JP2008097205A - Authentication system and authentication method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To acquire and authenticate data recorded in an IC card at a client side from a server side. <P>SOLUTION: A user terminal 10 is provided with an IC card reader 107 for reading user ID from an IC card and a storage device 103 for storing an ID reading program 11 for reading the user ID from the IC card by controlling the IC card reader 107. A portal server which provides a service transmits authentication screen data including a command to start an ID reading program 11 to a user terminal 10, and the user terminal 10 acquires the user ID from the IC card reader 107 by starting the ID reading program 11 in response to a command included in authentication screen data, and transmits the acquired user ID to the portal server. The portal server authenticates a user based on the user ID to be transmitted from the user terminal 10. <P>COPYRIGHT: (C)2008,JPO&INPIT

Description

  The present invention relates to an authentication system and an authentication method.

In recent years, in order to improve security in a computer system, an IC (Integrated Circuit) card having tamper resistance has been used for user authentication. For example, Patent Document 1 proposes a mechanism for preventing an unauthorized access to a host computer by storing an access code for the host computer in an IC card and reducing a user's key input.
Japanese Patent Laid-Open No. 7-200481

  However, in the system described in Patent Document 1, it is not considered to access a client-side IC card from a server-side host computer, and a user acquires data recorded on the IC card on the server side. Cannot be authenticated.

  The present invention has been made in view of such a background, and provides an authentication system and an authentication method capable of performing authentication by acquiring data recorded on a client-side IC card from a server side. With the goal.

  The invention according to claim 1 of the present invention for solving the above-mentioned problems is a user authentication system, and includes a client device operated by the user and a server device for performing user authentication. The client device is configured such that an IC card reader that reads the user ID from an IC card that stores a user ID that identifies the user, and controls the IC card reader to obtain the user ID from the IC card. A storage device for storing an ID reading program for reading, wherein the server device transmits authentication screen data, which is screen data including a command for starting the ID reading program, to the client device. The client device includes an authentication screen data receiving unit that receives the authentication screen data, and the authentication screen data. In response to the command, the ID reading program is started, the user ID read from the IC card reader is acquired by the ID reading program, and the acquired user ID is transmitted to the server device. A user ID transmission unit that performs authentication of the user based on the received user ID and a user ID reception unit that receives the user ID from the client device. A person authentication unit.

  According to the authentication system of the present invention, since the ID reading program is activated in the client device based on the authentication screen data transmitted from the server device, access from the server device to the IC card in the client device can be controlled. . That is, the server device can acquire the user ID recorded on the IC card by using the IC card reader included in the client device 10, and can authenticate the user based on the acquired user ID. .

  The invention according to claim 2 of the present invention is the authentication system according to claim 1, wherein the storage device provided in the client device includes a plug-in program that realizes the user ID transmission unit. The command stored in the authentication screen data includes information for specifying the plug-in program, and the client device displays a screen corresponding to the authentication screen data. And a screen display unit for starting the plug-in program specified by the command.

Moreover, invention of Claim 3 among this invention is an authentication system of Claim 1, Comprising: The said server apparatus is an authentication screen which inputs the user's authentication information while displaying the said user ID An authentication screen data transmitting unit for transmitting authentication screen data for displaying the authentication screen data to the client device, wherein the client device displays the authentication screen based on the authentication screen data, and the authentication screen An authentication information input unit that accepts input of the authentication information via an authentication information transmission unit that transmits the authentication information to the server device, and the user authentication unit includes the user ID and the client The user is authenticated based on the authentication information received from the apparatus.
In this case, the user can be authenticated based on both the user ID recorded on the IC card and the password known only to the user himself / herself. Therefore, for example, even if an attempt is made to authenticate by impersonating a user using another person's IC card, the authentication cannot be performed unless the password is known. be able to.

  Moreover, invention of Claim 4 among this invention is an authentication system of Claim 3, Comprising: The said server apparatus is a use which has the authority to perform the authentication based on the said user ID of another user. A special authority person storage unit for storing the user ID for identifying a user, and the user ID received by the user ID reception unit is registered in the special authority person storage unit, the authentication screen data The transmission unit transmits the authentication screen data for displaying the authentication screen for inputting both the user ID and the authentication information to the client device, and the user authentication unit has received the client device from the client device. The user is authenticated based on the user ID and the authentication information input on the authentication screen.

