JP2002244871A - Data communication system and data communication method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a data communication system and a data communication method that efficiently execute the access control over a mobile agent. SOLUTION: A service providing server 20, when a mobile agent A moves thereto, requests a management server 10 to transmit access control information corresponding to information on a user held by the mobile agent A. The management server 10 unifies the management of information in the service providing server 20 accessible to the user, as access control information, and when receiving the request for the access control information, extracts access control information related to the user and transmits the access control information to the service providing server. The service providing server 20 determines whether the mobile agent A has access or not from the received access control information, and if finding enabled access, permits access to resources in the service providing server.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a data communication system and a data communication method for controlling access of a mobile agent which is a program for moving a plurality of systems in a network.

[0002]

2. Description of the Related Art In recent years, a mobile agent that collects information according to a user's request while performing a plurality of service providing servers existing on a network as a user's agent and performs various tasks. Technology, so-called mobile agent technology, has been studied for practical use.

[0003]

As described above, when a mobile agent accesses a server along a task given by a user on behalf of a user and uses a service provided by the server, In addition, the server needs to authenticate the mobile agent, and the service must be provided according to the access authority given to the user. Specifically, the services provided by the server include a service that can be provided to all mobile agents accessing the server and a service in which available mobile agents are limited, and the use of the latter is limited. In a service, only a mobile agent of a user who has an access right to the service in advance can access the service. Then, as described above, in order for the server to determine whether or not the mobile agent can access the execution environment and to control the access of the mobile agent, a list that defines user rights is required.

[0004] However, this list is divided by user,
Each service must be specified in detail, and since the format differs depending on the execution environment of each server (the type of OS, etc.), it is necessary to create and hold each server independently. For this reason, there is a disadvantage that the management of the access of the mobile agent to the server resources and the access to the service provided by the server becomes very complicated.

[0005] The present invention has been made in view of such circumstances, and a mobile agent manages a mobile agent by centrally managing information about whether or not access is made when using a service on a server on a network. An object of the present invention is to provide a data communication system and a data communication method for efficiently controlling access of an agent.

[0006]

In order to achieve the above object, the present invention provides a mobile agent which moves between servers in a network based on a task given by a user, and wherein the mobile agent is operable. A data communication system including a server having a program and a management server that centrally manages information of a server accessible by the user as access control information, wherein the server includes:
Control list requesting means for requesting the management server to transmit the access control information corresponding to the information of the user who generated the mobile agent when the mobile agent has moved; and A determination unit configured to determine whether the mobile agent is allowed to access based on the received access control information; and an access permission unit configured to permit access to a resource of the server when the access is possible. Receiving a control list request from the server, the management server extracts the access control information corresponding to the received user information, and transmits the extracted access control information to the server A data communication system comprising:

As described above, since the management server centrally manages the access control information in which the information on whether the mobile agent can access the server is provided, the data processing required for changing, deleting, and adding information in the access control information. Time and the amount of data to be processed can be reduced.

The control list requesting means, the judgment means, and the access permitting means in the server described above are processes executed by the access control unit on the agent middleware provided in the service providing server in the embodiment described later. Actually, the CPU in the service providing server
The (Central Processing Unit) executes the program stored in the storage device in the server to realize the above-described processing. Similarly, as for the extracting means and the transmitting means in the management server, the CPU (Central Processing Unit) in the management server actually executes a program stored in a storage device also mounted in the management server. By executing, the above-described processing is realized.

In the data communication system described above, the server includes data, and when it is determined that the mobile agent can access the server, the mobile agent gives the mobile agent access to the data. It is characterized by permission.

According to the above configuration, the server has a service that can be provided to the user, and provides its own service to the mobile agent accessing the server. As a result, the mobile agent can obtain a service corresponding to the task given by the user from the access destination server, and can provide the user with rich information.

Further, in the server of the data communication system, in the server, the determination means determines whether or not the mobile agent can access each data provided in the server based on the access control information. The access permitting means permits the mobile agent to access only data determined to be transmittable by the determining means.

The data provided by the server, that is, the service provided by the server to the user (actually, the mobile agent created by the user) includes services that can be provided to all the mobile agents accessing the server. And services for which available mobile agents are limited. According to the above configuration, the access control information managed by the management server indicates whether or not each agent provided to the user by each server can access the service by the agent. When the server receives an access request to the service provided by the mobile agent from the mobile agent, the server determines whether the mobile agent can access the mobile agent based on the access control information obtained from the management server. Can be easily determined.

