JP2008015934A - Service system and service system control method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To attain site access control of high trustworthiness, in a service provider device. <P>SOLUTION: A network provider device associates user information on a user of a user device with line information on a line connected with the user device and stores them. When it has received a user information acquisition request by redirect communication through the user device from the service provider device, it acquires the line information on the line connected with the user device and the user information associated with the line information, and transmits the user information by redirect communication to the service provider device through the user device. The service provider device transmits a user information acquisition request requesting for acquisition of the user information of the user device to the network provider device, and when it has received user information of the user device from the network service provider device, controls site access using the user information. <P>COPYRIGHT: (C)2008,JPO&INPIT

Description

  The present invention relates to a service system and a service system control method.

  Service providers (SP: Service Provider) have provided various application services (e-mail, music content, video content, shopping, auctions, etc.) to users with the spread of the Internet and higher line speeds. is doing. In order for the service provider to provide such various application services to the user, it is premised that the network operator first performs user registration of the user. Here, the network operator is, for example, an operator that provides an access service using a fixed network such as xDSL (x Digital Subscriber Line) or an optical fiber, an operator that provides an access service using a wireless local area network (LAN), or the like. An ISP (Internet Services Provider) that provides an access service to the Internet.

  Specifically describing the user registration performed by the network operator, the network operator can provide user information (eg, user name, address, It is usual to obtain a credit card number, etc., verify the identity of the user by identification card, register the user, and pay out the user account and password. When the user registration is completed in this manner, the network operator enables the user to use a network such as the Internet by performing user authentication of the account and password transmitted from the user.

  Next, in order for the service provider to provide users with various application services, user registration by the network operator as described above has been completed, and the user can use the network such as the Internet. The service provider must perform user registration (or user authentication) for the user. Specifically describing user registration performed by the service provider, the service provider transmits user information (for example, the user's name, address, credit card number, etc.) online from the user. The user registration is performed based on the acquired user information.

  For example, in Patent Document 1, an authentication server having a role as a third party certification organization different from a service provider performs user registration (or user authentication) and provides the result to the service provider. Thus, a method in which a service provider provides various application services to users is disclosed.

JP 2004-355073 A

  By the way, as described below, the above-described conventional technology has a problem that it is impossible to realize highly reliable site access control (for example, user registration, user authentication, etc.) in the service provider apparatus. . In other words, as for user registration in a service provider, which is one of the site access controls, the service provider can use a driver's license, etc. The service provider device is highly reliable because user registration is not performed after the user's identity is confirmed based on the user information presented offline by the user together with the identification card. User registration cannot be realized.

  Therefore, the present invention has been made to solve the above-described problems of the prior art, and a service system and a service system control method capable of realizing highly reliable site access control in a service provider apparatus The purpose is to provide.

  In order to solve the above-described problems and achieve the object, the invention according to claim 1 is a network operator device that controls network connection by a user device, and a service operator device that controls site access by the user device. Are connected to each other via a network, wherein the network operator device connects user information related to a user of the user device that is permitted to connect to the network to a line to which the user device connects. User information storage means for storing the user information in association with the line information, and a user information acquisition request for requesting acquisition of user information of the user device by redirect communication from the service provider device via the user device Line information acquisition that acquires line information related to the line to which the user device is connected. And user information associated with the line information obtained by the line information obtaining means is obtained from the user information storage means, and the user information is obtained by the redirection communication via the user device. The user information transmitting means for transmitting to the provider device, and the service provider device, when receiving a request for site access from the user device, by the redirect communication via the user device, the user device User information acquisition request transmitting means for transmitting a user information acquisition request for requesting acquisition of user information to the network operator device, and redirection communication from the network operator device via the user device. When the user information of the user device is received, the site access is controlled using the user information. And access control means that, characterized by comprising a.

  In the invention according to claim 2, in the above invention, in addition to the user information, the user information transmitting means includes provisional identification information for uniquely identifying transmission of the user information in the service provider. The service identification information that uniquely identifies the service provider device and the temporary identification information are stored in the user information storage unit in association with the user information, and the access control unit includes: When the temporary identification information is received in addition to the user information from the network operator device, the temporary identification is associated with the user identification information that uniquely identifies the user requesting the site access. Information is stored in a predetermined storage means, and the network operator device uses the service provider device by redirect communication from the service operator device via the user device. A post-registration line information acquisition means for acquiring line information relating to a line to which the user apparatus is connected when a temporary identification information acquisition request for requesting acquisition of temporary identification information corresponding to the user information of the apparatus is received; The provisional identification information associated with the line information acquired by the post-registration line information acquisition means is acquired from the user information storage means, and the temporary identification information is obtained by the redirect communication via the user device. Temporary identification information transmitting means for transmitting to the provider device, and the service provider device, when receiving a request for site access after user registration from the user device, by redirect communication via the user device , A provisional identification information acquisition request for requesting acquisition of temporary identification information corresponding to the user information of the user device is sent to the network operator Temporary identification information acquisition request transmission means for transmitting to the device, and when receiving temporary identification information corresponding to the user information of the user device by redirect communication via the user device from the network operator device, It further comprises post-registration access control means for acquiring user identification information corresponding to temporary identification information from the predetermined storage means and controlling the site access.

  Further, in the invention according to claim 3, in the above invention, the user information transmitting means transmits the line information to the service provider apparatus in addition to the user information, and the access control means includes: When the line information is received in addition to the user information from the network operator device, the site access is controlled using the user information and the line information.

  According to a fourth aspect of the present invention, in the above invention, in addition to the user information, the user information transmitting means sends expiration date information indicating an expiration date of the user information to the service provider device. And when the access control means receives the expiration date information in addition to the user information from the network operator device, the access control means fulfills the expiration date indicated in the expiration date information. The site access is controlled using user information.

  Further, in the invention according to claim 5, in the above invention, the user information transmitting means transmits an electronic signature signed by the network operator device to the service operator device in addition to the user information. The access control means, when receiving the electronic signature in addition to the user information from the network operator device, using the user information on the condition that the electronic signature is valid, It is characterized by controlling access.

  Further, in the invention according to claim 6, when the user information transmission unit receives an electronic signature signed by the service provider device in addition to the user information acquisition request from the service provider device, The user information is transmitted to the service provider device on the condition that the electronic signature is valid, and the user information acquisition request transmitting means transmits the electronic signature in addition to the user information acquisition request. It transmits to the said network provider apparatus, It is characterized by the above-mentioned.

  The invention according to claim 7 is a service in which a network operator device that controls network connection by a user device and a service operator device that controls site access by the user device are connected via a network. A service system control method for controlling a system, wherein the network operator device includes user information related to a user of a user device permitted to connect to the network, line information related to a line to which the user device is connected, and When a user information storage step for storing the user information is received, and a user information acquisition request for requesting acquisition of user information of the user device is received from the service provider device by redirect communication via the user device. Line information acquisition to acquire line information about the line to which the user device is connected The user information associated with the line information acquired by the line information acquisition step is acquired from the user information storage step, and the user information is transmitted to the service by redirect communication via the user device. The user information transmission step for transmitting to the provider device, and when the service provider device accepts a site access request from the user device, the user device is transmitted by redirect communication via the user device. User information acquisition request transmission step for transmitting a user information acquisition request for requesting acquisition of user information to the network operator device, and redirect communication from the network operator device via the user device. When the user information of the user device is received, the site access is controlled using the user information. Characterized in that including the access control step.

  According to the invention of claim 1 or 7, a service in which a network operator device that controls network connection by a user device and a service operator device that controls site access by the user device are connected via a network. The network operator apparatus stores user information related to a user of a user apparatus that is permitted to connect to the network in association with line information related to a line to which the user apparatus is connected, and the service provider apparatus When a user information acquisition request that requests acquisition of user information of a user device is received by redirect communication via the user device, line information about the line to which the user device is connected is acquired and acquired. The user information associated with the linked line information is acquired and redirected via the user device. The user information is transmitted to the service provider device, and when the service provider device accepts a site access request from the user device, the user information of the user device is transmitted by redirect communication via the user device. When user information acquisition request for acquisition is transmitted to the network operator device and the user information of the user device is received from the network operator device by redirect communication via the user device, the user information is used. Since the site access is controlled, the user information stored in the network operator's device is presented offline by the user together with an identification card such as a driver's license, and is used after the user's identity is confirmed. Since this is the user information when the user registration is performed, the user information entered by the user is supported online. Compared to conventional approaches that are sent to bis organization device, in the service provider apparatus, it is possible to realize a highly credible site access control.

  That is, for example, in a service provider device, user registration is performed using highly reliable user information received from the network provider device, or site access from a user device operated by the user who registered the user is performed. Or allow site access from user devices in one time without user registration (provided whether to provide various application services using highly reliable user information received from network operator devices) Can be judged).

  In addition, site access (for example, user registration) can be completed with a single click by the user of the user device, and information such as a user account and password for the service provider device can be obtained. It is no longer necessary to be managed by the user. Furthermore, if the user registration information between the user and the service provider is managed by the network provider device, the user registration information may be stored by the service provider device. Therefore, it is possible to perform site access control with high reliability and convenience.

  According to the invention of claim 2, the network operator apparatus transmits temporary identification information for uniquely identifying transmission of the user information to the service provider apparatus in addition to the user information, and the service provider Service identification information and temporary identification information for uniquely identifying a device are stored in association with user information, and the service provider device receives temporary identification information in addition to user information from the network provider device. Stores temporary identification information in a predetermined storage means in association with user identification information for uniquely identifying a user requesting site access, and the network operator device is connected to the user device from the service operator device. When the user device receives a temporary identification information acquisition request for requesting acquisition of temporary identification information corresponding to the user information of the user device by redirect communication via Line information related to the line being acquired, temporary identification information associated with the acquired line information is acquired, temporary identification information is transmitted to the service provider apparatus by redirect communication via the user apparatus, When a company device receives a request for site access after user registration from a user device, it obtains temporary identification information corresponding to the user information of the user device by redirect communication via the user device. When the temporary identification information acquisition request to be requested is transmitted to the network operator device and the temporary identification information corresponding to the user information of the user device is received from the network operator device by the redirect communication via the user device, User identification information corresponding to the identification information is acquired from a predetermined storage means to control site access, so the same user Since the associated temporary identification information (for example, pseudonym ID, anonymous ID, etc.) is shared between the network operator device and the service operator device, the temporary identification information is shared between the network operator device and the service operator. Compared to a method that is not shared with devices, it is possible to safely and efficiently implement highly reliable site access control in a service provider device.

  That is, since the temporary identification information is shared between the network provider device and the service provider device, it is possible to avoid the possibility of being subject to so-called name identification by other service providers. Compared with a method in which a user account using a part of the service account is shared, it is possible to safely implement highly reliable site access control in the service provider device.

  In addition, as a result of the provisional identification information being shared between the network operator device and the service operator device, the service operator device receives a request for site access after user registration from the user device, Since site access control can be performed with secure temporary identification information without user registration again, it is possible to safely and efficiently implement highly reliable site access control in the service provider apparatus.

  According to the invention of claim 3, the network operator apparatus transmits line information to the service provider apparatus in addition to the user information, and the service provider apparatus changes the user information from the network provider apparatus to the user information. In addition, when the line information is received, the site access is controlled using the user information and the line information. Therefore, compared to the method of controlling the site access using only the user information, in the service provider device, Highly reliable site access control can be realized.

  That is, it is possible to specify the location where the user device is connected, the line speed, etc. using the line information related to the line to which the user device is connected. For example, the site access is not permitted depending on the location where the user device is connected, Do not allow site access according to the line speed to which the user device is connected, select the service to be provided depending on the location to which the user device is connected, or provide it according to the line speed to which the user device is connected It is possible to highly implement highly reliable site access control in the service provider device such as selecting a service to be performed. Specifically, when the connection location to the network specified by the line information is a place other than “home”, the provision of the auction service is not permitted, or the connection information is specified by the line information. When the line speed is high, it is possible to provide a high-resolution video content service.

  According to the invention of claim 4, the network operator device transmits the expiration date information indicating the expiration date of the user information to the service operator device in addition to the user information. When the expiration date information is received in addition to the user information from the network operator device, the site access is controlled using the user information on the condition that the expiration date indicated in the expiration date information is satisfied. Compared to a technique in which expiration date information is not transmitted when transmitting information to the service provider apparatus, it is possible to safely implement highly reliable site access control in the service provider apparatus.

