JP2004171525A - Service providing device, service providing method, service providing program and recording medium - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To easily extend an expiration date of a ticket while keeping the security effect. <P>SOLUTION: This service providing device has an integral service providing means (a portal site) for collectively providing service provided by at least one or more of service providing means. The integral service providing means (the portal site) has an certification information making request transmitting means SQ21 for transmitting a making request for certification information having the expiration date on the service provided by a first service providing means (service A) to the first service providing means (the service A) being one in the service providing means, a certification information making response receiving means SQ22 for receiving a making response of the certification information including a certification information identifier for identifying the certification information and the expiration date of the certification information from the first service providing means (the service A) and an extension request transmitting means SQ28 for transmitting an extension request for the expiration date of the certification information to the first service providing means (the service A). <P>COPYRIGHT: (C)2004,JPO

Description

  The present invention relates to a service providing device, a service providing method, a service providing program, and a recording medium.

  In the conventional WWW (World Wide Web) service, each service company has a "homepage" and a "closed" service is developed on the homepage. On the homepage, only the service provided by the company that provides the homepage can be enjoyed. However, when the user wants to receive the service of another service company, the user separately sets the URL (Uniform Resource) of the other service company. Locator) and move to a homepage provided by the other service company.

  In recent years, “Web services” in which various services existing on the Web are distributed as “components” and provided by combining the components are becoming widespread.

  Communication between components in such a distributed component environment is performed by exchanging data in an Extensible Markup Language (XML) format, using a Simple Object Access Protocol (SOAP) protocol as a protocol for performing data access, and HTTP (Hypertext) as a lower protocol. Transfer Protocol) is often used.

  With this mechanism, Web services published on the Internet can be linked with each other, and the Web services can exchange with other Web services as one application without human intervention.

  For example, when it is desired to provide a Web service for printing and delivering paid contents, if existing payment services and delivery services can be used, development efficiency increases.

  If HTTP is used as a communication protocol, it is possible to communicate with a company that has introduced a firewall, and it is also possible to increase security by using SSL (Secure Sockets Layer).

  However, due to the low transmission speed on the Internet, response time (overhead) becomes a problem when transmitting and receiving a large amount of data.

  For this reason, a ticket for certifying the user's authentication and authority is prepared, and the ticket is further encrypted and transmitted on the network, thereby reducing the amount of data flowing on the network and solving the overhead problem. .

  Also, if secret information such as personal information and confidential documents frequently flows on the network, it is possible to minimize leakage by using this ticket even for problems such as spoofing, falsification or eavesdropping.

For example, the "file printing method, network system, computer system, file server, and print server" of Patent Document 1 operates as follows.
(1) Request authority from the client system to the file source.
(2) The file source creates a "reserved" certificate (ticket) including the identification name and the path to the file, and returns the certificate to the client.
(3) The client sends the reservation certificate to the print server and requests printing.
(4) The print server requests the file directly from the file source using the identification name of the file source and the path to the file in the received reservation certificate.
(5) The file source checks the content of the reservation certificate, and if the request is valid, sends the file directly to the print server.
(6) The print server prints the contents of the received file.

  As described above, the file source issues a certificate for delegating the authority to operate a file in the file source called a reservation certificate (ticket), thereby reducing the number of times secret information flows on the network and reducing the number of times the file This eliminates the need to move the file twice, such as downloading a file from the source to the client and then uploading the file from the client to the print server and requesting printing. It becomes possible to reduce.

  Also, in the case of coordinating a plurality of Web services distributed on a network, once a user performs authentication on a server that performs centralized authentication, all services based on user authentication can be received. Is single sign-on (Single-Sign-On).

  For example, in a file server and a mail server that provide services independently of each other, each server must receive user authentication in order to receive those services. On the other hand, with services that support single sign-on, if authentication is performed by a server that performs user authentication centrally, the user can use any network service that supports this user authentication server, assuming that he is an authenticated user Become like

  As described above, this ticket is used to prove that it has been authenticated by many systems, but the ticket is used semipermanently, for example, by extending the expiration date of the issued ticket. The ability to protect services from malicious clients that would otherwise be inevitable. For this reason, tickets are often provided with a short expiration date so as not to be a security hole.

  However, if the processing of the Web service is extended more than expected, the validity period of the ticket expires, and there is a possibility that the processing requested by the client cannot be performed.

  In such a case, the client needs to extend the expiration date of the ticket. However, if the ticket is leaked, there is a possibility that the client will be abused. Therefore, it is necessary to take security measures.

  In the technique of Patent Document 1 described above, if the client does not use the ticket for a while after receiving the ticket, or if the file source or the print server is broken or turned off, the ticket expires. There is no suggestion on what to do if it does.

To solve this problem, in Patent Document 2 “Client-side public key authentication method and device using short-lived certificate”, a key distribution center (KDC) generates and stores a public-private key pair and a certificate template. When a user requests authentication from the KDC, the KDC generates and signs a short-lived certificate to recertify the user's public key.
Japanese Patent No. 3218107 JP 2002-501218 A

  However, there is a problem that the user has to recertify each time a short-lived certificate whose life has expired is used. Further, when the Web service is operated by single sign-on, there is a problem that the effect cannot be enjoyed.

  The present invention has been made in view of the above points, and has as its object to easily extend the expiration date of a ticket while maintaining a security effect.

  Therefore, in order to solve the above problem, the present invention provides a service providing apparatus having integrated service providing means for collectively providing services provided by at least one or more service providing means, wherein the integrated service providing means comprises: A certification information creation request for transmitting a creation request for certification information having an expiration date to a service provided by the first service providing means to the first service providing means which is one of the service providing means. Transmitting means, from the first service providing means, a proof information identifier for identifying the proof information, an expiration date of the proof information, a proof information creation response receiving means for receiving a proof information creation response including, Extension request transmitting means for transmitting a request to extend the expiration date of the certification information to the first service providing means.

  According to the present invention, there is provided a service providing apparatus having integrated service providing means for collectively providing services provided by at least one or more service providing means, wherein the integrated service providing means includes one of the service providing means. A certifying information creation request transmitting means for transmitting a certifying information creating request having an expiration date to a service provided by the first service providing means to the first service providing means; A service information providing means for receiving a certificate information creation response including a certificate information identifier for identifying the certificate information and an expiration date of the certificate information; and a first service providing means. On the other hand, by having an extension request transmitting means for transmitting a request for extending the expiration date of the certification information, It is possible to extend the expiration date of the ticket to easy.

  The integrated service providing means corresponds to, for example, a portal site described later. The first service providing unit corresponds to, for example, an authentication service (service A) described later. The proof information corresponds to, for example, an authentication ticket described later.

  Further, as means for solving the above problems, a service providing method, a service providing program, and a recording medium may be used.

  According to the present invention, it is possible to easily extend the expiration date of a ticket while maintaining the security effect.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings.

  Hereinafter, an embodiment according to the present invention will be described with reference to FIG. FIG. 1 is a diagram for explaining an example of a pay content sales service.

  The paid content sales service shown in FIG. 1 includes a portal site that provides a paid content sales service, a service A that authenticates a user, a plurality of services B that store paid content, and a service that purchases paid content. And a service D for printing and delivering purchased content.

  In addition, each service is generally configured by software that realizes the function of the service that runs on the computer system. Each service may be included in one device (service providing device), or may be distributed and included in a plurality of devices (service providing devices).

The paid content selling service operates as follows, so that the user can purchase the content.
(1) The user logs in to the portal site with his / her user name and password.
(2) The portal site requests service A (authentication service) for authentication using this user name and password (A). The portal site temporarily stores the user name and the password, so that, for example, when the expiration date of an authentication ticket described later expires, the authentication request can be again requested to the authentication service A. it can.
(3) The service A refers to a user registration file or the like in which the user name and the password are registered, and creates an authentication ticket for certifying the user if the combination is correct and the user name and the password. An authentication ticket ID for identifying the authentication ticket is returned to the portal site (B). The portal site holds the authentication ticket ID and the like acquired from the service A, and can establish a session with, for example, the service B, the service C, and the service D using the authentication ticket ID.
(4) When the user is authenticated, the user searches for a content to be purchased from a plurality of pay contents registered in the portal site.

When the user determines the content to be purchased and issues a request to print the content, the portal site requests a print ticket for certifying the print authority of the content to the corresponding service (for example, service B). (C). The service B confirms whether or not the requested portal site has the printing right, and if so, creates a print ticket and returns a print ticket ID or the like for identifying the print ticket to the portal site ( D).
(5) When the user has the printing authority, the portal site sends the payment method designated by the user and the authentication ticket ID to the service C (settlement service) and requests the settlement (E). The service C refers to the service A using the authentication ticket ID to confirm the identity (F, G), and returns the settlement result to the portal site (H).
(6) Upon settlement, the portal site sends the print ticket ID to service D (print / delivery service) to request printing and delivery of the content (I).

  The service D sends the print ticket ID to the service B, and requests that the content be sent (J).

  The service B confirms that the print ticket (or the print ticket ID) is issued by the service B itself, and sends the requested content to the service D (K).

  The service D prints the sent content, delivers it to the user, and returns the result to the portal site (L).

  Hereinafter, a hardware configuration of an example of the service providing apparatus of the present invention will be described with reference to FIG. FIG. 2 is a hardware configuration diagram of an example of the service providing apparatus.

  The hardware configuration of the service providing apparatus shown in FIG. 2 includes an input device 11, a display device 12, a drive device 13, a recording medium 14, and a ROM (Read Only Memory) 15, which are mutually connected by a bus. And a RAM (Random Access Memory) 16, a CPU (Central Processing Unit) 17, an interface device 18, and a HDD (Hard Disk Drive) 19.

