JP2002333928A - License control system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To easily provide a batch log-in service to an ASP entrepreneur. SOLUTION: This license control systems is a computer system coverning a license control method in an application service provider to be used on the Internet, and it is characterized in that it is provided with an authenticating means for holding a DB for executing authentication by using an enterprise ID, a user ID and a password, a means for extracting a license method from the license DB owned by a user, a means for transmitting application start permission information to a WEB server side based on the license information derived by the extracting means, and a means for dynamically generating a display picture file for allowing the WEB server to perform an access to the user based on user attributes derived by the extracting means.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to batch login of user authentication at a plurality of sites on the Internet.
In particular, the present invention relates to a billing technique using a technique linked with an external server.

[0002]

2. Description of the Related Art To digitize business processes on the Internet, it is necessary to develop a plurality of application software corresponding to each business process in order to digitize many business processes. Normally, multiple application softwares to be developed require an authentication mechanism for security measures such as maintenance of ID / password and access control, and it takes time and cost to develop user authentication for each application software. ing. In addition, from the viewpoint of the end user, this means that a plurality of IDs and passwords must be used properly, which is inconvenient. Therefore, a system has been proposed for use in a batch login system that integrates an authentication mechanism while ensuring high security.

[0003] For example, at Entrust Technology, Inc. of the United States, for security-related Internet authentication and authority management, software that integrates authentication systems as Web security management software, from batch login to individual access control, is implemented by software. There is a product called "getAccess" (Fig. 1). By using this product, key systems such as “salary statement reference”, “sales information management”, “electronic approval”, and “management meeting” within one company are integrated, and the position and qualification It is possible to build a collective login site according to detailed access control settings in units such as. In the implementation example,
As shown in FIG. 1, there is a technique for displaying information on the web on a user's browser based on each individual's access authority. FIG. 2 shows that the resources that can be accessed are restricted depending on the position and the like.

[0004]

In recent years, there have been many application service providers (ASPs) that provide application software on the Web and collect license fees only when using the software. Here, in the case of a service provided by one company, it is possible to realize a collective log-in even though the implementation is difficult, by using the above-mentioned system. However, ASP providers have services with their own characteristics, and when they actually want to use them, they apply to each provider for each optimal software, and as a result, the ID and password are flooded. There is a problem that the disadvantages cannot be solved. Also, A
From the point of view of the SP provider, in order to provide a collective login service, a single product such as the above-described package must be purchased (that is, a similar product is required even when trying to cooperate with other companies). ), Combined with the difficulty of implementation, it was difficult to provide a batch login service.
Also, from the user's point of view, there is a need to digitize the work even if the ordering side pays the license fee for the collaborative work, but there was no billing method across other companies, so the small license fee There was a problem that it was not possible to replace.

[0005]

In view of the above points, the inventor of the present invention has solved the problems by the following means. The present invention relates to a computer system that controls a license control method in an application service provider used on the Internet, and includes an authentication unit that holds a DB that performs authentication using a company ID, a user ID, and a password, and a license that the user holds. Means for extracting a license method from the DB;
Means for transmitting application start permission information to a web server based on the license information derived by the extraction means; and a user screen derived by the extraction means to obtain a display screen file accessible by the web server to the user. A license control system that dynamically generates the file based on attributes.

When dynamically generating the display screen file, link information including session information is transmitted in the display screen file with respect to transmission of application start permission in an application server outside a network having a license controller. Is a license control system. After the display screen file is generated, when the application in the application server is started, the session information in the license controller is transmitted with respect to the transmission of the application start permission in the application server outside the network having the license controller. The license control system is characterized in that the license is converted to an external application server and transmitted to a user's browser. The log information relating to the use of an application program is a license control system having means for recording a license access log by an electronic certificate authority while the same application is running.

[0007]

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Next, an embodiment will be described with reference to the drawings. FIG. 3 shows an overall view of a network used in the present invention. In FIG. 3, reference numeral 1 denotes the Internet, a PC 3 used by a client, a mobile phone 6 or a personal information terminal (PDA) 9 connected to the mobile phone, a LAN 2 connected by a modem 2, a router 7, and a mobile phone base station, respectively. 5 and the mobile phone network 4. A system of a license control server 12 used in the present invention is connected to the Internet 1, and a firewall 10 and a WWW server 11 are provided at connection points. The license control server 12 and the ASP application server 1 (1
3), ASP application server 2 (14), and DB1 (16) to DB3 in which necessary DBs are stored.
(18) is connected. Also, the VPN management server 20
Via the Internet 1 via the Internet
Application server 3 (15) and a DB 4 (19) connected to the server. This server group has a well-known OS,
On this, the license control server of the present invention and each application server program operate. In addition, various servers, such as a settlement server, may be connected as necessary, and the server group may be further arranged outside through the Internet.