  That is, when the user information is transmitted to the service provider device, the method in which the expiration date information is not transmitted is used. For example, in redirect communication via the user device, the user device illegally uses the user information or other control information. There is a possibility that the user device that has obtained the information and illegally obtained the information may illegally access the site, but transmits the expiration date information (for example, the expiration date is set in the order of several seconds or several tens of seconds). Thus, since these fears can be avoided, highly reliable site access control can be safely realized in the service provider apparatus.

  According to the invention of claim 5, the network operator device transmits, in addition to the user information, an electronic signature signed by the network operator device to the service operator device. When the electronic signature is received from the user device in addition to the user information, the site access is controlled using the user information on condition that the electronic signature is valid. Therefore, the user information is transferred to the service provider device. Compared to a technique in which an electronic signature is not transmitted when transmitting, it is possible to safely implement highly reliable site access control in a service provider apparatus.

  That is, in the method of not transmitting an electronic signature when transmitting user information to a service provider device, for example, whether the transmitted user information is user information transmitted from the correct network operator device or not. Although it cannot be determined, an electronic signature is transmitted, and on the condition that the electronic signature is valid (that is, it is determined that the user information is transmitted from the correct network operator device, and the user information is altered) Control of site access (after avoiding the possibility of denying the fact transmitted by the network operator device), it becomes possible to safely implement highly reliable site access control. .

  According to the invention of claim 6, when the network operator apparatus receives the electronic signature signed by the service provider apparatus in addition to the user information acquisition request from the service provider apparatus, the electronic signature is valid. The user information is transmitted to the service provider device on the condition that the service provider device is, and the service provider device transmits the electronic signature to the network provider device in addition to the user information acquisition request. Compared with a technique in which an electronic signature is not transmitted when a request is transmitted to a network operator device, it is possible to safely implement highly reliable site access control in the service operator device.

  That is, in the method of not transmitting the electronic signature when transmitting the user information acquisition request to the network operator apparatus, for example, the user information acquisition request transmitted from the correct service provider apparatus is transmitted. It is not possible to determine whether or not the electronic signature is transmitted, and on the condition that the electronic signature is valid (that is, it is determined that the user information acquisition request is transmitted from the correct service provider device, Since it is judged that the user information acquisition request has not been tampered with and avoids the possibility of denying the fact that the service provider device has transmitted) High site access control can be realized safely.

  Embodiments of a service system according to the present invention will be described below in detail with reference to the accompanying drawings. The main terms used in the following embodiments, the outline and features of the service system according to the first embodiment, the configuration and processing procedure of the service system according to the first embodiment, and the effects of the first embodiment will be described in order. Another embodiment will be described.

[Explanation of terms]
First, main terms used in the following examples will be described. A “user device” is a device configured by a personal computer, a mobile phone, or the like and operated by a user. Specifically, the “user device” is connected to a network such as the Internet and receives information on various application services (for example, e-mail, music content, video content, shopping, auction, etc.) published on the network. By receiving from other computers on the network and outputting to a monitor or speaker, etc., or sending information input by the user to other computers on the network, various application services can be provided to the user. provide.

  By the way, in order for this “user device” to send and receive information on various application services on the network to and from other computers, the “network operator device” controls the network connection and the “service operator” It is necessary that the site access be controlled by the “device”.

  More specifically, the “network operator device” is a device configured by a general-purpose computer or the like and operated by the network operator. A network operator is an operator that provides a line for connecting to a network such as the Internet for a “user device” operated by a registered user. For example, a network operator is an operator that provides an access service using a fixed network such as xDSL (x Digital Subscriber Line) or optical fiber, an operator that provides an access service using a wireless local area network (LAN), or other Internet access. It is a provider (ISP: Internet Services Provider) etc. that provides an access service, and a “user device” is first registered as a user in a “network operator device” operated by a network operator, and then the network By controlling the connection (by allowing connection to a line for connecting to a network such as the Internet), it becomes possible to connect to a network such as the Internet. There are a large number of network operators on the network, and there are a large number of “network operator devices”. However, the “user device” has a network connection controlled by an arbitrary “network operator device”. To connect to a network such as the Internet.

  In this way, the “user device” that can be connected to the network such as the Internet by controlling the network connection by the “network provider device” next receives the provision of various application services. User registration (or user authentication) must be performed on the “service provider device”. The “service provider device” is a device configured by a general-purpose computer or the like and operated by a service provider. A service provider is a provider that provides various application services to a “user device” operated by a user who has registered (or authenticated) a user. For example, a service provider is a provider that provides various application services (for example, e-mail, music content, video content, shopping, auctions, etc.) on a network. By registering a user (or user authentication) in a “service provider device” operated by a service provider and controlling site access, it is possible to receive various application services. As with “Network operator equipment”, there are many service providers on the network, and there are many “Service provider equipment”. However, “User equipment” is an arbitrary “Service business equipment”. The site access is controlled by the “user device” to receive provision of an arbitrary application service.

  Here, “site access” is, for example, used in a “service provider device” when a “user device” operated by a user who is not registered as a user is connected to a “service provider device”. User registration, providing application services to the "user device" by using user authentication when a "user device" operated by the registered user connects, When a “user device” operated by a user who is not registered is connected, application authentication is provided to the “user device” by performing user authentication in one time without performing user registration. This is a general term. The content of control for controlling “site access” varies depending on the type of application service provided by the “service provider device” and the usage situation.

  In this way, a system in which the “network provider device” controls the network connection by the “user device” and the “service provider device” controls the site access by the “user device” is called a “service system”. In the “service system”, there are various threats such as impersonation and misuse of credit card numbers. For this reason, in the “service system”, how to achieve highly reliable site access control is particularly important.

[Outline and Features of Service System According to Embodiment 1]
Next, the outline and features of the service system according to the first embodiment will be described with reference to FIG. FIG. 1 is a diagram for explaining the outline and features of the service system according to the first embodiment. In the following embodiment, network connection by one “user device” is controlled by one “network operator device”, and site access by one “user device” is controlled by one “service provider”. The configuration controlled by the “device” will be described, but the present invention is not limited to this, and one or a plurality of “network provider devices” control network connection by one or a plurality of “user devices”. The present invention can be similarly applied to a configuration in which one or a plurality of “service provider devices” controls site access by one or a plurality of “user devices”.

  As described above, the service system according to the first embodiment connects the network operator device that controls the network connection by the user device and the service operator device that controls the site access by the user device via the network. The main feature is to realize highly reliable site access control in the service provider device.

  Briefly describing this main feature, it is assumed that the network operator device in the first embodiment has previously registered the user of the user device and has permitted the network connection of the user device. That is, as shown in FIG. 1, the network operator device receives user information (for example, a contractor name, an address, a credit card number, etc.) regarding the user of the user device that is permitted to connect to the network. Is stored in the user management database unit (user management DB) in association with the line information (for example, line identifier, line accommodation position, line type, line speed, etc.) related to the line to which is connected. For example, in FIG. 1, user information relating to the user account AAA (“AAA user information”) is stored in the user management DB in association with the line information (“AAA line information”). .

  On the other hand, it is assumed that the service provider device according to the first embodiment does not register the user of the user device. That is, the user device cannot receive the application service provided by the service provider device. In the first embodiment, the application service provided by the service provider device is a type of application service that can be provided by performing permanent user registration (paying a permanent user account). The present invention is not limited to this, and the present invention can be similarly applied to a type of application service that can be provided by performing temporary user registration (paying a temporary user account). .

  In addition, between the network operator device and the service operator device in the first embodiment, the network operator device transmits user information and line information managed by the user management DB to the service operator device (and It is assumed that an agreement has been made in advance for specific transmission items). Furthermore, it is assumed that a trust relationship is established in advance between the network operator device and the service operator device. That is, the network operator apparatus manages public key information (such as an electronic certificate of the service provider apparatus) for verifying that the electronic signature signed by the service provider apparatus is valid, and the service provider apparatus It is assumed that public key information (such as an electronic certificate of a network operator device) for verifying that an electronic signature signed by the network operator device is valid is managed. In the first embodiment, a technique for managing each other's public key information in the network operator device and the service operator device will be described. However, the present invention is not limited to this, and a trusted third party. Any method for verifying that an electronic signature is valid, such as a method for verifying that an electronic signature is valid using public key information issued by an institution, may be used.

  Under such a configuration, the network operator apparatus according to the first embodiment first receives a network connection request from the user apparatus (see (1) in FIG. 1). Specifically, the network operator device receives line authentication information (for example, a user account, a password, etc.) as a network connection request from the user device. For example, in FIG. 1, a user account AAA and a password are received. An electronic signature or the like may be received from the user device as the line authentication information.

  Next, the network operator device performs an authentication process in the network operator device (see (2) in FIG. 1). Specifically, the network operator device collates the line authentication information received from the user device with the line authentication information (eg, user account, password, etc.) managed in the user management DB, and the user device Authenticate. For example, in FIG. 1, the user account AAA managed in the user management DB is compared with a password (not shown) to authenticate the user device.

  Then, the network operator device transmits a network connection response to the user device (see (3) in FIG. 1). Specifically, the network operator device provides the user device with an access path to a line (access network) for connecting to a network such as the Internet by PPPoE (Point to Point Protocol over Ethernet (registered trademark)). The IP address is issued and sent to the user device. The network operator device stores the IP address assigned to the user device in the user management DB.

  As a result, the user device is connected to a network such as the Internet, and then the service provider device receives an SP site access request from the user device (see (4) in FIG. 1). Specifically, the service provider device receives, from the user device, an SP site URL (Uniform Resource Locator) or the like of an application service provided by the service provider device as an SP site access request.

  Then, the service provider device transmits an SP site access response to the user device (see (5) in FIG. 1). Specifically, the service provider device acquires a Web page and transmits the Web page as an SP site access response. Here, since the service provider apparatus according to the first embodiment does not register the user of the user apparatus, the Web page transmitted to the user apparatus is a Web page that prompts the user registration request. is there.

  Next, the service provider device receives a user registration request from the user device (see (6) in FIG. 1). Specifically, the user device receives the user registration request by one-clicking on a web page icon (such as “user registration”) that prompts the user registration request in the user device.

  Then, the service provider device creates a user account in the service provider device (see (7) in FIG. 1). For example, in FIG. 1, the service provider device creates a user account BBB. The user account BBB is a permanent user account.

  Subsequently, the service provider apparatus transmits a user information acquisition request for requesting acquisition of user information of the user apparatus to the network provider apparatus ((8) in FIG. 1). See). Specifically, the service provider device transmits a user information acquisition request to the network provider device by redirect communication via the user device.

  Then, the network operator apparatus according to the first embodiment acquires line information regarding the line to which the user apparatus is connected (see (9) in FIG. 1). Specifically, the network operator device is used when receiving a user information acquisition request for requesting acquisition of user information of the user device from the service operator device by redirect communication via the user device. The line information is acquired by specifying the line to which the user device is connected.

  Next, the network operator apparatus transmits user information and line information associated with the line information to the service provider apparatus (see (10) and (11) in FIG. 1). Specifically, the network operator apparatus acquires user information and line information associated with the line information acquired by specifying the line from the user management DB, and redirects communication via the user apparatus. Thus, the user information and the line information are transmitted to the service provider apparatus. For example, in FIG. 1, the network operator device transmits user information (“AAA user information”) and line information (“AAA line information”) together with the user account AAA to the service provider device. .

  In the first embodiment, the method of transmitting the line information acquired from the user management DB to the service provider apparatus has been described, but the present invention is not limited to this, and the line to which the user apparatus is connected The present invention can be similarly applied to a method of transmitting line information acquired by specifying to a service provider apparatus. In the first embodiment, the network provider apparatus transmits the user account AAA as an identifier for identifying user information. However, the present invention is not limited to this, and the network business If the user apparatus and the service provider apparatus maintain a correspondence between the user account AAA and the user account BBB and transmit some identifier for identifying user information, a specific identifier Any selection method may be used.

  Subsequently, the service provider device uses the user information to control site access (see (12) and (13) in FIG. 1). Specifically, the service provider device controls the site access using the user information when the user information of the user device is received from the network provider device by redirect communication via the user device. For example, in FIG. 1, the service provider apparatus replaces the user account BBB with the user account AAA, and the user account AAA line information (“AAA line information”) and user information (“AAA user”). Information ") is managed, and a Web page for starting provision of the application service is transmitted as a user registration response to the user device. In the first embodiment, the method of replacing the user account BBB with the user account AAA has been described. However, the present invention is not limited to this, and the user account AAA and the user account in the service provider apparatus. Any method may be used as long as it maintains the association with the BBB.

  In this way, the service system according to the first embodiment can realize highly reliable site access control in the service provider apparatus.