  The input device 11 includes a keyboard and a mouse operated by a user of the service providing device, and is used to input various operation signals to the service providing device.

  The display device 12 is configured by a display or the like used by a user of the service providing device, and displays various information.

  The interface device 18 is an interface for connecting the service providing device to a network or the like.

  An application program corresponding to the service (for example, service A) and / or an application program corresponding to the portal site, a main program for controlling the entire processing of the service providing apparatus, and the like are stored in the recording medium 14 such as a CD-ROM. Provided to the providing device or downloaded through the network. The recording medium 14 is set in the drive device 13, and the application program, the main program, and the like are installed in the ROM 15 from the recording medium 14 via the drive device 13.

  The ROM 15 stores data, the application program, the main program, and the like. The RAM 16 reads and stores the application program, the main program, and the like from the ROM 15 when the service providing apparatus is started. The CPU 17 executes processing according to the application program, the main program, and the like read and stored in the RAM 16.

  The HDD 19 stores data, files, and the like. For example, the HDD 19 stores a ticket, a client list, and the like.

  Hereinafter, an example of a functional configuration of a service that configures a pay content selling service will be described with reference to FIG. FIG. 3 is a diagram illustrating an example of a functional configuration of a service.

  3, the service includes a service providing unit 70, a Web service I / F 10, a request processing unit 20, a ticket creation unit 30, a ticket storage unit 40, a ticket update unit 50, a ticket verification unit 60, including.

  The service providing unit 70 receives a request from another service (in the above example, a portal site, services A, B, C, D, and the like) and returns a processed result.

  For example, the service A that performs the above-described authentication service performs functional processes such as user authentication requested from the portal site, the return of the authentication ticket (authentication ticket ID), and the identity confirmation request from each service.

  In the service B for performing the content storage service described above, in addition to functional processing such as search and content confirmation from a portal site in response to a content browsing request from a user, portal B in response to a content print request from a user. The transfer of the content is performed by checking the print authority of the content from the site, returning the print ticket (print ticket ID), and referring to the print ticket from the service D (print service).

  The Web service I / F 10 is an interface that mediates with a core Web service function when the service providing unit 70 executes a function.

  The request processing unit 20 executes the ticket creation unit 30 when the request from the service providing unit 70 received via the Web service I / F 10 creates a ticket, and executes the ticket update unit 50 when the request is a ticket update. If the request is for ticket verification, the ticket verification unit 60 is executed, and the execution result is returned to the service providing unit 70 via the Web service I / F 10.

  The ticket creating unit 30 is requested from another service, for example, a portal site or a service B or a service C or a service D (hereinafter, other services are also simply referred to as clients) when the service shown in FIG. 3 is the service A. A ticket is created, the created ticket is stored in the ticket storage unit 40, and the ticket ID and the expiration date of the ticket are returned to the client using the service providing unit 70.

Note that a client makes a ticket creation request by specifying the following data.
(1) Data on which the ticket is created For example, in the case of an authentication service, a user name and a password
In the case of a document storage or content storage service, an identifier (a file name or a path indicating a file) for identifying a document or content to be browsed, printed, or transferred, and a service of the request source and the document storage or Session ID for identifying a session with the content storage service.
(2) Expiration date of ticket Specify the expiration date of the issued ticket. If the expiration date is not an appropriate value, the expiration date is corrected to a preset expiration date. The expiration date is checked by the ticket verification unit 60, and the ticket whose expiration date has passed cannot be used.
(3) List of service names (IP address or host name and domain name, etc.) used by the client The ticket storage unit 40 manages the following data for the client as a client list in association with the ticket ( (See FIG. 4).

・ Identifier for identifying the client (client ID)
・ Information for identifying the client (client information)
For example, client name, IP address or host name / domain name, etc. For each service (client use service) used by the client,
Authority to use the service (eg, browsing, printing, forwarding, etc.) and authority to extend the validity period of the ticket. For example, if the service is service A, for example, one of the clients will be a portal site and, for example, a client use service Are service B, service C, service D, and the like.

  Note that, upon receipt of the ticket creation request, the ticket creation unit 30 may refer to the client list, check the use authority of each client using the ticket creation request, and create a ticket. .

  For example, when the service is a service B and a request to create a print ticket including a service D which is a print service is received from a portal site as a service name used by a client, the ticket creating unit 30 refers to the client list. It is determined whether or not the service D is included as a client use service of the portal site. If the service D is included, the use right of the service D is referred to, and the print authority and the browsing of the content are permitted in accordance with the use right (for example, ) A print ticket may be created.

  Note that the client list shown in FIG. 4 is an example of a client list managed in the ticket storage unit 40 of the service B.

  The created ticket includes a ticket ID for identifying the ticket, an expiration date, and a list of the ticket use service and the right to use the ticket service (see FIG. 5). The ticket use service is, for example, the client use service and / or client ID or client information shown in FIG.

  The ticket creation unit 30 adds the ticket ID to the created ticket, registers the ticket in the ticket storage unit 40, and returns the ticket ID and the expiration date of the ticket to the client.

  This ticket storage unit 40 stores the identifier of the client (client ID) and the content of the created ticket in association with the ticket ID (see FIG. 6). The contents shown in FIG. 6 may be included in the ticket shown in FIG.

  Upon receiving the request for extending the expiration date, the ticket update unit 50 checks the ticket storage unit 40 with the ticket ID received from the client and the identifier (client ID) of the client, and determines whether the ticket is issued by the service. Find out. If the ticket is not a ticket issued by the service, the ticket updating unit 50 returns the extension request to the client as unsuccessful.

  If the ticket is issued by the service, the ticket updating unit 50 compares the expiration date included in the ticket corresponding to the ticket ID with the current time. If the current time is not within the validity period of the print ticket, the ticket updating unit 50 returns the extension request to the client as unsuccessful.

  If the current time is within the expiration date of the print ticket, the ticket update unit 50 refers to the client list and checks whether the client requesting the extension of the expiration date has the right to update the ticket. . If the client does not have the right to update the ticket, the ticket updating unit 50 returns the extension request to the client as unsuccessful. On the other hand, if the client has the right to update the ticket, the ticket updating unit 50 sets an expiration date extended by the extension period specified by the client or an extension period set in advance, and sets the new expiration date to the ticket. The registration is made in the storage unit 40 (see FIG. 6), and the ticket ID and the expiration date of the updated ticket are returned to the client.

  Here, the preset extension period is determined by the security level of the service, and the person in charge of the service that issues the ticket sets the definition file in the HDD 19 or the like.

  Note that the client list shown in FIG. 4 includes information (client ID and client information) relating to the client who has issued the ticket creation request, but the client list is configured so as not to include the item. You may do so.

  In the description below, it is assumed that the client that has issued the ticket creation request has the authority to update the ticket.

  Upon receiving the service use request, the ticket verification unit 60 checks the ticket storage unit 40 with the ticket ID received from the client requesting the use of the service and the identifier of the client (client ID), and issues the service. Find out if it is a ticket. If the ticket is not issued by the service, the verification request is returned to the client as an error.

  If the ticket is issued by the service, the ticket verification unit 60 compares the expiration date of the ticket included in the ticket corresponding to the received ticket ID with the current time, If the current time has been exceeded, the validation request returns an error to the client. Here, if an extended expiration date is set in the ticket storage unit 40, the ticket verification unit 60 compares the extended expiration date with the current time.

  If the expiration date has not expired, the ticket verification unit 60 takes out the right to use the service requested by the client and returns it to the service providing unit 70. The service providing unit 70 specifies the service using the specified service in accordance with the use right. Perform service processing.

  In the example of the above-mentioned paid content sales service, after the portal site receives a print ticket of the content from the service B (content storage service), it takes time to process the service C (settlement service) and goes to the service D (print service). The print ticket may expire before being given. Therefore, if the portal site requests the service B to extend (update) the expiration date of the print ticket after the service B returns a response or during the processing of the service C, the expiration date of the ticket is expired. Can solve the problem.

  By configuring the service as described above, it is possible to limit the clients that can extend the expiration date of the ticket, and to restrict the update of the ticket by a client different from the original intention.

  Hereinafter, an example of the expiration date extension process according to the first embodiment will be described with reference to FIG. FIG. 7 is a flowchart illustrating an example of an expiration date extension process according to the first embodiment. In the following, for simplification of the description, an example of the process of extending the expiration date using the service B will be described.

  In step S10, the service B receives a request to extend the expiration date of the print ticket from, for example, a portal site.

  Proceeding to step S11 following step S10, the service B uses FIG. 6 based on the print ticket ID included in the request for extending the expiration date of the print ticket received in step S10 and the client ID for identifying the portal site. Referring to the data in the ticket storage unit 40 as shown, it is determined whether the print ticket is issued by the service B.

  If the service B determines that the print ticket is issued by itself (YES in step S11), the process proceeds to step S12. If it is determined that the service B is not a print ticket issued by itself (NO in step S11), the process proceeds to step S15. .

  In step S12, the service B compares the expiration date of the ticket included in the ticket corresponding to the print ticket ID with the current time, and determines whether the current time is within the expiration date of the print ticket.

  If the service B determines that the current time is within the validity period of the print ticket (YES in step S12), the process proceeds to step S13, and determines that the current time is not within the validity period of the print ticket (NO in step S12). ), And proceed to step S15. If an extended expiration date is set in the ticket storage unit 40, the service B compares the extended expiration date with the current time.

