JP2006040219A - Content disclosure device, system and medium - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To minimize time for opening a network port to which contents are disclosed and to reduce required hardware resources. <P>SOLUTION: An HTTP server 1010 has a content disclosure processing part which discloses the contents, a content management part which registers/changes/deletes the contents and a network management part which specifies a port number to be disclosed to the contents and to make the port usable when there are the contents to be disclosed. <P>COPYRIGHT: (C)2006,JPO&NCIPI

Description

  The present invention relates to control of a communication port of a network used for providing information and services in a system that provides information and services by a computer or the like connected to a network.

  In recent years, an increasing number of systems provide information and services described in HTML or the like using the HTTP protocol in a network such as TCP / IP.

  FIG. 6 is a diagram showing a conventional device configuration of such an information providing system. In the figure, 7010 is a server machine that stores information and services described in HTML or the like, that is, contents, and operates an HTTP server that distributes the contents in response to a request from the user, and 7020 is distributed from the server machine 7010. A content supply machine that creates content and supplies it to the server machine 7010, 7030 is a client machine for the user to browse the content distributed by the server machine 7010 using an HTML browser or the like, 7040 is a server machine 7010, and a content supply machine 7020 is a network connecting client machines 7030.

  FIG. 7 is a conceptual diagram showing access from the HTTP server and the client machine 7030 executed on the server machine 7010. In the case where two ports, TCP / IP port 80 and port 8080, are opened to allow access from the user. The conventional structure of is shown. In the figure, 8010 is an HTTP server for distributing content for port 80, 8020 is content distributed by an HTTP server for port 80, and 8030 is for distributing content for port 8080 The HTTP server 8040 is content distributed by the 8080 port HTTP server.

  Content distributed by the HTTP server is identified by a URL (Universal Resource Locator: RFC2396). The part that identifies the server in the URL consists of a host (described by a host name or IP address) and a port number. An example of the content URL delivered by the HTTP server is as follows.

http://www.foo.com:8000/test
In this example, access is made to port 8000 of the host machine www.foo.com, and content called test is acquired. The port number can be omitted. When the port number is omitted, a default port determined for each protocol is accessed. The default port for HTTP protocol is 80.

  While information transmission using computers has been flourishing in this way, it finds an open port, makes unauthorized access to the computer by exploiting the vulnerability of the server that communicates with that port, and various kinds of computer There are an increasing number of cases that make various attacks.

  Various countermeasures have been considered as countermeasures (for example, see Patent Document 1).

  As a general countermeasure, a so-called firewall is installed to monitor whether there is an unauthorized access to the open port without opening the port unnecessarily.

On the other hand, devices are generally managed using HTTP protocol and HTML. In this case, a separate management port is used instead of a general standard port. Management.
Japanese Patent Laid-Open No. 11-032075

  Even when a port is opened separately from a standard port for management or the like, there is a demand to keep the open time as short as possible so that the time exposed to external attacks is minimized.

  In addition, as shown in the conventional example, when information is provided at another port, it is necessary to separately provide a server that provides information using that port.

  Usually, an administrator who manages such a server requires administrator privileges, and it is not easy to perform operations such as starting and stopping the server simply and frequently.

  In addition, since the operation cannot be performed easily, it is possible to keep the server running even if there is no content to be provided, and the port used by the server will remain open at all times, reducing the security strength. It will also lead to things.

  In addition, by starting up a separate server, starting up a server other than the server providing information at the standard port requires more computer resources. On a large-scale server machine, running multiple servers may not be a problem, but the overhead of resources for running multiple server software is not acceptable, especially in small-scale devices called embedded devices. .

  In view of the above problems, in the present invention, a content publishing unit that is connected to a network such as the Internet and publishes content such as an HTML page, an image, and a program in response to a publishing request sent via the network; In a content publishing apparatus having content management means for managing contents such as registering contents to be disclosed in a form that can be disclosed, changing the contents of the registered contents, and deleting the registered contents, at the time of content registration / change A public port designating unit for designating the communication port of the network to which the content is to be disclosed, for the content, and the communication port corresponding only when the content for which the communication port is designated by the public port designating unit exists Has a communication port management means that can be used. Configure.

