JP2005339008A - Access control method and program, and recording medium - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To decrease a running cost for a manager who manages an access right by reducing troublesome work for setting access control information for each resource. <P>SOLUTION: A resource management device which receives an access request determines whether the access is permitted based on whether the identification information of the resource which is an access object of the access request is included in a permitted resource list (Step S209). When the resource management device 1 determines that the access is not permitted in the Step S209, it determines whether access according to the access request is permitted based on a preliminarily set access control information list (Step S210). When the access is determined to permit at least either in the Step S209 or in the Step S210, the resource management device obtains or generates a hyper text or a resource which is the access object for the permitted access request (Step S211). <P>COPYRIGHT: (C)2006,JPO&NCIPI

Description

  The present invention relates to an access control method for preventing unauthorized access to an electronic file, function, service, or the like to be protected in an information system, and in particular, a hyperstructure structured by tags including links to other resources. The present invention relates to an access control method for controlling access to managed resources in a resource management apparatus that manages resources such as document files and image files linked from text and hypertext.

  Many of information distribution and service provision via a network are realized on a system called Web or WWW (World Wide Web). In a Web system, a request for hypertext described in the HTML (Hyper Text Markup Language) format specified in the RFC (Request For Comment) of the Internet Engineering Task Force (IETF) or the recommendation of the World Wide Web Consortium (W3C). By repeating the reply, browsing, and operation, the discovery of desired information and the commercial transaction are achieved (for example, see Non-Patent Documents 1 and 2). Since hypertext is a document structured by tags, both readability and machine processing are compatible, and other resources called hyperlinks or simply links, that is, other independent hypertexts, etc. It is characteristic to include references to document files and embedded image files. The resource referred to by the link is requested, returned, processed, and displayed in the management system by the user's operation or by the automatic determination of the user's hypertext browsing tool, so-called browser. Linking makes it easy to construct a document that contains various multimedia resources such as images, or a complex document that links multiple independent documents. This is the case for Web systems and the Internet. It can be said that it promoted the spread of computer networks. Recently, instead of preparing hypertext in a file in advance, various hypertexts are dynamically generated depending on attribute information such as the qualification and hobby preference of the user who requested access. The return system is widely used. This makes it possible to provide more appropriate information and services to the user who has requested access.

  By the way, when providing confidential documents within a company or providing services for specific parties such as membership services, only access requests from appropriate parties are accepted, and other requests are rejected. It is necessary to practice control. Regarding access control methods, many methods have been proposed that are flexible and have improved management costs, starting with role-based access control (see Non-Patent Document 3, for example). What is common to both methods is the combination of individual users who request access or a user group in which users are aggregated with individual resources to be protected or resource groups in which resources are aggregated. The administrator prepares in advance access control information that assigns permission or denial for each, and every time an access request is received, the access control information is used to determine whether access is permitted or not by the access request. Is a point. Depending on how access control information is configured and managed, it is broadly divided into access control list methods and capability methods. In either case, in order to determine the denial / permission of access for every possible access request. Therefore, it is necessary to prepare access control information having an amount of information corresponding to the number of resources or the groups and the amount corresponding to the number of users or the groups.

A resource that is referenced by a link from hypertext and embedded in the hypertext or displayed as a separate document that is referenced by a link from hypertext is a resource that is different from the original hypertext. Are treated as That is, when a user displays and uses one hypertext document or a group of hypertext documents, a request for access to each resource is generated, and the resource management system determines whether or not each request can be accessed. It is necessary to carry out. In other words, in providing information and services using hypertext, it is necessary to set and manage a large amount of access control information and implement access control.
Internet Engineering Task Force, Request For Comments: 1866 "Hypertext Markup Language-2.0", 1995 World Wide Web Consortium Recommendation "HTML 4.01 Specification", 1999 DF Ferraiolo and DR Kuhn "Role Based Access Control" 15th National Computer Security Conference ", 1992

  In the above prior art, as the amount of resources to be protected increases, the amount of access control information to be prepared in advance becomes enormous, and in particular, the operation cost for an administrator who manages a large number of resources is difficult to ignore. In addition, the design of the link that is usually included in the hypertext is made in consideration of including the link to the resource that should be provided to the user to whom the hypertext is provided, but the access control information is designed separately. However, it is twice as troublesome for the manager to require the setting work.

  Moreover, in a system that provides hypertext generated dynamically and in various contents depending on the situation, which is often seen in recent years, all hypertext contents that can be dynamically generated are displayed. It was a very difficult and time-consuming task for the administrator, as it was required to grasp in advance in advance and implement access control information according to these various contents in advance.

  The present invention has been made in view of such a problem, and when performing access control of various resources such as hypertext, which are referred to by hyperlinks and links from hypertext, and which are related or embedded. To provide an access control method capable of reducing the operation cost of the administrator who manages the access right by appropriately reducing the access right while appropriately controlling the access right and reducing the effort of setting the access control information for each resource. Objective.

In order to achieve the above object, the access control method of the present invention is managed in a resource management apparatus that manages hypertext structured by tags including links to other resources and resources linked from hypertext. An access control method for controlling access to a resource,
When an access request is received from a user terminal device, the permitted resource list in which the identification information of the resource to be accessed by the access request is listed and the identification information of the resource that is permitted to be accessed by the user is listed And when the identification information of the resource to be accessed is included in the permitted resource list, an authorized resource determination step for determining that the access according to the access request is permitted,
When the access request received in the permitted resource determination step is determined to be permitted, a resource acquisition generation step for acquiring or generating a hypertext or a resource that is permitted to be accessed by the permitted access request;
Specific link extraction condition data in which a condition for extracting a link permitting subsequent access from the user terminal is set when the resource acquired or generated by the resource acquisition generation step is hypertext Are extracted from the hypertext, and all the links that match any one or more of the specific link extraction condition data included in the specific link extraction condition data list are extracted from the hypertext, A permitted resource list update step of adding identification information of a resource that is a link destination of each of the extracted one or more links to the permitted resource list;
An access response returning step of returning the resource acquired or generated in the resource acquisition generating step as an access response to the user terminal that has transmitted the access request.

  According to the present invention, when granting access rights based on links to other resources provided in the hypertext, only the type of link that matches the specific link extraction condition is extracted and the access rights are permitted and permitted. In addition to the resource list, when the next access is made, the resources whose identification information is listed in the permitted resource list are permitted to be accessed regardless of the access control information. Therefore, according to the present invention, it is possible to reduce the operation cost of the administrator while appropriately controlling the access right without giving the access right excessively.

In addition, another access control method of the present invention is a resource management apparatus that manages hypertext structured by tags including links to other resources and resources linked from the hypertext. An access control method for controlling access,
When an access request is received from a user terminal device, the permitted resource list in which the identification information of the resource to be accessed by the access request is listed and the identification information of the resource that is permitted to be accessed by the user is listed And when the identification information of the resource to be accessed is included in the permitted resource list, an authorized resource determination step for determining that the access according to the access request is permitted,
When it is determined that access is not permitted in the permitted resource determination step, the access is performed based on access control information that is information that associates a public resource with an accessor permitted to access the resource. An access authority determination step for determining whether or not access by a request should be permitted;
A resource acquisition and generation step of acquiring or generating a hypertext or a resource that is permitted to be accessed by the permitted access request when it is determined that at least one of the permitted resource determination step or the access authority determination step;
Specific link extraction condition data in which a condition for extracting a link permitting subsequent access from the user terminal is set when the resource acquired or generated by the resource acquisition generation step is hypertext Are extracted from the hypertext, and all the links that match any one or more of the specific link extraction condition data included in the specific link extraction condition data list are extracted from the hypertext, A permitted resource list update step of adding identification information of a resource that is a link destination of each of the extracted one or more links to the permitted resource list;
An access response returning step of returning the resource acquired or generated in the resource acquisition generating step as an access response to the user terminal that has transmitted the access request.