  In step S13, the service B refers to the client list as shown in FIG. 4 and determines whether or not the portal site that has issued the request to extend the expiration date of the print ticket has the authority to update the print ticket.

  If the service B determines that the portal site has the authority to update the print ticket (YES in step S13), the process proceeds to step S14, and if it determines that the portal site does not have the authority to update the print ticket (NO in step S13), the process proceeds to step S14. Proceed to S15.

  In step S14, it is determined whether the service B is extended by the predetermined extension period or the extension period requested by the portal site included in the request for extending the expiration date of the print ticket received in step S10. I do.

  If it is determined that the service B is to be extended for the requested extension period (YES in step S14), the process proceeds to step S16. If it is determined that the service B is to be extended for the predetermined extension period (NO in step S14), the process proceeds to step S17.

  For example, the service B refers to a flag or the like defined in a definition file stored in the HDD 19 or the like, and determines whether to extend for a predetermined extension period or to extend for a requested extension period. .

  On the other hand, in step S15, the service B creates an expiration date extension response including information indicating that the extension request has failed.

  In step S16, the service B extends the expiration date included in the print ticket corresponding to the print ticket ID by the requested extension period.

  In step S17, the service B extends the expiration date included in the print ticket corresponding to the print ticket ID by a predetermined extension period.

  In step S18, the service B stores the validity period (update validity period) extended in step S16 or step S17 in the ticket storage unit 40 as shown in FIG.

  Proceeding to step S19 following step S18, the service B creates an expiration date extension response including information indicating that the extension request was successful, the ticket ID, and the extended expiration date (update expiration date).

  In step S20, the service B sends the expiration date extension response created in step S15 or step S19 to the requesting portal site.

  By performing the processing shown in FIG. 7, the service can extend the expiration date of the corresponding ticket in response to a request to extend the expiration date from a client having the right to extend the expiration date of the ticket.

  Hereinafter, an example of the service providing process according to the first embodiment will be described with reference to FIG. FIG. 8 is a flowchart illustrating an example of a service providing process according to the first embodiment. In the following, an example of the service providing process will be described using the service B for simplification of the description.

  In step S30, the service B receives, for example, a service use request provided by the service B from the service D.

  Proceeding to step S31 following step S30, the service B performs the processing shown in FIG. 6 based on the print ticket ID included in the service use request received in step S30 and the client ID for identifying the service D. By referring to the data in the ticket storage unit 40, it is determined whether or not the print ticket is issued by the service B.

  If the service B determines that the print ticket is issued by itself (YES in step S31), the process proceeds to step S32, and if it is determined that the service B is not a print ticket issued by itself (NO in step S31), the process proceeds to step S34. .

  In step S32, the service B compares the expiration date of the ticket included in the ticket corresponding to the print ticket ID with the current time, and determines whether the current time is within the expiration date of the print ticket.

  If the service B determines that the current time is within the validity period of the print ticket (YES in step S32), the process proceeds to step S33, and determines that the current time is not within the validity period of the print ticket (NO in step S32). ), And proceed to step S34. If an extended expiration date is set in the ticket storage unit 40, the service B compares the extended expiration date with the current time.

  In step S33, the service B shown in FIG. 4 based on the client ID for identifying the service D included in the service use request received in step S30 and the service use type (for example, acquisition of content). By referring to such a client list, it is determined whether or not the service D has the authority to acquire, for example, content.

  If the service B determines that the requesting client has the right to use the requested service (YES in step S33), the process proceeds to step S35, where the requesting client has the right to use the requested service. If it is determined that there is not (NO in step S33), the process proceeds to step S34.

  In step S34, the service B creates a service use response including information indicating that the service use request has failed.

  On the other hand, in step S35, the service B performs a process of providing the service requested by the service D, for example, a process of acquiring a corresponding content from the content held and managed by the service B, and the like.

  Proceeding to step S36 following step S35, the service B creates a service use response including information indicating that the service use request was successful and the content acquired in step S35, for example.

  In step S37, the service B transmits the service use response created in step S34 or step S36 to the service D of the request source.

  By performing the processing shown in FIG. 8, the service can provide a corresponding service in response to a service use request from a client having service use authority.

  In the configuration of the first embodiment, the validity period is simply extended, and if the ticket is stolen, the ticket may be misused.

  Therefore, in the second embodiment, when a request to extend the expiration date of a ticket is received, the current ticket is discarded and a new ticket is issued.

  The functional configuration of the service according to the second embodiment is, similarly to FIG. 3, a service providing unit 70, a Web service I / F 10, a request processing unit 20, a ticket creating unit 30, a ticket storing unit 40, a ticket Since the updating unit 50 and the ticket verification unit 60 are included, only the differences will be described below.

  Upon receiving the request for extending the expiration date, the ticket update unit 50 checks the ticket storage unit 40 with the ticket ID received from the client and the client identifier (client ID), and checks whether the ticket is issued by the service. . If the ticket is not issued by the service, the extension request is returned to the client as unsuccessful.

  If the ticket is issued by the service, the ticket updating unit 50 compares the expiration date included in the ticket corresponding to the ticket ID with the current time. If the current time is not within the validity period of the print ticket, the ticket updating unit 50 returns the extension request to the client as unsuccessful.

  If the current time is within the expiration date of the print ticket, the ticket update unit 50 refers to the client list and checks whether the client requesting the extension of the expiration date has the right to update the ticket. . If the client does not have the right to update the ticket, the ticket updating unit 50 returns the extension request to the client as unsuccessful. On the other hand, if the client has the right to update the ticket, the ticket updating unit 50 sets a validity period extended by the extension period designated by the client or the extension period set in advance, and newly creates a ticket. Is registered in the ticket storage unit 40 (see FIG. 9). Further, the ticket updating unit 50 returns the ticket ID for identifying the newly created ticket and the expiration date of the extended ticket to the client. The ticket update unit 50 deletes the old ticket from the ticket storage unit 40. Instead of deleting the old ticket, an unusable flag or the like may be set on the old ticket. However, for the sake of simplicity, the following description is based on the assumption that old tickets are deleted from the ticket storage unit 40.

  Upon receiving the service use request, the ticket verification unit 60 checks the ticket storage unit 40 with the ticket ID received from the client requesting the use of the service and the identifier of the client (client ID), and issues the service. Find out if it is a ticket. If the ticket is not issued by the service, the verification request is returned to the client as an error.

  If the ticket is issued by the service, the ticket verification unit 60 compares the expiration date of the ticket included in the ticket corresponding to the received ticket ID with the current time, If the current time has been exceeded, the validation request returns an error to the client.

  If the expiration date has not expired, the ticket verification unit 60 takes out the right to use the service requested by the client and returns it to the service providing unit 70. The service providing unit 70 specifies the service using the specified service in accordance with the use right. Perform service processing.

  By configuring the service as above, even if the ticket is stolen before the expiration date of the ticket, the old ticket can no longer be used after the expiration date, and the expiration date can be safely extended. .

  Hereinafter, an example of the expiration date extension process according to the second embodiment will be described with reference to FIG. FIG. 10 is a flowchart illustrating an example of an expiration date extension process according to the second embodiment. In the following, for simplification of the description, an example of the process of extending the expiration date using the service B will be described.

  In step S40, the service B receives a request to extend the expiration date of the print ticket from, for example, a portal site.

  Proceeding to step S41 following step S40, the service B uses FIG. 9 based on the print ticket ID included in the print ticket ID included in the print ticket expiration date extension request received in step S40 and the client ID for identifying the portal site. Referring to the data in the ticket storage unit 40 as shown, it is determined whether the print ticket is issued by the service B.

  If the service B determines that the print ticket is issued by itself (YES in step S41), the process proceeds to step S42, and if it is determined that the service B is not a print ticket issued by itself (NO in step S41), the process proceeds to step S45. .

  In step S42, the service B compares the expiration date of the ticket included in the ticket corresponding to the print ticket ID with the current time, and determines whether the current time is within the expiration date of the print ticket.

  If the service B determines that the current time is within the validity period of the print ticket (YES in step S42), the process proceeds to step S43, and determines that the current time is not within the validity period of the print ticket (NO in step S42). ), And proceed to step S45.

  In step S43, the service B refers to the client list as shown in FIG. 4 and determines whether or not the portal site that has issued the request to extend the expiration date of the print ticket has the authority to update the print ticket.

  If the service B determines that the portal site has the authority to update the print ticket (YES in step S43), the process proceeds to step S44, and if the service B determines that the portal site does not have the authority to update the print ticket (NO in step S43), the process proceeds to step S44. Proceed to S45.

  In step S44, it is determined whether the service B is extended by the predetermined extension period or by the extension period requested from the portal site included in the request for extending the expiration date of the print ticket received in step S40. I do.

  If it is determined that the service B is to be extended for the requested extension period (YES in step S44), the process proceeds to step S46. If it is determined that the service B is to be extended for the predetermined extension period (NO in step S44), the process proceeds to step S47.

  For example, the service B refers to a flag or the like defined in a definition file stored in the HDD 19 or the like, and determines whether to extend for a predetermined extension period or to extend for a requested extension period. .

  On the other hand, in step S45, the service B creates an expiration date extension response including information indicating that the extension request has failed.

  In step S46, the service B extends the expiration date included in the print ticket corresponding to the print ticket ID by the requested extension period.

  In step S47, the service B extends the expiration date included in the print ticket corresponding to the print ticket ID by a predetermined extension period.