  Further, the content management means is configured to have a publication period designating means for designating a period during which the contents should be published when the contents are managed.

  Further, when the port is managed by the port management means, it is configured to have a port opening possible time zone specifying means for specifying a time zone during which the port can be opened.

  According to the present invention, when publishing content using a plurality of ports, it is possible to configure such that the port to be opened is opened only when the content to be published using the port is registered. This has the effect of minimizing the period during which the port is attacked.

  Further, since the port can be opened by registering the contents, there is an effect of preventing an increase in management cost due to starting up a plurality of servers. At the same time, having only one server has the effect that computer resources of the server machine that runs the server can be proposed.

  A first embodiment of the present invention will be described.

  The system configuration of the system is the same as that of the conventional example shown in FIG.

  FIG. 1 is a conceptual diagram showing an access from an HTTP server and a client machine 7030 executed on the server machine 7010 in this embodiment. Access from a user by opening two ports 80 and 8080 of TCP / IP. The configuration in the case of permitting is shown. In the figure, 1010 is an HTTP server that provides content using the HTTP protocol, and 1020 is content provided by the HTTP server 1010. The content 1020 is managed separately from the content provided by the 80th port and the content provided by the 8080 port.

  FIG. 2 is a diagram showing a hardware configuration of the server machine 7010. As shown in FIG. In the figure, 2010 is a control unit that controls the entire server machine 7010, 2020 is a storage unit that stores the content to be provided and programs executed on the server machine 7010, and 2030 is a server machine 7010 connected to an external machine for communication. A network unit 2040 for performing the operation is a bus that controls the data / control flow by connecting the units.

  FIG. 3 is a diagram showing a software configuration of the HTTP server 1010. As shown in FIG. In the figure, 3010 is a content management unit that manages content 1020, 3020 is a network management unit that manages ports that allow access from outside using network unit 2030, and 3030 is content 1020 via network unit 2030. A content publishing processing unit provided based on a publishing request sent from the outside.

  The content management unit 3010 includes a content ID for identifying the content, a port number for providing the content, an external path when the content is accessed from the outside, and a storage unit in which the content is stored when the content is stored in the storage unit 2020 The content is managed by a database including an internal path indicating a location in 2020, a description that is a sentence that describes the content, and a table that has a user ID of the content registrant as a field.

  Hereinafter, processing performed in the HTTP server 1010 will be described with reference to the drawings.

In order for the content supply machine 7020 to request processing from the content management unit 3010, it is necessary to access the content management page provided by the standard port of the HTTP server 1010 using a web browser running on the content supply machine 7020. is there. This content management page is published by the content publication processing unit 3030.
When this management page is accessed, a user confirmation page shown in FIG. 4 is displayed. In the figure, a user ID and password are requested, and it is confirmed that the entered user ID and password are correct, user authentication is performed, and an authorized user is accessing. When the user is recognized as a regular user, the content management page shown in FIG. 5 is displayed. In the figure, 5010 is a content list for displaying a list of registered contents, 5015 is a radio button for selecting content to be processed, 5020 is a new button for instructing to newly create content, and 5025 is Delete button for instructing to delete the selected content, 5030 is an edit button for instructing to edit the selected content, and 5035 is for identifying the content to be operated ID display field for displaying an ID, 5040 for a description field for inputting a description of the content, 5045 for a port number field for specifying a port number for providing the content, and 5046 for specifying a path part of a URL for publishing the content Path field, 5050 is a content field for specifying the location where the content is stored. Field, 5055 is a description field 5040, port number field 5045, public path field 5046, and cancel button for instructing to delete the setting contents of the content file field 5050, 5060 is a HTTP command POST command. This is a send button for instructing to send the contents of a page.

