JP2008077614A - Session management program and session management method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To enable a Web service session to cooperate with a general session. <P>SOLUTION: When a Web server device 20 transmits a temporary token associated with a Web service session ID to a Web client device 10 under Web service session through SOAP communication, and the Web client device 10 transmits the temporary token to the Web server device 20 through HTTP communication, the Web server device 20 determines whether the received temporary token is valid or not. When the temporary token is valid, the Web server device 20 issues a general session ID to the client device 10, transmits it as cookie information, and stores the general session ID in association with the Web service session ID associated with the temporary token. <P>COPYRIGHT: (C)2008,JPO&INPIT

Description

  The present invention relates to a session management program and a session management method for managing a web service session and a normal session.

  As is well known, a web service, in a broad sense, refers to all services provided on the Internet, but in a narrow sense, a web server or web client uses applications and software components distributed on the Internet. A service to make it available. Note that the term web service is used in a narrow sense in practice.

  In recent years, by building web services based on resources such as business databases, payment systems, rental servers, rental bulletin boards, CGI (Common Gateway Interface) programs, and web page data distributed on the Internet, It is becoming mainstream (Non-Patent Document 1).

  As a result of the development competition of technologies related to web services, many web services are created based on XML data created based on the XML (eXtensible Markup Language) schema or based on WSDL (Web Services Description Language). The WSDL data is exchanged according to XML-related communication rules such as SOAP [Simple Object Access Protocol] (trademark of Microsoft Corporation and Userland Software Corporation) and XMLLP [XML Protocol]. These are de facto standard specifications.

  However, conceptually, web servers and web clients apply web-related standard technologies (TCP / IP [Transmission Control Protocol / Internet Protocol], HTTP [HyperText Transfer Protocol], HTML [HyperText Markup Language], etc.). Any technology that makes available distributed resources can be a web service specification.

Tomio Amano, “Business model of web services to search from examples”, [online], May 14, 2002, XML Consortium, [Search September 5, 2006], Internet <URL: http: // www. xmlconsortium.org/websv/kaisetsu/A5/main.html>

  By the way, there is a conventional session management technique using a cookie function. In this technique, a web server issues a session ID [Identification] to a web client and transmits it as cookie information, while the web client performs a session for each access during a session to the same web server. The ID is notified to the web server as cookie information. This allows the web server to manage which web client is in session.

  On the other hand, recently, in order to prevent damage caused by impersonation etc. for web services, it is considered that access restriction by session management is necessary. Therefore, session management technology for web services is gradually being developed. In the technology being developed, when a web client operator accesses one of the web servers, a web service for session management prepared in advance in the web server performs an authentication process. ing. In the authentication process, the session management web service requests password information from the web client, and issues the session ID to the web client when the same password information can be detected from a database prepared in advance. . During a session for the same web server, the web client notifies the web server of the session ID each time a web service is called. This allows the web server to manage which web clients are in the middle of a web service session.

  As described above, it is becoming possible to impose access restrictions by session management not only in normal HTTP communication but also in XML-related communication.

  At present, access from the same web browser must be managed as a separate session according to the communication path, but the user performs normal web access and web service access through the same web browser. In doing so, it is considered desirable for the normal session to be conducted in conjunction with the web service session.

  The present invention has been made in view of such circumstances, and a problem thereof is to enable a web service session and a normal session to be linked.

  A session management program devised to solve the above problems is a session management program for managing a web service session and a normal session with a web client, and the computer is connected to any web client. First receiving means for receiving an access request through XML-related communication, and when the first receiving means receives an access request, a session ID of a web service session is issued, and the web service session ID is sent to the web client through XML-related communication. The first session ID issuing means for sending, and receiving a web service call request from any web client together with the web service session ID issued by the first session ID issuing means through XML-related communication The web service session management means that permits the web service call, and the web service that the web service session management means permits the call is a web service that notifies the location information of the web application as a processing result, A temporary token issuing means for issuing a temporary token and transmitting the processing result of the web service together with the temporary token to the web client through XML-related communication; the temporary token issued by the temporary token issuing means; and the web service session management Storage means for associating and storing the web service session ID received by the means in the storage device; from any web client, the temporary token issued by the temporary token issuing means and the location information indicated by the location information When an access request to the application is received through HTTP communication, a search unit that searches the storage device using the temporary token as a key, and a temporary token that is the same as the temporary token received from the web client by the search unit is stored in the storage A second session ID issuing means for issuing a normal session ID and transmitting the normal session ID as cookie information to the web client via HTTP communication when it can be detected from the device; and the search means in the storage device The temporary token ID identical to the temporary token ID received by the second session ID issuing means is made to function as an updating means for overwriting and updating with the normal session ID issued by the second session ID issuing means.

