority information return unit 102 into A
This is converted into an instruction in a format used by the CL management unit 152, and for this conversion, for example, a table as shown in FIG. 13 is provided.

FIG. 13 shows the information conversion unit 1 in this embodiment.
FIG. 5 is a diagram showing an example of an information conversion table included in 55.

As shown in the figure, in this table, for example, when a certain applet name is received, the information is converted into a command for acquiring applet information from the corresponding ACE.

Next, the operation of the application function specifying device according to the present embodiment configured as described above will be described.

First, prior to a specific description of the operation of the WWW application function designating device, the authority information
The procedure for setting as CL will be described. As the example of the authority information 104, the information illustrated in FIG. 2 in the first embodiment is used.

First, some files are created for setting authority information. Here, as an example, the naming rule of the file name is “target name. Function name. Acl”.
This naming rule is an example, and other forms may be used as long as the processing described below can be performed.

As shown in FIG. 2, since the applet A is composed of three functions, according to the above naming rules, “applet A. schematic display. Acl”, “applet A. detailed display. Acl”, “applet A” A. Data change.
acl "will be generated.

Next, ACL setting is performed for the above three files by using an interface provided by the WWW server 101 or the like. The setting method is a normal HTM
This is similar to the case of setting for an L file or the like.

According to FIG. 2, since the user 1, the user 2, the user 3, and the user 4 have the execution right, the schematic display function of the applet A is described as “Applet A. schematic display.a
The ACL is set so as to give the four users access rights to the file "cl". FIG. 14 shows an example of an ACL set similarly in the following.

FIG. 14 is a diagram showing an example of an ACL according to the present embodiment.

Next, a specific operation of the WWW application function designating apparatus will be described.

In this embodiment, the same operation parts as those in the previous embodiment are omitted, and hereinafter, from step s3 in FIG. 3 of the first embodiment, that is, in accordance with the request from the authority information return unit 102, the authority information management is performed. A process until the unit 103 retrieves and returns the authority information will be described. Here, it is assumed that the check target of the authority information is “Applet A”.

First, the authority information return unit 102 requests the inquiry management unit 151 of the authority information management unit 103 for authority information on the applet A. Inquiry management unit 15
In 1, the applet name (applet A) is converted into a command to the ACL management unit 152 by the information conversion table,
This command requests the ACL management unit 152 to return an ACE group in which authority information for each function of the applet A is set.

Next, the ACL is analyzed by the ACL management unit 152, and a target ACE group is extracted and returned to the inquiry management unit 151. The target ACE group is
Specifically, “path =” applet A. *. ac
ACE ("*" is a wild card representing an arbitrary character string). In this example,
The three ACEs shown in FIG. 14 correspond.

ACE received from ACL management section 152
The group is sent to the authority information return unit 10 by the query management unit 151.
2 is sent. At this time, the received ACE group may be transmitted as it is, or the format may be converted so that the authority information returning unit 102 can easily handle it. For example, processing such as combining one piece of ACE information into one line may be performed as follows.

Outline display User 1, User 2, User 3, User 4 Detailed display User 1, User 4 Data change User 1 Other, authority information return unit 102 and authority information management unit 103
May be transferred in the form of a data structure such as a structure, if they operate in the same process.

The authority information received from the authority information management unit 103 is referred to by the authority information return unit 102, and it is checked whether or not the target user is included as an executable user set for each function. Based on the findings,
A data format to be returned to the applet is created.

Here, assuming that the user to be investigated is “user 2”, since “user 2” is included only in the executable users of “summary display”, the following executable function list is created. Is done.

Outline display OK Detailed display NG Data change NG Then, information necessary for returning to the applet 112 is added to the executable function list 125, and the list is returned to the applet 112. H to send / receive to / from applet
When performing using the TTP protocol, the information added here is “Content-Type: text / play”.
n ”.

Here, the authority information returning unit 102
Although the information received from the authority information management unit 103 and the user name to be investigated are matched to generate an executable function list, the name of the user to be investigated is also passed as an argument when the authority information management 103 is called, and the The configuration may be such that the list of executable functions is generated by the authority information management unit 103.

As described above, the application function designating apparatus according to the embodiment of the present invention
Is set using the ACL, so that the authority information management unit 1
03, the functions (API) and user interface provided by the WWW server as standard for ACL setting / management and analysis of setting contents can be used, and the system development labor can be reduced. .

[0154]

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS A description will be given of an embodiment using an application function designation apparatus and a WWW application (applet) according to the first to fifth embodiments. Here, an example of an application that dynamically changes the function of an applet based on the authority information 104 for each function 122 and the like of the applets 111 and 112 will be described. The applications assumed in the present embodiment are as follows. (1) Display the device configuration diagram as HTML. (2) By clicking on a device to be set, an applet for changing the settings of the device is activated. (3) When executed by a user who has the authority to change the settings, this applet provides a function to change the settings. If the user who does not have the authority to change the settings executes the applet, The function to display the set value is provided.

FIG. 15 is a diagram showing an example of a device configuration diagram displayed by an application according to the embodiment of the present invention.