  In the present invention, the permitted resource determination step using the permitted resource list and the access authority determination step using the access control information are performed, and at least one of the permitted resource determination step or the access authority determination step is determined to be permitted. If so, the access request is permitted. Therefore, according to the present invention, it is possible to reduce the operation cost of the administrator while appropriately controlling the access right without excessively giving the right to access, and other resources provided in the hypertext. Since the amount of access control information that must be prepared in advance is greatly reduced and the structure is simplified, the access rights are managed. Administrator operating costs can be reduced.

Furthermore, another access control method of the present invention provides a hypertext structured by a tag including a link to another resource and a resource management apparatus that manages a resource linked from the hypertext. An access control method for controlling access,
When an access request from a user terminal device is received, the resource to be accessed by the access request is changed to access control information, which is information associating a public resource with an accessor permitted to access the resource. An access control information confirmation step for determining whether or not it is registered;
In the access control information confirmation step, if it is determined that the resource that is the access target of the access request is registered in the access control information, should access be permitted by the access request based on the access control information? An access authority determination step for determining whether or not,
If it is determined in the access control information confirmation step that the resource that is the access target of the access request is not registered in the access control information, the identification information of the resource that is the access target of the access request is the user Check whether the identification information of the resource that is permitted to access is included in the enumerated permitted resource list, and the identification information of the resource to be accessed is included in the permitted resource list Includes an allowed resource determination step of determining that access by the access request is permitted, and
A resource acquisition and generation step of acquiring or generating a hypertext or a resource that is permitted to be accessed by the permitted access request when it is determined that at least one of the permitted resource determination step or the access authority determination step;
Specific link extraction condition data in which a condition for extracting a link permitting subsequent access from the user terminal is set when the resource acquired or generated by the resource acquisition generation step is hypertext Are extracted from the hypertext, and all the links that match any one or more of the specific link extraction condition data included in the specific link extraction condition data list are extracted from the hypertext, A permitted resource list update step of adding identification information of a resource that is a link destination of each of the extracted one or more links to the permitted resource list;
An access response returning step of returning the resource acquired or generated in the resource acquisition generating step as an access response to the user terminal that has transmitted the access request.

  In the access control information confirmation step, the present invention confirms whether or not the identification information of the resource to be accessed is registered in the access control information, and if it is registered, determines whether or not access is possible based on the access control information. If it is not registered, it is determined whether or not access is possible based on the permitted resource list. Therefore, for resources for which access control information has been explicitly set, whether access is permitted or not is determined only by the setting contents of the access control information, regardless of the permitted resource list, and is described in the access control information. Since the access right beyond the access permission instruction is not given, high security can be ensured.

As described above, according to the present invention, the following effects can be obtained.
(1) Since the link to other resources provided in the hypertext is used to determine whether access is possible, the amount of access control information that must be prepared in advance is greatly reduced, and the structure This simplifies the operation cost of the administrator who manages the access right.
(2) When granting access rights based on links to other resources provided in hypertext, only the types of links that meet the specific link extraction conditions are extracted and access rights are granted. Without granting access rights, it is possible to reduce the operational costs of the administrator while appropriately controlling the access rights.
(3) An access right can be given by extracting a link based on a keyword included in the comment tag. As a result, it is possible to dynamically apply a desired access right without imposing any restrictions on the layout of the hypertext.
(4) Since the link extraction from the hypertext is dynamically performed at the time of access control rather than in advance, it is directly applied to a system that dynamically generates resources in response to an access request. Can be obtained. In addition, since access rights are managed for each session with a user, appropriate access control can be performed without granting access rights to an inappropriate user.
(5) When the access right granted based on the link extracted from the hypertext is exercised, the validity of the access right is determined based on a preset validity period. As a result, the access control can be appropriately maintained against the risk of hijacking of the communication session that rises with time.
(6) When extracting links for granting access rights, the hypertext that is the source of extraction is limited to those registered in advance by the administrator, or the hypertext that is the source of extraction By restricting the creator or deployer to those that are trusted and registered in advance by the administrator, when a large number of users share a resource management device, excessive use due to malicious or negligence of other users Prevent granting access. That is, the above-described effects can be obtained even in a resource management system shared by a plurality of users.
(7) For resources for which access control information is set, access permission is not granted and authorized by links from other hypertexts, and access permission is strictly determined based only on the access control information. . This makes it possible to use dynamic and flexible access rights based on links and strict access rights based on explicit access control information, and various access controls according to the administrator's policy. Can practice the method.

  Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings.

(First embodiment)
FIG. 1 shows a configuration example of a hypertext document browsing system that implements the access control method according to the first embodiment of the present invention. The hypertext document browsing system according to the present embodiment manages a resource management device 1 that manages resources such as hypertext, image files, and document files to be protected, and a plurality of resource management devices 1 that request and acquire resource access. User terminal device 2. The resource management device 1 and the user terminal device 2 are connected by a communication network 3 and can communicate with each other.

  The user terminal device 2 is equipped with a so-called web browser such as Internet Explorer (registered trademark) of Microsoft (registered trademark) as a hypertext browsing tool, and the user of the user terminal device 2 operates the browsing tool. Alternatively, a request conforming to HTTP (Hyper Text Transfer Protocol) is transmitted to the resource management device 1 by an automatic operation by the browsing tool, and this is used to request access to the resource on the resource management device 1.

  Upon receiving the HTTP request, the resource management device 1 determines whether or not the resource indicated by this request should be provided, that is, whether or not the access indicated by this request should be permitted. If it is determined to be permitted, the corresponding resource is returned as an HTTP response. If it is determined that the access is not permitted, an HTTP response indicating that access is denied is returned.

  In the present embodiment, the host name of the resource management device 1 is serverA, and the resource management device 1 accepts an HTTP request through the communication port 80. A resource managed by the resource management device 1 and identified by “/example.html” inside the resource management device 1 is http: // serverA: 80 / example as a global identifier, that is, a URI (Uniform Resource Identifier). It has .html or http: //serverA/example.html. When the user of the user terminal device 2 instructs a reference request for http: // serverA: 80 / example.html, "GET / example" is set to port 80 of serverA by a browsing tool or a program such as a library under it. An HTTP request “.html” will be sent.

  In the present embodiment, the present invention is described using a text file described in HTML format as hypertext and using HTTP as the transmission / reception protocol. However, the present invention is limited to these formats and protocols. It is not something. In addition, the system may be configured to accept access to resources via a plurality of ports in one resource management device 1. In this case, the system may be configured on the assumption that there is a virtually different resource management device for each port, or the system may be configured so that resources are identified separately for each port on one resource management device. May be.

  In the access control method according to the present embodiment, an administrator who wants to control the provision of resources in the resource management apparatus 1 prepares and deploys a resource generation program that dynamically generates a file or resource corresponding to the resource in advance, Set access control information for these resources. Here, the access control information is information associating a public resource with an accessor permitted to access the resource. That is, by referring to the access control information, it is possible to determine whether or not the accessor who has made the access request has the authority to access the resource to be accessed. Furthermore, in the access control method according to the present embodiment, among the links appearing in the hypertext provided to the user, the access is permitted without depending on the access control information for the access person who has permitted access to the hypertext of the link source. One or a plurality of specific link extraction condition data corresponding to the type of link to the resource that is permitted is set. The specific link extraction condition data is data in which conditions for extracting a link permitting subsequent access from the user terminal are set, and a list including one or more specific link extraction condition data is It is called a specific link extraction condition data list. The resource generation program can be realized by using a common gateway interface (CGI), a Java server page (JSP), an active server page (ASP), a servlet, or the like.