  In this way, a single token is associated with one web client by transmitting the temporary token associated with the web service session ID to the web client via XML-related communication and returning the temporary token via HTTP communication. By associating the web service session ID issued and the normal session ID, the web service session and the normal session can be managed as a common session.

  In addition, a session management method devised to solve the above problem is a session management method for managing a web service session and a normal session with a web client, wherein the computer A first acceptance procedure for accepting an access request from a client through XML-related communication. When an access request is accepted in the first acceptance procedure, a session ID of a web service session is issued, and the web service session ID is transmitted to the web through XML-related communication. A first session ID issuance procedure to be transmitted to the client, a web service call request is issued from any web client together with the web service session ID issued in the first session ID issuance procedure through XML-related communication. The web service session management procedure that allows the web service call to be accepted, and the web service that is permitted to be called in the web service session management procedure is a web service that notifies the location information of the web application as a processing result A temporary token issuing procedure for issuing a temporary token and transmitting a processing result of the web service together with the temporary token to the web client through XML-related communication, the temporary token issued in the temporary token issuing procedure, and the web service A storage procedure for associating the web service session ID received in the session management procedure with the storage device and storing it in the storage device, a temporary token issued in the temporary token issuing procedure from any web client In both cases, when an access request to the web application indicated by the location information is accepted through HTTP communication, a search procedure for searching the storage device using the temporary token as a key, the same as the temporary token received from the web client in the search procedure A second session ID issuance procedure for issuing a normal session ID and transmitting the normal session ID as cookie information to the web client through HTTP communication when the temporary token is detected from the storage device; and The storage device is characterized by executing an update procedure for overwriting and updating a temporary token ID identical to the temporary token ID received in the search procedure with a normal session ID issued in the second session ID issuing procedure. .

  Therefore, an apparatus for realizing this session management method functions in the same manner as a computer that operates the above-described session management program of the present invention.

  As described above, according to the present invention, the web service session and the normal session can be linked.

  Hereinafter, one embodiment for carrying out the present invention will be described with reference to the accompanying drawings.

  FIG. 1 is a configuration diagram of a computer network system according to the present embodiment.

  The computer network system according to this embodiment includes one or more web client devices 10 and a web server device 20. The devices 10 and 20 are connected to each other through a network so that they can communicate with each other.

  FIG. 2 is a configuration diagram of the web client device 10.

  The web client device 10 is a general personal computer to which a function as a web client is added. Accordingly, the web client device 10 includes a display device 10a such as a liquid crystal display, an input device 10b such as a keyboard and a mouse, and a main body to which these devices 10a and 10b are connected. The main body includes a storage 10c, a CPU 10d, a DRAM 10e, and a communication adapter 10f. Among these, the storage 10c is a storage device that stores various programs and data. The CPU 10d is an arithmetic processing unit that performs processing according to a program in the storage 10c. The DRAM 10e is a volatile storage device in which programs are cached and work areas are expanded when the CPU 10d performs processing. The communication adapter 10f is a communication device for exchanging data with other computers on the network N.

  In addition, an HTTP client 11, a SOAP client 12, and a web browser 13 are installed in the storage 10c of the web client device 10. FIG. 2 shows a state where these programs 11 to 13 are expanded in the DRAM 10e.

  The HTTP client 11 is a program for exchanging HTTP messages with an HTTP server on another computer in accordance with HTTP [HyperText Transfer Protocol].