This device configuration diagram is composed of one HTML file. The device A, device B, and device C provide a function of changing their settings using HTML functions such as a clickable map. A link has been created to run the applet.

FIGS. 16 and 17 show examples of applet screens executed in this manner.

FIG. 16 is a diagram showing an example of a screen displayed when a user who does not have the authority to change the settings executes the process.

FIG. 17 is a diagram showing an example of a screen when the user having the setting change authority executes the process. In the example shown in the figure, the field displaying the value is editable, and a “change setting” button is provided.

Next, the operation of the WWW application function designation device and application will be described. First, a processing procedure on the applet side for changing the setting of the device will be described. This applet operates in the following flow.

First, the executable function list 125 is requested to the authority information return unit 102 of the WWW server 101.

A list of executable functions of the user executing this applet is received from the authority information return unit 102.

On the other hand, as an initial screen, labels such as "object" and "administrator" and a field for displaying a set value are set by an applet function.

The received executable function list is confirmed,
It is checked whether the user has the setting change authority. This check may be performed by processing embedded in each function, or may be performed by the authority check processing unit 121.

Here, in the case of a user having the setting change authority, the set value display field is set to be changeable, and FIG.
A setting change button is provided as shown in FIG.

Next, the current set value is obtained from the target device, and the value is displayed in each field shown in FIGS.

When the setting change button shown in FIG. 17 is pressed, the value of each field is extracted, and the setting of the target device is changed according to the input by the user.

The processing in the application has been described above. Next, the device configuration diagram of FIG. 15 will be described.

This is one HTML created using a function such as a clickable map. When, for example, clicking the “device A” portion, an applet for changing the settings of the device A is started. Here, the HTM set to start the applet for changing the setting of the device A
Assuming that the L file is “device A.html”, a link is established from “device A” in the device configuration diagram to “device A.html”.

Here, in the present embodiment, the authority information return unit 10
Since an applet for changing the setting of the device is constructed by inquiring the executable function list 125 with respect to 2, there is only one applet. Therefore, only one type of “device configuration diagram” needs to be prepared.

On the other hand, for comparison with the embodiment, it is assumed that an applet for changing the setting of the device A is implemented as another applet for each function as described in the related art. That is, two applets, an "applet A1" having only a function of displaying setting information and an "applet A2" having a function of displaying and changing settings are created. The link from "Device A" in the device configuration diagram is HTM
Since only one link destination can be set due to the restriction of L, in such a configuration, the "device configuration diagram for a user who does not have the authority to change the setting" and the "device configuration for a user who has the authority to change the setting" It is necessary to prepare two figures.
The former is set to start the applet A1, and the latter is set to start the applet A2.

Further, the case where the conventional technique is used for the device B will be considered. It is generally assumed that the right that a certain user has for the device A and the right that the user has for the device B do not generally match. That is, it is assumed that there is a user who has the setting change authority for the device A but does not have the setting change authority for the device B. Therefore, the “device configuration diagram” includes “a device configuration diagram for a user who can change the settings of both devices A and B”, “a device configuration diagram for a user who can change the settings of only device A”, and “a device B only. Device configuration diagram for users who can perform the operation ”“ Device A, B
Configuration diagram for users who cannot change the settings
You need to prepare a street. If the number of devices further increases, the types of “device configuration diagrams” prepared will cause a combinatorial explosion.

However, as described above, the WWW of this embodiment
According to the application function designating device, an applet that can change the device setting by inquiring the executable information list 125 to the authority information return unit 102 is used, so that the actual state of the applet can be reduced to only one. Only one type of “device configuration diagram” needs to be prepared.

The present invention is not limited to the above embodiments and examples, but can be variously modified without departing from the gist thereof.

For example, in each embodiment, the authority information return unit 102
Has returned a list of executable functions to a browser (applet) in the form of a list of executable functions, but the present invention is not limited to the form of returning executable information. For example, return information about functions that are refused to execute,
Information such as execution permission may be returned conditionally.

The situation to which the present invention is applied is not limited to the case where execution is requested via a network. For example, the present invention can also be applied to a case where an application in one computer inquires of another program (corresponding to an application function designating device) in the computer about a function that is permitted to be executed among a large number of functions of the computer.

The apparatuses described in the embodiments and examples can be realized by causing a computer to read a program stored in a storage medium.

Here, as the storage medium in the present invention,
Magnetic disk, floppy disk, hard disk,
Any storage medium that can store a program and can be read by a computer, such as an optical disk (CD-ROM, CD-R, DVD, etc.), a magneto-optical disk (MO, etc.), a semiconductor memory, etc. It may be.

An operating system (OS) running on the computer based on instructions of a program installed in the computer from the storage medium,
MW for database management software, network software, etc.
(Middleware) or the like may execute a part of each process for realizing the present embodiment.

Further, the storage medium in the present invention is not limited to a medium independent of a computer, but also includes a storage medium in which a program transmitted via a LAN, the Internet, or the like is downloaded and stored or temporarily stored.

Further, the number of storage media is not limited to one, and a case where the processing in the present embodiment is executed from a plurality of media is also included in the storage media of the present invention, and the medium may have any configuration.