  Next, the flow of processing when an access request is received in the access control method according to the present embodiment will be described with reference to FIG.

  In step S201, the resource management device 1 that has received the access request from the user terminal device 2 extracts the identification information of the resource to be accessed by this access request from the received access request in step S202, and unprotected target resources. If the information matches, the resource is determined to be an unprotected resource. If it is determined that the resource is a non-protection target resource, the resource management device 1 determines that access by the access request is unconditionally permitted, and acquires a resource corresponding to the identification information from the file system in step S203. Alternatively, it is generated by a resource generation program, and the resource is returned in step S214.

  If it is determined in step S202 that the resource to be accessed by the access request is not a non-protected resource, that is, a protected resource, the resource management device 1 acquires the session management information in step S204. It is determined whether a communication session has already been established with the user terminal device 2 that has referred to and transmitted the access request (session confirmation step). If a session has been established, the process proceeds to step S208.

  If the session is not established, the resource management device 1 authenticates the user of the user terminal device 2 in step S205 in order to generate a new communication session. For example, the name of the group to which the user belongs is acquired (user authentication step). As a user authentication method, an arbitrary authentication mechanism such as authentication based on a password, public key encryption, or authentication using PKI (Public Key Infrastructure) can be used. As a method for acquiring user attributes, a method of acquiring from the user information database held by the resource management apparatus 1 using the user ID as a search key, a method of acquiring by attribute authentication using an attribute certificate, or the like is adopted. Is possible.

  Thereafter, in step S206, it is determined whether or not the user authentication is successful. If the user authentication is unsuccessful, the resource management device 1 determines that the access by the access request is not permitted, and proceeds to S215. A response indicating rejection is returned to the user terminal device 2.

  If the user authentication is successful in step S206, the resource management device 1 proceeds to step S207, generates session information for recording information related to the communication session with the user terminal device 2, and adds it to the session management information Then, the process proceeds to step S210. The newly generated session information includes the ID of the session, the user ID of the communication partner, the user's confirmed attributes, and an empty allowed resource list. Here, the permitted resource list is a list in which identification information of resources permitted to access the user who has requested access is listed. The communication session is maintained and confirmed by storing information including the session ID in a data piece called a cookie and transmitting it to the user terminal device 2, and then attached to the access request received from the user terminal device 2. It can be realized by confirming whether the content of the cookie matches the session ID in the session information included in the session management information stored in the resource management device 1. Further, the resource management device 1 manages the session information together with the date and time when the session is established, and when determining whether or not the session is established in step S204, the resource management device 1 has exceeded the predetermined session validity period. It may be configured so that re-authentication by so-called time-out is performed, in which user authentication is performed again in step S205.

  If it is confirmed in step S204 that a session has been established, the resource management device 1 acquires session information corresponding to the session in step S208, and proceeds to step S209. In step S209, the resource management device 1 verifies whether the identification information of the resource to be accessed by the access request is included in the permitted resource list of the session information corresponding to the session (permitted resource determination step). . When the identification information of the resource to be accessed is included in the permitted resource list, the resource management device 1 determines that access according to this access request is permitted and proceeds to step S211. Determines that it is not permitted, and proceeds to step S210.

  In step S210, the resource management device 1 determines whether access according to the access request should be permitted based on a preset list of access control information (access authority determination step). If it is determined not to be permitted, the process proceeds to step S215, and a response indicating access rejection is returned to the user terminal device 2. If it is determined to be permitted, the process proceeds to step S211.

  In step S211, a file corresponding to the identification information of the resource to be accessed indicated by the access request is acquired from the file system, or an appropriate parameter is given to the resource generation program corresponding to this identification information to dynamically allocate the resource. Generate and acquire (resource acquisition generation step).

  Next, in step S212, it is determined whether or not the resource generated or acquired in step S211 is hypertext. If it is determined that the resource generated or acquired in step S211 is hypertext, the process proceeds to step S213. If it is determined that the resource is not hypertext, the process proceeds to step S214.

  In step S213, all the links that match any one or more preset specific link extraction condition data are extracted from the contents of the target hypertext, and the extracted one or more links are extracted. The identification information of each linked resource is added to the permitted resource list, and the process proceeds to step S214 (permitted resource list update step).

  In this permitted resource list update step, the identification information of the resource to be accessed by the access request from the user terminal device 2 may also be added to the permitted resource list.

  In addition, a permission determination effective time that represents an effective period of access permission determination by an elapsed time from the permission determination may be set in advance (effective time setting step). In this case, in the permitted resource list update step, the resource identification information and the registration date and time of this identification information are paired and added to the permitted resource list. In the permitted resource determination step, the user terminal device When determining whether or not to permit an access request for the identification information of the resource to be accessed by the access request from 2 if the elapsed time from the registration date and time of this identification information does not exceed the permission determination valid time Only the access by the access request may be determined to be permitted. Then, the identification information of the resource whose elapsed time from the registration date and time exceeds the permission determination valid time may be deleted from the permitted resource list (expired expired permitted resource deletion step).

  In the present embodiment, resources such as hypertext that are permitted to be accessed by an authorized access request when at least one of the authorized resource determination step (step S209) or the access authority determination step (step S210) is determined to be permitted. It is acquired or generated.

  In step S213, in addition to the extracted resource identification information, in addition to this, the identification information of the resource currently being processed may be added to the permitted resource list. In this case, when an access request occurs for the same resource, the access permission determination is performed more efficiently rather than a method with high processing cost such as access permission determination based on the access control information. Can do.

  Further, the system may be configured so that step S211, step S212, and step S213 are realized in the same step. This has the effect of increasing the efficiency of processing particularly when step S211 dynamically generates resources.

  Finally, in step S214, the resource generated or acquired in step S211 is returned as an access response to the user terminal device 2 that is the source of the access request (access response return step).

  Hereinafter, the access control method of the present embodiment will be described in detail using a specific example.

  FIG. 3 shows a part of resources managed by the resource management apparatus 1 in a specific embodiment of the present invention. These are resource identification information on the resource management device 1 or regular expressions thereof. The identification information 32 is a resource that is dynamically generated by a resource generation program in response to an access request. This resource generation program generates different hypertexts according to the value of the group attribute of the user who requested access.

  The resource corresponding to the identification information 31 is the hypertext 40 generated and deployed in advance as a file. The contents are shown in FIG. The hypertext 40 includes an element name IMG tag 41 including a link to a resource of identification information “/public/img/title.gif” and an element A including a link to a resource of identification information “/member.jsp”. And a tag 43 of element name A including a link to a resource of identification information “/public/index.html”. A tag 41 with an element name IMG instructs the viewing tool to display the image resource “/public/img/title.gif” embedded in the hypertext 40. The tag 42 and the tag 43 of the element A display hyperlinks corresponding to the hypertexts “/member.jsp” and “/public/index.html”, respectively, and according to the user clicking on the corresponding part. The browsing tool is instructed to move the screen to each hypertext document.

  Further, the resource corresponding to the identification information 33, 34, 35 is an image file generated and deployed in advance, and the resource corresponding to the identification information 36 is hypertext generated in advance and deployed at a predetermined position.

  In this embodiment, since the resource is identified only by the location information, the location information is used as the resource identification information. However, if the access method to the resource is, for example, the HTTP protocol, GET, POST, HEAD, etc. The location information and the access type may be used as resource identification information.