  By the way, in the service system according to the first embodiment, in addition to the main features described above, the network operator device provides the expiration date information indicating the expiration date of the user information in addition to the user information and the line information. There is also a feature in transmitting to the device, and when the service provider device receives the expiration date information in addition to the user information and the line information from the network operator device, the expiration date indicated in the expiration date information It is also characterized by controlling site access using user information on condition that the above is satisfied.

[Configuration of Service System According to Embodiment 1]
Next, the configuration of the service system according to the first embodiment will be described with reference to FIGS. FIG. 2 is a block diagram illustrating a configuration of the service system according to the first embodiment. FIGS. 3 to 6 are diagrams for explaining a user management database unit in the network operator device. FIG. 8 to FIG. 10 are diagrams for explaining a user management database unit in a service provider device, and FIG. 11 is a network provider management database. FIG. 12 to FIG. 14 are diagrams for explaining Web pages transmitted from the service provider device to the user device.

  As illustrated in FIG. 2, the service system according to the first embodiment includes a network operator device 100 that controls network connection by the user device 300 and a service operator device 200 that controls site access by the user device 300. Composed. Below, the network provider apparatus 100 and the service provider apparatus 200 are demonstrated in order.

[Network operator apparatus 100]
The network operator device 100 according to the first embodiment is configured by a general-purpose computer or the like, and as particularly closely related to the present invention, as shown in FIG. 2, a communication control I / F unit 110, a storage unit, 120 and a control unit 130.

  The communication control I / F unit 110 transmits / receives data to / from the service provider device 200 and the user device 300. Specifically, the communication control I / F unit 110 receives the network connection request transmitted from the user device 300, transmits a network connection request response to the user device 300, and receives the network connection request from the service provider device 200. The transmitted user information acquisition request is received, and a user information acquisition response is transmitted to the service provider apparatus 200. For example, the communication control I / F unit 110 includes a general interface and library for IP (Internet Protocol) communication, and has a function of transmitting and receiving a control message related to connection.

  The storage unit 120 stores data used for various controls in the control unit 130, and particularly as closely related to the present invention, as shown in FIG. 2, a user management database unit 121, service provider management, and the like. A database unit 122. The user management database unit 121 corresponds to “user information storage unit” recited in the claims.

  The user management database unit 121 stores user information related to the user of the user device 300 that is permitted to connect to the network. Specifically, the user management database unit 121 stores user information related to the user of the user device 300 that is permitted to connect to the network in association with line information related to the line to which the user device 300 is connected, The stored user information and line information are used for processing by an authentication processing unit 131, a line information acquisition unit 132, and a user information transmission unit 133, which will be described later. In the first embodiment, the user management database unit 121 stores user accounts and IP addresses in association with each other, and stores user accounts and user information in association with each other as described below. The user account and the line information are stored in association with each other, the user account and the SP ID are stored in association with each other, and an RDBMS (Relational DataBase Management System) program or the like is operated to use the user device 300. However, the present invention is not limited to this, and any database construction method can be used as long as the user information is stored in association with the line information. But you can.

  For example, as shown in FIG. 3, the user management database unit 121 according to the first embodiment includes a user account (see “NW user account” column) and an IP address (see “IP address” column). Are stored in association with each other. Here, the IP address stored in association with the user account refers to the user device 300 when the network operator device 100 transmits a network connection response to the user device 300 in the authentication processing unit 131 described later. In response to this, an access path to a line (access network) for connecting to a network such as the Internet is set by PPPoE (Point to Point Protocol over Ethernet (registered trademark)) and paid out to the user device 300. IP address. The user management database unit 121 stores the IP address issued by the authentication processing unit 131.

  As shown in the first line of FIG. 3, for example, the user management database unit 121 stores user accounts “tarou” and “192.168.x.x” in association with each other. In the embodiment, for convenience of explanation, the IP address is represented by combining a specific number and alphabet such as “192.168.xx”. However, there is no special meaning to the combination or selection of specific numbers and alphabets.

  Further, for example, as shown in FIG. 4, the user management database unit 121 according to the first embodiment includes a user account (see the column “NW user account”) and user information (“contractor name”, “Address (Billing address)”, “Credit card number” and “Payment / non-payment of communication charges” columns are stored in association with each other. Here, the user information stored in association with the user account is obtained by registering the user information presented offline by the network operator apparatus 100 as a user. In other words, the network operator device 100 according to the first embodiment is premised on performing user registration in advance for the user of the user device 300. This user registration is performed using an identification card such as a driver's license. At the same time, the user information presented offline by the user is highly reliable information registered by the network operator after confirming the identity of the user by the identification card. The user management database unit 121 stores in advance user information input to the network operator device 100 by an operator who operates the network operator device 100 or the like.

  As shown in the first line of FIG. 4, for example, the user management database unit 121 includes a user account “tarou”, a contractor name “patent Taro”, an address “Tokyo,. The card number “1111-1111-1111-1111” is stored in association with the presence / absence of payment of the communication fee “present”. In the embodiment, the case where the contractor name, the address, the credit card number, and the presence / absence of payment of the communication fee are stored as the user information has been described, but the present invention is not limited to this, Any information may be used as long as it includes user information necessary for the network operator device and the service operator device, such as when information such as age is further stored, or when the payment of communication charges is not stored.

  Further, for example, as shown in FIG. 5, the user management database unit 121 according to the first embodiment includes a user account (see the column “NW user account”) and line information (“line identifier”, “line identifier”, “ “Line accommodation position”, “line type”, “line speed”, and “line authentication information (password, etc.)”) are stored in association with each other. Here, the line information stored in association with the user account is information obtained by the network operator apparatus 100 registering the user information and the line information collected by the network operator. . That is, the network operator apparatus 100 according to the first embodiment is premised on performing user registration in advance for the user of the user apparatus 300, but at the time of this user registration (or before and after user registration). In addition, the line information of the user device 300 operated by the registered user is also registered. Since the line information is information collected by the network operator that operates the network operator device 100, the line information is highly reliable information. The user management database unit 121 stores in advance line information input to the network operator device 100 by an operator who operates the network operator device 100 or the like.

  As shown in the first line of FIG. 5, for example, the user management database unit 121 includes a user account “tarou”, a line identifier “123”, a line accommodation position “# A500”, and a line type “ “Light”, line speed “100 Mbps / 100 Mbps”, and line authentication information “******” are stored in association with each other. In the embodiment, the case where the line identifier, the line accommodation position, the line type, the line speed, and the line authentication information are stored as the line information has been described, but the present invention is not limited to this, Any case may be used as long as it includes the line information necessary for the network provider apparatus and the service provider, such as when the accommodation position of the line is not stored. Also, in the embodiment, notation is combined with specific numbers and symbols for convenience of explanation, such as line identifiers and line accommodation positions, but in actuality, it is information prescribed in the network operator device, Numbers and symbols have no special meaning.

  Further, for example, as shown in FIG. 6, the user management database unit 121 according to the first embodiment includes a user account (see “NW user account” column) and an SP ID (“SP ID” column). Reference) is stored in association with each other. Here, the SP ID is an identifier for identifying the service provider apparatus 200 in the network provider apparatus 100. As shown in the first line of FIG. 6, for example, the user management database unit 121 stores a user account “tarou” and SP IDs “1” and “3” in association with each other. Here, the user management database unit 121 stores the user account “tarou” and a plurality of SP IDs in association with each other with respect to a plurality of service provider apparatuses 200 for one user account. , It shows that it is possible to maintain account correspondence. Therefore, when the user management database unit 121 stores one SP ID in association with one user account, or stores three or more SP IDs in association with one user account. In this case, the present invention can be similarly applied.

  As illustrated in the fourth line of FIG. 6, for example, the user management database unit 121 stores the user account “ichiro” and the SP ID “2” in association with each other. In this case, it is shown that the service control apparatus 200 whose site access is controlled by the user apparatus 300 operated by the user account “ichiro” is the service provider apparatus 200 identified by the SP ID “2”. Yes.

  The service provider management database unit 122 stores information regarding the service provider device 200. Specifically, as shown in FIG. 7, the service provider management database unit 122 uses an SP ID and public key information (such as an electronic certificate of the service provider apparatus 200) as information about the service provider apparatus 200. The SP ID and public key information stored in association with each other are used for processing by the line information acquisition unit 132 described later. Here, in the first embodiment, the public key information means that a trust relationship is established in advance between the network operator device 100 and the service operator device 200. This is public key information for verifying that the electronic signature signed by the service provider apparatus 200 is valid.

  In the first embodiment, the case where the service provider management database unit 122 stores the public key information has been described. However, the present invention is not limited to this, for example, issued by a trusted third party organization. In the method of verifying that the electronic signature is valid using the public key information, the service provider management database unit 122 does not need to store the public key information. In the first embodiment, the service provider management database unit 122 stores the SP ID and the public key information in association with each other by operating the RDBMS program. However, the present invention is not limited to this. As long as an identifier for uniquely identifying the service provider apparatus 200 is stored, any database construction method may be used.

  The control unit 130 performs various controls in the network operator apparatus 100, and particularly those closely related to the present invention include an authentication processing unit 131, a line information acquisition unit 132, and a user as shown in FIG. An information transmission unit 133. The line information acquisition unit 132 corresponds to the “line information acquisition unit” described in the claims, and the user information transmission unit 133 corresponds to the “user information transmission unit” described in the claims. To do.

  The authentication processing unit 131 performs authentication processing of the user device 300 and controls network connection by the user device 300. Specifically, the authentication processing unit 131 receives a network connection request from the user device 300 together with the line authentication information, and receives the line authentication information received and the line authentication information stored in the user management database unit 121 (for example, use The user apparatus 300 is authenticated by checking the user account, password, and the like, and a network connection response is transmitted to the user apparatus 300 according to the authentication result.

  Further, when the authentication processing unit 131 transmits a network connection response to the user apparatus 300, the authentication processing unit 131 sets an access path to a line for connecting to the network such as the Internet for the user apparatus 300 using PPPoE or the like. The IP address is issued to the user device 300, and the issued IP address is transmitted to the user device 300 and stored in the user management database unit 121. For example, the authentication processing unit 131 pays out the IP address “192.168.x.x” to the user device 300 when transmitting a network connection response to the user account “tarou” of the user device 300.

  The line information acquisition unit 132 acquires line information regarding the line to which the user device 300 is connected. Specifically, when the line information acquisition unit 132 receives a user information acquisition request for requesting acquisition of user information of the user device 300 by redirect communication from the service provider device 200 via the user device 300. In addition, line information related to the line to which the user apparatus 300 is connected is acquired, and the acquired line information is transmitted to the user information transmission unit 133.

  For example, the line information acquisition unit 132 acquires line information associated with the line information acquired by specifying the line to which the user device 300 is connected from the user management database unit 121. That is, when the line information acquisition unit 132 specifies the line to which the user device 300 is connected, and the identifier of the line to which the user device 300 is connected is “123”, the user management database As the line information, for example, the line identifier “123”, the line accommodation position “# A500”, the line type “light”, the line speed “100 Mbps / 100 Mbps”, and the like are acquired from the unit 121. In the first embodiment, the method of transmitting the line information acquired from the user management database unit 121 to the service provider apparatus 200 has been described, but the present invention is not limited to this, and the user apparatus 300 The present invention can be similarly applied to a method of transmitting line information acquired by specifying a line to be connected to the service provider apparatus 200.

  The user information transmission unit 133 transmits user information and line information to the service provider apparatus 200. Specifically, the user information transmission unit 133 acquires user information and line information acquired by the line information acquisition unit 132 and associated with the line information transmitted from the line information acquisition unit 132, in the user management database. Obtained from the unit 121 and transmitted to the service provider apparatus 200 by redirect communication via the user apparatus 300.

  For example, the user information transmission unit 133 is acquired by the line information acquisition unit 132, and among the line information transmitted from the line information acquisition unit 132, for example, the identifier of the line to which the user device 300 is connected is “123”. If it is determined that there is user information of the user account “tarou” associated with the line identifier “123”, for example, the contractor name “Patent Taro”, the address “Tokyo,... ”, Credit card number“ 1111-1111-1111-1111 ”, presence / absence of payment of communication charge“ present ”, and the like are transmitted to service provider apparatus 200. Further, the user information transmission unit 133, for example, as line information of the user account “tarou” associated with the line identifier “123”, for example, a line identifier “123”, a line accommodation position “# A500”, The line type “light”, the line speed “100 Mbps / 100 Mbps”, and the like are acquired and transmitted to the service provider apparatus 200.