Moreover, invention of Claim 5 among this invention is an authentication system of Claim 1, Comprising: The said server apparatus is memorize | stored in the said IC card temporarily lent to the user. A lending information database that stores the user ID of 1 and the second user ID stored in the IC card owned by the user in association with each other, and the user ID receiving unit received A loan determination unit that determines whether the IC card is temporarily lent to a user depending on whether a user ID satisfies a predetermined condition, and the IC card temporarily rents the user If the second user ID corresponding to the user ID received from the client device is read from the lending information database and the read second usage is determined. A user ID acquisition unit for the ID and the user ID, and a further comprising a.
In this case, even if the user forgets the IC card, the user can be authenticated using the temporarily lent IC card.

Moreover, invention of Claim 6 among this invention is an authentication system of Claim 1, Comprising: The said user ID transmission part transmits the said user ID only to the said predetermined | prescribed server apparatus, and To do.
In this case, even if the ID reading program is executed illegally in the client device without being based on the authentication screen data, the user ID read from the IC card is transmitted only to a predetermined server device. Therefore, for example, since a general-purpose program is illegally used, data recorded on an IC card is not transmitted to another computer, so that the risk of user ID leakage is reduced. Can do.

The invention according to claim 7 of the present invention is the authentication system according to claim 1, wherein the client device transmits an authentication request instructing to perform user authentication to the server device. An authentication request transmission unit that stores the user ID in association with an address assigned to the client device, and the client device that is the transmission source of the authentication request. An address acquisition unit that acquires the address, and the user authentication unit corresponds to the address when the user ID corresponding to the acquired address is registered in the address management table. The user is authenticated based on the user ID.
In this case, since the server device can authenticate the user according to the address of the client device, the load related to the process of reading the user ID from the IC card can be reduced.

  Other problems and solutions to be disclosed by the present application will be made clear by the embodiments of the invention and the drawings.

  According to the present invention, it is possible to perform authentication by acquiring data recorded in the IC card on the client side from the server side.

  Hereinafter, an authentication system according to an embodiment of the present invention will be described. In the authentication system of this embodiment, it is assumed that a user is authenticated using an IC card prior to provision of an information processing service via the Web.

  The IC card stores identification information (hereinafter referred to as a card ID) of the IC card. Normally, the card ID stored in the IC card is used to identify the user carrying the IC card. (Hereinafter referred to as user ID). In the present embodiment, it is assumed that a lending IC card (hereinafter referred to as a lending card) is prepared, and if the user forgets to carry the IC card, a lending card is provided to the user. Lending is temporarily performed, and the user is authenticated using a loan card.

  The user ID is an alphanumeric character string starting from 0-8. On the other hand, when a user forgets to carry an IC card, a card ID that starts with an alphanumeric character other than 0 to 8 is recorded in the IC card that is temporarily lent to the user. Therefore, whether or not the IC card is temporarily lent can be determined based on whether or not the first digit of the card ID recorded on the IC card is 0 to 8.

== System configuration ==
FIG. 1 is a diagram showing an overall configuration of an authentication system according to the present embodiment. The authentication system according to the present embodiment includes a user terminal 10, a portal server 20, an LDAP server 30, and an administrator terminal 40. The user terminal 10, the portal server 20, the LDAP server 30, and the administrator terminal 40 are each connected to a communication network 50 and can communicate with each other. The communication network 50 is, for example, an Ethernet (registered trademark), an ATM (Asynchronous Transfer Mode) network, or a LAN (Local Area Network).

  The portal server 20 (corresponding to the server device of the present invention) is a computer such as a personal computer or a workstation that provides an information processing service to a user. The portal server 20 provides an information processing service in the form of a so-called Web application that responds to an HTTP (HyperText Transfer Protocol) request. In the present embodiment, it is assumed that the information processing service provided by the portal server 20 provides a portal site that generates screen data for collectively displaying various types of information. The portal server 20 authenticates the user before providing the information processing service. The authentication performed by the portal server 20 is a general one using a user name (user ID) and a password, for example.

  The user terminal 10 (corresponding to the client device of the present invention) is a computer such as a personal computer, a workstation, a mobile phone, or a PDA (Personal Digital Assistant) operated by the user. The user terminal 10 has a Web browser function for accessing the portal server 20 by the HTTP protocol, and the user accesses the information processing service provided by the portal server 20 by operating the Web browser of the user terminal 10. To do.