Further, the present invention provides a mobile agent which moves between servers in a network based on a task given by a user, a server which can be accessed by the user, and data stored in the server. In addition to centrally managing access permission information as access control information,
A data communication system comprising: a management server having access information necessary for accessing the server or data included in the server; wherein the mobile agent is connected to a server having a program on which the mobile agent can operate. When accessing, or when accessing the data provided in the server, information necessary for identifying the user who generated the mobile agent and information on the server or data desired to be accessed are transmitted to the management server. The management server, comprising: transmission means for transmitting; and server access means for, when receiving information necessary for accessing the desired access destination from the management server, accessing the server using the information. From the information received from the mobile agent, Extracting means for extracting access control information corresponding to the above; determining means for determining whether or not the mobile agent can access the desired access destination based on the access control information; and the mobile agent is accessible. In this case, there is provided a data communication system comprising: transmission means for transmitting, to the mobile agent, access information necessary for accessing a desired access destination.

[0014] According to the above configuration, the management server centrally manages information on whether or not the mobile agent can access each server and the service provided by each server. If the mobile agent has an access destination, the information of the access destination and information necessary for identifying the user who generated the agent (for example, identification information of the user who generated the self) Or a predetermined password given by the user along with the task)
Is transmitted to the management server, the management server determines from the access control information of the user who generated the agent whether or not the agent can access the desired access destination. Transmits, to the mobile agent, a module (a small program that can be used from other software), which is information necessary for the agent to access the desired access destination.

Thus, the mobile agent can use the module received from the management server to access a desired access destination and use a desired service. Further, in the present invention, since the processing related to the access of the mobile agent is performed between the mobile agent and the management server, the server to which the mobile agent accesses does not need to perform any particular operation, so the processing performed by the server is reduced. Therefore, it is possible to reduce the amount of programs and data included in the server. In the above description, the transmission means and the server access means possessed by the mobile agent are actually operation contents provided in the program of the mobile agent itself, and are actually executed by the CPU of the access destination server or the management server. Is performed. In addition, the extraction means, the determination means, and the transmission means of the management server are actually a CPU (Central Pr
The above-described processing is realized by an execution unit executing a program stored in a storage device mounted on the management server.

Further, the present invention is a data communication method in which a mobile agent moves between servers existing in a network based on a task given by a user, wherein information of a server accessible by the user is stored. Storing the access control information; and requesting the access control information corresponding to the information of the user who generated the mobile agent when the mobile agent accesses the server; Extracting access control information corresponding to the information of the user from access control information, obtaining the extracted access control information, and determining whether the mobile agent can access the mobile agent based on the obtained access control information. Judgment process and, if access is possible, access to the server's resources To provide a data communication method characterized by comprising the allowable process.

According to such a data communication method, access control information in which information on whether or not the mobile agent can access each server is centrally managed, and the access control of the mobile agent is performed based on the access control information. Therefore, the format of the access control information can be unified. For this reason, it is possible to reduce the data processing time and the amount of data to be processed required for changing, deleting, and adding information in the access control information.

The present invention also relates to a data communication method in which a mobile agent moves between servers existing in a network based on a task given by a user, the server being accessible by the user and the server thereof. Storing, as access control information, information on whether access to data is possessed, and storing access information required when accessing the server or data included in the server; and When accessing the data provided by the server, or when accessing the data provided by the server, information necessary to identify the user who generated the mobile agent and information on the server or data to which the mobile agent desires access And the information of the user who generated the mobile agent Extracting corresponding access control information, determining whether or not the mobile agent can access the desired access destination based on the access control information, and if the mobile agent is accessible, Transmitting access information required to access a desired access destination.

According to such a data communication method, the information on whether or not the mobile agent can access each server and the service provided by each server is centrally managed, and the information on the access destination from the mobile agent and the information on the access destination are provided. Upon receiving information necessary for identifying the user who has generated the mobile agent (for example, identification information of the user who has created the mobile agent, a predetermined password given with the task from the user, etc.) It is determined from the access control information of the user who generated the agent whether or not the agent can access the desired destination,
Further, if the access is possible, a module (a small program that can be used from other software), which is information necessary for the agent to access the desired destination, is transmitted to the mobile agent. I do. As a result, the mobile agent can use the received module to access a desired access destination and use a desired service.