  FIG. 5A shows a setting example of the access control information 50 in the present embodiment. Each row represents one access control information for a resource or a set of resources. A column 51 represents identification information of a resource targeted by the access control information or a regular expression thereof, and a column 52 represents an attribute of a user who should be allowed to access one or more resources corresponding to the column 51.

  The access control information 53 means that any authenticated user is allowed to access a resource having the identification information “/member.jsp”, and the access control information 54 includes the identification information “/ img. This means that access to a resource having "/imageGold.png" is allowed only to users whose rank attribute value is "GOLD". The access control information 55 indicates that access to resources having identification information “/limited/map.class” is only for users whose group attribute value is “GROUP-A” or “GROUP-B”. Means to allow. The access authority confirmation using the access control information in the present embodiment is performed in principle as a denial, and it is determined that a set of resources and permitted users that are not listed in the access control information is denied.

  In the present embodiment, data having a structure in which the concept of a group is applied to a so-called access control list (ACL) is used as access control information. However, even if access control information in another ACL format is used, the capability is not limited. The access control information in a form that enumerates the resources permitted to the subject or the combination of the resource and the access type by paying attention to the accessor, that is, the subject as described above, or OASIS (Organization for the Advancement of Structured). Policy-based access control information such as XACML (eXtensible Access Control Markup Language) defined in Information Standards may be used, and the difference does not affect the effect of the present invention.

  Further, according to the access control method of the present embodiment, it is possible to determine whether or not access is possible for resources linked from other managed hypertexts without depending on access control information. Therefore, it is not necessary to set access control information regarding all resources to be managed. In other words, the amount of access control information that is generally large and complicated can be realized with a small amount of data and a simple structure, thereby reducing the labor of the administrator required for setting and maintaining the access control information. be able to.

  For example, it is common to divide a large quantity of documents into multiple documents and provide them in order. In such cases, hyperlinks to hypertext corresponding to subsequent pages are permitted. By describing the specific link extraction condition data and the hypertext corresponding to the first page so as to be extracted in the determination step, only access control information related to the hypertext corresponding to the first page needs to be set. . This is because, when a user who is permitted to access the first page obtains the first page, the identification information of the subsequent page is registered in the permitted resource list, and thus the subsequent page is accessed. This is because access is automatically permitted regardless of the presence / absence of access control information and setting contents.

  FIG. 5B is an example of setting contents of the non-protection target resource information 56 that is setting information related to a resource provided to an arbitrary user. Non-protection target resource information 56 lists resource identification information provided to an arbitrary user or regular expressions thereof. The first line of the unprotected target resource information 56 indicates a resource having the identification information “/index.html”, and the second line indicates a resource that matches the identification information regular expression “/ public / *”. The resource indicated by the non-protection target resource information 56 is permitted to access any user who has requested access without even performing user authentication. In addition, when there is a resource to which access is permitted for an arbitrary user, access control information related to the resource can be accessed for an arbitrary user without introducing and setting the unprotected target resource information 56. Although the same access permission determination result can be obtained by setting to permit, in this embodiment, it is separately managed in order to improve the processing efficiency.

  FIG. 6 shows a setting example of the specific link extraction condition data list 60 in the present embodiment. Each row is one specific link extraction condition data. A column 61 indicates element names of tags that are candidates for extraction. A column 62 indicates a condition regarding an attribute of the tag as a candidate for extraction as a pair of attribute name and attribute value. A column 63 indicates the attribute name of the attribute in the tag from which the link is to be extracted when the condition regarding the attribute value is satisfied. For example, the specific link extraction condition data 65 means that the link indicated by the “data” attribute of the tag of the element name OBJECT whose “type” attribute value is “image / gif” is extracted. . In this case, even if the element name is OBJECT, if the value of its "type" attribute is different from "image / gif", such as "image / jpg", the link from the tag will be Not extracted.

  Like the specific link extraction condition data 64, when the attribute value condition in the column 62 is blank, it indicates that there is no special condition. That is, it means that the link indicated by the value of the “src” attribute or “longdesc” attribute of the tag whose element name is IMG is extracted unconditionally. The same applies to the specific link extraction condition data 66 to the specific link extraction condition data 68.

  In this way, when the specific link extraction condition data is composed of a pair of the element name of the tag constituting the hypertext and the attribute name of one attribute among the attributes that the tag can have, the permitted resource In the list update step, select a tag with the same element name as the element name indicated by the specific link extraction condition data from the tags in the hypertext acquired or generated by the resource acquisition generation step, and extract the link to the selected tag When the attribute value of the attribute name pointed to by the condition data is included, the resource identification information included in the attribute value is extracted and added to the allowed resource list.

  The specific link extraction condition data includes the element name of the tag constituting the hypertext, the attribute name of the first attribute among the attributes that the tag may have, and the conditional expression regarding the attribute value of the first attribute, When the tag is configured with the attribute name of the second attribute among the attributes that the tag can have, in the permitted resource list update step, the tag in the hypertext acquired or generated by the resource acquisition generation step The tag having the same element name as the element name indicated by the specific link extraction condition data is selected, and the selected tag includes an attribute value having the first attribute name indicated by the specific link extraction condition data, and When the attribute value matches the conditional expression indicated by the specific link extraction condition data, the resource identification information included in the attribute value having the second attribute name indicated by the specific link extraction condition data is extracted. So as to add to the authorized resource list Te.

  Furthermore, when the specific link extraction condition data is a character string, in the permitted resource list update step, the character indicated by the specific link extraction condition data from the tag in the hypertext acquired or generated by the resource acquisition generation step. The identification information of the resource included in the attribute value of the attribute indicating the link to the other resource included in the tag that appears immediately after the comment tag including the column is extracted and added to the allowed resource list. In this case, the comment tag included in the hypertext may be deleted after the extracted identification information is added to the permitted resource list.

  FIG. 6 shows a setting example of the specific link extraction condition data list, but in the following, the mode of the resource group to be managed, the access control rules desired by the administrator for the resource group, and the administrator in the resource group The relationship between the hyperlink to be placed and the specific link extraction condition data to be set will be described in detail. However, the following shows a typical case, and the access control method according to the present invention is also applied to other resource group modes and a pair of access control rules desired by the administrator for the resource group. May be applicable.

<Example of a long document consisting of a series of multiple document files>
When publishing a large amount of documents to users, divide the document into multiple document files, and describe the hyperlinks to the subsequent document files inside each document file. It takes the form of being provided as a series of documents. Specifically, the description of the hyperlink to the subsequent document file is a tag in which the element name is A and the link attribute “href” is identification information of the subsequent document file, as shown in FIG. Means to describe. For example, a tag 111A whose element name is A with the identification information of the next document file 112A as the value of the link attribute “href” is described at the end of the first document file 110A. The same applies to subsequent document files. The user accesses and refers to each document file, and then requests and refers to access to the subsequent document file by following the hyperlink prepared in each document file.

  When the document administrator wants to restrict access to the entire document with uniform rules, that is, when the access authority is to be managed not for each divided document file but for the entire document. In the conventional access control method, it is necessary to describe the same access control information for each of the divided document files. Or, you can reduce the amount of access control information by placing multiple document files in the same folder and describing the access control information for that folder, but you must share the folder, or This imposes great restrictions on the creation and preparation of documents, such as the inability to place other document files in a folder.

  On the other hand, in the access control method according to the present embodiment, the administrator describes the access control information only for the first document file, and as shown in FIG. That is, it is only necessary to describe the specific link extraction condition data 125A for extracting the value of the link attribute “href” from the tag whose element name is A. With this setting, when a user who is permitted to access the first document file acquires the first document file, the identification information of the subsequent document file is displayed in the permitted resource list. When registered and subsequent document files are accessed, the access is automatically permitted and can be referred to. There are no restrictions on the file name or placement folder of each document file.