  In step S48, the service B creates a new print ticket including the expiration date (update expiration date) extended in step S46 or step S47 and the newly reassigned print ticket ID.

  Proceeding to step S49 following step S48, the service B registers the print ticket newly created in step S48 in the ticket storage unit 40.

  Proceeding to step S50 following step S49, the service B deletes the print ticket corresponding to the print ticket ID included in the request to extend the expiration date of the print ticket received in step S40 from the ticket storage unit 40.

  Proceeding to step S51 following step S50, the service B stores information indicating that the extension request was successful, the ticket ID of the newly created print ticket, and the expiration date included in the newly created print ticket. Create an extended expiration response that includes

  In step S52, the service B transmits the expiration date extension response created in step S45 or step S51 to the requesting portal site.

  The service performs the processing shown in FIG. 10 to disable the corresponding old ticket in response to a request to extend the expiration date from a client having the authority to extend the expiration date of the ticket, and to extend the expiration date. You can create a simple ticket.

  Hereinafter, an example of the service providing process according to the second embodiment will be described with reference to FIG. FIG. 11 is a flowchart illustrating an example of a service providing process according to the second embodiment. In the following, an example of the service providing process will be described using the service B for simplification of the description.

  In step S60, the service B receives, for example, a service use request provided by the service B from the service D.

  Proceeding to step S61 following step S60, the service B performs the processing shown in FIG. 9 based on the print ticket ID included in the service use request received in step S60 and the client ID identifying the service D. By referring to the data in the ticket storage unit 40, it is determined whether or not the print ticket is issued by the service B.

  If the service B determines that the print ticket is issued by itself (YES in step S61), the process proceeds to step S62. If it is determined that the service B is not a print ticket issued by itself (NO in step S61), the process proceeds to step S64. .

  In step S62, the service B compares the expiration date of the ticket included in the ticket corresponding to the print ticket ID with the current time, and determines whether the current time is within the expiration date of the print ticket.

  When the service B determines that the current time is within the validity period of the print ticket (YES in step S62), the process proceeds to step S63, and determines that the current time is not within the validity period of the print ticket (NO in step S62). ), And proceed to step S64.

  In step S63, the service B is shown in FIG. 4 based on the client ID identifying the service D included in the service use request received in step S60 and the service use type (for example, acquisition of content). By referring to such a client list, it is determined whether or not the service D has the authority to acquire, for example, content.

  If the service B determines that the requesting client has the right to use the requested service (YES in step S63), the process proceeds to step S65, where the requesting client has the right to use the requested service. If it is determined that there is not (NO in step S63), the process proceeds to step S64.

  In step S64, the service B creates a service use response including information indicating that the service use request has failed.

  On the other hand, in step S65, the service B performs a process of providing the service requested by the service D, for example, a process of acquiring a corresponding content from the content held and managed by the service B, and the like.

  Proceeding to step S66 following step S65, the service B creates a service use response including information indicating that the service use request has been successful and, for example, the content acquired in step S65.

  In step S67, the service B transmits the service use response created in step S64 or step S66 to the requesting service D.

  By performing the processing shown in FIG. 11, the service can provide a corresponding service in response to a service use request from a client having the service use authority.

  In the above-described first and second embodiments, if a malicious client obtains an issued ticket and can create a ticket with a semi-permanent expiration date, it becomes a major security threat. Would.

  Therefore, in the third embodiment, when issuing a ticket or extending the expiration date, the length of the expiration date is limited so as to solve the security problem.

  The functional configuration of the service according to the third embodiment is, similarly to FIG. 3, a service providing unit 70, a Web service I / F 10, a request processing unit 20, a ticket creation unit 30, a ticket storage unit 40, a ticket An update unit 50 and a ticket verification unit 60 are included. Since the function of each unit is based on the configuration of either the first embodiment or the second embodiment, only the differences will be described below.

  The ticket creation unit 30 creates a ticket in the same manner as in the first and second embodiments, and stores the created ticket in the ticket storage unit 40.

  The ticket to be created includes a ticket ID for identifying the ticket, a maximum extension expiration date, an expiration date, a list of a ticket use service and a right to use the ticket service (see FIG. 12).

  The maximum extension expiration date is, for example, the maximum value of the extension period preset in the definition file or the like stored in the HDD 19 or the like by the administrator of the service that issues the ticket, and the ticket creation time (creation date). And the time) are calculated by the ticket creating unit 30 and the like and included in the ticket. Here, the preset maximum value of the extension period is determined and set according to the security level of the service.

  The ticket updating unit 50 extends the expiration date of the ticket as in the first or second embodiment.

  Here, if the expiration date extended by the extension period specified by the client or the extension period set in advance is larger than the maximum extension expiration date, replace the maximum extension expiration date with a new expiration date, Update a ticket.

  Here, the preset extension period is determined by the security level of the service, and the person in charge of the service that issues the ticket sets the definition file in the HDD 19 or the like.

  By configuring the service as described above, it is possible to avoid the existence of a ticket that is valid semi-permanently, so that even if a malicious client gets the ticket and extends the expiration date, the ticket will be permanently deleted. Not available.

  Hereinafter, an example of the expiration date extension process according to the third embodiment will be described with reference to FIG. FIG. 13 is a flowchart illustrating an example of an expiration date extension process according to the third embodiment. In the following, for simplification of the description, an example of the process of extending the expiration date using the service B will be described. Further, as described in the second embodiment, an example of the expiration date extension process in the third embodiment will be described using a method of deleting an old ticket and creating a new ticket.

  In step S70, the service B receives a request to extend the expiration date of the print ticket from, for example, a portal site.

  Proceeding to step S71 following step S70, the service B uses FIG. 9 based on the print ticket ID included in the request to extend the expiration date of the print ticket received in step S70 and the client ID for identifying the portal site. Referring to the data in the ticket storage unit 40 as shown, it is determined whether the print ticket is issued by the service B.

  If the service B determines that the print ticket is issued by itself (YES in step S71), the process proceeds to step S72, and if it is determined that the print ticket is not a print ticket issued by itself (NO in step S71), the process proceeds to step S75. .

  In step S72, the service B compares the expiration date of the ticket included in the ticket corresponding to the print ticket ID with the current time, and determines whether the current time is within the expiration date of the print ticket.

  If the service B determines that the current time is within the validity period of the print ticket (YES in step S72), the process proceeds to step S73, and determines that the current time is not within the validity period of the print ticket (NO in step S72). ), And proceed to step S75.

  In step S73, the service B refers to the client list as shown in FIG. 4 and determines whether or not the portal site that has issued the request to extend the expiration date of the print ticket has the authority to update the print ticket.

  If the service B determines that the portal site has the right to update the print ticket (YES in step S73), the process proceeds to step S74, and if the service B determines that the portal site does not have the right to update the print ticket (NO in step S73), the process proceeds to step S74. Proceed to S75.

  In step S74, it is determined whether the service B is extended by the predetermined extension period or the extension period requested by the portal site included in the request for extending the expiration date of the print ticket received in step S70. I do.

  If it is determined that the service B is to be extended for the requested extension period (YES in step S74), the process proceeds to step S76. If it is determined that the service B is to be extended for the predetermined extension period (NO in step S74), the process proceeds to step S77.

  For example, the service B refers to a flag or the like defined in a definition file stored in the HDD 19 or the like, and determines whether to extend for a predetermined extension period or to extend for a requested extension period. .

  On the other hand, in step S75, the service B creates an expiration date extension response including information indicating that the extension request has failed.

  In step S76, the service B extends the expiration date included in the print ticket corresponding to the print ticket ID by the requested extension period.

  In step S77, the service B extends the expiration date included in the print ticket corresponding to the print ticket ID by a predetermined extension period.

  In step S78, the service B compares the expiration date (renewal expiration date) extended in step S76 or step S77 with the maximum extension expiration date included in the corresponding ticket as shown in FIG. It is determined whether the expiration date is within the maximum extension expiration date.

  If the service B determines that the update expiration date is within the maximum extension expiration date (YES in step S78), the process proceeds to step S79, and determines that the update expiration date is not within the maximum extension expiration date (NO in step S78). ), And proceed to step S80.

  In step S79, the service B creates a new print ticket including the update expiration date and the newly reassigned print ticket ID.

  On the other hand, in step S80, the service B transmits a new print ticket including, as the expiration date, the maximum extension expiration date of the print ticket corresponding to the print ticket ID included in the request for extending the expiration date of the print ticket received in step S70. create. The print ticket also includes the newly reassigned print ticket ID, similarly to the print ticket created in step S79.

  In step S81, the service B registers the print ticket newly created in step S79 or step S80 in the ticket storage unit 40.

  Proceeding to step S82 following step S81, the service B deletes the print ticket corresponding to the print ticket ID included in the request to extend the expiration date of the print ticket received in step S70 from the ticket storage unit 40.

  Proceeding to step S83 following step S82, the service B stores information indicating that the extension request was successful, the ticket ID of the newly created print ticket, and the expiration date included in the newly created print ticket. Create an extended expiration response that includes

  In step S84, the service B transmits the expiration date extension response created in step S75 or step S83 to the requesting portal site.

  The service extends the expiration date within a predetermined maximum extension expiration date in response to a request for extending the expiration date from a client having the right to extend the expiration date of the ticket by performing the processing shown in FIG. New tickets can be created.

  In the above-described first, second, and third embodiments, when a malicious client acquires an issued ticket, it repeatedly repeats a request to extend the expiration date before the expiration date expires. This makes it possible to use the ticket permanently, which poses a major security threat.