Next, the flow of the entire system will be described with reference to FIGS. When the user accesses the page for calling the login screen at 25, an input screen for the company ID, the user ID, and the password appears at 26. At this time, if necessary information is input and the transmission button is pressed, the information is sent to the license controller 31 via the Internet (a). Then, if the authentication is confirmed (b), an application menu is displayed (27). Here, when the menu is selected, the screen shifts to the screen 28. When a request is made to the application server 32 at this time (c), the license controller 33 checks whether this user has a license. (D). Thereafter, when confirmation is made, permission information is transmitted to the application server 32 (e), and a screen 28 is displayed. As long as the user is using the same application, unless the browser is forcibly terminated using the electronic authentication function of the license controller (during the same session).
The screen transition is performed while confirming the user by electronic authentication. That is, when shifting from 28 to 29, the electronic authentication is requested by g, and by sending back h from the electronic authentication side, the application continues to be used. Similarly, when shifting from 29 to 30, the electronic authentication is performed by i. Authentication is requested, and j is sent back from the electronic authentication side.

FIG. 5 is an overall flowchart showing the above process. When a URL request is received from the user browser in S1, the web server returns a login screen display to the user browser in S2. Thereafter, when login is performed from the user's browser in S3, the license controller transmits a cookie ID to the user browser (S4), and at the same time, the user's cookie ID is also transmitted to the web server.
Is transmitted (S5). At this time, the available license is inquired from the WEB server (S6), and in response to this, the license controller transmits the held license information to the WEB server (S7). And
The menu displayed by this web server is CGI or JAVA.
HTM that can be displayed by a user to generate a screen dynamically displayed on a browser using (registered trademark) SERVLET
An L file is created (S8), and a menu is displayed from the WEB server to the user's browser (S9).
Thereafter, when the user accesses the application server to use the program, the actions of each program are performed after S11.

FIG. 6 shows the WEB in the overall flow described above.
It is a detailed flowchart of a server. When the server starts in S20, a request is received from the user in S21. Next, a login screen is transmitted to the user in S22. Thereafter, when the user logs in, the cookie ID (similar to the browser of the user) having the identification number held by the user is received from the license controller in S23, and the license information held by the user is sent to the license controller in S24. Request. Thereafter, in S25, the license information received from the license controller is received, and in S26, the program (CGI or JAVA SEVELET
In such a case, an HTML file that can be displayed by the user is created in order to dynamically generate a screen to be displayed on the browser.
It ends when it reaches 28.

FIG. 7 shows the details of login in the license controller. In FIG. 7, when the license controller starts (S30), a login is accepted from the user in S31. In S32, it is determined whether or not the login is OK.
And send the cookie to the user browser. Then, the cookie ID is also transmitted to the WEB server in S34. After that, when available license information is received from the WEB server, matching with the DB is performed, and the license information held on the WEB server is dynamically converted to an HTML file by the WE file.
The transmission is performed so that the B server can perform the processing (S36), and the processing ends. If the authentication is not performed in S32,
Go to S37, send error information to WEB server and S3
8 and it ends.

FIG. 8 shows a case where the application menu is connected to an external application server at 40 (A). At this time, a and b are their own sites, but c is an external server, and ht is used as a link.
tp: //www.alles.ad.jp/asp/index.html (41) indicates a state that must be set. At this time, new login work must be avoided by taking over the session number of the browser.

FIG. 9 shows a first implementation example. At 40 (b), the user selects an application service outside the license controller in menu 3. To display the menu,
When displaying the user screen of the web server, a link is embedded to access the application server.
At this time, for external application resources, the session number is embedded in the link.
When the HTML file has been sent and the user selects menu 3, this link http://www.alles.ad.jp?sessi
on = 0a9b (42) is called, and the application server 43 is called. The external application server transmits to the license controller 44 (a) that the session number 0a9b has been taken over,
The license controller 44 (a) notifies that the takeover has been completed, and shifts to an application menu 45.