  The LDAP server 30 is a computer such as a personal computer or a workstation that manages directory information about users. The LDAP server 30 provides directory information according to LDAP (Lightweight Directory Access Protocol). An example of directory information managed by the LDAP server 30 is shown in FIG. As shown in the figure, the directory information managed by the LDAP server 30 includes the user's password, the user's first and last name and its reading pseudonym (Kana 1, Kana 2), and the user, using the card ID as a key. An affiliation code and affiliation name indicating the department, etc., an affiliation code and position name indicating the title of the user, a temporary use classification, a portal ID, an online ID, and the like are included. The temporary use category is an item indicating a user category, and “employee”, “secondary transfer”, and “temporary use” are set. When the user forgets the IC card and the loan card is temporarily loaned, “temporary use” is set in the temporary use classification. The portal ID is a user ID that identifies a user carrying the IC card. Normally, the card ID and the portal ID match, but the card ID and the portal ID are different for a loan card. The online ID is an ID used when accessing another host computer as one of information processing services provided by the portal server 20.

  The administrator terminal 40 is a personal computer, a workstation, a mobile phone, a PDA, or the like operated by an administrator who manages directory information managed by the LDAP server 30.

  In this embodiment, it is assumed that the administrator includes an LDAP setting change manager that manages directory information managed by the LDAP server 30 and a card storage manager that manages IC cards. If the user forgets to carry the IC card, the user reports to the card storage manager and receives a loan card from the card storage manager. The LDAP setting change manager registers the user who lent the loan card in the LDAP server 30 as will be described later.

== Administrator terminal 40 ==
FIG. 3 is a diagram illustrating a hardware configuration of the administrator terminal 40. As shown in the figure, the administrator terminal 40 includes a CPU 401, a memory 402, a storage device 403, a communication interface 404, an input device 405, a display device 406, and an IC card reader 407.
The storage device 403 stores programs and data, for example, a hard disk drive, a CD-ROM drive, a flash memory, or the like. The CPU 401 implements various functions by reading the program stored in the storage device 403 into the memory 402 and executing it. The communication interface 404 is an interface for connecting to the communication network 50. The communication interface 404 is, for example, an adapter for connecting to Ethernet (registered trademark) or a modem for connecting to a telephone line network. The input device 405 is, for example, a keyboard or a mouse that receives data input from the LDAP setting change manager. The display device 406 is, for example, a display that displays information to the LDAP setting change manager. The IC card reader 407 is a device that reads data recorded on a contact type or non-contact type IC card.

FIG. 4 is a diagram illustrating a software configuration of the administrator terminal 40. As shown in the figure, the administrator terminal 40 includes a lending user input unit 411, a card ID acquisition unit 412, and an entry update unit 413.
The lending user input unit 411 receives an input of the user ID of the user who lent the lending card (hereinafter referred to as a lending user) via the input device 405 from the LDAP setting change manager.
The card ID acquisition unit 412 acquires the card ID stored in the IC card via the IC card reader 407.
The entry update unit 413 updates the portal ID of the directory information corresponding to the card ID acquired by the card ID acquisition unit 412 to the user ID received by the lending user input unit 411. The entry update unit 413 updates the directory information managed by the LDAP server 30 by transmitting an update command (changetype: modify replace: portal ID) defined in LDAP to the LDAP server 30.
The lending user input unit 411, the card ID acquisition unit 412, and the entry update unit 413 are realized by the CPU 401 included in the administrator terminal 40 executing a program stored in the storage device 403.

  In the present embodiment, as described above, when the user forgets to carry the IC card, the card storage manager lends the loan card to the user according to the notification from the user. The LDAP setting change manager uses the portal ID of the directory information corresponding to the card ID recorded on the loan card before the card storage manager lends the loan card to the user. Update to ID. FIG. 5 is a diagram showing a flow of processing for updating the directory information corresponding to the loan card.

If the IC card cannot be accessed via the IC card reader 407 (S441: NO), the card ID acquisition unit 412 displays an error to that effect (S447) and ends the process.
When the IC card can be accessed (S441: YES), the card ID acquisition unit 412 acquires the card ID from the IC card (S442), and if the first digit of the card ID is 0 to 8 (S443: NO), An error is displayed (S447), and the process ends.

  When the card ID of the IC card starts with an alphanumeric character other than 0 to 8 (S443: YES), the loan user input unit 411 uses the input device 105 such as a keyboard or a mouse as a loan card loan destination. An input of a user ID for identifying a person is accepted (S444).