  In addition to the user information and the line information, the user information transmission unit 133 according to the first embodiment transmits expiration date information indicating the expiration date of the user information to the service provider apparatus 200. For example, the user information transmission unit 133 transmits the expiration date information set in the order of several seconds or several tens of seconds as the expiration date information.

  Here, in the first embodiment, among the user information and the line information that the network operator device 100 manages in the user management database unit 121 between the network operator device 100 and the service operator device 200, a service is provided. Since it is assumed that a specific transmission item to be transmitted to the business entity apparatus 200 has been determined in advance, the user information transmission unit 133 transmits a predetermined transmission item to the service provider apparatus 200. And In the first embodiment, a specific transmission item to be transmitted to the service provider apparatus 200 is determined in advance between the network provider apparatus 100 and the service provider apparatus 200. The invention is not limited to this. For example, when the line information acquisition unit 132 receives a user information acquisition request transmitted from the service provider apparatus 200, the invention is transmitted to the service provider apparatus 200. The service provider apparatus 200 designates a transmission item to be transmitted, and the user information transmission unit 133 transmits the transmission item specified by the service provider apparatus 200 to the service provider apparatus 200. Regardless of the specific transmission items to be sent to There.

[Service provider device 200]
The service provider apparatus 200 according to the first embodiment is configured by a general-purpose computer or the like, and as particularly closely related to the present invention, as shown in FIG. 2, a communication control I / F unit 210, a storage unit, 220 and a control unit 230.

  The communication control I / F unit 210 transmits / receives data to / from the network operator device 100 and the user device 300. Specifically, the communication control I / F unit 210 receives an SP site access request transmitted from the user device 300, transmits an SP site access response to the user device 300, and the network operator device 100. A user information acquisition request is transmitted to the network operator device 100, and a user information acquisition response is received from the network operator device 100. For example, the communication control I / F unit 210 includes a general interface and library for IP communication, and has a function of transmitting and receiving a control message related to connection.

  The storage unit 220 stores data used for various controls in the control unit 230, and particularly as closely related to the present invention, as shown in FIG. 2, a user management database unit 221 and a network operator management And a database unit 222.

  The user management database unit 221 stores user information related to the user of the user device 300 that is permitted to use the application service provided by the service provider device 200. Specifically, the user management database unit 221 receives the user information and the line information regarding the user of the user device 300 permitted to use the application service from the network operator device 100 by the service operator device 200. Then, the received user information and line information are stored in association with each other, and the stored user information and line information are used for processing by a user registration / authentication unit 234 described later. In the first embodiment, the user management database unit 221 stores a user account and user information in association with each other, and stores a user account and line information in association with each other as described below. The user account and the NW ID in the network operator apparatus 100 are stored in association with each other, and the RDBMS program or the like is operated to store the user information regarding the user of the user apparatus 300 in association with the line information. However, the present invention is not limited to this, and any database construction method may be used as long as user information is stored in association with line information.

  For example, as shown in FIG. 8, the user management database unit 221 according to the first embodiment includes a user account (see the column “SP user account”), user information (“contractor name”, “address”). (Refer to the billing address) ”,“ Credit card number ”, and“ Communication fee payment presence / absence ”columns) in association with each other.

  Here, in the first embodiment, the user account is a temporary user account created by the user account creation unit 232 or a user account in the network operator device 100 received from the network operator device 100. It is. In other words, in the first embodiment, the service provider device 200 creates a temporary account of the user before receiving the user information from the network provider device 100, and receives the temporary information after receiving the user information. Is replaced with a user account in the network operator device 100, the user management database unit 221 stores a temporary user account or a user account in the network operator device 100. Note that the present invention is not limited to this, and may be any case where the user account created by the user account creation unit 232 and the user account in the network operator device 100 are stored in association with each other. The user information is information stored as necessary when the service provider apparatus 200 receives the user information from the network provider apparatus 100.

  As shown in the first line of FIG. 8, for example, the user management database unit 221 uses the user information related to the user account “tarou” as the user information related to the user of the user device 300. And stores the same information as the user management database unit 121 in the network operator apparatus 100 in association with each other. Depending on the specific transmission items negotiated between the network operator apparatus 100 and the service provider apparatus 200 in advance, the user management database unit 121 in the network provider apparatus 100 and the user in the service provider apparatus 200 The data items managed by the management database unit 221 are different.

  Further, as shown in the fourth line of FIG. 8, for example, the user management database unit 221 stores user information related to the user account “kazu”, which is the user management database shown in FIG. It shows user information received from a network operator device 100 different from the network operator device 100 provided with the section 121.

  Further, for example, as shown in FIG. 9, the user management database unit 221 according to the first embodiment includes a user account (see the column “SP user account”) and line information (“line identifier”, “line identifier”). “Line accommodation position”, “line type”, “line speed”, and “line authentication information (password, etc.)”) are stored in association with each other. Here, the line information is information stored as necessary when the service provider apparatus 200 receives the line information from the network provider apparatus 100.

  As shown in the first line of FIG. 9, for example, the user management database unit 221 receives line information related to the user account “tarou” from the network operator apparatus 100 as line information related to the user of the user apparatus 300. Then, the same information as the user management database unit 121 in the network operator apparatus 100 is stored in association with each other. Similar to the user information, the user management database unit 121 and the service business in the network operator device 100 depend on the specific transmission items negotiated between the network operator device 100 and the service operator device 200 in advance. Data items managed by the user management database unit 221 in the user device 200 are different.

  As shown in the fourth line of FIG. 9, for example, the user management database unit 221 stores line information related to the user account “kazu”, which is shown in FIG. 5 as with the user information. The line information received from the network operator apparatus 100 different from the network operator apparatus 100 provided with the user management database unit 121 is shown.

  Further, for example, as shown in FIG. 10, the user management database unit 221 according to the first embodiment includes a user account (see “SP user account” column) and an NW ID (“NW ID” column). Reference) is stored in association with each other. Here, the NW ID is an identifier for identifying the network operator device 100 in the service operator device 200.

  As shown in the first line of FIG. 10, for example, the user management database unit 221 stores the user account “tarou” and the NW ID “100” in association with each other. As shown in the fourth line of FIG. 10, the NW ID associated with the user account “kazu” is “400”, which is the user information and line information related to the user account “kazu”. 4 shows that the user information and the line information are received from a network operator device 100 different from the network operator device 100 provided with the user management database unit 121 shown in FIGS.

  Further, the user management database unit 221 in the service provider apparatus 200 stores a user account in the network provider apparatus 100 in association with each other as shown in FIG. In the first embodiment, this is caused by using a method of sharing the user account in the network operator device 100 as an identifier between the network operator device 100 and the service operator device 200. Is not limited to this, and when using a method of sharing a user account in the service provider apparatus 200 as an identifier, an identifier to be shared, such as storing the user account in the service provider apparatus 200 in association with each other The contents to be stored differ depending on the type.

  The network operator management database unit 222 stores information regarding the network operator device 100. Specifically, as shown in FIG. 11, the network operator management database unit 222 includes NW ID (see “NW ID” column) and public key information (network operator) as information about the network operator device 100. The NW ID and public key information stored in association with the electronic certificate of the apparatus 100 (see the column of “public key information (electronic certificate, etc.)”) are stored in association with user registration / authentication described later. This is used for processing by the unit 234. Here, in the first embodiment, the public key information means that a trust relationship is established in advance between the network operator device 100 and the service operator device 200. This is public key information for verifying that the electronic signature signed by the network operator device 100 is valid.

  In the first embodiment, the case where the network operator management database unit 222 stores the public key information has been described. However, the present invention is not limited to this, for example, issued by a trusted third-party organization. In the method of verifying that the electronic signature is valid using the public key information, the network operator management database unit 222 does not need to store the public key information. In the first embodiment, the network operator management database unit 222 stores the NW ID and the public key information in association with each other by operating the RDBMS program. However, the present invention is not limited to this. As long as an identifier for identifying the network operator device 100 is stored, any database construction method may be used.

  The control unit 230 performs various controls in the service provider apparatus 200, and particularly those closely related to the present invention include an SP site access response unit 231, a user account creation unit 232, as shown in FIG. The user information acquisition request transmission unit 233 and the user registration / authentication unit 234 are provided. The user information acquisition request transmission unit 233 corresponds to the “user information acquisition request transmission unit” described in the claims, and the user registration / authentication unit 234 includes the “access” described in the claims. Corresponds to "control means".

  The SP site access response unit 231 responds to the SP site access request transmitted from the user device 300. Specifically, the SP site access response unit 231 receives, as an SP site access request from the user device 300, the URL (Uniform Resource Locator) of the SP site where the application service provided by the service provider device 200 is disclosed. Is received, the Web page is acquired, and the Web page is transmitted to the user device 300 as an SP site access response.

  For example, when the user of the user device 300 is not registered as a user, the SP site access response unit 231 uses a user as shown in FIG. 12 as a Web page to be transmitted to the user device 300. A web page that prompts a registration request is transmitted. The web page shown in FIG. 12 will be described. For example, the SP site access response unit 231 displays a web page displaying two icons, a “user registration” icon and a “user registration (using NW function)” icon. Acquired and when the user of the user device 300 clicks the “user registration” icon, the user information input by the user is transmitted to the service provider device 200 online. Is started from the network operator apparatus 100, but is transmitted from the network operator apparatus 100 when the user user 300 clicks the “user registration (use NW function)” icon. A process for performing user registration using the user information and the line information is started.

  Further, the SP site access response unit 231 displays the user information and the line information transmitted from the network operator device 100 when the “user registration (use NW function)” icon is clicked by the user. The processing for performing user registration is started, but if necessary, for example, the contract terms of the application service provided by the service provider device 200 are displayed on the Web page, or the usage as shown in FIG. Confirmation on whether or not the operator information may be transmitted from the network operator device 100 to the service operator device 200 is displayed on the Web page.

  The user account creation unit 232 creates a user account for the user of the user device 300. Specifically, when the user account creation unit 232 receives a user registration request from the user device 300, the user account creation unit 232 creates a temporary user account and stores the created temporary user account in the user management database unit 221. Remember. Here, in the first embodiment, a method of sharing the user account in the network operator device 100 as an identifier between the network operator device 100 and the service operator device 200 is used. Therefore, the temporary user account created by the user account creation unit 232 is replaced with the user account in the network operator device 100 when user registration is performed by the user registration / authentication unit 234 described later. . In addition, a method of maintaining a correspondence between the user account in the network operator device 100 and the temporary user account created by the user account creation unit 232 without replacing the user account in the network operator device 100, etc. Either is acceptable.

  The user information acquisition request transmission unit 233 transmits a user information acquisition request for requesting acquisition of user information of the user device 300 to the network operator device 100. Specifically, when a site access request is received from the user device 300, a user information acquisition request is transmitted to the network operator device 100 by redirect communication via the user device 300.

  Here, in the first embodiment, among the user information and the line information that the network operator device 100 manages in the user management database unit 121 between the network operator device 100 and the service operator device 200, a service is provided. Since it is assumed that a specific transmission item to be transmitted to the business entity apparatus 200 has been determined in advance, the user information acquisition request transmission unit 233 requests the network business apparatus apparatus 100 for the transmission item determined in advance. Shall be sent. In the first embodiment, a specific transmission item to be transmitted to the service provider apparatus 200 is determined in advance between the network provider apparatus 100 and the service provider apparatus 200. The invention is not limited to this. For example, when the user information acquisition request transmission unit 233 transmits a user information acquisition request, a specific transmission item to be transmitted to the service provider apparatus 200 is specified. Arrangements and designation timings of specific transmission items to be transmitted to the service provider apparatus 200 may be any.

  The user registration / authentication unit 234 controls site access using user information and line information. Specifically, the user registration / authentication unit 234 receives the user information and the line information of the user device 300 from the network operator device 100 through the redirect communication via the user device 300, and the user information And control site access using line information. For example, the user registration / authentication unit 234 in the first embodiment replaces the temporary account created by the user account creation unit 232 with the user account in the received network operator device 100 and uses it as site access control. Manage user information (eg, contractor name, address, credit card number, etc.) and line information (eg, line identifier, line accommodation location, line speed, etc.) and register as a user in the user device As a response, a Web page (Web page as shown in FIG. 14) for starting provision of the application service is transmitted.

  The user registration / authentication unit 234 according to the first embodiment satisfies the expiration date indicated in the expiration date information when the expiration date information is received from the network operator device 100 in addition to the user information and the line information. On the condition, site access is controlled using user information and line information. That is, for example, when the user registration / authentication unit 234 receives the expiration date information set in the order of several seconds or several tens of seconds as the expiration date information, the user registration / authentication unit 234 satisfies the expiration date indicated by several seconds or tens of seconds. On the condition, site access is controlled using user information and line information.