[0020]

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS An embodiment of the present invention will be described below with reference to the drawings. First, the outline of the data communication system of the present invention will be briefly described with reference to FIG. FIG. 3 is a diagram illustrating an example of a network configuration of a data communication system according to an embodiment of the present invention. In the figure,
An environment in which a management server 10, a service providing server 20 for providing various services, and an agent registration / occurrence server 30 are connected to each other in a computer network, and a user agent called an agent can move on the network ( Agent middleware) is built on each server. Also, the user terminal 4
0 is a personal computer, mobile phone or PH
S, etc., each of which has a display unit (not shown) for displaying a message and a screen, and an input means (not shown) for inputting information, and can receive services on the Internet. A WWW browser application program is installed.

The user terminal 40 is connected to the agent registration / occurrence server 30. The user operates the user terminal 40 to operate the agent registration / occurrence server 3.
The agent is generated by accessing 0 and transmitting a task or the like. The mobile agent A is a mobile agent that operates on agent middleware, for example, is an autonomous computer program described in JAVA (registered trademark) language or XML language, and operates while executing its own program. Can be interrupted, and the user can move between different servers while retaining the interrupted data to further understand the execution.

The mobile agent A autonomously moves on the network as necessary, uses various resources on the network, and executes various processes while communicating with other mobile agents. For example, based on a predetermined process, a mobile agent may perform a process of moving and processing between servers in a fixed order, and determine a server to be moved next according to a process of a destination server. It is possible to do. Also, in a dial-up environment, the line is disconnected after the user registers and wakes up the mobile agent, and the mobile agent is called again as soon as the processing at the destination is completed, thereby reducing unnecessary communication costs. be able to.

Next, FIG. 1 shows a schematic configuration of a data communication system according to the first embodiment of the present invention. In FIG. 1, the management server 10 describes information of a service providing server that can be used by each user and information indicating whether the user can use each service provided by each service providing server. Centralized access control information.

The service providing server 20 has a C (not shown)
PU (Central Processing Unit), RAM (Random Ac)
cess memory), a storage device, and the like. FIG. 1 shows a hierarchical model of software of the service providing server. That is, an OS (Operat) such as UNIX (registered trademark) is installed in the service providing server.
ion System) 201, a VM running on the OS 201
(Virtual Machine) 202, and a hierarchical software operating environment (platform) including an agent middleware 203 operating on the VM 202 is constructed. The above-described VM is, for example, a JAVA.
An environment for interpreting and executing a program based on an intermediate code generated by the A compiler. The agent middleware is, for example, JAVA (Sun Micr
It is written in a programming language called an object-oriented interpreter language developed by osystems. In the agent middleware, an access control unit that exchanges information with the mobile agent A and controls access to the mobile agent is constructed.

The provision of the software operating environment having such a hierarchy in the service providing server makes it possible to prepare an environment in which the mobile agent A can operate. In addition, since the agent middleware is constructed, for example, the OS It is possible to provide the mobile agent A with a common function even if the service providing servers differ from each other. It is assumed that the above-described VM 202 and agent middleware 203 are stored in a recording medium in the service providing server 20. Furthermore,
The service providing server 20 stores various services (information) 60
And provide these services (information) to users. The contents of this service are information that can be normally acquired by the user on the Internet, such as information on travel, information on ticket sales, information on multimedia such as movies, etc.

Next, the operation of the data communication system according to the first embodiment of the present invention will be described with reference to FIGS. Note that the mobile agent A is actually a kind of computer program, and the service providing server 2
The CPU (Central Processing Unit) in 0 operates by executing this. As described above, although the operation is actually performed by the CPU (not shown) of the service providing server 20 executing the mobile agent A, the service providing server 20 is executed by executing the mobile agent A for convenience of explanation. The processing to be performed will be described assuming that the mobile agent A independently performs the processing of the operation. Further, before the processing described below is performed, the user needs to access the management server 10 from the user terminal 40 in advance and perform an operation of registering a service or the like that the user wants to use. As a result, the management server manages, as access control information, information on services available to the user among the servers available to the user and the services provided by the server. The registration of the service to be used is registered by directly accessing the management server 10 from the user terminal 40, and when the user directly accesses each service using server 20 from the user terminal 40 via the Internet or the like. Available services may be registered in the service providing server. In this case, the service providing server transmits information on services available to the user to the management server. Thereby, the service providing server 2 is stored in the access control information managed by the management server.
The service received from 0 is added as an available service.