  The SOAP client 12 is a program for exchanging a SOAP message (SOAP envelope) with a SOAP server on another computer in accordance with SOAP [Simple Object Access Protocol]. Note that since SOAP exists in an upper layer of HTTP in the communication protocol system, the SOAP message is actually exchanged with an HTTP header attached.

  In response to an instruction from the operator, the web browser 13 acquires various data from the web server device 20 on the network N, and stores the data in its data format (for example, HTML [HyperText Markup Language], XML [eXtensible Markup Language]. ], DIB [Device Independent Bitmap], PNG [Portable Network Graphics]), and application software for displaying content in which characters and images are appropriately arranged based on the analysis result. The web browser 13 uses the communication functions of the HTTP client 11 and the SOAP client 12 when acquiring various data from the web server device 20. Note that the web browser 13 of the present embodiment has a cookie function. The cookie function is a function that stores cookie information received from a web server and always sends back the cookie information when accessing the web server.

  FIG. 3 is a configuration diagram of the web server device 20.

  The web server device 20 is a general-purpose computer to which a function as a web server is added. Accordingly, the web server device 20 includes at least a storage 20a, a CPU 20b, a DRAM 20c, and a communication adapter 20d.

  In addition, a web resource 21, an HTTP server 22, a web application 23, a SOAP server 24, a URL notification service 25, a security token service 26, and a session management application 27 are installed in the storage 20a of the web server device 20. . FIG. 3 shows a state in which the programs 22 to 27 excluding the web resource 21 are expanded in the DRAM 20c.

  The web resource 21 is data such as HTML data and image data provided to other computers through a network. Each web resource 21 is assigned a unique URL [Uniform Resource Locator], and the web resource 21 is delivered to the web client device 20 in response to a request. In the present embodiment, for convenience of explanation, it is assumed that the web resource 21 includes image data of an explanation presentation image.

  The HTTP server 22 is a program for exchanging HTTP messages with the HTTP client 11 on another computer. More specifically, when receiving an HTTP request message from the HTTP client 11, the HTTP server 22 acquires the web resource 21 at the URL specified in the HTTP request message from the storage 20a, and includes the acquired data. The HTTP response message is transmitted to the requesting HTTP client 11. Alternatively, if the HTTP server 22 includes a start command for the web application 23 in the URL or the like, or if the web resource 21 includes a script program to be executed by the web application 23, the HTTP server 22 displays the web application 23. It starts up, acquires the processing result, and transmits an HTTP response message including the acquired data to the HTTP client 11 as the request source.

  The web application 23 is a program such as CGI [Common Gateway Interface] or JSP [Java Server Pages]. The CPU 20b executes processing in accordance with the web application 23 or in accordance with a script described in the web resource 21 using the function of the web application 23, and incorporates the processing result in the web resource 21 to execute HTTP. Delivered to the server 22. Examples of functions realized by the web application 23 include an electronic bulletin board, a blog, a counter, access analysis, a shopping cart, member management, and inventory management. In the present embodiment, for convenience of explanation, it is assumed that the web application 23 includes application software for displaying the image based on the image data of the explanation presentation image.

  The SOAP server 24 is a program for exchanging SOAP messages with the SOAP client 12 on another computer. More specifically, when the SOAP server 22 receives a SOAP request message from the SOAP client 12, the SOAP server 22 obtains information such as a method name and its argument for calling an RPC [Remote Procedure Call] from the body of the SOAP request message. Read and call a web service (application or software component) indicated by the URL in the method, and wait until a return value is obtained. When the SOAP server 24 obtains a return value from the web service, it returns a SOAP response message to the requesting SOAP client 12.

  The URL notification service 25 is a web service that notifies the URL of the web resource 21 when the web resource 21 in the web server device 20 is requested through SOAP communication.