  Note that the document file that constitutes a series of documents as described above includes a hyperlink to another independent document, and the access to the independent document is controlled by access to the original document. When it is desired to perform the determination independently of whether or not it is possible, as shown in FIG. 9, the hyperlink to the subsequent document is set to “Next” by setting the value of the link attribute “rel” of the tag to “Next”. The specific link extraction condition data to be explicitly described and set as “specific link extraction condition data 125B in FIG. 10” is “hyperlink to subsequent document file”. ", That is, the value of the link attribute" href "is extracted only from the tag whose element name is A and the value of the link attribute" rel "is" Next ". realizable.

<Example of a multimedia document including an embedded image>
Next, an example relating to a multimedia document including an embedded image in the document will be given.

  As shown in FIG. 11, the embedding of an image in a document is identification information of an image file in which an element name is IMG and a link attribute “src” is embedded at a predetermined position where an embedding source document file is to be embedded. It means to describe such a tag. For example, the document file 116 describes a tag 117 whose element name is IMG with the identification information of the image file of the image to be embedded and displayed as the value of the link attribute “src”. When a user accesses and refers to an embedded document file, many browsers detect a hyperlink indicating image embedding, automatically request access to the image file, obtain it, and retrieve it. It is embedded in a predetermined position of the embedding source document and displayed to the user.

  When the document administrator wants to restrict access to a document with uniform rules including images embedded in the document, that is, for users who are allowed to refer to the document, refer to the image embedded in the document. In the conventional access control method, it is necessary to describe similar access control information for each of the document file and the embedded image file.

  On the other hand, in the access control method according to the present embodiment, the administrator describes access control information only for a document file, and as shown in FIG. 12, a hyperlink to an embedded image file, that is, It is only necessary to describe the specific link extraction condition data 125C for extracting the value of the link attribute “src” from the tag whose element name is IMG. With this setting, when a user who is permitted to access a document file acquires the document file, the identification information of the embedded image file is registered in the permitted resource list, and When an embedded image file is accessed, the access is automatically permitted and can be referred to.

  In the present embodiment, as described above, the specific link extraction condition data is expressed as a combination of the element name of the tag as a candidate for extraction, the condition relating to the attribute value of the tag, and the attribute name of the attribute from which the link should be extracted. A configuration in which a condition regarding the attribute value is not given is also possible. This is equivalent to leaving all the attribute value condition fields blank in the specific link extraction condition data prepared in the form of the specific link extraction condition data list 60.

  The specific link extraction condition data can also be specified by a method of describing a keyword included in a comment tag arranged immediately before a tag including a link to be extracted. In this case, at the time of link extraction described later, the attribute value of the attribute representing the link in an arbitrary tag that appears immediately after the comment tag including the keyword described in the specific link extraction condition data is extracted. . Since the comment tag does not affect the display contents of the hypertext browsing tool including the comment tag, any link can be extracted without any restriction on the layout of the hypertext. Note that the system may be configured to delete the comment tag from the hypertext after extracting the link. In this way, the user of the user terminal device 2 is notified of the fact that the access right has been given based on the comment tag and what kind of keyword the comment tag is used to give the access right. Can be concealed.

  Furthermore, these multiple forms of specific link extraction condition data may be applied in any combination.

  Note that the preparation of the resource or the resource generation program by the administrator and the setting of the specific link extraction condition data may be performed in order or may be performed in parallel. That is, even if the specific link extraction condition data is set according to the state of the link in the prepared resource or the state of the link that should appear in the resource generated by the prepared program, and the access control policy considered by the administrator. Alternatively, the resource or the program that generates the resource may be generated or modified according to the specific link extraction condition data set in advance.

  In the latter procedure, the specific link extraction condition data is set without depending on the aspect of each resource, but such specific link extraction condition data is included in the hypertext of the reference source. It is considered that a tag and its attribute corresponding to an embedded type link, that is, a src attribute of an IMG tag and a background attribute of a BODY tag can be widely used.

  In addition, when the specific link extraction condition data is configured by keywords included in the comment tag, the specific link extraction condition data, that is, a special comment character string is set first, and then a resource or a resource is generated. It is considered that a general operation mode is such that a program is prepared by placing a comment tag including the special comment character string in front of a specific link.

  Next, the processing in the resource management device 1 when receiving an access request from the user terminal device 2 will be described with reference to FIG. 13 showing an outline of communication between the user terminal device 2 and the resource management device 1. Detailed explanation based on typical cases.

  When the resource management device 1 receives the access request M701 transmitted by the user of the user terminal device 2 operating the browsing tool, the access control process in the resource management device 1 is started.

  The resource management apparatus 1 that has received the access request M701 in step S201 extracts the identification information “/index.html” of the access target resource from the access request M701, compares it with the non-protection target resource information 56, and It is confirmed whether it is a resource (step S202). In this example, the identification information “/index.html” of the resource matches the first line of the non-protection target resource information 56, and thus is determined as a non-protection target resource. Therefore, the resource corresponding to the identification information “/index.html”, that is, the hypertext 40 is acquired from the file system (step S203), and the resource is returned to the user terminal device 2 as the access response M702 (step S214). .

  The browsing tool that has received the access response M702 sent back to the user terminal device 2 acquires the hypertext 40 from the access response M702, analyzes it, and installs a display corresponding to the content on the user terminal device 2. Output to the screen. Since the hypertext 40 includes an IMG tag 41 that means a link to the embedded image “/public/img/title.gif”, this browsing tool does not depend on the user's operation, but the resource “/ public / img An access request M703 for "/title.gif" is transmitted.

  The resource management apparatus 1 that has received the access request M703 extracts the identification information “/public/img/title.gif” of the access target resource from the access request M703, and confirms whether it is a non-protection target resource (step) S202). In this example, since the identification information “/public/img/title.gif” matches the second line “/ public / *” of the non-protected target resource information 56, it is determined as a non-protected target resource. Therefore, in the same manner as before, the image file 71 corresponding to “/public/img/title.gif” is acquired (step S203), and this is returned as the access response M704 to the user terminal device 2 (step S214). .

  Next, it is assumed that the user who browses the hypertext 40 displayed on the screen by the browsing tool clicks the portion corresponding to the tag 42 on the screen by operating the browsing tool. The clicked portion is a hyperlink to the resource “/member.jsp”, and an access request M705 for “/member.jsp” is transmitted to the resource management apparatus 1.

  The resource management device 1 that has received the access request M705 extracts the identification information “/member.jsp” of the access target resource from the access request M705, and collates it with the unprotected target resource information 56 (step S202). In this example, since the identification information “/member.jsp” of the resource does not match any of the non-protection target resource information 56, it is determined as a protection target resource.

  Therefore, it progresses to step S204 and it is determined whether the communication session is already established between the user terminal devices 2 which transmitted this access request with reference to session management information. In this example, since the session has not been established, the user of the user terminal device 2 is authenticated and an attempt is made to acquire the user ID and attributes (step S205). In this embodiment, it is assumed that the authentication is successful, and the group attribute value “GROUP-A” and the rank attribute value “SILVER” can be acquired as the user attributes together with the user ID. Next, whether or not the authentication is successful is determined (step S206). In this example, since it was successful, the user ID acquired by the authentication and the group attribute “GROUP-A” and the rank attribute are added to the issued session ID. Session information associating “SILVER” with an empty permitted resource list is generated, added to the session management information (step S207), and the process proceeds to step S210. The reason for not proceeding to step S209 is that the session of the access request has just been established, that is, it is clear that the allowed resource list is empty.