In the content list 5010 of this content management page, a list of contents registered by the accessing user and a list of processes permitted to the accessing user are displayed. An example of Java (registered trademark) Server Pages description for generating the content management page shown in FIG. 5 is shown below (Java (registered trademark) Server Pages is a trademark of Sun Microsystems, Inc.).
<% @ page contentType = "text / html; charset = shift-jis"%>
<html>
<head>
<title> Content management </ title>
<script language = 'Java Script'>
<!-
function newContent () {
document.reg.command.value = "new";
document.reg.submit ();
}
function deleteContent () {
document.reg.command.value = "delete";
document.reg.submit ();
}
function editContent () {
document.reg.command.value = "edit";
document.reg.submit ();
}
function clearContent () {
document.reg.desc.value = "";
document.reg.port.value = "";
document.reg.contents.value = "";
}
//->
</ script>
</ head>
<body>

<jsp: useBean id = "contentsdb" scope = "session" class = "smp.ContentsDB"/>

<form name = "reg" method = "POST" action = "register">
<p align = "center"> Registered content list </ p>
<table border = "1" cellspacing = "0" width = "50%" align = "center" cellpadding = "5">
<tr>
<td>
<%! Content [] contents;%>
<%! int i;%>
<% contents = contentsdb.getContents ();%>
<% if (contents! = null) {%>
<% for (i = 0; i <contents.length; i ++) (%>
<input type = "radio" value = "<% = i%>" name = "con <% = i%>">
<% = contents [i] .getDecription%>
<input type = "hidden" value = "<% = contents [i] .getId ()%>" name = "conid <% = i%>"><br>
<%}%>
<%} else {%>
<P> There is no registered content </ P>
<%}%>
</ td>
</ tr>
</ table>
<p align = "center">
<input type = "button" value = "new" name = "new" onclick = "newContent ()">
<input type = "button" value = "delete" name = "delete" onclick = "deleteContent ()">
<input type = "button" value = "edit" name = "edit" onclick = "editContent ()">
</ p>
<input type = "hidden" name = "command">
<table border = "0" cellspacing = "0" width = "50%" align = "center">
<tr>
<td width = "25%"> Content ID </ td>
<td width = "75%">
<%! Sting id = null;%>
<% id = contentsdb.getSelectedId ();%>
<% if (id! = null) {%>
<% = id%>
<input type = "hidden" name = "id" value = "<% = id%>">
<%}%>
</ td>
</ tr>
<tr>
<td width = "25%"> Description </ td>
<td width = "75%"><input type = "text" name = "desc" size = "40"></td>
</ tr>
<tr>
<td width = "25%"> Port number </ td>
<td width = "75%"><input type = "text" name = "port" size = "40"></td>
</ tr>
<tr>
<td width = "25%"> Public path </ td>
<td width = "75%"><input type = "text" name = "path" size = "40"></td>
</ tr>
<tr>
<td width = "25%"> Content </ td>
<td width = "75%"><input type = "file" name = "contents" size = "40"></td>
</ tr>
</ table>
<p align = "right">
<input type = "submit" value = "send" name = "send">
<input type = "reset" value = "clear" name = "clear" onclick = "clearContent ()">
</ p>
</ form>
</ body>
</ html>
First, processing in which the content supply machine 7020 registers content in the server machine 7010 will be described.

  When the new button 5020 on the content management page is clicked on the HTML browser running on the content supply machine 7020, the string "new" is set in the command field, which is a hidden field in the page, and the action of the form on the content management page Access the specified page register with the HTTP POST command.

  Register stores a Servlet program, and this Servlet program performs actual content processing.

  If the value of the hidden field is read and the character string is "new", a new content ID is generated, the content ID is set in the ID display field 5035, and the content ID is set in the id that is the hidden field. A content management page in which values are not set in the description field 5040, the port number field 5045, the public path field 5046, and the content file field 5050 is returned as a result of the POST command.