  The security token service 26 is a web service for determining whether or not the operator of the web client device 10 is a person having a legitimate authority as a web service user. When the security token service 26 receives a web service call request from the web browser 13 on another computer through SOAP communication, the security token service 26 requests the operator of the web browser 13 for authentication information for authentication through SOAP communication. . The function of accepting this web service call request corresponds to the aforementioned first accepting means, and the execution of this function corresponds to the aforementioned first accepting procedure. When the security token service 26 receives the password information from the web browser 13 through SOAP communication, the security token service 26 searches a user database (not shown) using the password information as a key. When the password information matching the key is detected from a user database (not shown), the security token service 26 issues a web service session ID [Identification] and notifies the web browser 13 of this as a security context token. This web service session ID issuing function corresponds to the first session ID issuing means described above, and execution of this function corresponds to the first session ID issuing procedure described above. While the SOAP request message to which the web service session ID is added is sent from the web browser 13, the security token service 26 determines that the web browser 13 is in the middle of the web service session, and other web services Allow calls. This determination function corresponds to the web service session management means described above, and execution of this function corresponds to a web service session management procedure. The processing performed by the security token service 26 complies with the Web Service Secure Conversation [WS-Secure Conversation] standard and the Web Service Trust [WS-trust] standard that are being developed by IBM and Microsoft. It may be a thing.

  The session management application 27 is application software for managing a session of the web client device 10 that has accessed the web server device 20. Details of processing executed by the CPU 20b in accordance with the session management application 27 will be described later.

  Next, the flow of processing in each of the devices 10 and 20 when the operator of the web client device 10 accesses the web server device 20 will be described.

  4 and 5 are diagrams showing a flow of processing executed by the web client device 10 and the web server device 20 when a session is established.

  First, the operator of the web client device 10 activates the web browser 13 and accesses it by specifying the URL of the URL notification service 25. Then, as described above, the security token service 26 of the web server device 20 acquires the password information from the operator of the web browser 13 and performs an authentication process (steps S101 and S201).

  Then, after the web service session ID is issued and notified to the web client device 10 and the web service session is established, data for displaying a web page including a list of web resources 21 is received from the URL notification service 25. It is sent to the web browser 13 through SOAP communication (step S202). On the other hand, after the web service session is established, the web browser 13 waits for data to be sent (step S102; NO). When the web browser 13 receives the data (step S102; YES), the web browser 13 displays a list of web resources 21 on the display device 10a based on the received data (step S103), and waits until one is selected. (Step S104; NO).

  When the operator of the web client device 10 selects, for example, image data of an explanation presentation image from the list of web resources 21 (step S104; YES), the web browser 13 selects the selected web resource 21. The indicated information is notified to the URL notification service 25 through SOAP communication (step S105). On the other hand, after transmitting data for displaying a web page including a list of web resources 21, the URL notification service 25 waits for information indicating any of the web resources 21 (step S 203). NO). Then, when the information indicating the selected web resource 21 is notified (step S203; YES), the URL notification service 25 issues a temporary token (step S204). The temporary token is information used for bridging the web service session with the web service session ID and the normal session with the normal session ID. An example of the contents of this temporary token is “79 95 2f 7b 77 e5 28 6c 93 80 84 6d 14 56 fd 9f”. When such a temporary token is issued, the session management application 27 stores the temporary token, the web service session ID, and the issue time in association with each other in the work table (step S205). Then, the URL notification service 25 acquires the URL of the web application 23 for converting the selected web resource 21 into a data format that can be interpreted by the web browser 13, and adds a temporary token to the acquired URL (step S206). ), And transmits it to the web browser 13 through SOAP communication (step S207). Note that these steps S203, S204, S206, and S207 correspond to the aforementioned temporary token issuing procedure, and the CPU 10b that executes these steps corresponds to the aforementioned temporary token issuing means. Step S205 corresponds to the storage procedure described above, and the CPU 10b executing this step corresponds to the storage means described above.

  Here, the process of adding a temporary token to the URL will be specifically described. First, the temporary token exemplified above is base64-encoded and becomes “eZUve3flKGyTglRtFFb9nw ==”. This is further URL-encoded and becomes “eZUve3flKGyTglRtFFb9nw% 3D% 3D”. For example, if the URL is “http://example.com/ws.cgi”, the URL with the temporary token added is “http://example.com/ws.cgi?ott=eZUve3flKGyTglRtFFb9nw%3D% 3D ". Thus, in the present embodiment, the temporary token is added to the URL as a substitution value of the variable name “ott”.