The operation of the data communication system according to this embodiment will be described below. First, the user uses the user terminal 40 to register the agent registration / occurrence server 30.
To request a desired task (work), a mobile agent A is generated (step SP10 in FIG. 3). At this time, the identification information of the user and the identification information of the mobile agent A generated by the user are associated with each other and transmitted from the agent registration / occurrence server 30 to the management server 10 (see FIG. 3). Step SP11). The management server 10 registers the agent
By holding the information of both of them associated with each other received from the occurrence server 30, when the identification information of the mobile agent A is received in the processing described later, the user who has generated the mobile agent A can be identified. it can.

On the other hand, the generated mobile agent A is
The server moves to the server corresponding to the task given by the user (step SP12 in FIG. 3). For example, when the user gives a task such as “travel” to the mobile agent A, the mobile agent A moves to the service providing server 20 that provides information on “travel”. Each service providing server 20 presents the attribute of the data that the service providing server 20 has (the attribute of the provided service) to the mobile agent A. Thereby, the mobile agent A can determine whether or not the service providing server 20 corresponds to the given task.
In addition, a list in which services provided by each service providing server 20 are written is managed somewhere on the network, and the mobile agent A extracts the service providing server 20 corresponding to the task from the information. Then, the selected service providing server 20 may be sequentially accessed.

When moving to the service providing server 20 corresponding to the task given by the user, the mobile agent A transmits an access request to the service providing server 20 (step SP13 in FIG. 1). Upon receiving the access request from the mobile agent A, the access control unit 204 of the service providing server 20 transmits the information of the mobile agent A (identification information of the mobile agent A) to the management server 10, so that the mobile agent A Is requested (step SP14 in FIG. 4).

The management server 10 is a service providing server 2
0, a request for transmission of access control information is received from the identification information of the mobile agent A, the information of the user who caused the mobile agent A is authenticated, and the access control information corresponding to the user is extracted, It is returned to the service providing server 20 (step SP1 in FIG. 1).
5). Here, the mobile agent A holds the secret information set by the user, passes the secret information to the management server 10, and the management server 10 checks the received secret information to identify the mobile agent A. Authentication of the user who has caused the authentication may be performed. Although various methods have been proposed for this user authentication method, basically, information in which the identification information of the mobile agent A and the information of the user who caused the mobile agent A are associated with each other is used. This becomes possible by having the management server 10 or the mobile agent A itself.

When the access control unit 204 of the service providing server 20 receives the access control information, the mobile agent A that has issued an access request to the service providing server 20 can access the server based on the access control information. Is determined, and if accessible, the mobile agent A is accepted. As a result, the mobile agent A communicates with the service providing server 2
From 0, information along the user's task can be obtained (step SP16 in FIG. 1).

When the mobile agent A uses a desired service and moves from the service providing server 20 to another service providing server 20, the information of the access control information relating to the moved mobile agent A is deleted. . Since the above-mentioned access control information describes whether or not the service that the agent can receive is provided, the access control unit 204 of the service providing server 20 performs the access control of the mobile agent A based on this list, thereby simplifying the access control. In this way, only available services can be provided quickly and accurately, and confidentiality of information can be maintained. Further, once the access control information is obtained, it is possible to easily determine whether or not the mobile agent A can access the service provided by the service providing server 20. In particular, in the service providing server 20 that provides a large number of services, once the access control information is obtained, the access control of the mobile agent A can be performed for all the provided services, so that the efficiency is improved. Access control can be performed well.

Next, the configuration of the data communication system according to the second embodiment of the present invention will be described. In the first embodiment, the access control unit of the service providing server determines whether the mobile agent can access based on the access control information received from the management server. However, in the second embodiment, the mobile agent The user himself / herself obtains information on whether or not access is possible from the management server, and uses a service from a desired service providing server based on the information.