FIG. 10 shows a second implementation example. When the user selects an external application service in the menu 3 at 40 (c), the following process occurs.

1) The link of menu 3 of 40 (c) is lc.b
The information of the application to be used is passed to eingcorp.co.jp using parameters. That is, (4
7) http://lc.beingcorp.co.jp/nextAsp?url=www.al
les.ad.jp/asp/index.html Where ne
xtAsp includes a servlet for transitioning to the next ASP,
url indicates the URL of the application to be displayed next.

2) The servlet inside the LC that received the request is lc.al, which represents the same server in another domain.
Perform redirection (re-instruction) to les.ad.jp. For example, http://lc.alles.ad.jp/currentAsp?url=www.all
Redirect to es.ad.jp/asp/index.html&session=0a9b. At this time, lc.beingcorp.co.jp and
lc.alles.or.jp is the same server, currentAsp: URL of the servlet to be redirected url: URL of the application to be displayed next session: User's session I
D is shown. In the license controller 44 (b), the transition from α to β ends at this time (4
8).

3) The redirected servlet acquires the session parameter, and writes the session ID into the cookie 46 of the user's browser. further,
Redirect to URL specified by url parameter.

4) The redirected application server 50 transmits an HTML page to the user's browser and performs a list operation of shifting to an application menu of 49.

FIG. 11 is a flowchart showing the operation of the license controller with respect to the selection of an application. When the process is started in S40, application selection information is received in S41. Then S4
In step 2, the session number is transmitted to the application server. Further, when an action signal is received from the application (S43), it is determined whether or not a transition of the action within the same application is made (S44).
In the case of S, the process for giving an electronic authentication is started (S4
5) If NO, application change processing is performed (S46). At this time, if you have a license,
The process proceeds to S47, where a new session number is provided (even if the session number is the same, the site address is different, so the session number is different when viewed as a whole), and the process ends in S48. If the user does not have a possession license in S46, the process ends (S48).

FIG. 12 is a flowchart showing the operation on the application server side in FIG. S5
When the process starts at 0, in S51, license information is requested to determine whether or not to permit the license controller to use the license.
This registration shall be made in advance. Next, S52
It is determined whether or not the license information has been received. If YES, the application is started (S53). If NO, an error message is transmitted to the WEB server, and the process ends at S60. Next, when an action of the application occurs in S53 due to the user's work, an electronic authentication is requested (S55).
The process proceeds to the next task of the application (S56).
During a series of operations, the processes from S54 to S56 are repeated. Then, when the application is terminated in S57, it is determined whether or not another application is activated in S59. If YES, the process returns to S51. If NO, the process proceeds to S60 and ends. Next, the accounting calculation in the present invention will be described.

FIG. 13 is a flowchart for recording a log which is the basis of accounting calculation. When log management starts in S70, application information is received from the user in S71. Next, in S72,
Pass the session number to the application. S73
It is determined whether or not an electronic authentication request has been received from the application server within the timeout period, and YES
If so, the process proceeds to S74, where the application end information is received, and in S75, the end time information is recorded in a log. If “NO” in the step S73, the process shifts to a step S76 to instruct the forced termination of the application. Here, in S77, it is determined whether or not the automatic rollback processing is performed. If the electronic authentication time of the last access is deemed to be the end of the access time, the process proceeds to S78, where the final electronic authentication time information is recorded in a log. If the automatic rollback processing is not to be performed, the all-commit processing is performed in step S79. In step S80, information of the final electronic authentication time + timeout time is recorded in a log.
Exit at 81.

Next, a billing system using the present invention will be disclosed. FIG. 14 is a conceptual diagram showing a billing method for authentication and license according to the present invention. User C is shown in FIG.
The user ID “XYZ001” is held as in 50 of 4. Using the server of the present invention, this user can use the license 51, “L0001”, license 2, “L0002”, license 3, “L00”
03 ", license 4, and" L0004 ". This license includes the application drawing sharing “AP0001” and the drawing sharing “AP0”
002 ", process management" 0003 ", process management" 000 "
4 "is linked. Then, a billing method is determined for each application. In this case, in the case of 53, “AP0001” and “AP0003”
000 yen and 1,500 yen per month.
0002 ”and“ AP0004 ”have a storage capacity of 1
The price is set at 10 yen per MB. At this time, the billing destination is designated at 54, and the monthly fee (a) and (b) is paid by T Construction at 53, and the company K is paid for the pay-as-you-go fee (c) at 53. It has become.