  In the first embodiment, when the user registration / authentication unit 234 receives the user information and the line information of the user device 300, the user registration and the line information are managed and used by the user device 300. Although the case where a Web page for starting provision of an application service is transmitted unconditionally as a user registration response has been described, the present invention is not limited to this. For example, the user registration / authentication unit 234 may When the user information and line information of the apparatus 300 are received, it is determined whether or not the application service can be provided based on the user information and the line information (for example, the application service is provided only to users over 20 years old) Application service only when connected from home, etc.) and user registration / authentication unit 234 Even when individually selecting application services to be provided according to user information and line information (for example, selecting and providing high-resolution video content when the line speed is high) The present invention can be similarly applied.

[Procedure for Processing by Service System According to First Embodiment]
Next, a processing procedure by the service system according to the first embodiment will be described with reference to FIG. FIG. 15 is a sequence diagram illustrating a processing procedure performed by the service system according to the first embodiment. Here, it is assumed that the network operator device 100 according to the first embodiment has previously registered the user of the user device 300 and permits the network connection of the user device 300. On the other hand, it is assumed that the service provider device 200 according to the first embodiment does not perform user registration for the user of the user device 300. That is, the user device 300 is in a state where it cannot receive the application service provided by the service provider device 200. In the following, a process in which the user device 300 connects to the network (see (1) in FIG. 15), a process in which the user device 300 accesses the SP site (see (2) in FIG. 15), The process in which the user device 300 performs user registration (see (3) in FIG. 15) will be described in order.

[(1) Network connection]
First, the authentication processing unit 131 in the network operator device 100 receives a network connection request from the user device 300 (step S1). Specifically, the authentication processing unit 131 in the network operator device 100 receives line authentication information (for example, a user account, a password, etc.) from the user device 300 as a network connection request.

  Next, the authentication processing unit 131 in the network operator device 100 performs authentication processing of the user device 300 (step S2). Specifically, the authentication processing unit 131 in the network operator device 100 receives the line authentication information received from the user device 300 and the line authentication information managed by the user management database unit 121 (for example, user account, password, etc.). ) And the user device 300 is authenticated.

  Then, the authentication processing unit 131 in the network operator device 100 transmits a network connection response to the user device 300 (step S3). Specifically, the authentication processing unit 131 in the network operator device 100 provides the user device 300 with an access path to a line (access network) for connecting to a network such as the Internet using PPPoE (Point to Point Protocol). over Ethernet (registered trademark)), and the IP address is issued and transmitted to the user apparatus 300. Also, the authentication processing unit 131 in the network operator device 100 stores the IP address assigned to the user device 300 in the user management database unit 121.

[(2) Access to SP site]
Subsequently, the user device 300 is connected to a network such as the Internet, and the SP site access response unit 231 in the service provider device 200 receives an SP site access request from the user device 300 (step S4). Specifically, the SP site access response unit 231 in the service provider device 200 receives an SP site URL (Uniform Resource Locator) or the like from the user device 300 as an SP site access request.

  Then, the SP site access response unit 231 in the service provider device 200 acquires a Web page (step S5). Specifically, the SP site access response unit 231 in the service provider device 200 acquires a Web page that prompts the user device 300 to make a user registration request.

  Then, the SP site access response unit 231 in the service provider device 200 transmits an SP site access response to the user device 300 (step S6). Specifically, the SP site access response unit 231 in the service provider device 200 transmits a Web page that prompts the user device 300 for a user registration request.

[(3) User registration]
Subsequently, the user account creation unit 232 in the service provider device 200 receives a user registration request from the user device 300 (step S7). Specifically, in the user device 300, the user registration request is received by one-clicking on an icon of a Web page that prompts the user registration request (such as “user registration”).

  Then, the user account creation unit 232 in the service provider device 200 creates a temporary user account (step S8).

  Next, the user information acquisition request transmission unit 233 in the service provider apparatus 200 sends a user information acquisition request for requesting acquisition of the user information of the user apparatus 300 to the network provider apparatus 100. To the user device 100 (step S9). Specifically, the user information acquisition request transmission unit 233 in the service provider apparatus 200 sends the user information acquisition request to the SP ID, the response destination URL, and the electronic signature by redirect communication via the user apparatus 300. At the same time, it is transmitted to the network operator apparatus 100.

  Then, the line information acquisition unit 132 in the network operator apparatus 100 identifies the line to which the user apparatus 300 is connected (Step S10), and acquires line information (Step S11).

  Next, the user information transmission unit 133 in the network operator device 100 acquires the user information and the line information associated with the line information acquired by specifying the line from the user management database unit 121 ( In step S12), user information and line information are transmitted to the service provider apparatus 200 by redirect communication via the user apparatus 300 (step S13). Specifically, the user information transmission unit 133 in the network operator device 100 sends the user information acquisition response to the network operator ID, the user account in the network operator device 100, the line information, the user information, the expiration date. , And the electronic signature are transmitted to the service provider apparatus 200.

  Then, the user registration / authentication unit 234 in the service provider device 200 controls site access using the user information and the line information (step S14). Specifically, the user registration / authentication unit 234 in the service provider apparatus 200 replaces the temporary account with the user account in the network provider 100 and manages the user information and the line information of the user account.

  Subsequently, the user registration / authentication unit 234 in the service provider device 200 transmits a user registration response to the user device 300 (step S15). Specifically, the user registration / authentication unit 234 in the service provider device 200 transmits a Web page for starting the provision of the application service to the user device 300 as a user registration response.

  As described above, the service system according to the first embodiment can realize highly reliable site access control in the service provider apparatus 200.

  In the first embodiment, the service provider device 200 receives a site access request (user registration request) from the user device 300 (step S7), and creates a user account in the service provider device 200. From (step S8), the service provider apparatus 200 has transmitted the user information acquisition request to the network provider apparatus 100 (step S9). However, the present invention is not limited to this, for example, The service provider apparatus 200 receives user information from the network provider apparatus 100 (step S13) and then creates a user account in the service provider apparatus 200. Any timing may be used.

[Effect of Example 1]
As described above, according to the first embodiment, the network operator device that controls the network connection by the user device and the service operator device that controls the site access by the user device are connected via the network. The network operator apparatus stores user information related to a user of a user apparatus that is permitted to connect to a network in association with line information related to a line to which the user apparatus is connected. When a user information acquisition request for requesting acquisition of user information of the user device is received from the user device by redirect communication via the user device, line information related to the line to which the user device is connected is acquired. Redirect communication that acquires user information associated with the acquired line information and passes through the user device Therefore, the user information is transmitted to the service provider device, and when the service provider device accepts a site access request from the user device, the user information of the user device is transmitted by redirect communication via the user device. When a user information acquisition request is sent to the network operator device and the user information of the user device is received from the network operator device by redirect communication via the user device, the user information is Since the site access is controlled by using the network, the user information stored in the network operator device is presented offline by the user together with the ID, such as a driver's license, and the identity of the user is confirmed. Since this is the user information at the time of user registration, the user information entered by the user is online. In as compared with the conventional technique that is sent to the service provider apparatus, the service provider apparatus, it is possible to realize a highly credible site access control.

  That is, for example, in a service provider device, user registration is performed using highly reliable user information received from the network provider device, or site access from a user device operated by the user who registered the user is performed. Or allow site access from user devices in one time without user registration (provided whether to provide various application services using highly reliable user information received from network operator devices) Can be judged).

  In addition, site access (for example, user registration) can be completed with a single click by the user of the user device, and information such as a user account and password for the service provider device can be obtained. It is no longer necessary to be managed by the user. Furthermore, if the user registration information between the user and the service provider is managed by the network provider device, the user registration information may be stored by the service provider device. Therefore, it is possible to perform site access control with high reliability and convenience.

  The service system according to the present invention makes it possible for the network operator operating the network operator device to expect user acquisition as the convenience of the user is improved. As a result of supporting user registration and user authentication between service providers and service providers (with provision of user information, line information, line authentication results, etc.) It becomes possible to expect. In addition, the service provider operating the service provider device uses the result of the line authentication provided by the network provider in combination with the user authentication (authorization) process performed by the service provider as necessary. Along with this, it is possible to improve the strength of user authentication (authorization), and to provide application services according to the line speed and location as the line information provided by the network operator is acquired. It becomes possible. In addition, the user can perform user registration and user authentication procedures with the service provider with a single click.

  Further, according to the first embodiment, the network operator device transmits line information to the service provider device in addition to the user information, and the service operator device adds the user information from the network operator device. When the line information is received, the site access is controlled using the user information and the line information. Therefore, the reliability of the service provider device is higher than the method of controlling the site access using only the user information. It is possible to realize highly sophisticated site access control.

  That is, it is possible to specify the location where the user device is connected, the line speed, etc. using the line information regarding the line to which the user device is connected. For example, depending on the location where the user device is connected, Do not allow site access according to the line speed to which the user device is connected, select the service to be provided depending on the location to which the user device is connected, or provide it according to the line speed to which the user device is connected It is possible to highly implement highly reliable site access control in the service provider device such as selecting a service to be performed. Specifically, when the connection location to the network specified by the line information is a place other than “home”, the provision of the auction service is not permitted, or the connection information is specified by the line information. When the line speed is high, it is possible to provide a high-resolution video content service.

  In addition, according to the first embodiment, the network operator device transmits the expiration date information indicating the expiration date of the user information to the service operator device in addition to the user information. When the expiration date information is received in addition to the user information from the user device, the site access is controlled using the user information on condition that the expiration date indicated in the expiration date information is satisfied. Compared to a technique in which the expiration date information is not transmitted when transmitting to the service provider apparatus, it is possible to safely implement highly reliable site access control in the service provider apparatus.

  That is, when the user information is transmitted to the service provider device, the method in which the expiration date information is not transmitted is used. For example, in redirect communication via the user device, the user device illegally uses the user information or other control information. There is a possibility that the user device that has obtained the information and illegally obtained the information may illegally access the site, but transmits the expiration date information (for example, the expiration date is set in the order of several seconds or several tens of seconds). Thus, since these fears can be avoided, highly reliable site access control can be safely realized in the service provider apparatus.

  In addition, according to the first embodiment, the network operator device transmits, in addition to the user information, an electronic signature signed by the network operator device to the service operator device. When receiving an electronic signature in addition to the user information, the site access is controlled using the user information on condition that the electronic signature is valid, so the user information is transmitted to the service provider device. In comparison with a method that does not transmit an electronic signature, highly reliable site access control can be safely realized in a service provider apparatus.

  That is, in the method of not transmitting an electronic signature when transmitting user information to a service provider device, for example, whether the transmitted user information is user information transmitted from a correct network operator device or not. Although it cannot be determined, an electronic signature is transmitted, and on condition that the electronic signature is valid (that is, it is determined that the user information has been transmitted from the correct network operator device, and the user information has been tampered with. Control of site access (after avoiding the possibility of denying the facts sent by network operator devices), it is possible to safely implement highly reliable site access control. .

  Further, according to the first embodiment, when the network operator apparatus receives an electronic signature signed by the service provider apparatus in addition to the user information acquisition request from the service provider apparatus, the electronic signature is valid. On the condition that the user information is transmitted to the service provider device, the service provider device transmits an electronic signature to the network provider device in addition to the user information acquisition request. Compared to a technique in which an electronic signature is not transmitted when transmitting to a network operator apparatus, it is possible to safely implement highly reliable site access control in the service provider apparatus.

  That is, in the method of not transmitting the electronic signature when transmitting the user information acquisition request to the network operator apparatus, for example, the user information acquisition request transmitted from the correct service provider apparatus is transmitted. It is not possible to determine whether or not the electronic signature is transmitted, and on the condition that the electronic signature is valid (that is, it is determined that the user information acquisition request is transmitted from the correct service provider device, Since it is judged that the user information acquisition request has not been tampered with and avoids the possibility of denying the fact that the service provider device has transmitted) High site access control can be realized safely.

  By the way, although the method of sharing the user account in the network operator device as an identifier between the network operator device and the service operator device has been described as the first embodiment, the present invention is not limited to this. Instead, the present invention can be similarly applied to a method of sharing temporary identification information (not a user account itself) that uniquely identifies transmission of user information from the network operator device to the service operator device. it can. Therefore, in the following, as a second embodiment, a technique for sharing temporary identification information that uniquely identifies transmission of user information will be described with reference to FIGS. A method for controlling the site access using the temporary identification information in the service provider apparatus in the SP service usage phase when the temporary identification information is shared in the user registration phase will be described in a third embodiment.