FIG. 2 is a diagram showing a configuration of a data communication system according to the second embodiment. As shown in the figure,
The management server has server information that can be used by the user and access control information that describes information indicating which services are available and which services are unavailable among the services provided by each server. In addition, it manages modules that require a mobile agent to use each service. This module is a small program that can be used by other software. In this case, the module acts as an intermediary for information exchange between the mobile agent B and the service providing server. This module is also called a proxy (PROXY), driver, or socket.

The configuration of the service providing server 20 'is basically substantially the same as the configuration of the service providing server 20 in the first embodiment. However, in this embodiment, since the mobile agent B itself performs access control, The difference is that the access control unit of the first embodiment is not required.
As described above, in the second embodiment, since the service providing server 20 'does not require the access control unit 204, the configuration of the service providing server 20' can be simplified, and the data amount can be extremely reduced. Can be.

Next, the operation of the data communication system according to this embodiment will be described. Here, the process of generating the mobile agent B and the service providing server 20 'corresponding to the task given by the user are performed by the mobile agent B.
The process until is extracted is the same as in the above-described first embodiment, and will not be described. When the mobile agent B accesses the server corresponding to the task given by the user, the mobile agent B requests the management server 10 ′ to use its own identification information and information on the access destination, for example, which service of which server. Is transmitted, and a service access request is made (step SP21).

The management server 10 'first authenticates the user who generated the mobile agent B from the identification information of the mobile agent B, and extracts the access control information associated with the user. Further, from the extracted access control information, information of a service corresponding to the access destination of the mobile agent B is extracted, and it is determined whether the mobile agent B can access the service. Then, if the mobile agent B is accessible, information necessary for using the service, that is, a module is transmitted to the mobile agent B (step SP22). Then, upon receiving the module from the management server 10 ', the mobile agent B accesses the service of the access destination using the received module, and acquires the desired information (step SP23).

As described above, in the second embodiment, the agent is restricted by the management server 10 '.
Since the access control information itself need not be transmitted to the mobile agent B, the amount of data transmitted and received between the mobile agent B and the management server 10 'can be minimized, and the time required for data communication can be reduced as much as possible. can do. Further, in the first embodiment, the service providing server 20 '
The need for an access control unit is eliminated, and the amount of data in the agent middleware can be reduced, so that it can be applied to terminals such as mobile communication terminals where the data amount is not very large. Become.

Although the embodiments of the present invention have been described in detail with reference to the drawings, the specific configuration is not limited to the embodiments, and includes a design and the like without departing from the gist of the present invention. It is.

[0040]

As described above, according to the data communication system of the present invention, the management server integrally manages the access control information in which the information on whether or not the mobile agent can access the server is provided. It is possible to reduce the amount of data processing time and data processing time required for changing, deleting, and adding information in control information
The access control of the mobile agent can be efficiently performed. In addition, since the format of the access control information can be unified as described above, the mobile agent can use the service by moving not only on the same platform but also on a different platform. A wide range of services can be provided. As described above, by expanding and diversifying opportunities for service provision in a mobile agent environment, a great effect of promoting service provision to users can be obtained. Further, since the information concealment of the access control can be enhanced, the effect of improving the security level of the entire environment of the mobile agent can be obtained.

Further, according to the data communication system of the present invention, the server has a service that can be provided to the user, and when the mobile agent determines that the server can be accessed, the server accesses the server. It provides its own services to the mobile agents it has done. As a result, the mobile agent can obtain a service corresponding to the task given by the user from the access destination server, and can provide the user with rich information.

According to the data communication system of the present invention, the access control information managed by the management server includes, for each service provided to the user by each server, the agent for the service. Since information indicating whether access is possible or not is described, the server receives the request for access to the service provided by the mobile agent based on the access control information obtained from the management server when receiving the request for access. It is possible to easily determine whether or not the mobile agent can access.

Further, according to the data communication system of the present invention, the management server centrally manages information on whether or not the mobile agent can access each server and the service provided by each server. If the mobile agent has an access destination, the information of the access destination and information necessary to authenticate itself are transmitted to the management server. It is determined from the access control information of the user who generated the agent whether or not the access is possible. If the access is possible, the information is necessary for the agent to access the desired access destination. Since a certain module is transmitted to the mobile agent, the mobile agent can use the module received from the management server to access a desired access destination and use a desired service. Further, in the present invention, since the processing related to the access of the mobile agent is performed between the mobile agent and the management server, the server to which the mobile agent accesses does not need to perform any particular operation, so the processing performed by the server is reduced. Therefore, it is possible to reduce the amount of programs and data included in the server.