  The entry update unit 413 uses the card ID acquired by the card ID acquisition unit 412 as a key, and issues an update command that instructs to update the portal ID of the directory information to the user ID accepted by the lending user input unit 411. The directory information is updated by transmitting to the LDAP server 30 (S445).

  As described above, when the loan card is temporarily lent to the user, the user ID of the user is set in the portal ID corresponding to the card ID of the loan card. As will be described later, since the portal ID corresponding to the card ID of the loan card is used for user authentication, even if the user forgets to carry the IC card, authentication is performed using the user ID of the user himself / herself. It can be performed. In the portal site, so-called personalization is performed to change the information to be displayed according to the user ID, but the user can always receive the service of the portal server 20 by using his own user ID. Further, personalization by the portal server 20 can be appropriately performed.

== User terminal 10 ==
FIG. 6 is a diagram illustrating a hardware configuration of the user terminal 10. As shown in the figure, the user terminal 10 includes a CPU 101, a memory 102, a storage device 103, a communication interface 104, an input device 105, a display device 106, and an IC card reader 107.

  The IC card reader 107 is a device that reads data stored in a contact type or non-contact type IC card. The storage device 103 stores programs such as the ID reading program 11 and the ID reading driver 12 and various data used when the programs are executed. As the storage device 103, for example, a hard disk drive, a CD-ROM drive, a flash memory, or the like can be used.

  The ID reading driver 12 is a device driver program for reading data from various programs executed on the user terminal 10 via the IC card reader 107. The ID reading program 11 is a program for reading the card ID stored in the IC card using the ID reading driver 12. The ID reading program 11 is a plug-in program called from a Web browser operating on the user terminal 10, such as ActiveX control (registered trademark) or a Java (registered trademark) applet.

  The CPU 101 provides various functions by reading the program stored in the storage device 103 into the memory 102 and executing it. The communication interface 104 is an interface for connecting to the communication network 50, and is, for example, an adapter for connecting to Ethernet (registered trademark) or a modem for connecting to a public telephone line network. The input device 105 accepts an operation from a user, for example, a keyboard or a mouse. The display device 106 is a display that displays information to the user.

  FIG. 7 is a diagram illustrating a software configuration of the user terminal 10. As shown in the figure, the user terminal 10 includes an authentication request transmission unit 111, a card ID acquisition screen reception unit 112, a card ID acquisition unit 113, a card ID transmission unit 114, an authentication screen data reception unit 115, an authentication information input unit. 116, an authentication information transmission unit 117 is provided.

  The authentication request transmission unit 111 transmits a command (hereinafter referred to as an authentication request) for instructing user authentication to the portal server 20. In the present embodiment, the authentication request transmission unit 111 transmits an HTTP request for a predetermined URL (Uniform Resource Locator) on the portal server 20 to the portal server 20 as an authentication request in accordance with a user operation.

  The card ID acquisition screen receiving unit 112 receives screen data (hereinafter referred to as card ID acquisition screen data) including a command for starting the ID reading program 11 transmitted from the portal server 20 in response to the authentication request. In this embodiment, it is assumed that the card ID acquisition screen data is described in HTML (HyperText Markup Language), and the commands included in the card ID acquisition screen data are, for example, ActiveX (registered trademark) control or Java (registration). A <OBJECT> tag, an <EMBED> tag, and the like for starting a plug-in program such as a trademark applet. The user terminal 10 starts the ID reading program 11 when displaying a screen based on the card ID acquisition screen data on the Web browser.

  The card ID acquisition unit 113 acquires a card ID from the IC card via the IC card reader 107. The card ID transmission unit 114 (corresponding to the user ID transmission unit of the present invention) uses the portal ID of the card ID acquired by the card ID acquisition unit 113 by, for example, a GET request or a POST request specified in HTTP. Send to. Note that the card ID acquisition unit 113 and the card ID transmission unit 114 are realized by executing the ID reading program 11.

  The authentication screen data receiving unit 115 displays screen data (hereinafter referred to as authentication screen data) for displaying a screen (hereinafter referred to as authentication screen) that accepts input of information for authenticating the user (hereinafter referred to as authentication information). Is received from the portal server 20. In the present embodiment, the authentication information is a password. In this embodiment, as will be described later, the authentication screen includes an input field for the user ID of the user specified from the IC card and an input field for a password. At the time of authentication, the user ID input field cannot be edited.