  The content management page returned as a result of the POST command is displayed on the content supply machine 7020, and the operator inputs necessary data in the description field 5040, the port number field 5045, the public path field 5046, and the content file field 5050. Clicking the send button 5060 will access register with the POST command, just as when creating a new one.

  In the register, the value is not set in the hidden field command and the value is set in the hidden field id, and the content management unit 3010 manages using the content ID set in the hidden field id as a key. Search the database, and check whether the content ID set by the HTTP request is registered in the database. If it is registered, a change process described later is performed. If not registered, the content information specified in the content field 5050 is stored in the storage unit 2020, and the internal path information of the storage location is acquired. This internal path information, content ID, description information set in the description field 5040, external path information set in the public path field 5046, port number information set in the port number field 5045, accessing Register a record consisting of the registrant's user ID in the database. At the same time, the network management unit 3020 is requested to open the designated port.

  The network management unit 3020 requested to open the port adds 1 to the port request counter for the specified port number when the specified port is open. If it is not open, open the port and set 1 to the port request counter for the port number.

  Next, processing in which the content supply machine 7020 changes registration information of content already registered in the server machine 7010 will be described.

  When the edit button 5030 of the content management page is clicked with an HTML browser that operates on the content supply machine 7020, the character string "edit" is set in the command field that is a hidden field in the page, and the action of the form of the content management page Access the specified page register with the HTTP POST command.

  The register reads the value of the hidden field command, and if it is a character string “edit”, the content ID field corresponding to the selected radio button 5015 is detected. This is done by extracting the number part from the name of the selected radio button, "con #" (# is a number), and looking for the content ID field "conid #" that contains the same number in the name. For example, when a radio button named “con10” is selected, a content ID field named “conid10” is detected as a target. The database is searched by the content ID stored in the detected content ID field, and a record corresponding to the specified content ID is acquired. If a record cannot be obtained, the same process as when creating a new record is performed. If the record can be acquired, the content ID from the acquired record is set to the ID display field 5035 and the hidden field id, the description information to the description field 5040, the port number information to the port number field 5045, and the external path information to The content management page set in the public path field 5046 is returned as a result of the POST command.

  If the content management page returned as a result of the POST command is displayed on the content supply machine 7020 and the operator needs to change the description field 5040, port number field 5045, public path field 5046, and content file field 5050, data And click the send button 5060 to access register with the POST command.

  The register searches the database managed by the content management unit 3010 using the content ID set in the hidden field id as a key, searches the content ID set by the HTTP request, and acquires the corresponding record. If the record cannot be acquired, the new process described above is performed. When the record can be acquired and the content field has a value, the content information specified by the content field 5050 is newly stored in the storage unit 2020, and the internal path information of the storage location is acquired. The content stored in the internal path recorded in the acquired record is deleted. This internal path information, content ID, description information set in the description field 5040, external path information set in the public path field 5046, port number information set in the port number field 5045, registrant user Update records consisting of IDs to the database. If the port number is different from the information in the previous record, the network management unit 3020 is requested to close the previous port number and open a new port number.

  The network management unit 3020 requested to close the port subtracts 1 from the port request counter for the specified port number when the specified port is open. As a result, when the port request counter reaches 0, the port is closed.

  The process for opening the port is as described above.

  Next, a description will be given of processing in which the content supply machine 7020 deletes content already registered in the server machine 7010.

  When the delete button 5025 of the content management page is clicked on the HTML browser operating on the content supply machine 7020, the character string "delete" is set in the command field, which is a hidden field in the page, and the content management page form action Access the specified page register with the HTTP POST command.

  In register, the value of the hidden field command is read, and if the character string is “delete”, the content ID field corresponding to the selected radio button 5015 is detected. This is done by extracting the number part from the name of the selected radio button, "con #" (# is a number), and looking for the content ID field "conid #" that contains the same number in the name. For example, when a radio button named “con10” is selected, a content ID field named “conid10” is detected as a target. A record corresponding to the content ID stored in the detected content ID field is acquired. If a record cannot be obtained, a page indicating that the specified record does not exist is returned. If the record can be acquired, the content stored in the internal path recorded in the acquired record is deleted. The network management unit 3020 is requested to close the port number recorded in the acquired record.