[Outline and Features of Service System According to Second Embodiment]
As described above, the service system according to the second embodiment does not share the user account in the network operator as an identifier between the network operator device and the service operator device. This is different from the first embodiment in that temporary identification information for uniquely identifying transmission of user information to a provider device is shared. Therefore, in the following, first, differences between the outline and features of the service system according to the second embodiment and the outline and features of the service system according to the first embodiment will be described with reference to FIG. FIG. 16 is a diagram for explaining the outline and features of the service system according to the second embodiment.

  As in the first embodiment, the service system according to the second embodiment first receives a network connection request at the network operator device, performs an authentication process, transmits a network connection response, and then at the service operator device. The SP site access request is received, the SP site access response is transmitted, the user registration request is received, and a user account is created (see (1) to (7) in FIG. 16). When the network operator apparatus according to the second embodiment receives a user information acquisition request for requesting acquisition of user information of the user apparatus from the service provider apparatus by redirect communication via the user apparatus ( (See (8) of FIG. 16) As in the first embodiment, the line information is acquired by specifying the line to which the user apparatus is connected, and the user information and the line associated with the acquired line information are obtained. Information is acquired from the user management DB (see (9) and (10) in FIG. 16), but unlike Example 1, transmission of user information from the network operator device to the service operator device is uniquely identified. As temporary identification information, temporary identification information (kana ID) is paid out (see (11) in FIG. 16).

  Then, the network operator device in the second embodiment transmits user information and line information to the service operator device by redirect communication via the user device as in the first embodiment, but unlike the first embodiment, In addition to the user information and the line information, the temporary identification information (kana ID) is transmitted to the service provider apparatus, and the service identification information (SP ID) and temporary identification information (kana ID) that uniquely identifies the service provider apparatus ) Is stored in the user management DB in association with the user information (see (12) in FIG. 16).

  Then, when the service provider apparatus in the second embodiment receives the user information of the user apparatus from the network provider apparatus by redirect communication via the user apparatus, the user information and the line are the same as in the first embodiment. Information is managed, but unlike the first embodiment, user information and line information are managed in association with temporary identification information (kana ID) (see (13) in FIG. 16). Thereafter, the service provider apparatus transmits a Web page for starting the provision of the application service as a user registration response to the user apparatus as in the first embodiment (see (14) in FIG. 16).

  In this way, in the service system according to the second embodiment, temporary identification information (for example, pseudonym ID, anonymous ID, etc.) associated with the same user is between the network provider device and the service provider device. It is possible to realize highly reliable site access control safely and efficiently compared to the method in which temporary identification information is not shared between the network provider device and the service provider device. become.

[Configuration of Service System According to Second Embodiment]
Next, the configuration of the service system according to the second embodiment will be described with reference to FIGS. 17 and 18. The service system according to the second embodiment is configured in substantially the same manner as the service system according to the first embodiment, but the user management database unit 121, the user information transmission unit 133, and the service provider device 200 in the network provider device 100. The user management database unit 221 and the user registration / authentication unit 234 are different from those in the first embodiment. In the following, the user management database unit 121, the user information transmission unit 133, the user management database unit 221 and the user registration / authentication unit 234 in the service provider device 200 are described with reference to FIGS. 18 will be described. FIG. 17 is a diagram for explaining a user management database unit in the network operator device, and FIG. 18 is a diagram for explaining a user management database unit in the service operator device.

  The user information transmission unit 133 in the network operator apparatus 100 transmits the user information and the line information to the service provider apparatus 200 as in the first embodiment. However, unlike the first embodiment, the user information transmission section 133 transmits the user information and the line information. In addition, temporary identification information (a pseudonym ID) that uniquely identifies transmission of user information is transmitted to the service provider apparatus 200. Further, unlike the first embodiment, the user information transmission unit 133 associates service identification information (SP ID) and temporary identification information (kana ID) uniquely identifying the service provider device 200 with the user information. Stored in the user management database unit 121.

  As shown in FIG. 17, the user management database unit 121 in the network operator apparatus 100 includes the user account (see the column “NW user account”) and the service provider apparatus 200 as in the first embodiment. SP ID (see “SP ID” column), which is service identification information uniquely identified, is stored in association with each other, but unlike the first embodiment, pseudonym ID (“kana ID” column), which is temporary identification information. Are stored in association with each other. For example, as shown in the first line of FIG. 17, the user management database unit 121 stores a user account “tarou”, an SP ID “3”, and a pseudonym ID “xxxx” in association with each other. In the embodiment, for convenience of explanation, the kana ID is represented by four alphabetic characters. However, in actuality, the kana ID is an arbitrary kana ID defined in the network operator device or the service operator device, and a specific alphabet or a combination thereof. There is no special meaning.

  The user registration / authentication unit 234 in the service provider device 200 controls site access (for example, user registration) using user information and line information, as in the first embodiment. When temporary identification information (a pseudonym ID) is received from the network operator apparatus 100 in addition to the user information and the line information, the user identification information for uniquely identifying the user requesting the site access ( For example, temporary identification information (a pseudonym ID) is stored in the user management database unit 221 in association with user information, line information, and the like.

  As shown in FIG. 18, the user management database unit 221 in the service provider device 200 has an NW ID (see the column “NW ID”) that uniquely identifies the network provider device 100, as in the first embodiment. However, unlike the first embodiment, the user account and the NW ID in the network operator device 100 are not stored in association with each other, and the pseudonym ID (refer to the column of “pseudony ID”) and the NW are not stored. The ID is stored in association with it. Although not shown, the user management database unit 221 stores the user information and the line information related to the user of the user device 300 in association with each other by operating the RDBMS program or the like. The information (kana ID) is stored not only in association with the NW ID but also in association with user identification information (for example, user information, line information, etc.) that uniquely identifies the user.

[Processing Procedure by Service System According to Second Embodiment]
Next, a processing procedure by the service system according to the second embodiment will be described with reference to FIG. FIG. 19 is a sequence diagram illustrating a processing procedure performed by the service system according to the second embodiment. As shown in FIG. 19, the procedure of the process by the service system according to the second embodiment is almost the same as the procedure of the process by the service system according to the first embodiment (see FIG. 15). ) (Step S13), user information acquisition response (step S14), and management of user information and line information (step S15) are different from the processing procedure by the service system according to the first embodiment. Hereinafter, the above steps S13 to S15 will be mainly described.

  First, in step S13, unlike the first embodiment, the user information transmission unit 133 in the network operator device 100 pays out temporary identification information (a pseudonym ID) that uniquely identifies transmission of user information, and the service operator device. Service identification information (SP ID) and temporary identification information (kana ID) that uniquely identify 200 are stored in the user management database unit 121 in association with user information.

  Next, the user information transmission unit 133 in the network operator device 100 transmits a user information acquisition response as in the first embodiment (step S14), but unlike the first embodiment, the network operator device is uniquely identified. In addition to the NW carrier ID (NW ID), the line information, the user information, the expiration date, and the electronic signature to be identified, temporary identification information (a pseudonym ID) is transmitted to the service carrier device 200, and the network carrier device 100 Do not send user accounts at.

  Then, the user registration / authentication unit 234 in the service provider apparatus 200 controls the site access using the user information and the line information as in the first embodiment (step S15), but unlike the first embodiment, Instead of replacing the temporary user account with the user account in the network operator apparatus 100, the temporary user account is replaced with temporary identification information (kana ID), and the user information and the line information of the user of the user apparatus are managed. In the second embodiment, the method of replacing the temporary user account with the temporary identification information (kana ID) has been described. However, the present invention is not limited to this. For example, the temporary account and the temporary identification information ( Any method may be used as long as it shares pseudo-identification information (a pseudonym ID) between the network operator device 100 and the service operator device 200, such as holding the Kana ID) in association with each other.

  In this way, in the service system according to the second embodiment, temporary identification information (for example, pseudonym ID, anonymous ID, etc.) associated with the same user is between the network provider device and the service provider device. It is possible to realize highly reliable site access control safely and efficiently compared to the method in which temporary identification information is not shared between the network provider device and the service provider device. become.

  In the second embodiment, the service provider device 200 receives a site access request (user registration request) from the user device 300 (step S7), and creates a user account in the service provider device 200. From (step S8), the service provider apparatus 200 has transmitted the user information acquisition request to the network provider apparatus 100 (step S9). However, the present invention is not limited to this, for example, The service provider device 200 receives user information from the network provider device 100 (step S14), and then creates a user account in the service provider device 200. Any timing may be used.

[Effect of Example 2]
As described above, according to the second embodiment, in addition to the effects of the first embodiment, in addition to the user information, the network operator device also provides temporary identification information that uniquely identifies transmission of user information. Is transmitted to the service provider device, and service identification information and temporary identification information for uniquely identifying the service provider device are stored in association with the user information, and the service provider device is used from the network provider device. When the temporary identification information is received in addition to the user information, the temporary identification information is stored in a predetermined storage means in association with the user identification information for uniquely identifying the user requesting the site access, and the network The provider device receives temporary identification information that requests acquisition of temporary identification information corresponding to the user information of the user device through redirect communication from the service provider device via the user device. When a request is received, line information related to the line to which the user apparatus is connected is acquired, temporary identification information associated with the acquired line information is acquired, and temporary communication is performed by redirect communication via the user apparatus. When the identification information is transmitted to the service provider device, and the service provider device receives a request for site access after user registration from the user device, the service provider device performs redirection communication via the user device to A temporary identification information acquisition request for requesting acquisition of temporary identification information corresponding to the user information is transmitted to the network operator device, and the user information of the user device is transmitted from the network operator device to the user device by redirect communication via the user device. When the corresponding temporary identification information is received, the user identification information corresponding to the temporary identification information is acquired from a predetermined storage means and signed. Since access is controlled, temporary identification information (for example, pseudonym ID, anonymous ID, etc.) associated with the same user is shared between the network operator device and the service operator device. Compared to a method in which the identification information is not shared between the network operator device and the service operator device, it becomes possible to realize highly reliable site access control in the service operator device safely and efficiently. .

  That is, since the temporary identification information is shared between the network provider device and the service provider device, it is possible to avoid the possibility of being subject to so-called name identification by other service providers. Compared with a method in which a user account using a part of the service account is shared, it is possible to safely implement highly reliable site access control in the service provider device.

  In addition, as a result of the provisional identification information being shared between the network operator device and the service operator device, the service operator device receives a request for site access after user registration from the user device, Since site access control can be performed with secure temporary identification information without user registration again, it is possible to safely and efficiently implement highly reliable site access control in the service provider apparatus.

  By the way, as Example 2 so far, transmission of user information from the network operator device to the service operator device is uniquely identified between the network operator device and the service operator device in the user registration phase. The method of sharing temporary identification information (not the user account itself) has been described. Next, as the third embodiment, when temporary identification information is shared in the user registration phase, the service is used in the SP service usage phase. A method of controlling site access using temporary identification information in the business entity apparatus will be described with reference to FIGS. 20 and 21. FIG.

[Outline and Features of Service System According to Embodiment 3]
As described above, the service system according to the third embodiment is different from the second embodiment in that it is not a user registration phase but an SP service usage phase. Hereinafter, the outline and characteristics of the service system according to the third embodiment will be described with reference to FIG. In addition, the process similar to Example 2 (phase of user registration) is demonstrated easily. FIG. 20 is a diagram for explaining the outline and features of the service system according to the third embodiment.

  Here, it is assumed that the network operator device in the third embodiment has previously registered the user of the user device and permits the network connection of the user device. In addition, it is assumed that the service provider device according to the third embodiment performs user registration for the user of the user device. That is, the user device is in a state where it can receive the application service provided by the service provider device by performing user authentication or the like by the service provider device.

  The network operator apparatus according to the third embodiment first receives a network connection request from the user apparatus (see (1) in FIG. 20). Next, the network operator device performs an authentication process in the network operator device (see (2) in FIG. 20). Then, the network operator device transmits a network connection response to the user device (see (3) in FIG. 20).

  As a result, the user device connects to a network such as the Internet, and then the service provider device receives an SP site access request from the user device (see (4) in FIG. 20). Then, the service provider device transmits an SP site access response to the user device (see (5) in FIG. 20). Specifically, the service provider device acquires a Web page and transmits the Web page as an SP site access response. Here, since the service provider apparatus in the third embodiment has registered the user of the user apparatus, the Web page transmitted to the user apparatus is a Web page that prompts the user to use the SP service. is there.

  Then, the service provider device receives the SP service use request from the user device (see (6) in FIG. 20). Specifically, the SP service use request is received by clicking on an icon of a Web page that prompts the user to use the SP service.