  Therefore, in the fourth embodiment, when issuing a ticket or extending the expiration date, a maximum value is set for the number of times the expiration date is extended, thereby solving the security problem.

  The functional configuration of the service according to the fourth embodiment is, similarly to FIG. 3, a service providing unit 70, a Web service I / F 10, a request processing unit 20, a ticket creation unit 30, a ticket storage unit 40, a ticket storage unit 40, An update unit 50 and a ticket verification unit 60 are included. Since the function of each unit is based on any of the configurations of the above-described embodiments (1, 2, and 3), only the differences will be described below.

  Upon receipt of the ticket creation request, the ticket creation unit 30 creates a ticket in the same manner as in the above-described embodiment, stores the created ticket in the ticket storage unit 40, and stores the stored ticket expiration request extension count Is set to zero (see FIGS. 14 and 15).

  Here, FIG. 14 illustrates the ticket storage unit 40 corresponding to the first embodiment, and FIG. 15 illustrates the ticket storage unit 40 corresponding to the second embodiment.

  Note that the ticket created by the ticket creation unit 30 includes a ticket ID for identifying the ticket, an upper limit number of times, an expiration date, a ticket use service and a list of authority to use the ticket service (FIG. 16).

  The extension upper limit number is the maximum value of the number of times that the validity period of the ticket set in advance is extended. The preset maximum number of extensions is determined by the security level of the service. For example, especially in the case of an important ticket such as an authentication ticket for single sign-on, the maximum number of extensions is reduced. For example, the person in charge of the service that issues the ticket sets the definition file stored in the HDD 19 or the like.

  Upon receiving the request for extending the expiration date, the ticket updating unit 50 extends the expiration date of the ticket as in the above-described embodiment.

  Here, when extending the expiration date of the ticket, the ticket updating unit 50 returns the extension of the expiration date to the client as an error if the number exceeds the extension upper limit. On the other hand, when the ticket updating unit 50 updates the ticket, the ticket updating unit 50 counts up the number of requests for extending the validity period of the ticket in the ticket storage unit 40 by one.

  Upon receiving the service use request, the ticket verification unit 60 first checks the ticket storage unit 40 with the ticket ID received from the client and the client identifier (client ID), and determines whether the ticket is issued by the service. Find out. If the ticket is not issued by the service, the verification request is returned to the client as an error.

  If the ticket is issued by the service, the ticket verification unit 60 compares the expiration date of the ticket included in the ticket corresponding to the received ticket ID with the current time, If the current time has been exceeded, the validation request returns an error to the client.

  If the expiration date has not expired, the ticket verification unit 60 takes out the right to use the service requested by the client and returns it to the service providing unit 70. The service providing unit 70 specifies the service using the specified service in accordance with the use right. Perform service processing.

  By configuring the service as described above, the ticket issuer sets the number of times that the expiration date can be extended, so a malicious client acquires the ticket and tries to extend the expiration date However, they cannot use tickets semi-permanently.

  Hereinafter, an example of the expiration date extension process according to the fourth embodiment will be described with reference to FIG. FIG. 17 is a flowchart illustrating an example of an expiration date extension process according to the fourth embodiment. In the following, for simplification of the description, an example of the process of extending the expiration date using the service B will be described. Further, as described in the second embodiment, an example of the expiration date extension process in the fourth embodiment will be described using a method of deleting an old ticket and creating a new ticket.

  In step S90, the service B receives a request to extend the expiration date of the print ticket from, for example, a portal site.

  Proceeding to step S91 following step S90, the service B uses FIG. 9 based on the print ticket ID included in the request for extending the expiration date of the print ticket received in step S90 and the client ID for identifying the portal site. Referring to the data in the ticket storage unit 40 as shown, it is determined whether the print ticket is issued by the service B.

  When the service B determines that the print ticket is issued by itself (YES in step S91), the process proceeds to step S92, and when it is determined that the service B is not a print ticket issued by itself (NO in step S91), the process proceeds to step S96. .

  In step S92, the service B compares the expiration date of the ticket included in the ticket corresponding to the print ticket ID with the current time, and determines whether the current time is within the expiration date of the print ticket.

  If the service B determines that the current time is within the validity period of the print ticket (YES in step S92), the process proceeds to step S93, and determines that the current time is not within the validity period of the print ticket (NO in step S92). ), And proceed to step S96.

  In step S93, the service B refers to the client list as shown in FIG. 4 and determines whether or not the portal site that has issued the request to extend the expiration date of the print ticket has the authority to update the print ticket.

  If the service B determines that the portal site has the authority to update the print ticket (YES in step S93), the process proceeds to step S94, and if the service B determines that the portal site does not have the authority to update the print ticket (NO in step S93), the process proceeds to step S94. Proceed to S96.

  In step S94, based on the print ticket ID included in the request to extend the expiration date of the print ticket received in step S90, the service B determines the number of times the print ticket can be extended as shown in FIG. By comparing the number of requests for extending the expiration date of the data in the ticket storage unit 40 as described above, it is determined whether the number of requests for extending the expiration date is within the extension upper limit number.

  If the service B determines that the number of requests for extension of the validity period is within the extension upper limit number (YES in step S94), the process proceeds to step S95, and determines that the number of requests for extension of the validity period is not within the extension upper limit number (step S94). NO in step S96), and proceeds to step S96.

  In step S95, it is determined whether the service B is extended by the predetermined extension period or by the extension period requested from the portal site included in the request for extending the expiration date of the print ticket received in step S90. I do.

  If it is determined that the service B is to be extended by the requested extension period (YES in step S95), the process proceeds to step S97. If it is determined that the service B is extended by the predetermined extension period (NO in step S95), the process proceeds to step S98.

  For example, the service B refers to a flag or the like defined in a definition file stored in the HDD 19 or the like, and determines whether to extend for a predetermined extension period or to extend for a requested extension period. .

  On the other hand, in step S96, the service B creates an expiration date extension response including information indicating that the extension request has failed.

  In step S97, the service B extends the expiration date included in the print ticket corresponding to the print ticket ID by the requested extension period.

  In step S98, the service B extends the expiration date included in the print ticket corresponding to the print ticket ID by a predetermined extension period.

  In step S99, the service B increments the number of requests for extending the validity period of the data in the ticket storage unit 40 by one as shown in FIG.

  Proceeding to step S100 following step S99, the service B creates a new print ticket including the expiration date (renewal expiration date) extended in step S97 or step S98 and the newly reassigned print ticket ID. .

  Proceeding to step S101 following step S100, the service B registers the print ticket newly created in step S100 in the ticket storage unit 40.

  Proceeding to step S102 following step S101, the service B deletes the print ticket corresponding to the print ticket ID included in the request for extending the expiration date of the print ticket received in step S90 from the ticket storage unit 40.

  Proceeding to step S103 following step S102, the service B transmits information indicating that the extension request has been successful, the ticket ID of the newly created print ticket, and the expiration date included in the newly created print ticket. Create an extended expiration response that includes

  In step S104, the service B transmits the expiration date extension response created in step S96 or S103 to the requesting portal site.

By performing the processing as shown in FIG. 17, the service extends the expiration date by a predetermined extension upper limit only in response to a request to extend the expiration date from a client having the right to extend the expiration date of the ticket, New tickets can be created.
(Modification of Embodiment 4)

In the above-described fourth embodiment, the upper limit of the number of times of extension of the validity period is set as the limitation of the extension of the validity period.
In this case, the functions of the ticket creation unit 30, the ticket storage unit 40, the ticket update unit 50, and the ticket verification unit 60 are added as follows.

  Upon receipt of the ticket creation request, the ticket creation unit 30 creates a ticket in the same manner as in the above-described embodiment, stores the created ticket in the ticket storage unit 40, and sets the stored ticket usage count to zero. I do.

  The ticket created by the ticket creation unit 30 includes a ticket ID for identifying the ticket, an upper limit number of use, an expiration date, a ticket use service and a list of authority to use the ticket service (FIG. 18).

  The maximum number of times of use is the maximum value of the number of times of use of the ticket set in advance. The maximum value of the preset number of times of use is determined by the security level of the service, and the person responsible for the service that issues the ticket sets the definition file stored in the HDD 19 or the like.

  Upon receiving the request for extending the expiration date, the ticket updating unit 50 extends the expiration date of the ticket as in the above-described embodiment.

  Here, when extending the expiration date of the ticket, if the number of times of use exceeds the upper limit, the ticket updating unit 50 returns the extension of the expiration date to the client as an error. On the other hand, when updating the ticket, the ticket updating unit 50 increments the number of times the ticket is used in the ticket storage unit 40 by one.

  Upon receipt of the service use request, the ticket verification unit 60 first checks the ticket storage unit 40 with the ticket ID received from the client and the client identifier (client ID), as in the above-described embodiment. Check if the ticket is issued. If the ticket is not issued by the service, the verification request is returned to the client as an error.

  Further, if the ticket is issued by the service, the ticket verification unit 60 compares the number of times of use of the ticket included in the ticket corresponding to the received ticket ID with the maximum number of times of use of the ticket, and uses the ticket. If the number of times exceeds the upper limit number of times the ticket can be used, the verification request is returned to the client as an error.

  Furthermore, if the ticket is issued by the service, the ticket verification unit 60 compares the expiration date of the ticket included in the ticket corresponding to the received ticket ID with the current time, and If the current time has been exceeded, the validation request returns an error to the client.

  If the expiration date has not expired, the ticket verification unit 60 takes out the right to use the service requested by the client and returns it to the service providing unit 70. The service providing unit 70 specifies the service using the specified service in accordance with the use right. Perform service processing.