The computer according to the present invention executes each process in the present embodiment based on a program stored in a storage medium.
Any configuration such as a single device, a system in which a plurality of devices are connected to a network, or the like may be used.

The computer in the present invention is
It is not limited to a personal computer, but also includes a processing device, a microcomputer, and the like included in an information processing device, and generically refers to a device and a device capable of realizing the functions of the present invention by a program.

[0184]

As described above in detail, according to the present invention, the authority information for each application and each user is managed, and the information of the operable function is returned in response to the authority check request of the application. So
Provided is an application function designating device and a storage medium that can dynamically change, when an application is executed, whether to enable or disable a part of the functions provided by the application in accordance with a user authority to execute the application. be able to.

[Brief description of the drawings]

FIG. 1 is a block diagram showing a configuration example of a network system to which an application function specifying device according to a first embodiment of the present invention is applied.

FIG. 2 is a diagram showing an example of authority information for an applet A.

FIG. 3 is a flowchart showing the operation on the WWW server side in the embodiment.

FIG. 4 is a diagram showing an example of the contents of an executable function list.

FIG. 5 is an exemplary flowchart showing the operation on the WWW browser side in the embodiment.

FIG. 6 is a block diagram illustrating a configuration example of a WWW server that realizes an application function specifying device according to a second embodiment of the present invention.

FIG. 7 is a flowchart showing the operation of the application function designation device in the embodiment.

FIG. 8 is an exemplary view showing an example of an executable function list as a CGI return value in the embodiment.

FIG. 9 is a diagram showing an example of a data structure of authority information in an application function designating apparatus according to a third embodiment of the present invention.

FIG. 10 is an exemplary flowchart showing the operation of the application function designation apparatus according to the embodiment.

FIG. 11 is a block diagram showing a configuration example of a WWW server to which an application function designating device according to a fifth embodiment of the present invention is applied.

FIG. 12 illustrates an example of an ACE.

FIG. 13 is a view showing an example of an information conversion table included in the information conversion unit 155 according to the embodiment.

FIG. 14 is a view showing an example of an ACL in the embodiment.

FIG. 15 is a diagram illustrating an example of a device configuration diagram displayed by an application according to the embodiment of the present invention.

FIG. 16 is a view showing an example of a screen when a user who does not have setting change authority executes the screen.

FIG. 17 is a view showing an example of a screen displayed when a user having setting change authority executes the screen.

[Explanation of symbols]

DESCRIPTION OF SYMBOLS 101 ... WWW server 102 ... Authority information return part 103 ... Authority information management part 104 ... Authority information 105 ... Applet held on server 106 ... Applet held on server 107 ... User 108 ... Browser 109 ... User 110 ... Browser 111 ... Applet downloaded and executed on the browser 112 ... Applet downloaded and executed on the browser 121 ... Authority check processing unit 122 ... Summary display function 123 ... Detail display function 124 ... Data change function 125 Executable function list 131 User authentication unit of WWW server 132 Variable 151 Query management unit 152 ACL management unit 153 ACL storage unit 154 ACE 155 Information conversion unit 156 ACL inquiry unit

Claims (8)

[Claims] 1. In response to a request from an application,
Among one or more functions provided by the application,
An application function specification device, comprising: an authority information returning unit that returns authority information about a function that is executable by a user using the application. 2. An application function designating device for designating an executable function among one or more functions of the application in response to a request for authority information from the application, the executable function of each application having each function. Authority information management means for managing information on a user who can be executed as execution authority information, and acquiring execution authority information on the application that has output the authority information request from the authority information management means, and An application function specifying device, comprising: an authority information returning unit that creates information on a function that is executable by a user using the application and returns the information to the application. 3. The application function designating device according to claim 2, wherein the application information designating means is provided on a WWW server, wherein the authority information managing means manages the execution authority information as an access control list used in a WWW server. Characteristic application function designation device. 4. The application function designating device according to claim 1, wherein the authority information returning means is provided on a WWW server, and the authority information returning means includes a user authentication mechanism provided in the WWW server. An application function specifying device that specifies a user who has performed the application as a user who uses the application. 5. In response to a request from an application,
Among one or more functions provided by the application,
A computer-readable storage medium storing a program having authority information returning means for causing a user using the application to return authority information on a function that is permitted or rejected. 6. A program for controlling an application function designating device for designating an executable function among one or more functions of the application in response to a request for authority information from the application, the program comprising: Authority information management means for managing information of a user who can be executed each time as execution authority information; and acquiring execution authority information on the application which has output the authority information request from the authority information management means; A computer-readable storage medium storing a program having an authority information returning means for causing a user using the application to create information on a function to be executed based on the authority and returning the information to the application. 7. A program for controlling an application function designating device according to claim 6, wherein said program is provided on a WWW server, wherein said authority information managing means stores said execution authority information as an access control list used in a WWW server. A computer-readable storage medium characterized by being managed. 8. A program for controlling an application function designating device according to claim 5, provided on a WWW server, wherein the authority information returning means includes a user authentication device provided in the WWW server. A computer-readable storage medium, wherein a user authenticated by the mechanism is specified as a user using the application.