  The process for closing the port is as described above.

  Next, processing in which the content publication processing unit 3030 responds to a publication request from the client machine 7030 in the server machine 7010 will be described.

  The content publication processing unit 3030 designates information to be published from the client machine 7030 by a URL. The content publication processing unit 3030 extracts the port number and the external path information from the specified URL. The extracted port number and external path information are specified, and an inquiry is made as to whether a record having the port number and external path information specified in the content management unit 3010 is registered in the database managed by the content management unit 3010.

If not registered, the database is searched again using the path generated by removing the segment of the external path from the back as an external path to check whether it is registered.
If the registered database record is not found, a code indicating that the page was not found is returned as a response to the page request.

  When a registered record is found, an internal path storing target information is generated from the registered external path and internal path when the record is found, and the external path specified as the URL. For example, when the external path of the specified URL is "/ a / b / c", a record with "/ a" as the external path and "/ var / contents / 80/100211" as the internal path is detected Search for a file whose path is "/ var / contents / 80/100211 / b / c". If the file is found, its contents are returned as a response to the request. When the file is not found, a code indicating that the page was not found is returned as a response.

  In this embodiment, the registered content becomes effective as soon as it is registered, and can be accessed until the registration is canceled. When the access period is specified, such as when the user machine is requested to be published at a certain time every day, and when an access request is made from the user machine, it is detected whether the requested time is within the disclosure period. It is also possible to configure the content management unit 3010 to permit only access.

  Also, for each port, set a time zone during which the port can be opened, and the network management unit 3020 is set so that the port is not opened even if there is content to be published using that port outside that time zone. It is also possible to configure.

  Furthermore, in this embodiment, a user who has passed user authentication is configured to be able to specify all valid ports, but manages public ports that can be specified for each user, and port numbers that are not permitted. It is also possible to configure the content management unit 3010 so as to reject registration when a registration request is made by designating.

It is a conceptual diagram which shows the concept of an Example. It is a block diagram which shows the hardware constitutions of the server machine of an Example. It is a block diagram which shows the software structure of the server of an Example. It is a user authentication page at the time of content registration of an Example. It is a content registration page of an Example. It is a block diagram of the whole system. It is a conceptual diagram which shows the concept of a prior art example.

Explanation of symbols

1020 Content 2040 Bus 7010 Server machine 7020 Content supply machine 7040 Network

Claims (7)

Connected to a network such as the Internet and registered in a form that can publish content to be published and a content publishing means that publishes content such as HTML pages, images, and programs in response to publishing requests sent via the network. In a content publishing apparatus having content management means for managing content such as changing the content of registered content and deleting registered content,
A public port designating unit for designating the communication port of the network to which the content should be published at the time of content registration / change, and only when the content for which the communication port is designated by the public port designating unit exists A content publishing apparatus comprising communication port management means for enabling use of a corresponding communication port.   The content publishing apparatus according to claim 1, further comprising a publishing period designating unit that designates a period during which content is to be disclosed when the content managing unit manages the content.   2. The content publishing apparatus according to claim 1, further comprising a port opening possible time zone designating unit for designating a time zone during which a port can be opened when the port management unit manages the port. Connect to a network such as the Internet, publish content that publishes content such as HTML pages, images, and programs in response to publishing requests sent over the network, register the content to be published, In a content publishing system that manages content such as changing the contents of registered content and deleting registered content,
When a content is registered / changed, the network communication port to which the content is to be disclosed is specified for the content, and the corresponding communication port can be used only when the content specified to use the communication port exists. A content publishing system characterized by this.   5. The content publishing system according to claim 4, wherein a publishing period for designating a period for publishing the contents when managing the contents can be designated.   5. The content publishing system according to claim 4, wherein a time period during which the port can be opened can be specified when managing the port.   A storage medium storing a program for realizing the system according to claim 4.

Images