  After notifying the information indicating the selected web resource 21, the web browser 13 waits for data to be sent (step S106; NO). When the URL is notified together with the temporary token (step S106; YES), the web browser 13 accesses the URL through HTTP communication (step S107). At this time, a temporary token is still added to the URL notified to the web server device 20 by being included in the HTTP message. On the other hand, after the URL notification service 25 notifies the URL, the web server device 20 waits for a temporary token to be sent through access to the URL (step S208; NO). Then, when the temporary token is delivered from the HTTP server 22 to the session management application 27 due to access to the URL by the web browser 13 (step S208; YES), the session management application 27 responds to the temporary token. Then, URL decoding and base64 decoding are sequentially performed. Thereafter, the session management application 27 searches the work table using the temporary token restored by the decoding as a key (step S209). Steps S208 and S209 correspond to the search procedure described above, and the CPU 10b that executes these steps corresponds to the search means described above. When the same temporary token can be detected from the work table (step S210; YES), the session management application 27 determines whether or not a predetermined time has elapsed from the issuance time of the temporary token (step S211). If the predetermined time has not elapsed since the issue time (step S211; YES), the session management application 27 issues a normal session ID (step S212), and rewrites the temporary token in the work table with the normal session ID. The normal session ID is stored (step S213), and then the normal session ID is transmitted as cookie information through HTTP communication (step S214). Here, FIG. 6 is a diagram illustrating an example of a work table. As shown in FIG. 6, each record in the work table has fields of “web service session ID”, “normal session ID”, and “issue time”. A security context token is recorded in the “Web service session ID” field, cookie information is recorded in the “normal session ID” field, and the issue time of the temporary token is recorded in the “issue time” field. . Steps S210 to S212 and S214 correspond to the above-described second session ID issuing procedure, and the CPU 10b executing these steps corresponds to the above-described second session ID issuing means. Step S205 corresponds to the update procedure described above, and the CPU 20b executing this step corresponds to the update means described above.

  After requesting the processing result of the web application 23 at the URL notified with the temporary token, the web browser 13 waits for data to be sent (step S108; NO). When the normal session ID is sent as cookie information (step S108; YES), the web browser 13 stores the sent cookie information (step S109). Thus, the normal session is established by storing the normal session ID as cookie information. That is, thereafter, the web browser 13 always notifies the normal session ID as cookie information when accessing the web server device 20 through HTTP communication until the logout is necessary.

  On the other hand, the session management application 27 detects that the same temporary token as the temporary token sent from the web browser 13 cannot be detected from the work table (step S210; NO), or the temporary token that can be detected from the work table. When a predetermined time has elapsed from the issue time (step S211; NO), the web browser 13 is notified of connection refusal through HTTP communication (step S215). In this case, the web browser 13 displays content indicating connection refusal on the display device 10a.

  In this way, the web service session with the web service session ID and the normal session with the normal session ID are both established and associated with each other.

  FIG. 7 is a diagram showing a flow of processing executed when the web client device 10 requests session destruction.

  As shown in FIG. 7, when the operator of the web client device 10 performs a logout action such as closing the web browser 13 while the web service session and the normal session are established, the web browser 13 A web service session discard request together with the web service session ID is transmitted to the web server device 20 via SOAP communication, or a normal session discard request together with the normal session ID is transmitted to the web server device 20 via HTTP communication (step S121).

  When the web server device 20 receives any session discard request (step S221; YES), the session management application 27 records a record (session information) including the web service session ID or the normal session ID related to the session discard request. Then, it is deleted from the work table of FIG. 6 (step S222). As a result, the web service session ID and the normal session ID are not associated with each other, and the web service session and the normal session themselves are discarded.

  As described above, according to the present embodiment, a web service session and a normal session are managed as a common session by associating the web service session ID and the normal session ID through a temporary token exchange. Will be able to. That is, the operator of the web client device 10 can start the normal session smoothly and safely after logging in to the web service session.