  In step S210, whether or not the access request can be made is determined based on the access control information 53 regarding the identification information “/member.jsp” of the resource to be accessed. In this example, the access control information 53 indicates that all authenticated users are allowed to provide the resource “/member.jsp”, so that the access according to the access request is determined to be permitted. The Accordingly, the process proceeds to step S211, and the resource identified by “/member.jsp” is acquired. As described above, the resource corresponding to “/member.jsp” is generated by the resource generation program and differs depending on the value of the group attribute of the user who requested access. Here, it is assumed that the hypertext 80 shown in FIG. 14 is generated according to the value “GROUP-A” of the group attribute of the user.

  In a succeeding step S212, it is determined whether or not the generated resource is hypertext. In this example, since the generated resource is the hypertext 80, the process proceeds to step S213, and the permitted resource list is updated based on the hypertext 80. Tags that match any of the specific link extraction condition data 64-68 included in the specific link extraction condition data list 60 are searched from the tags included in the hypertext 80. The tag 81 included in the hypertext 80 matches the specific link extraction condition data 65 because the element name is OBJECT and the attribute value of the attribute name “data” is “image / gif”. Therefore, the value of the attribute “data” specified in the column 63 of the specific link extraction condition data 65, that is, “/img/imageCommon.gif” is extracted from the hypertext 80, and the session management of the session to which the access request belongs. Added to the allowed resource list for the data. Although the tag 82 included in the hypertext 80 has an element name of OBJECT, the attribute value of the attribute name “data” is “image / png” and does not match any specific link extraction condition data. No links are extracted from. Therefore, the link extracted from the present hypertext 80 is only one extracted from the tag 81. The state of the permitted resource list 90 at this time is shown in FIG.

  Finally, the resource management device 1 returns the hypertext 80 as the access response M706 to the user terminal device 2 (step S214).

  The browsing tool that has received the access response M706 sent back to the user terminal device 2 acquires the hypertext 80 from the access response M706, analyzes it, and installs a display corresponding to the content on the user terminal device 2. Output to the screen. Since the hypertext 80 includes a tag 81 and a tag 82 having an attribute that signifies a link to an image, this browsing tool does not depend on a user's operation, and image resources corresponding to the tags 81 and 82 respectively. Access requests M707 and M709 are transmitted. In the following, when these access requests are serialized, that is, the user terminal device 2 transmits the access request M707 first, receives the response, and then transmits the access request M709. Two access requests may be implemented in parallel.

  First, the user terminal device 2 transmits an access request M707 for the resource “/img/imageCommon.gif”. The resource management device 1 that has received the access request M707 compares the identification information “/img/imageCommon.gif” of the access target extracted from the access request M707 with the non-protection target resource information 56 (Step S202). Therefore, it is determined that the resource is a protection target resource, and it is then determined by referring to the session management information whether a communication session has already been established with the user terminal device 2 that transmitted the access request (step S204). In the case of this example, the resource management device 1 proceeds to step S208 because the session has been established first, and acquires the session information of the session to which the access request belongs. Then, the resource management device 1 searches for the identification information “/img/imageCommon.gif” of the requested resource from the permitted resource list 90 corresponding to the session (step S209). In this example, since the corresponding identification information 91 is in the permitted resource list 90, the access request is determined to be permitted. Then, an image file that is a resource corresponding to the identification information “/img/imageCommon.gif” is acquired from the file system (step S211), and it is determined whether or not the resource is hypertext (step S211). Since it is not text, the image file is immediately returned to the user terminal device 2 as an access response M708 (step S214).

  The browsing tool that has received the access response M708 displays the image file included in the access response M708 at a predetermined position in the hypertext 80 and transmits an access request M709 for an image resource corresponding to the remaining tag 82. The resource management device 1 that has received the access request M709 compares the identification information “/img/imageGold.png” of the access target resource extracted from the access request M709 with the unprotected target resource information 56 (Step S202). Therefore, it is determined that the resource is a protection target resource, and next, referring to the session management information, confirms whether a communication session has already been established with the user terminal device 2 that has transmitted the access request (step S204), Since it is established, the process proceeds to step S208, and the session information of the session to which the access request belongs is acquired. Then, the identification information “/img/imageGold.png” of the requested resource is searched from the permitted resource list 90 corresponding to the session (step S209). Based on the access control information 54 relating to “/img/imageGold.png”, it is determined whether or not the access request can be made (step S210). In this example, the access control information 54 indicates that the provision of the resource “/img/imageGold.png” is permitted only for users whose rank attribute is “GOLD”. Since the rank attribute of the user who transmitted this access request is “SILVER” when referring to the session information, the resource management device 1 determines that this access request is not permitted, and proceeds to step S215 to indicate a response indicating access rejection. M710 is returned to the user terminal device 2.

  The resource management device 1 continues to determine whether or not the access request can be made based on the access control information or the permitted resource list in response to the access request repeated from the user terminal device 2 and to the user terminal device 2. The extraction of the link from the hypertext to be returned, the update of the allowed resource list, and the resource return are sequentially repeated.

  In this embodiment, the permitted resource list 90 is configured by enumerating the resource identification information 91, but each row is configured by a pair of resource identification information and the registration date and time of the identification information in the permitted resource list 90. In step S209, the access request may be determined to be permitted only when the elapsed time from the date and time when the identification information is registered does not exceed a preset valid time. In this case, the principle of timeout of the communication session described above is applied to an entry corresponding to each resource registered in the permitted resource list. Further, such an expired entry may be automatically deleted from the permitted resource list. The automatic deletion trigger may be configured to monitor and execute whether there is an expired entry at a fixed time interval, or an expiration date is detected at the time of determination using the permitted resource list in step S209. May be carried out continuously.

  Further, when the resource management device 1 is shared by a plurality of users, each user places a unique resource and receives access from the user terminal 2, a security threat is obtained by a malicious user. May receive. That is, a hypertext that represents a hyperlink to a resource managed by the first user and has a tag that matches the specific link extraction condition data set in the resource management apparatus 1 is malicious. When the second user prepares, the resource managed by the first user included in this hypertext is posted to the authorized resource list corresponding to the user who is not assumed by the first user, and the result As a result, the resource managed by the first user is disclosed to the user.

  As a first measure for preventing such a problem, there is a method of limiting the hypertext to be subjected to link extraction in step S213 to the hypertext registered by the administrator in advance. In this method, an administrator registers hypertext identification information that is a target of link extraction in a link extraction target resource list in response to a request from a user (link extraction target resource registration step). If there is a request from a user, the administrator can trust the user, and the link extraction target hypertext does not contain a link that violates the user's security policy for other users' resources Only when it is determined that there is no problem, the identification information of the hypertext is registered in the link extraction target resource list. Then, at the time of the link extraction process in step S213, it is confirmed whether or not the resource targeted by the access request, that is, the hypertext that is the source of updating the permitted resource list is registered in the link extraction target resource list. Only when registered, a link is extracted from the hypertext to update the allowed resource list.

  As a second measure, a user who can be trusted by an administrator is registered in the trusted user list as a valid resource provider, and the hypertext that is the object of the link extraction processing in step S213 is the trusted user list. It was verified whether it was placed by a user registered in the list or a resource generation program placed by a user registered in the trusted user list, and passed the verification. Only in such a case, there is a method of extracting the link from the hypertext and updating the allowed resource list.