  Subsequently, the service provider device transmits a provisional identification information (a pseudonym ID) acquisition request to the network provider device (see (7) in FIG. 20). Specifically, the service provider device makes a provisional identification information acquisition request for requesting acquisition of temporary identification information (a pseudonym ID) corresponding to the user information of the user device by redirect communication via the user device. Sent to network operator device.

  Then, the network operator apparatus acquires line information regarding the line to which the user apparatus is connected (see (8) in FIG. 20). Specifically, the network operator device requests provisional identification requesting acquisition of temporary identification information (a pseudonym ID) corresponding to the user information of the user device from the service operator device by redirect communication via the user device. When the information acquisition request is received, the line information is acquired by specifying the line to which the user apparatus is connected.

  Next, the network operator device transmits temporary identification information associated with the line information to the service operator device (see (9) and (10) in FIG. 20). Specifically, the network operator device acquires temporary identification information associated with the line information acquired by specifying the line from the user management DB, and performs temporary communication by redirect communication via the user device. The identification information is transmitted to the service provider device. For example, in FIG. 20, the network operator device acquires the pseudonym ID (XXX) from the user management DB and transmits it to the service operator device.

  Subsequently, the service provider device acquires user identification information corresponding to the temporary identification information (kana ID) from the user management DB, and controls site access (see (11) and (12) in FIG. 20). reference). Specifically, when the service provider device receives temporary identification information (a pseudonym ID) corresponding to the user information of the user device from the network provider device by redirect communication via the user device, User identification information (for example, user information, line information, etc.) corresponding to the identification information (kana ID) is acquired from the user management DB, and user identification information (for example, user information, line information, etc.) is obtained. User authentication is used, and a service-provided Web page is transmitted to the user device as an SP service use response.

  In this way, in the service system according to the third embodiment, temporary identification information (for example, pseudonym ID, anonymous ID, etc.) associated with the same user is between the network provider device and the service provider device. Therefore, it is safer and more efficient to perform reliable site access control in the service provider device than in the method in which the temporary identification information is not shared between the network provider device and the service provider device. Can be realized.

[Configuration of Service System According to Embodiment 3]
Next, the configuration of the service system according to the third embodiment will be described. The service system according to the third embodiment is configured in substantially the same manner as the service system according to the second embodiment, but the functions necessary in the aspect of using the SP service are the line information acquisition unit 132 and the use in the network operator device 100. It is different from the second embodiment in that it is added to the user information transmission unit 133, the user information acquisition request transmission unit 233 in the service provider apparatus 200, and the user registration / authentication unit 234. Hereinafter, the line information acquisition unit 132, the user information transmission unit 133, the user information acquisition request transmission unit 233, and the user registration / authentication unit 234 in the service provider device 200 will be described.

  The line information acquisition unit 132 corresponds to the “line information acquisition unit” and the “post-registration line information acquisition unit” described in the claims, and the user information transmission unit 133 is described in the claims. Corresponding to “user information transmission means” and “temporary identification information transmission means”, the user information acquisition request transmission unit 233 corresponds to “user information acquisition request transmission means” and “temporary identification information acquisition request transmission means”. The user registration / authentication unit 234 corresponds to “access control means” and “post-registration access control means” recited in the claims.

  The line information acquisition unit 132 in the network provider apparatus 100 acquires line information related to the line to which the user apparatus 300 is connected, as in the second embodiment, but unlike the second embodiment, from the service provider apparatus 200, The user device 300 is also connected when a temporary identification information acquisition request for requesting acquisition of temporary identification information corresponding to the user information of the user device 300 is received by redirect communication via the user device 300. Get line information about the line.

  Similar to the second embodiment, the user information transmission unit 133 transmits temporary identification information (a pseudonym ID) uniquely identifying transmission of user information to the service provider apparatus 200 in addition to the user information and the line information. At the same time, service identification information and temporary identification information (temporary ID) for uniquely identifying the service provider apparatus 200 are stored in the user management database unit 121 in association with the user information. When the information acquisition unit 132 receives a temporary identification information acquisition request and acquires line information related to the line to which the user apparatus 300 is connected, temporary identification information associated with the line information (a pseudonym ID). Is obtained from the user management database unit 121, and the temporary identification information (pseudonym ID) is obtained by the redirect communication via the user device 300. To send to 0.

  The user information acquisition request transmission unit 233 in the service provider apparatus 200 transmits a user information acquisition request for requesting acquisition of user information of the user apparatus 300 to the network provider apparatus 100 as in the second embodiment. Unlike the second embodiment, when a request for site access after user registration is received from the user device 300, the user information of the user device 300 is handled by redirect communication via the user device 300. A temporary identification information acquisition request for requesting acquisition of temporary identification information (a pseudonym ID) is transmitted to the network operator apparatus 100.

  The user registration / authentication unit 234 controls site access using user information and line information as in the second embodiment. Unlike the second embodiment, the user registration / authentication unit 234 passes from the network operator device 100 via the user device 300. When the temporary identification information (kana ID) corresponding to the user information of the user device 300 is received by the redirect communication, the user identification information (for example, user information, kana ID) corresponding to the temporary identification information (kana ID) is received. Line information, etc.) is acquired from the user management database unit 221 to control site access.

[Processing Procedure by Service System According to Third Embodiment]
Next, a processing procedure by the service system according to the third embodiment will be described with reference to FIG. FIG. 21 is a sequence diagram illustrating a processing procedure performed by the service system according to the third embodiment. Here, it is assumed that the network operator device 100 according to the third embodiment has previously registered the user of the user device 300 and permits the network connection of the user device 300. In addition, it is assumed that the service provider device 200 according to the third embodiment performs user registration for the user of the user device 300. That is, the user device 300 is in a state where it can receive the application service provided by the service provider device 200 by performing user authentication or the like by the service provider device 200. In the following, a process in which the user device 300 connects to the network (see (1) in FIG. 21), a process in which the user device 300 accesses the SP site (see (2) in FIG. 21), Processing in which the user device 300 uses the SP service (see (3) in FIG. 21) will be described in order.

[(1) Network connection]
First, the authentication processing unit 131 in the network operator apparatus 100 receives a network connection request from the user apparatus 300 as in the second embodiment (step S1). Next, the authentication processing unit 131 in the network operator device 100 performs the authentication processing of the user device 300 as in the second embodiment (step S2). Then, the authentication processing unit 131 in the network operator device 100 transmits a network connection response to the user device 300 as in the second embodiment (step S3).

[(2) Access to SP site]
Subsequently, the user apparatus 300 is connected to a network such as the Internet as in the second embodiment, and the SP site access response unit 231 in the service provider apparatus 200 receives an SP site access request from the user apparatus 300. (Step S4). Then, the SP site access response unit 231 in the service provider device 200 acquires a Web page as in the second embodiment (step S5). However, unlike the second embodiment, the SP service access to the user device 300 is used. Get a web page to prompt.

  Then, the SP site access response unit 231 in the service provider device 200 transmits an SP site access response to the user device 300 as in the second embodiment (step S6). A Web page that prompts the user device 300 to use the SP service is transmitted.

[(3) SP service use]
Subsequently, the SP site access response unit 231 in the service provider device 200 receives the SP service use request from the user device 300 (step S7). Specifically, the user device 300 receives the SP service use request when the icon of the Web page that prompts the SP service use request is clicked once.

  Next, the user information acquisition request transmission unit 233 in the service provider device 200 requests the network provider device 100 to acquire temporary identification information (a pseudonym ID) corresponding to the user information of the user device 300. The temporary identification information acquisition request to be transmitted is transmitted to the network operator apparatus 100 (step S8). Specifically, the user information acquisition request transmission unit 233 in the service provider device 200 is a service that uniquely identifies the service provider device 200 by making a provisional identification information acquisition request by redirect communication via the user device 300. The identification information (SP ID), the response destination URL (Uniform Resource Locator), and the electronic signature are transmitted to the network operator apparatus 100.

  Then, the line information acquisition unit 132 in the network operator apparatus 100 identifies the line to which the user apparatus 300 is connected (step S9), and acquires line information (step S10). Specifically, the line information acquisition unit 132 in the network operator device 100 performs provisional identification information (a pseudonym) corresponding to the user information of the user device 300 by redirect communication from the service operator device 200 via the user device 300. When a temporary identification information acquisition request requesting acquisition of (ID) is received, line information regarding the line to which the user apparatus 300 is connected is acquired.

  Next, the user information transmission unit 133 in the network operator device 100 acquires temporary identification information (a pseudonym ID) associated with the line information acquired by specifying the line from the user management database unit 121. (Step S11), provisional identification information (a pseudonym ID) is transmitted to the service provider apparatus 200 by redirect communication via the user apparatus 300 (Step S12). Specifically, the user information transmission unit 133 in the network operator device 100 sends a temporary identification information acquisition response to the network operator ID (NW ID), temporary identification information (a pseudonym ID) that uniquely identifies the network operator device. ) And the electronic signature are transmitted to the service provider apparatus 200.

  Then, the user registration / authentication unit 234 in the service provider apparatus 200 acquires user identification information corresponding to the temporary identification information (pseudonym ID) from the user management database unit 221 and controls site access (step). S13 and S14). Specifically, the user registration / authentication unit 234 in the service provider device 200 provides temporary identification information corresponding to the user information of the user device 300 through redirect communication from the network provider device 100 via the user device 300. When (kana ID) is received, user identification information (for example, user information, line information, etc.) corresponding to the kana ID is acquired from the user management database unit 221 and the user information and line information are used. User authentication.

  Subsequently, the user registration / authentication unit 234 in the service provider device 200 transmits an SP service use response to the user device 300 (step S15). Specifically, the user registration / authentication unit 234 in the service provider apparatus 200 transmits a Web page for starting the provision of the application service to the user apparatus 300 as an SP service use response.

  In this way, in the service system according to the third embodiment, temporary identification information (for example, pseudonym ID, anonymous ID, etc.) associated with the same user is between the network provider device and the service provider device. Therefore, it is safer and more efficient to perform reliable site access control in the service provider device than in the method in which the temporary identification information is not shared between the network provider device and the service provider device. Can be realized.

[Effect of Example 3]
As described above, according to the third embodiment, in the same manner as the above-described second embodiment, in addition to the user information, the network operator device provides temporary identification information that uniquely identifies transmission of user information. In addition to transmitting to the service provider device, service identification information and provisional identification information for uniquely identifying the service provider device are stored in association with the user information, and the service provider device is transmitted from the network provider device to the user. When temporary identification information is received in addition to the information, the temporary identification information is stored in a predetermined storage means in association with the user identification information that uniquely identifies the user who is requesting site access. The user device receives temporary identification information that requests acquisition of temporary identification information corresponding to the user information of the user device by redirect communication from the service provider device via the user device. When a request is received, line information related to the line to which the user apparatus is connected is acquired, temporary identification information associated with the acquired line information is acquired, and temporary communication is performed by redirect communication via the user apparatus. When the identification information is transmitted to the service provider device, and the service provider device receives a request for site access after user registration from the user device, the service provider device performs redirection communication via the user device to A temporary identification information acquisition request for requesting acquisition of temporary identification information corresponding to the user information is transmitted to the network operator device, and the user information of the user device is transmitted from the network operator device to the user device by redirect communication via the user device. When the corresponding temporary identification information is received, the user identification information corresponding to the temporary identification information is acquired from a predetermined storage means and signed. Since access is controlled, temporary identification information (for example, pseudonym ID, anonymous ID, etc.) associated with the same user is shared between the network operator device and the service operator device. Compared to a method in which the identification information is not shared between the network operator device and the service operator device, it becomes possible to realize highly reliable site access control in the service operator device safely and efficiently. .

  That is, since the temporary identification information is shared between the network provider device and the service provider device, it is possible to avoid the possibility of being subject to so-called name identification by other service providers. Compared with a method in which a user account using a part of the service account is shared, it is possible to safely implement highly reliable site access control in the service provider device.

  In addition, as a result of the provisional identification information being shared between the network operator device and the service operator device, the service operator device receives a request for site access after user registration from the user device, Since site access control can be performed with secure temporary identification information without user registration again, it is possible to safely and efficiently implement highly reliable site access control in the service provider apparatus.

  By the way, although the service system in Example 1- Example 3 was demonstrated so far, this invention may be implemented with a various different form other than an above-described Example. Therefore, different embodiments will be described below as service systems in the fourth embodiment.