[Brief description of the drawings]

FIG. 1 is a diagram showing a configuration of a data communication system according to a first embodiment of the present invention.

FIG. 2 is a diagram illustrating a configuration of a data communication system according to a second embodiment of the present invention.

FIG. 3 is a diagram illustrating a configuration example of a network according to an embodiment of the present invention.

[Explanation of symbols]

10, 10 '... management server, 20, 20' ... service providing server (server), 30 ... agent registration / occurrence server, 40 ... user terminal, 60 ... service (data),
201, 201 '... OS, 202, 202' ... VM, 2
03,203 '... Agent middleware, 204
... Access control unit, A, B ... Mobile agent

 ────────────────────────────────────────────────── ─── Continuing on the front page (72) Koji Nakao, Inventor 2-1-1-15 Ohara, Kamifukuoka-shi, Saitama F-term in Kaididi Laboratory Co., Ltd. 5B045 GG01 GG09 5B098 AA10 GD11 GD21

Claims (6)

[Claims] 1. A mobile agent that moves between servers in a network based on a task given by a user, a server having a program that can operate the mobile agent, and a server that can be accessed by the user. A data communication system including a management server that centrally manages information as access control information, wherein the server includes:
Control list requesting means for requesting the management server to transmit the access control information corresponding to the information of the user possessed by the mobile agent when the mobile agent has moved, and received from the management server A determination unit configured to determine whether the mobile agent is allowed to access based on the access control information; and an access permission unit configured to permit access to a resource of the server when the access is possible. The management server, when receiving a control list request from the server, extracting means for extracting access control information corresponding to the received user information, and transmitting the extracted access control information to the server. And a data communication system. 2. The server according to claim 1, wherein the server comprises data, and, when it is determined that the mobile agent can access the server, the mobile agent permits the mobile agent to access the data. Item 2. The data communication system according to Item 1. 3. The server according to claim 2, wherein:
The mobile agent determines whether or not the mobile agent is accessible for each data included in the server based on the access control information, and the access permitting unit restricts only the data determined to be transmittable by the determining unit. 3. The data communication system according to claim 2, wherein the access of the mobile agent is permitted. 4. A mobile agent that moves between servers in a network based on a task given by a user, information on a server accessible by the user, and information on whether data can be accessed by the server. And a management server holding access information required when accessing the server or data provided in the server, wherein the mobile agent is the mobile agent. When accessing a server equipped with a program that can operate, or when accessing data provided by the server, information necessary for identifying a user who has generated the mobile agent and a server that desires access Or transmitting means for transmitting data information to the management server And server access means for, when receiving information necessary for accessing the desired access destination from the management server, using the information to access the server, wherein the management server Extracting means for extracting access control information corresponding to the user from the information received from the agent, and determining means for determining whether or not the mobile agent can access the desired access destination based on the access control information And a transmission means for transmitting, to the mobile agent, access information necessary to access a desired access destination when the mobile agent is accessible. 5. A data communication method in which a mobile agent moves between servers existing in a network based on a task given by a user, wherein information on a server accessible by the user is used as access control information. Storing, and when the mobile agent accesses the server, requesting the access control information corresponding to the information of the user who generated the mobile agent; and Extracting access control information corresponding to the information of the user, obtaining the extracted access control information, and determining whether the mobile agent can access based on the obtained access control information. If access is possible, the process of allowing access to the resources of the server; A data communication method comprising: 6. A data communication method in which a mobile agent moves between servers existing in a network based on a task given by a user, comprising: a server accessible by the user; Storing information on whether or not access to data is available as access control information, and storing access information required when accessing the server or data included in the server; and when the mobile agent accesses the server. Or a step of acquiring, when accessing data provided by the server, information necessary for identifying a user who has generated the mobile agent and information on a server or data to which the mobile agent desires access. And an access corresponding to the information of the user who generated the mobile agent. Extracting the access control information; determining whether the mobile agent can access the desired access destination based on the access control information; Transmitting the access information required to access the data first.