  After performing the process of the designated service, the ticket verification unit 60 counts up the number of times the ticket is used in the ticket storage unit 40 by one.

  In the modification of the fourth embodiment, the extension of the expiration date has been described in the number of uses, but only the use of the service may be counted as the number of uses.

  As described in the first embodiment, in the case of the paid content sales service, after the portal site receives the content print ticket from the service B (content storage service), it takes time to process the service C (settlement service), and the service D The print ticket may expire before being passed to the (print service). In this case, if the expiration date of the print ticket expires on the way, the ticket must be re-acquired, and the portal site needs to extend the expiration date of the ticket.

  Therefore, in the fifth embodiment, when the expiration date of a ticket is about to expire, the requester of the notified ticket issues a request to extend the expiration date of the ticket by notifying the expiration date to the requester of the ticket. By doing so, the problem of expiration of the ticket can be solved.

  As shown in FIG. 19, the functional configuration of the service according to the fifth embodiment includes a service providing unit 70, a Web service I / F 10, a request processing unit 20, a ticket creation unit 30, a ticket storage unit 40, It includes a ticket update unit 50, a ticket verification unit 60, and an expiration date monitoring unit 80.

  Here, the functions of the service providing unit 70, the Web service I / F 10, the request processing unit 20, the ticket creation unit 30, the ticket storage unit 40, the ticket update unit 50, and the ticket verification unit 60 are as described above. Since it is based on any of the configurations of the embodiments described above, only the expiration date monitoring unit 80 will be described below.

  The expiration date monitoring unit 80 compares the expiration date of each ticket registered in the ticket storage unit 40 with the current time at every predetermined time (for example, 5 minutes), and determines a predetermined time (for example, 3 minutes). Minutes).

  If a ticket within the predetermined time is found, the expiration date monitoring unit 80 obtains contact information (client information) for the client that made the ticket creation request from the client list corresponding to the ticket. . In addition, the expiration date monitoring unit 80 acquires the expiration date of the ticket included in the ticket from the ticket within the predetermined time.

  The expiration date monitoring unit 80 notifies the acquired contact date (client information) to the client of the expiration date of the acquired ticket.

  For example, the following example can be considered as a message transmitted to a contact to a client.

Example 1: FROM2002-08-27T00: 00: 20ZTO2002-08-27T00: 04: 20Z_XXXXXX
This example shows that the ticket is valid from 00:00:20 on August 27, 2002 to 00:04:20 on August 27, 2002.

Example 2: (Example using XML)
<Ticket>
<From> 2002-08-27T00: 00: 20Z </ From>
<To> 2002-08-27T00: 04: 20Z <// To>
<Challenge> XXXXXXXX <// Challenge>
</ Ticket>
As in the fifth embodiment, when the service that issued the ticket monitors the expiration date of the ticket and notifies the expiration date of the ticket, the service that uses the ticket before the expiration date of the ticket expires. You can issue an expiration date extension request.

  Further, as in the fifth embodiment, when the service that issued the ticket monitors the expiration date of the ticket and notifies the expiration date of the ticket, the ticket issuance (creation) is performed in order to know the expiration date. The requested service does not need to inquire the service that issued the ticket. In the case of a Web service, it is important that there is no need to make an inquiry because the overhead of a request and a response is larger than that of a COM (Component Object Model).

  As for the timing of extending the expiration date of the ticket, the expiration date of the expiration date is monitored on the client side that has requested the ticket generation without relying on the notification from the ticket generation side as in the fifth embodiment. If it is about to expire, a request to extend the expiration date may be issued.

  In this case, the client that has requested creation of the ticket receives the ticket created or updated based on the request and the expiration date at the time of creation or update from the ticket creation side.

  When the expiration date monitoring unit 80 monitors the expiration date of the ticket, if the expiration date of the ticket is about to expire (it is within a predetermined time), the client requesting the ticket is requested. If the ticket updating authority is provided, the expiration date monitoring unit 80 may notify the ticket updating unit 50 and the ticket updating unit 50 may automatically extend the ticket expiration date.

  Hereinafter, an example of a notification process related to extension of the expiration date according to the fifth embodiment will be described with reference to FIG. FIG. 20 is a flowchart illustrating an example of a notification process related to extension of an expiration date according to the fifth embodiment. Hereinafter, for simplification of the description, an example of a notification process related to extension of the expiration date using service B will be described.

  In step S110, the service B compares the expiration date of each ticket registered in the ticket storage unit 40 with the current time at every predetermined time (for example, 5 minutes), and the expiration date is set in advance. It is determined whether there is a ticket within the time (for example, 3 minutes).

  If the service B determines that there is a ticket whose expiration date is within a predetermined time (for example, 3 minutes) (YES in step S110), the process proceeds to step S111, where the expiration date is set to the predetermined time. If it is determined that there is no ticket within (for example, 3 minutes) (NO in step S110), the process of step S110 is repeated.

  The predetermined time for monitoring the ticket (5 minutes in the above example) and the predetermined time (3 minutes in the above example) are stored in the HDD 19 or the like, for example, the person in charge of the service that issues the ticket. In the defined definition file.

  Proceeding to step S111 following step S110, the service B acquires the expiration date of the corresponding ticket and the client information from the ticket storage unit 40.

  Proceeding to step S112 following step S111, the service B transmits a message including the expiration date of the ticket acquired in step S111 to the client included in the client information acquired in step S111.

  By performing the processing shown in FIG. 20, the service can transmit information relating to the extension of the expiration date to the client that has issued the ticket creation request.

  By combining the above-described embodiments as necessary, the expiration date of the ticket can be extended while maintaining higher security.

  In the first to fifth embodiments described above, the configuration of the service A as the authentication service or the service B as the content storage service and the processing in the service A or the service B are mainly described. In the seventh embodiment, the configuration of the portal site in FIG. 1 and the processing in the portal site will be described.

  FIG. 21 is a sequence diagram illustrating an example of the embodiment.

  As described in FIG. 1, the portal site receives an authentication request including, for example, a user name and a password from the user terminal device (sequence SQ1).

  Upon receiving an authentication request including, for example, a user name and a password from the user terminal device, the portal site temporarily stores the user name and the password, and then creates an authentication ticket creation request including the user name and the password. I do. As described in the first embodiment and the like, the portal site includes, in addition to the user name and the password, the expiration date of the ticket and the services (for example, service B, service C, and service D) used by the portal site. An authentication ticket creation request including the authentication ticket is created and transmitted to service A, which is an authentication service (sequence SQ2).

  Here, the portal site stores the user name and the password so that, for example, even if the authentication ticket expires, the authentication is performed again using the stored user name and the password. A new authentication ticket creation request can be transmitted to service A, which is a service.

  Upon receiving the authentication ticket creation request from the portal site, the service A authenticates the user based on, for example, the user name and the password included in the authentication ticket creation request. While creating, holding, and managing an authentication ticket having an expiration date as described in (1) to (5), an authentication ticket ID for identifying the authentication ticket, an expiration date included in the authentication ticket, and a message indicating that the authentication was successful An authentication ticket creation response including the information is generated and transmitted to the requesting portal site (sequence SQ3).

  Upon receiving from the service A an authentication ticket creation response including the authentication ticket ID for identifying the authentication ticket, the expiration date included in the authentication ticket, and information indicating that the authentication has succeeded, the portal site transmits the authentication ticket ID and While maintaining and managing the expiration date of the authentication ticket, an authentication response including information indicating that the authentication is successful is created and transmitted to the requesting user terminal device (sequence SQ4).

  Further, the portal site creates a session creation request including an authentication ticket ID held and managed in order to establish a session with a service (for example, service B, service C, service D) used by the portal site, The service is transmitted to the service (service B in the example of FIG. 21) used by the portal site (sequence SQ5).

  Upon receiving the session creation request from the portal site, service B creates a confirmation request for the authentication ticket ID including the authentication ticket ID included in the session creation request, and transmits it to service A (sequence SQ6).

  When the service A receives the confirmation request including the authentication ticket ID, the service A determines whether the authentication ticket ID is the authentication ticket ID of the valid authentication ticket created by the service A, and determines that the authentication ticket ID is the authentication ticket ID of the valid authentication ticket. An authentication ticket ID confirmation response including information indicating that the authentication ticket ID is an appropriate authentication ticket ID is created and transmitted to the requesting service B (sequence SQ7).

  When the service B receives a confirmation response of the authentication ticket ID including information indicating that the service is a valid authentication ticket ID from the service A, for example, the authentication ticket ID, the session ID for identifying the session, and the expiration date of the session Is created (see FIG. 22) and stored and managed, and a session creation response including the session ID is created and transmitted to the requesting portal site (sequence SQ8).

  On the other hand, the service A monitors the expiration date of the authentication ticket created in response to the authentication ticket creation request of the sequence SQ2, for example, at a predetermined time (for example, 5 minutes) as described in the fifth embodiment. When the expiration date of the authentication ticket is within a predetermined time (for example, 3 minutes), a notification message indicating that the expiration date is within the predetermined time, that is, the expiration date of the authentication ticket is issued. It is created and transmitted to the portal site that made the authentication ticket creation request (sequence SQ9).

  Upon receiving the notification message from the service A indicating that the authentication ticket expires, the portal site determines whether to extend the expiration date of the authentication ticket. When the portal site determines that the expiration date of the authentication ticket is to be extended, the portal site creates an expiration date extension request including the authentication ticket ID, the requested extension period, and an identifier for identifying the portal site. Transmit (sequence SQ10).