  The resource creator / arranger is verified by a method in which a digital signature of the resource creator / arranger is given to the resource in advance and the digital signature is verified prior to link extraction in step S213. It is feasible. For dynamically generated types of resources, give a digital signature to the resource generation program and start the resource generation program after verifying this signature, or give the resource generation program a signature key, The signature key is given authority as a proxy of the user who is the creator or deployer of the resource generation program by an authority delegation certificate (Proxy Certificate) or the like, and step S213 is executed between the execution process of this program. This can be realized by a method of performing authentication or giving a digital signature by the resource generation program to a resource output from the execution process of the resource generation program and verifying the digital signature.

  Since the second policy is determined based on the trust relationship with the user, there is a possibility that an unexpected access permission is left due to the user's betrayal or negligence, but the hypertext that is the source of the link extraction is left behind. When it is desired to change or increase / decrease frequently, there is an advantage in terms of flexibility compared to the first policy.

(Second Embodiment)
Next, a second embodiment of the access control method according to the present invention will be described. The flow of processing of the access control method in this embodiment is shown in the flowchart of FIG.

  In the flowchart of FIG. 16, the process of step S220 is added to the flowchart showing the process flow of the access control method of the first embodiment shown in FIG. The difference is that the destination when the resource is not an authorized resource is changed from the process of step S210 to the process of step S215.

  When the second embodiment is compared with the first embodiment, in the second embodiment, prior to the determination of accessibility using the permitted resource list performed in step S209, the process proceeds to step S220. It is determined whether or not access control information related to the resource to be accessed by the access request is set. If set, the process proceeds to step S210, and if not set, the process proceeds to step S209. It is characteristic. Also, in this embodiment, when it is determined that access is not permitted by the access permission determination using the permitted resource list in step S209, an access rejection response is returned without performing further access permission determination. Is characteristic.

  In other words, in the present embodiment, whether or not an access is permitted for a resource for which access control information is set is determined only by the setting contents of the access control information without depending on the permitted resource list.

  When the specific example used in the first embodiment is applied to the resource management apparatus 1 according to the second embodiment, the contents of the access control processing in the resource management apparatus 1 for the access requests M701, M703, and M705 are not changed. . Also, the access control for the access requests M707 and M709 does not change the result, but the processing flow is different as follows.

  First, the access request M707 proceeds in the same manner as in the first embodiment up to step S208, but thereafter, in step S220, access control related to the requested resource identification information "/img/imageCommon.gif". Check if the information is set. Since there is no corresponding access control information in the access control information list 50, the process proceeds to step S209. Thereafter, the process proceeds again in the same manner as in the first embodiment. As a result, an image file which is a resource corresponding to “/img/imageCommon.gif” is returned to the user terminal device 2 as an access response M708.

  The flow of access control processing for the access request M709 is as follows. This also proceeds to step S208 in the same manner as in the first embodiment, but thereafter, in step S220, access control information 54 regarding the requested resource identification information "/img/imageGold.png" is set. Is confirmed, and the process proceeds to step S210. Thereafter, the process proceeds again in the same manner as in the first embodiment, and a response M710 indicating access rejection is returned to the user terminal device 2.

  In the second embodiment, if there is access control information related to the resource requested to be accessed, the access permission information using the permitted resource list is not determined. Therefore, when access control information is explicitly set, an access right beyond the access permission instruction described in this access control information is not granted. There is. However, if access control information is to be used in an auxiliary manner, that is, a specific hypertext is permitted to a user who has accessed the resource by following a link provided in the specific hypertext, while the specific hypertext is permitted. For a user who directly accesses the resource instead of a link from the text, it is inappropriate to set access control information in order to determine again whether or not access is possible.

  In the first and second embodiments, the resource acquisition generation step (step S212) and the permitted resource list update step (step S213) have been described as being performed in separate steps. However, the resource acquisition generation step (Step S212) and the permitted resource list update step (Step S213) may be performed in the same step.

  Although not shown in the figure, the resource management device 1 according to the first and second embodiments of the present invention described above records a program for executing the access control method described above. It has a medium. This recording medium may be a magnetic disk, a semiconductor memory, or another recording medium. This program is read from the recording medium into the resource management apparatus 1 and controls the operation of the resource management apparatus 1. Specifically, the above processing is realized by the CPU in the resource management device 1 instructing the hardware resource of the resource management device 1 to perform a specific processing under the control of this program.

It is a block diagram which shows the structure of the hypertext document browsing system of the 1st Embodiment of this invention. It is a flowchart which shows the flow of a process at the time of the access request reception in the hypertext document browsing system of the 1st Embodiment of this invention. It is a figure which shows a part of resource managed with the resource management apparatus 1 of FIG. It is a figure which shows the content of the resource in the 1st Embodiment of this invention. It is the figure (FIG.5 (a)) which shows the access control information in the 1st Embodiment of this invention, and the figure (FIG.5 (b)) which shows non-protection object resource information. It is a figure which shows the specific link extraction condition data list in the 1st Embodiment of this invention. It is a figure which shows an example of the hyperlink to a subsequent document when publishing a series of several document files. It is a figure which shows an example of the specific link extraction condition data set when publishing a series of several document files. FIG. 10 is a diagram illustrating another example of a hyperlink to a subsequent document when a series of a plurality of document files is released. It is a figure which shows the other example of specific link extraction condition data set when publishing a series of several document files. FIG. 3 is a diagram illustrating an example of a hyperlink to an image file to be embedded when a multimedia document including an embedded image is published. It is a figure which shows an example of the specific link extraction condition data set when publishing the multimedia document containing an embedded image. It is a sequence chart which shows the mode of the communication performed between the user terminal 2 and the resource management apparatus 1 in the 1st Embodiment of this invention. It is a figure which shows an example of the hypertext in the 1st Embodiment of this invention. It is a figure which shows an example of the permitted resource list | wrist in the 1st Embodiment of this invention. It is a flowchart which shows the flow of a process at the time of the access request reception in the hypertext document browsing system of the 2nd Embodiment of this invention.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 Resource management apparatus 2 User terminal device 3 Network 31-36 Identification information 40 Hypertext 41, 42, 43 Tag 50 Access control information 51, 52 Column 53, 54, 55 Access control information 56 Non-protection target resource information 60 Specific link Extraction condition data list 61, 62, 63 columns 64-68 Specific link extraction condition data list 71 Image file 80 Hypertext 90 Permitted resource list 110A, 110B Document file 111A, 111B Tag 112A, 112B Document file 113A, 113B Tag 114A, 114B Document file 115A, 115B Tag 116 Document file 117 Tag 120 Specific link extraction condition data list 121 Element name 123 Attribute value condition 124 Link attribute 125A-12 C specific link extraction condition data M701, M703, M705, M707, M709 access request M702, M704, M706, M708, M710 access response S201~S215, S220 step

Claims (18)