Configuration diagram of the computer network system of the present embodiment Configuration diagram of web client device Configuration diagram of web server device Diagram showing the flow of processing executed when a session is established Diagram showing the flow of processing executed when a session is established Diagram showing an example of a work table Diagram showing the flow of processing executed when a session is discarded

Explanation of symbols

10 Web client device 10c Storage 10d CPU
10e DRAM
10f Communication adapter 11 HTTP client 12 SOAP client 13 Web browser 20 Web server device 20a Storage 20b CPU
20c DRAM
20d Communication adapter 21 Web resource 22 HTTP server 23 Web application 24 SOAP server 25 URL notification service 26 Security token service 27 Session management application

Claims (5)

A session management program for managing a web service session and a normal session with a web client,
Computer
First accepting means for accepting an access request from any web client through XML-related communication;
A first session ID issuing means for issuing a session ID of a web service session and transmitting the web service session ID to the web client through XML-related communication when the first accepting means accepts an access request;
Web service session management means for allowing a web service call to be accepted when a web service call request is received from any web client together with the web service session ID issued by the first session ID issuing means through XML-related communication. ,
When the web service permitted to be called by the web service session management means is a web service that notifies the location information of the web application as a processing result, a temporary token is issued, and the processing result of the web service together with the temporary token A temporary token issuing means for transmitting the message to the web client through XML-related communication,
Storage means for associating the temporary token issued by the temporary token issuing means with the web service session ID accepted by the web service session management means in a storage device;
When an access request to the web application indicated by the location information is received from any web client together with the temporary token issued by the temporary token issuing means via HTTP communication, the storage device is searched using the temporary token as a key. Search means,
When a temporary token identical to the temporary token received from the web client by the search means can be detected from the storage device, a normal session ID is issued, and the normal session ID is sent to the web client as cookie information. A second session ID issuing means for transmitting through communication; and
In the storage device, the temporary token ID that is the same as the temporary token ID received by the search means is caused to function as an update means for overwriting and updating with a normal session ID issued by the second session ID issuing means. Session management program. The storage means stores the temporary token issued by the temporary token issuing means, the time when the temporary token is issued, and the web service session ID received by the web service session management means in association with each other in the storage device. And
The second session ID issuing means is a case where a temporary token identical to the temporary token received from the web client by the search means can be detected from the storage device, and a predetermined time has elapsed from the time of issuing the temporary token. 2. The session management program according to claim 1, wherein when not, a normal session ID is issued and the normal session ID is transmitted as cookie information to the web client via HTTP communication. Said computer further
When a session discard request is received together with the web service session ID issued by the first session ID issuing means from any web client, all information associated with the web service session ID and the web service session ID The session management program according to claim 1, wherein the session management unit deletes the information from the storage device. Said computer further
When a session discard request is received together with the normal session ID issued by the second session ID issuing means from any web client, the normal session ID and information associated with the normal session ID are 3. The session management program according to claim 1, wherein the session management program functions as session discarding means for deletion from the storage device. A session management method for managing a web service session and a normal session with a web client, comprising:
Computer
A first acceptance procedure for accepting an access request from any web client through XML-related communication;
A first session ID issuance procedure for issuing a session ID of a web service session and transmitting the web service session ID to the web client through XML-related communication when an access request is accepted in the first acceptance procedure;
Web service session management procedure for allowing a web service call to be accepted when a web service call request is received through an XML-related communication together with the web service session ID issued in the first session ID issuing procedure from any web client ,
When the web service permitted to be called in the web service session management procedure is a web service that notifies the location information of the web application as a processing result, a temporary token is issued, and the processing result of the web service together with the temporary token Issuance of temporary token to the web client through XML related communication,
A storage procedure for storing the temporary token issued in the temporary token issuing procedure in association with the web service session ID received in the web service session management procedure in a storage device;
When an access request to the web application indicated by the location information is received from any web client together with the temporary token issued in the temporary token issuing procedure through HTTP communication, the storage device is searched using the temporary token as a key. Search procedure,
When a temporary token identical to the temporary token received from the web client in the search procedure can be detected from the storage device, a normal session ID is issued, and the normal session ID is transmitted to the web client as cookie information. A second session ID issuing procedure to be transmitted through communication; and
In the storage device, an update procedure for overwriting and updating a temporary token ID identical to the temporary token ID received in the search procedure with a normal session ID issued in the second session ID issuing procedure is executed. Session management method.