  Upon receiving the expiration date extension request from the portal site, the service A extends the expiration date by the method described in any of the above-described first to fifth embodiments, and transmits the extended expiration date and the authentication ticket having the extended expiration date. An expiration date extension response including the identification ticket ID to be identified is created and transmitted to the requesting portal site (sequence SQ11).

  The portal site can establish a session with another service other than the service B, for example, using the authentication ticket ID for identifying the authentication ticket whose validity has been extended.

  The processing of sequence SQ9 to sequence SQ11 may be performed before the processing of sequence SQ5.

  Hereinafter, a functional configuration of an example of the portal site will be described with reference to FIG. FIG. 23 is a block diagram illustrating a functional configuration of an example of a portal site.

  As shown in FIG. 23, the portal site includes a service providing unit 100, a Web service I / F 101, a data distribution / acquisition unit 102, a ticket information management unit 103, a session information management unit 104, an authentication information management Unit 105.

  The service providing unit 100 receives a request from the user terminal device and provides a corresponding service (for example, an authentication service or the like) to the user terminal device, or provides a service (for example, a service A, B, C, or D) A request is transmitted, and a result of processing from the service is received.

  For example, in response to an authentication request from the user terminal device, the service providing unit 100 transmits an authentication ticket creation request to the service A, which is an authentication service, receives an authentication ticket creation response from the service A, An authentication response indicating failure is transmitted to the requesting user terminal device. Further, the service providing unit 100 transmits, for example, a session creation request to the service B and the like, receives a session creation response from the service B, and transmits to the service A a request to extend the expiration date of the authentication ticket. Or an extension response of the authentication ticket is received from the service A.

  The Web service I / F 101 is an interface that mediates with a core Web service function when the service providing unit 100 executes a function.

  The data distribution / acquisition unit 102 stores data in the ticket information management unit 103, the session information management unit 104, or the authentication information management unit 105 according to the message transmitted and received by the service providing unit 100, and conversely, the ticket information management unit For example, data is obtained from the session information management unit 103 or the session information management unit 104 or the authentication information management unit 105.

  The ticket information management unit 103 manages information related to a ticket, for example, an authentication ticket ID, an expiration date of the authentication ticket, and the like (see FIG. 24). Note that the ticket information management unit 103 may also manage the print ticket ID described in the first embodiment and the like, the expiration date of the print ticket, and the like. However, in the following, for the sake of simplicity, the description will be made assuming that the ticket information management unit 103 manages the authentication ticket ID and the expiration date of the authentication ticket.

  The session information management unit 104 manages information related to a session between the portal site and the service, for example, a session ID and the like.

  The authentication information management unit 105 manages information related to authentication, for example, a user name and a password.

  Hereinafter, an example of the authentication ticket creation request processing in the portal site will be described with reference to FIG. FIG. 25 is a flowchart illustrating an example of an authentication ticket creation request process in a portal site.

  In step S200, the portal site receives an authentication request including, for example, a user name and a password from the user terminal device.

  Proceeding to step S201 following step S200, the portal site creates an authentication ticket creation request including the user name and password included in the authentication request received in step S200. As described above, the authentication ticket creation request includes an expiration date of the ticket, an identifier for identifying a service (for example, service B, service C, service D) used by the portal site, and the like.

  Proceeding to step S202 following step S201, the portal site transmits the authentication ticket creation request created in step S201 to the corresponding authentication service, service A.

  Proceeding to step S203 following step S202, the portal site includes, from the service A, an authentication ticket ID for identifying the authentication ticket, an expiration date included in the authentication ticket, and information indicating, for example, that authentication has been successful. Receive authentication ticket creation response. The portal site holds and manages an authentication ticket ID for identifying an authentication ticket included in the received authentication ticket creation response, and an expiration date included in the authentication ticket.

  Proceeding to step S204 following step S203, the portal site creates an authentication response including, for example, that the authentication has been successful.

  Proceeding to step S205 following step S204, the portal site transmits the authentication response created in step S204 to the user terminal device that has requested authentication.

  By performing the process shown in FIG. 25, the portal site causes the authentication service (service A) to perform authentication in response to the authentication request from the user terminal device, and sends the authentication result to the requesting user terminal device. Can be sent. Further, the portal site uses the acquired authentication ticket ID for identifying the authentication ticket for certifying the authentication, establishes a session with the service used by the portal site, and transmits a request for extending the expiration date to the authentication service. Or you can.

  Hereinafter, an example of the session creation request process in the portal site will be described with reference to FIG. FIG. 26 is a flowchart illustrating an example of a session creation request process in a portal site. In the following, for simplification of the description, the portal site will be described as having a session with the service B.

  In step S210, the portal site creates a session creation request including the authentication ticket ID.

  Proceeding to step S211 following step S210, the portal site transmits the session creation request created in step S210 to the service B.

  Proceeding to step S212 following step S211, the portal site receives a session creation response including a session ID for identifying the session from the service B. The portal site holds and manages the session ID included in the received session creation response, and uses it when using the service provided by the service B.

  By performing the processing shown in FIG. 26, the portal site can establish a session with a service (for example, service B, service C, or service D) used by the portal site using the authentication ticket ID. .

  Hereinafter, an example of the expiration date extension request process in the portal site will be described with reference to FIG. FIG. 27 is a flowchart illustrating an example of an expiration date extension request process in the portal site.

  In step S220, the portal site receives, for example, a notification message from the service A, which is an authentication service, indicating that the expiration date of the authentication ticket is within a predetermined time, that is, the expiration date of the authentication ticket. It is determined whether or not it has been done. If the portal site determines that the notification message that the authentication ticket expires is received (YES in step S220), the portal site proceeds to step S221 and determines that the notification message that the authentication ticket has expired is not received. If determined (NO in step S220), the process of step S220 is repeated.

  In step S221, the portal site determines whether to extend the expiration date of the authentication ticket notified of expiration in step S220. If the portal site determines that the expiration date of the authentication ticket is to be extended (YES in step S221), the process proceeds to step S222, and if the portal site determines that the expiration date of the authentication ticket is not to be extended (NO in step S221), the process from step S220 is performed. repeat.

  For example, if the user has effectively logged in to the portal site via the user terminal device, the portal site determines that the expiration date of the authentication ticket is to be extended, and has not logged in to the portal site effectively. It is determined that the expiration date of the authentication ticket is not extended.

  In step S222, the portal site creates an expiration date extension request including the authentication ticket ID, the requested extension period, and an identifier for identifying the portal site.

  Proceeding to step S223 following step S222, the portal site transmits the expiration date extension request created in step S222 to the service A.

  Proceeding to step S224 following step S223, the portal site transmits, from the service A, an expiration date extension response including, for example, an extended expiration date and an authentication ticket ID for identifying the authentication ticket having the extended expiration date. Receive.

  By performing the processing shown in FIG. 27, the portal site can make a request to extend the expiration date of the ticket.

  In the sixth embodiment described above, the authentication service monitors the expiration date of the authentication ticket and notifies the portal site that the expiration date has expired. However, the portal site monitors the expiration date of the authentication ticket, for example. When the expiration date is about to expire, a request to extend the expiration date may be transmitted to the authentication service.

  Hereinafter, an example of the embodiment in the case where the portal site monitors the expiration date of the ticket will be described with reference to FIG. FIG. 28 is a sequence diagram for explaining another example of the embodiment. Note that the processing from sequence SQ20 to sequence SQ27 in FIG. 28 is the same as the processing from sequence SQ1 to sequence SQ8 in FIG.

  As shown in FIG. 24, the portal site monitors the held and managed authentication ticket ID and the expiration date of the authentication ticket corresponding to the authentication ticket ID at predetermined times (for example, 5 minutes). When the expiration date falls within a predetermined time (for example, 3 minutes), it is determined whether or not to extend the expiration date of the corresponding authentication ticket.

  If the portal site determines that the expiration date of the authentication ticket is to be extended, the portal site creates an expiration date extension request including the authentication ticket ID, the requested extension period, and an identifier for identifying the portal site, and transmits the request to the service A. (Sequence SQ28).

  Upon receiving the expiration date extension request from the portal site, the service A extends the expiration date by the method described in any of the above-described first to fifth embodiments, and transmits the extended expiration date and the authentication ticket having the extended expiration date. An expiration date extension response including the authentication ticket ID to be identified is created and transmitted to the requesting portal site (sequence SQ29).

  The portal site can establish a session with another service other than the service B, for example, by using the authentication ticket ID for identifying the authentication ticket whose validity has been extended.

  The processing of sequence SQ28 and sequence SQ29 may be performed before the processing of sequence SQ24.

  Hereinafter, a functional configuration of another example of the portal site will be described with reference to FIG. FIG. 29 is a block diagram showing a functional configuration of another example of the portal site.

  As shown in FIG. 29, the portal site includes a service providing unit 100, a Web service I / F 101, a data distribution / acquisition unit 102, a ticket information management unit 103, a session information management unit 104, an authentication information management Unit 105 and an expiration date monitoring unit 106.

  Here, the functions of the service providing unit 100, the Web service I / F 101, the data distribution / acquisition unit 102, the ticket information management unit 103, the session information management unit 104, and the authentication information management unit 105 are as described above. Since the third embodiment is the same as the sixth embodiment, only the expiration date monitoring unit 106 will be described below.

  The expiration date monitoring unit 106 compares the expiration date of the ticket managed by the ticket information management unit 103 with the current time at every predetermined time (for example, 5 minutes), and determines a predetermined time (for example, 3 minutes).