A DB for realizing the conceptual diagram of FIG.
Is used. The fields of this DB are as defined in FIGS. The authentication process is as disclosed in the above flowchart.

In FIG. 15, user information is specified. The user information includes personal attribute information such as an identification ID, a company ID, a company name, a postal code, an address, a Tel number, a fax number, a department name, a name, and an email. Here, when the user logs in, the user accesses the DB in FIG. 16 and performs authentication using the user ID, company ID, and password. At this time, if an unauthorized access is made, it is recorded in the field, and using the email address on the DB,
You can also notify where needed. Once authenticated,
In the operation 51 shown in FIG. 14, license information is defined as shown in FIG. 17, and an identification ID, a license ID, and a user ID are acquired by an identification ID assigned to each user, and usable license information is acquired. .

Next, at 52 in FIG. 14, the DB as shown in FIG. 18 is acquired, and the identification ID, application name, URL, description, store ID (providing destination ID), and UR for activation are obtained.
Information such as L, category ID (reserved), category SubID (reserved), registration date and time, and deletion date and time is acquired. As a result, the application holding destination is specified and the application is actually started. As for the charging pattern (52) in the application, an identification ID, an application ID, a charging pattern, and the like are defined by FIG. 19, and information such as a use time is separately provided in a log file or the like.

The billing destination 54 in FIG. 14 is defined according to FIG. 20, and in the DB in FIG.
A license ID, an application ID, a license name, a billing pattern, a billing company, a department, a start date, an end date, a registration date, a deletion date, and the like are defined, and a necessary bill is generated based on this information. As described above, in this billing calculation system, the holder of the license controller may calculate the billing and bill the user in a lump, or may make various user settings and issue a bill for each department. .

【The invention's effect】

As described above, according to the present invention, the license management in the ASP of the application server outside the license controller can be easily performed without requiring a special program. In addition, the billing process has a remarkable effect that not only billing but also billing or division of a plurality of licenses, management by department, change of fee type, and the like can be easily performed.

[Brief description of the drawings]

FIG. 1 is an example of a conventional collective login system.

FIG. 2 is a conceptual diagram of collective login.

FIG. 3 is a configuration diagram of an entire network.

FIG. 4 is an overall transition diagram.

FIG. 5 is a flowchart in the whole system.

FIG. 6 is a flowchart of a login process in a web server.

FIG. 7 is a flowchart illustrating details of login in the license controller.

FIG. 8 is a diagram illustrating a case where an application menu is connected to an external application server;

FIG. 9 shows a first implementation example of handover of a session number of a browser.

FIG. 10 shows a second implementation example of handover of a session number of a browser.

FIG. 11 relates to selection of an application.
6 is a flowchart showing the operation of the license controller.

FIG. 12 is a flowchart showing the operation on the application server side in FIG. 11;

FIG. 13 is a flowchart for recording a log serving as a basis for billing calculation.

FIG. 14 is a conceptual diagram illustrating a billing method for authentication and license according to the present invention.

FIG. 15 is a DB in which user information is defined;
It is.

FIG. 16 is a DB for managing login.

FIG. 17 is a DB for identifying licenses usable by a user;

FIG. 18 is a DB that specifies an application provision destination.

FIG. 19 is a DB that defines a charging pattern for each application.

FIG. 20 is a diagram illustrating a D that defines a license billing destination;
B.

Claims (4)

[Claims] 1. A computer system for controlling a license in an application service provider used on the Internet, comprising: an authentication unit for holding a DB for performing authentication using a company ID, a user ID, and a password; Means for extracting a license method from the license DB, means for transmitting application activation permission information to the web server based on the license information derived by the extracting means, and display which allows the web server to access the user. A license control system, wherein a screen file is dynamically generated based on a user attribute derived by the extraction means. 2. When dynamically generating the display screen file, generating link information including session information in the display screen file regarding transmission of application start permission in an application server outside a network having a license controller. The license control system according to claim 1, wherein: 3. When the application in the application server is activated after the generation of the display screen file, session information is transmitted from the license controller to the external application server in the application server outside the network having the license controller. 2. The license control system according to claim 1, wherein the license control system converts the cookie ID into a cookie ID for a server and transmits the cookie ID to an external application server and a user's browser. 4. The log information relating to the use of an application program has a means for recording a license access log by an electronic certification authority while the same application is running. License control system.