An access control method for controlling access to a managed resource in a resource management device that manages hypertext structured by tags including links to other resources and resources linked from hypertext. ,
When an access request is received from a user terminal device, the permitted resource list in which the identification information of the resource to be accessed by the access request is listed and the identification information of the resource that is permitted to be accessed by the user is listed And when the identification information of the resource to be accessed is included in the permitted resource list, an authorized resource determination step for determining that the access according to the access request is permitted,
When the access request received in the permitted resource determination step is determined to be permitted, a resource acquisition generation step for acquiring or generating a hypertext or a resource that is permitted to be accessed by the permitted access request;
Specific link extraction condition data in which a condition for extracting a link permitting subsequent access from the user terminal is set when the resource acquired or generated by the resource acquisition generation step is hypertext Are extracted from the hypertext, and all the links that match any one or more of the specific link extraction condition data included in the specific link extraction condition data list are extracted from the hypertext, A permitted resource list update step of adding identification information of a resource that is a link destination of each of the extracted one or more links to the permitted resource list;
An access response reply step of returning the resource acquired or generated in the resource acquisition generation step as an access response to the user terminal that has transmitted the access request;
An access control method comprising: An access control method for controlling access to a managed resource in a resource management device that manages hypertext structured by tags including links to other resources and resources linked from hypertext. ,
When an access request is received from a user terminal device, the permitted resource list in which the identification information of the resource to be accessed by the access request is listed and the identification information of the resource that is permitted to be accessed by the user is listed And when the identification information of the resource to be accessed is included in the permitted resource list, an authorized resource determination step for determining that the access according to the access request is permitted,
When it is determined that access is not permitted in the permitted resource determination step, the access is performed based on access control information that is information that associates a public resource with an accessor permitted to access the resource. An access authority determination step for determining whether or not access by a request should be permitted;
A resource acquisition and generation step of acquiring or generating a hypertext or a resource that is permitted to be accessed by the permitted access request when it is determined that at least one of the permitted resource determination step or the access authority determination step;
Specific link extraction condition data in which a condition for extracting a link permitting subsequent access from the user terminal is set when the resource acquired or generated by the resource acquisition generation step is hypertext Are extracted from the hypertext, and all the links that match any one or more of the specific link extraction condition data included in the specific link extraction condition data list are extracted from the hypertext, A permitted resource list update step of adding identification information of a resource that is a link destination of each of the extracted one or more links to the permitted resource list;
An access response reply step of returning the resource acquired or generated in the resource acquisition generation step as an access response to the user terminal that has transmitted the access request;
An access control method comprising: The specific link extraction condition data includes a pair of an element name of a tag constituting the hypertext and an attribute name of one attribute among attributes that the tag may have,
In the allowed resource list update step, a tag having the same element name as the element name indicated by the specific link extraction condition data is selected from the tags in the hypertext acquired or generated by the resource acquisition generation step, and selected. When the attribute value of the attribute name indicated by the link extraction condition data is included in the tag, the identification information of the resource included in the attribute value is extracted and added to the allowed resource list. The access control method according to claim 1 or 2. The specific link extraction condition data includes an element name of a tag constituting the hypertext, a conditional expression relating to an attribute name of the first attribute and an attribute value of the first attribute among attributes that the tag may have, It consists of the attribute name of the second attribute among the attributes that the tag can have,
In the allowed resource list update step, a tag having the same element name as the element name indicated by the specific link extraction condition data is selected from the tags in the hypertext acquired or generated by the resource acquisition generation step, and selected. If the attribute value having the first attribute name pointed to by the specific link extraction condition data is included in the tag and the attribute value matches the conditional expression pointed to by the specific link extraction condition data, the specific link 3. The access control method according to claim 1, wherein the identification information of the resource included in the attribute value having the second attribute name indicated by the extraction condition data is extracted and added to the permitted resource list. The specific link extraction condition data is a character string;
In the permitted resource list update step, included in a tag appearing immediately after a comment tag including a character string pointed to by the specific link extraction condition data, from a tag in the hypertext acquired or generated by the resource acquisition generation step 3. The access control method according to claim 1, further comprising: extracting resource identification information included in an attribute value of an attribute indicating a link to another resource and adding the extracted information to the permitted resource list.   In the permitted resource list update step, included in a tag appearing immediately after a comment tag including a character string pointed to by the specific link extraction condition data, from a tag in the hypertext acquired or generated by the resource acquisition generation step Extracting the identification information of the resource included in the attribute value of the attribute indicating the link to the other resource to be added and adding it to the allowed resource list, and then deleting the comment tag included in the hypertext The access control method according to claim 5.   The access control method according to claim 1, wherein the resource identification information includes resource location information and a set of access methods. When an access request is received from the user terminal device, it is confirmed whether a communication session has already been established with the user terminal device that has transmitted the access request. A session confirmation step of generating a communication session in
The permitted resource list is stored in association with the session, and is established with the user terminal device that has transmitted the access request in the permitted resource list update step and the permitted resource determination step. The access control method according to claim 1, wherein the permitted resource list corresponding to the communication session is updated or referred to.   When receiving an access request from the user terminal device or establishing the communication session, the method further comprises a user authentication step of authenticating an accessor or a user terminal used by the accessor. The access control method according to any one of claims 1 to 8.   10. The authorized resource list update step further includes adding, to the authorized resource list, identification information of a resource to be accessed by an access request from the user terminal device. The access control method according to item. An effective time setting step of presetting a permission determination effective time that represents an effective period of access permission determination by an elapsed time from the permission determination;
In the permitted resource list update step, the resource identification information and the registration date and time of the identification information are paired and added to the permitted resource list,
In the permitted resource determination step, when the access request from the user terminal device determines whether to permit an access request for the identification information of the resource to be accessed, the elapsed time from the registration date of the identification information The access control method according to any one of claims 1 to 10, wherein access is determined to be permitted only when the time does not exceed the permission determination valid time.   The expired permitted resource deletion step of deleting, from the permitted resource list, identification information of a resource whose elapsed time from the registration date and time exceeds the permission determination valid time. Access control method. A link extraction target resource registration step of registering one or a plurality of hypertexts that are allowed to be a link extraction target as a link extraction target resource;
In the permitted resource list update step, the hypertext is used only when the resource to be accessed by the access request from the user terminal device is the hypertext registered by the link extraction target resource registration step. The access control method according to claim 1, wherein the permitted resource list is updated.   In the permitted resource list update step, the resource to be accessed by the access request from the user terminal device is a hypertext deployed by an authorized resource provider, or deployed by an authorized resource provider. 14. The hypertext generated by the means is verified, and the approved resource list is updated using the hypertext only when the verification is passed. The access control method according to any one of claims. An access control method for controlling access to a managed resource in a resource management device that manages hypertext structured by tags including links to other resources and resources linked from hypertext. ,
When an access request from a user terminal device is received, the resource to be accessed by the access request is changed to access control information, which is information associating a public resource with an accessor permitted to access the resource. An access control information confirmation step for determining whether or not it is registered;
In the access control information confirmation step, if it is determined that the resource that is the access target of the access request is registered in the access control information, should access be permitted by the access request based on the access control information? An access authority determination step for determining whether or not,
If it is determined in the access control information confirmation step that the resource that is the access target of the access request is not registered in the access control information, the identification information of the resource that is the access target of the access request is the user Check whether the identification information of the resource that is permitted to access is included in the enumerated permitted resource list, and the identification information of the resource to be accessed is included in the permitted resource list Includes an allowed resource determination step of determining that access by the access request is permitted, and
A resource acquisition and generation step of acquiring or generating a hypertext or a resource that is permitted to be accessed by the permitted access request when it is determined that at least one of the permitted resource determination step or the access authority determination step;
Specific link extraction condition data in which a condition for extracting a link permitting subsequent access from the user terminal is set when the resource acquired or generated by the resource acquisition generation step is hypertext Are extracted from the hypertext, and all the links that match any one or more of the specific link extraction condition data included in the specific link extraction condition data list are extracted from the hypertext, A permitted resource list update step of adding identification information of a resource that is a link destination of each of the extracted one or more links to the permitted resource list;
An access response reply step of returning the resource acquired or generated in the resource acquisition generation step as an access response to the user terminal that has transmitted the access request;
An access control method comprising:   The access control method according to claim 1, wherein the resource acquisition generation step and the allowed resource list update step are performed in the same step.   A program for causing a computer to execute the access control method according to any one of claims 1 to 16.   A computer-readable recording medium on which the program according to claim 17 is recorded.

Images