  When determining that there is an expiration date within a predetermined time, the expiration date monitoring unit 106 determines whether to extend the expiration date, and when determining that the expiration date is to be extended, the Web service I / F 101. Notify the service providing unit 100 via the above.

  Upon receiving the notification from the expiration date management unit 106, the service providing unit 100 creates an expiration date extension request as described above, and transmits the expiration date extension request to the service A, which is an authentication service.

  Hereinafter, another example of the expiration date extension request process in the portal site will be described with reference to FIG. FIG. 30 is a flowchart for explaining another example of the expiration date extension request process in the portal site.

  In step S230, the portal site compares the expiration date of the ticket held and managed in the ticket information management unit 103 with the current time at every predetermined time (for example, 5 minutes), It is determined whether or not it is within a predetermined time (for example, 3 minutes).

  If the portal site determines that the expiration date is within a predetermined time (eg, 3 minutes) (YES in step S230), the process proceeds to step S231, where the expiration date is set to a predetermined time (eg, 3 minutes). If it is determined that it is not within minutes) (NO in step S230), the process of step S230 is repeated.

  The predetermined time for monitoring the ticket (5 minutes in the above example) and the predetermined time (3 minutes in the above example) are stored in the HDD 19 or the like by the administrator of the portal site, for example. In the definition file that exists.

  In step S231, the portal site determines whether to extend the expiration date determined to be within the predetermined time in step S230.

  If the portal site determines that the expiration date is to be extended (YES in step S231), the process proceeds to step S232, and if it determines that the expiration date is not to be extended (NO in step S231), the process from step S230 is repeated.

  For example, the portal site determines that the expiration date is to be extended if the user has effectively logged in to the portal site via the user terminal device. Is determined not to be extended.

  In step S232, the portal site creates an expiration date extension request including the authentication ticket ID, the requested extension period, and an identifier for identifying the portal site.

  Proceeding to step S233 following step S232, the portal site transmits the expiration date extension request created in step S232 to the service A.

  Proceeding to step S234 following step S233, the portal site sends, from the service A, an expiration date extension response including, for example, an extended expiration date and an authentication ticket ID for identifying the authentication ticket with the extended expiration date. Receive.

  By performing the processing shown in FIG. 30, the portal site monitors the expiration date of the ticket, and if it determines that the expiration date is to be extended, the portal site transmits a request to extend the expiration date of the ticket to the corresponding service. it can.

  Although the preferred embodiments of the present invention have been described in detail, the present invention is not limited to the specific embodiments, and various modifications may be made within the scope of the present invention described in the appended claims.・ Change is possible.

It is an example of a Web service for explaining the embodiment. FIG. 2 is a hardware configuration diagram of an example of a service providing apparatus. FIG. 3 is a block diagram illustrating a functional configuration of an example of a service. It is an example of a data structure of a client list. 5 is an example of a data structure of a ticket according to the first embodiment. 5 is an example of a data structure of a ticket storage unit according to the first embodiment. 6 is a flowchart illustrating an example of an expiration date extension process according to the first embodiment. 6 is a flowchart illustrating an example of a service providing process according to the first embodiment. 12 is an example of a data structure of a ticket storage unit according to the second embodiment. 13 is a flowchart illustrating an example of an expiration date extension process according to the second embodiment. 13 is a flowchart illustrating an example of a service providing process according to a second embodiment. 13 illustrates an example of a data structure of a ticket according to the third exemplary embodiment. 17 is a flowchart illustrating an example of an expiration date extension process according to a third embodiment. 14 illustrates a data structure example (part 1) of a ticket storage unit according to the fourth embodiment. 14 illustrates a data structure example (part 2) of the ticket storage unit according to the fourth embodiment. 14 illustrates an example of a data structure of a ticket according to the fourth embodiment. 19 is a flowchart illustrating an example of an expiration date extension process according to a fourth embodiment. 18 illustrates an example of a data structure of a ticket according to a modification of the fourth embodiment. It is a block diagram showing other functional composition of a service. 21 is a flowchart illustrating an example of a notification process related to extension of an expiration date according to a fifth embodiment. FIG. 4 is a sequence diagram for describing an example of the embodiment. Example session data structure FIG. 2 is a block diagram illustrating a functional configuration of an example of a portal site. FIG. 4 is a diagram for explaining an example of data managed by a ticket information management unit. It is a flowchart for demonstrating an example of the authentication ticket creation request process in a portal site. It is a flowchart for demonstrating an example of the session creation request process in a portal site. It is a flowchart for demonstrating an example of the expiration date extension request process in a portal site. It is a sequence diagram for explaining other examples of an embodiment. It is a block diagram showing the functional composition of other examples of a portal site. It is a flow chart for explaining other examples of expiration date extension request processing in a portal site.

Explanation of reference numerals

10 Web service I / F
Reference Signs List 20 request processing unit 30 ticket creation unit 40 ticket storage unit 50 ticket update unit 60 ticket verification unit 70 service provision unit 80 expiration date monitoring unit 100 service provision unit 101 Web service I / F
102 data distribution / acquisition unit 103 ticket information management unit 104 session information management unit 105 authentication information management unit 106 expiration date monitoring unit

Claims (24)

A service providing apparatus having integrated service providing means for collectively providing services provided by at least one or more service providing means,
The integrated service providing means includes:
Sending a proof information creation request for sending a request for creating proof information having an expiration date to a first service providing means, which is one of the service providing means, for a service provided by the first service providing means Means,
From the first service providing means, a proof information identifier for identifying the proof information, and an expiration date of the proof information, a proof information creation response receiving means for receiving a proof information creation response including:
Extension request transmission means for transmitting a request to extend the expiration date of the certification information to the first service providing means,
A service providing apparatus comprising:   2. The service providing apparatus according to claim 1, wherein the request for extending the expiration date of the certification information includes the certification information identifier and a requested extension period.   3. The service providing apparatus according to claim 2, wherein the request for extending the expiration date of the certification information further includes an integrated service providing unit identifier for identifying the integrated service providing unit.   4. The service providing apparatus according to claim 1, wherein the integrated service providing unit further includes a certifying information managing unit that manages the certifying information identifier and an expiration date of the certifying information. 5. .   The integrated service providing unit is configured to receive, from the first service providing unit, an expiration date extension response including a certification information identifier that identifies the certification information whose expiration date has been extended, and an extended expiration date. 5. The service providing apparatus according to claim 1, further comprising a response receiving unit.   6. The service providing apparatus according to claim 4, wherein the certification information management unit further manages a certification information identifier for identifying the certification information whose validity period has been extended and an extended validity period. .   The integrated service providing unit transmits a session start request including a certification information identifier for identifying the certification information to a second service providing unit different from the first service providing unit among the service providing units. 7. The service providing apparatus according to claim 1, further comprising a session start request transmitting unit.   9. The integrated service providing unit according to claim 7, further comprising a session start response receiving unit configured to receive, from the second service providing unit, a session start response including a session identifier for identifying the session. Service providing device.   9. The service providing apparatus according to claim 7, wherein the integrated service providing unit further includes a session management unit that manages a session identifier for identifying the session.   2. The expiration date information notification receiving unit that receives an expiration date information notification including information on an expiration date of the certification information from the first service providing unit, wherein the integrated service providing unit further includes an expiration date information notification receiving unit. 10. The service providing apparatus according to any one of claims 9 to 9.   10. The service providing apparatus according to claim 1, wherein the integrated service providing unit further includes an expiration date monitoring unit that monitors an expiration date of the certification information. A service providing method in an integrated service providing unit that collectively provides services provided by at least one or more service providing units,
Sending a proof information creation request for sending a request for creating proof information having an expiration date to a first service providing means, which is one of the service providing means, for a service provided by the first service providing means Stages and
From the first service providing means, a proof information identifier for identifying the proof information, and an expiration date of the proof information, a proof information creation response receiving step including receiving a proof information creation response including:
An extension request transmission step of transmitting an extension request for an expiration date of the certification information to the first service providing unit,
A service providing method, comprising:   13. The service providing method according to claim 12, wherein the request for extending the expiration date of the certification information includes the certification information identifier and a requested extension period.   14. The service providing method according to claim 13, wherein the request for extending the expiration date of the certification information further includes an integrated service providing unit identifier for identifying the integrated service providing unit.   15. The service providing method according to claim 12, further comprising a certification information management step of managing the certification information identifier and an expiration date of the certification information.   An extension response receiving step of receiving, from the first service providing unit, a certification information identifier for identifying the certification information having an extended validity period and an extended validity period response including the extended validity period. The service providing method according to any one of claims 12 to 15, wherein:   17. The service providing method according to claim 15, wherein the certifying information management step further manages a certifying information identifier for identifying the certifying information whose validity period has been extended and an extended validity period. .   A session start request transmitting step of transmitting a session start request including a proof information identifier for identifying the proof information to a second service providing means different from the first service providing means among the service providing means. The service providing method according to any one of claims 12 to 17, further comprising:   19. The service providing method according to claim 18, further comprising a session start response receiving step of receiving a session start response including a session identifier for identifying the session from the second service providing means.   20. The service providing method according to claim 18, further comprising a session management step of managing a session identifier for identifying the session.   21. The method according to claim 12, further comprising: receiving an expiration date information notification including an expiration date information notification including information on an expiration date of the certification information from the first service providing unit. Service provision method.   21. The service providing method according to claim 12, further comprising an expiration date monitoring step of monitoring an expiration date of the certification information.   A service providing program for causing a computer to execute the service providing method according to claim 12. A computer-readable recording medium on which the service providing program according to claim 23 is recorded.

Images