[User Registration]
In the above-described first to third embodiments, the application service provided by the service provider apparatus 200 is a type of application service that can be provided by performing permanent user registration (a permanent user account is issued, However, the present invention is not limited to this. For example, a type of application service that can be provided by performing one-time user authentication (without issuing a user account and connecting) This is also available for application services that can be provided by registering users with an expiration date (providing user accounts with expiration dates and providing application services with expiration dates). The invention can be applied in the same way That. For example, in the case of an application service of a type that can be provided by performing one-time user authentication, the user information and the line information are utilized when the application service is provided and when the application service to be provided is selected. However, it is not always necessary to manage user information and line information in the service provider apparatus.

[Acquire User Information]
In the above-described first to third embodiments, the user information transmission unit 133 in the network operator device 100 transmits the line information to the service operator device 200 in addition to the user information. The method for controlling the site access using the user information and the line information when the user registration / authentication unit 234 receives the line information in addition to the user information from the service provider apparatus 200 has been described. The invention is not limited to this, and the user information transmitting unit 133 in the network operator apparatus 100 transmits only the user information to the service provider apparatus 200, and the user registration / authentication unit in the service provider apparatus 200 is provided. 234 receives the user information only from the service provider device 200, the site access is performed using the user information. And the user information transmission unit 133 in the network operator apparatus 100 transmits line information to the service provider apparatus 200 in addition to the user information, and user registration / authentication in the service provider apparatus 200 is performed. When the unit 234 receives line information in addition to user information from the service provider apparatus 200, the present invention can be similarly applied to a method of controlling site access using only user information. it can.

  In the above-described first to third embodiments, the user information transmission unit 133 in the network operator device 100 provides the expiration date information indicating the expiration date of the user information in addition to the user information. When the user registration / authentication unit 234 in the service provider device 200 receives the expiration date information in addition to the user information from the network provider device 100, the expiration date indicated in the expiration date information is transmitted to the device 200. However, the present invention is not limited to this, and the user information transmission unit 133 in the network operator device 100 is effective. Only the user information is transmitted to the service provider apparatus 200 without transmitting the time limit information, and the user registration in the service provider apparatus 200 is performed. Authentication unit 234, regardless of the expiry date, to a technique for controlling the site accessed using the user information, it is possible to apply the present invention likewise.

  In the above-described first to third embodiments, the user information transmission unit 133 in the network operator device 100 adds to the service operator device 200 an electronic signature signed by the network operator in addition to the user information. And when the user registration / authentication unit 234 in the service provider apparatus 200 receives an electronic signature in addition to the user information from the network provider apparatus 100, it is used on condition that the electronic signature is valid. Although the method for controlling the site access using the user information has been described, the present invention is not limited to this, and the user information transmitting unit 133 in the network operator device 100 does not transmit the electronic signature, but the user information. Only to the service provider apparatus 200, and the user registration / authentication unit 234 in the service provider apparatus 200 outputs an electronic signature. Razz, also a technique for controlling the site accessed using the user information, it is possible to apply the present invention likewise.

  In the above-described first to third embodiments, the user information transmission unit 133 in the network operator apparatus 100 performs an electronic signature signed by the service provider in addition to the user information acquisition request from the service provider apparatus 200. When the signature is received, the user information is transmitted to the service provider device 200 on the condition that the electronic signature is valid, and the user information acquisition request unit 233 in the service provider device 200 acquires the user information. In addition to the request, the method of transmitting the electronic signature to the network operator apparatus 100 has been described. However, the present invention is not limited to this, and the user information transmission unit 133 in the network operator apparatus 100 can generate the electronic signature. Regardless, the user information is transmitted to the service provider apparatus 200, and the user information acquisition request unit 2 in the service provider apparatus 200 is transmitted. 3 is also a technique for transmitting only without sending an electronic signature user information acquisition request to the network operator system 100, it is possible to apply the present invention likewise.

[Line information]
In the first to third embodiments described above, the method using the line identifier, the line accommodation position, the line type, the line speed, and the line authentication information as the line information has been described. It is not limited, and it is related to the line such as a method using a logical number (telephone number, IP address, etc.) given to the line as a line information, a method using a line installation location (address, latitude / longitude, etc.) Any method using information may be used.

[System configuration, etc.]
In the above-described first to third embodiments, the service provider apparatus 200 holds the user management database unit 221 and manages user information, line information, and the like related to the user of the user apparatus 300. Although the case has been described, the present invention is not limited to this, and the service provider apparatus 200 does not manage user information, line information, and the like related to the user of the user apparatus 300, and the network provider apparatus 100 The present invention can be similarly applied to the case where only the management is performed.

  In addition, among the processes described in the above-described embodiments, all or part of the processes described as being automatically performed (for example, transmission of an electronic signature) is manually performed (for example, transmission of an electronic signature is performed). A confirmation screen as to whether or not to do so can be output to a monitor or the like, and after the operator inputs confirmation consent, an electronic signature can be transmitted). In addition, the processing procedure, control procedure, specific name, and information including various data and parameters shown in the above-described document and drawings can be arbitrarily changed unless otherwise specified.

  Further, each component of each illustrated apparatus is functionally conceptual, and does not necessarily need to be physically configured as illustrated. That is, the specific form of distribution / integration of each device is not limited to the one shown in the figure (for example, FIG. 2), and all or a part thereof can function in arbitrary units according to various loads and usage conditions. (For example, the user management database unit 121 and the service provider management database unit 122 are constructed with a single database). Further, all or any part of each processing function performed in each device may be realized by a CPU and a program analyzed and executed by the CPU, or may be realized as hardware by wired logic.

  The service system control method (FIGS. 15, 19, and 21) described in the above embodiments can be realized by executing a program prepared in advance on a computer such as a personal computer or a workstation. . This program can be distributed via a network such as the Internet. The program can also be executed by being recorded on a computer-readable recording medium such as a hard disk, a flexible disk (FD), a CD-ROM, an MO, and a DVD and being read from the recording medium by the computer.

  As described above, the service system and the service system control method according to the present invention include a network operator device that controls network connection by a user device, and a service operator device that controls site access by the user device. It is useful to be connected via a network, and is particularly suitable for realizing highly reliable site access control in a service provider apparatus.

BRIEF DESCRIPTION OF THE DRAWINGS FIG. 1 is a diagram for explaining an overview and features of a service system according to a first embodiment. 1 is a block diagram illustrating a configuration of a service system according to Embodiment 1. FIG. It is a figure for demonstrating the user management database part in a network provider apparatus. It is a figure for demonstrating the user management database part in a network provider apparatus. It is a figure for demonstrating the user management database part in a network provider apparatus. It is a figure for demonstrating the user management database part in a network provider apparatus. It is a figure for demonstrating a service provider management database part. It is a figure for demonstrating the user management database part in a service provider apparatus. It is a figure for demonstrating the user management database part in a service provider apparatus. It is a figure for demonstrating the user management database part in a service provider apparatus. It is a figure for demonstrating a network provider management database part. It is a figure for demonstrating the web page which a service provider apparatus transmits to a user apparatus. It is a figure for demonstrating the web page which a service provider apparatus transmits to a user apparatus. It is a figure for demonstrating the web page which a service provider apparatus transmits to a user apparatus. It is a sequence diagram which shows the procedure of the process by the service system which concerns on Example 1. FIG. It is a figure for demonstrating the outline | summary and the characteristic of the service system which concerns on Example 2. FIG. It is a figure for demonstrating the user management database part in a network provider apparatus. It is a figure for demonstrating the user management database part in a service provider apparatus. FIG. 10 is a sequence diagram illustrating a processing procedure performed by a service system according to a second embodiment. It is a figure for demonstrating the outline | summary and the characteristic of the service system which concerns on Example 3. FIG. FIG. 10 is a sequence diagram illustrating a processing procedure performed by a service system according to a third embodiment.

Explanation of symbols

DESCRIPTION OF SYMBOLS 100 Network provider apparatus 110 Communication control I / F part 120 Storage part 121 User management database part 122 Service provider management database part 130 Control part 131 Authentication processing part 132 Line information acquisition part 133 User information transmission part 200 Service provider Device 210 Communication control I / F unit 220 Storage unit 221 User management database unit 222 Network operator management database unit 230 Control unit 231 SP site access response unit 232 User account creation unit 233 User information acquisition request transmission unit 234 User Registration / authentication unit 300 User device

Claims (7)

A service system in which a network operator device that controls network connection by a user device and a service operator device that controls site access by the user device are connected via a network,
The network operator device is:
User information storage means for storing user information relating to a user of the user device permitted to connect to the network in association with line information relating to a line to which the user device is connected;
The line to which the user device is connected when a user information acquisition request for requesting acquisition of user information of the user device is received from the service provider device by redirect communication via the user device Line information acquisition means for acquiring line information about,
User information associated with the line information acquired by the line information acquisition unit is acquired from the user information storage unit, and the user information is acquired by the redirect communication via the user device. User information transmitting means for transmitting to,
The service provider device is:
When a site access request is received from the user device, the network operator device issues a user information acquisition request for requesting acquisition of user information of the user device by redirect communication via the user device. A user information acquisition request transmitting means for transmitting to
An access control means for controlling the site access using the user information when the user information of the user device is received from the network operator device by redirect communication via the user device;
A service system characterized by comprising: In addition to the user information, the user information transmitting means transmits temporary identification information for uniquely identifying transmission of the user information to the service provider device, and uniquely identifies the service provider device. Service identification information and temporary identification information to be stored in the user information storage means in association with the user information,
When the access control means receives the temporary identification information in addition to the user information from the network operator device, the access control means uses the user identification information for uniquely identifying the user requesting the site access. Correspondingly storing the temporary identification information in a predetermined storage means,
The network operator device is:
When a temporary identification information acquisition request for requesting acquisition of temporary identification information corresponding to user information of the user device is received from the service provider device by redirect communication via the user device, the user device A post-registration line information acquisition means for acquiring line information about the line to which the
The temporary identification information associated with the line information acquired by the post-registration line information acquisition unit is acquired from the user information storage unit, and the temporary identification information is obtained by the redirect communication via the user device. Temporary identification information transmitting means for transmitting to the person device;
The service provider device is:
When a request for site access after user registration is received from the user device, a request for acquisition of temporary identification information corresponding to the user information of the user device is made by redirect communication via the user device. Temporary identification information acquisition request transmission means for transmitting a temporary identification information acquisition request to the network operator device;
When temporary identification information corresponding to the user information of the user device is received from the network operator device by redirect communication via the user device, the user identification information corresponding to the temporary identification information is set to the predetermined information. A post-registration access control means for controlling the site access obtained from the storage means,
The service system according to claim 1, further comprising: The user information transmitting means transmits the line information to the service provider device in addition to the user information,
The access control means, when receiving the line information in addition to the user information from the network operator device, controls the site access using the user information and the line information. Item 4. The service system according to Item 1. In addition to the user information, the user information transmitting means transmits expiration date information indicating an expiration date of the user information to the service provider device,
When the access control means receives the expiration date information in addition to the user information from the network operator device, the access control means sets the user information on the condition that the expiration date indicated in the expiration date information is satisfied. The service system according to claim 1, wherein the site access is controlled by using the service system. The user information transmission means transmits, in addition to the user information, an electronic signature signed by the network operator device to the service operator device,
The access control means, when receiving the electronic signature in addition to the user information from the network operator device, uses the user information to access the site on the condition that the electronic signature is valid. The service system according to claim 1, wherein the service system is controlled. The user information transmission means, on receiving the electronic signature signed by the service provider device in addition to the user information acquisition request from the service provider device, on condition that the electronic signature is valid And transmitting the user information to the service provider device,
The service system according to claim 1, wherein the user information acquisition request transmission unit transmits the electronic signature to the network operator device in addition to the user information acquisition request. A service system control method for controlling a service system in which a network operator device that controls network connection by a user device and a service operator device that controls site access by the user device are connected via a network. And
The network operator device is:
A user information storage step of storing user information related to a user of a user device permitted to be connected to the network in association with line information related to a line to which the user device is connected;
The line to which the user device is connected when a user information acquisition request for requesting acquisition of user information of the user device is received from the service provider device by redirect communication via the user device Line information acquisition process for acquiring line information about
User information associated with the line information acquired in the line information acquisition step is acquired from the user information storage step, and the user information is obtained by the redirect communication via the user device. A user information transmission process to be transmitted to
The service provider device is:
When a site access request is received from the user device, the network operator device issues a user information acquisition request for requesting acquisition of user information of the user device by redirect communication via the user device. A user information acquisition request transmission step to be transmitted to,
An access control step of controlling the site access using the user information when the user information of the user device is received from the network operator device by redirect communication via the user device;
A service system control method comprising:

Images