The authentication information input unit 116 receives an input of a password from the user. The authentication information input unit 116 accepts input of both a user ID and a password when the user ID input field is editable on the authentication screen.
The authentication information transmission unit 117 transmits the user ID and password to the portal server 20.

  The above-described authentication request transmission unit 111, card ID acquisition screen reception unit 112, authentication screen data reception unit 115, authentication information input unit 116, and authentication information transmission unit 117 are stored in the storage device 103 by the CPU 101 included in the user terminal 10. This is realized by executing a stored program (not shown).

== Portal server 20 ==
FIG. 8 is a diagram illustrating a hardware configuration of the portal server 20. As shown in the figure, the portal server 20 includes a CPU 201, a memory 202, a storage device 203, a communication interface 204, an input device 205, and a display device 206.

  The storage device 203 is, for example, a hard disk drive, a CD-ROM drive, or a flash memory that stores data and programs. The CPU 201 implements various functions by reading a program stored in the storage device 203 into the memory 202 and executing it. The communication interface 204 is an interface for connecting to the communication network 50, and is, for example, an adapter for connecting to Ethernet (registered trademark) or a modem for connecting to a public telephone line network. The input device 205 accepts an operation from a user, for example, a keyboard or a mouse. The display device 206 is a display that displays information to the user.

  FIG. 9 is a diagram illustrating a software configuration of the portal server 20. As shown in the figure, the portal server 20 includes an authentication request reception unit 211, an IP address authentication unit 212, a card ID acquisition screen transmission unit 213, a card ID reception unit 214, a directory information acquisition unit 215, an authentication screen creation unit 216, An authentication screen data transmission unit 217, an authentication information reception unit 218, an authentication processing unit 219, a screen data transmission unit 220, an address management table 251 and an administrator management table 252 are provided.

  The address management table 251 is information including an address for identifying a terminal on the network of the user terminal 10 on the communication network 50 and a user ID of a user who is using the user terminal 10 (hereinafter referred to as “user ID”). , Referred to as address management information). In this embodiment, the address of the user terminal 10 is an IP address.

FIG. 10 is a diagram illustrating a configuration example of the address management information stored in the address management table 251. As shown in the figure, the address management information includes a user ID and an administrator flag using the IP address of the user terminal 10 as a key. The administrator flag is information indicating whether the user who uses the user terminal 10 is an administrator. As will be described later, when the user is an administrator, the user ID of another user can be input to access the portal server 20 as another user. Thereby, for example, it is possible to cope with a case where the administrator changes the user ID when accessing the portal server 20 in the normal business and the user ID when accessing the portal server 20 in the management business. I am doing so.
The address management table 251 does not have to register address management information for all user terminals 10.

  The administrator management table 252 stores a user ID that identifies an administrator. In the present embodiment, it is assumed that the administrator has the authority to perform authentication based on the user IDs of other users. FIG. 11 shows a configuration example of the administrator management table 252. As shown in the figure, a user ID is registered in the administrator management table 252. Whether or not the user is an administrator can be determined based on whether or not the user ID is registered in the administrator management table 252.

The authentication request receiving unit 211 receives an authentication request transmitted from the user terminal 10.
The IP address authentication unit 212 determines whether or not address management information corresponding to the IP address of the user terminal 10 that is the transmission source of the authentication request is registered in the address management table 251. When the address management information corresponding to the IP address of the user terminal 10 is registered, the user is authenticated using the user ID included in the address management information, as will be described later.

The card ID acquisition screen transmission unit 213 generates card ID acquisition screen data in response to the authentication request, and transmits the generated card ID acquisition screen data to the user terminal 10.
The card ID receiving unit 214 (corresponding to the user ID receiving unit of the present invention) receives the card ID from the user terminal 10 according to the card ID acquisition screen data. In the user terminal 10, as described above, the ID reading program 11 is activated in accordance with the command included in the IC card acquisition screen data, and the card ID is read from the IC card via the IC card reader 107.

  The directory information acquisition unit 215 acquires directory information corresponding to the card ID received from the user terminal 10 from the LDAP server 30. In addition, the directory information acquisition unit 215 includes the acquired directory information when the card ID is a loan card (in this embodiment, when the first digit of the card ID is an alphanumeric character other than 0 to 8). Directory information corresponding to the portal ID to be acquired is acquired.

The authentication screen creation unit 216 creates authentication screen data for displaying an authentication screen including a user ID input field and a password input field. The authentication screen creation unit 216 sets the card ID of the directory information acquired in advance by the directory information acquisition unit 215 in the user ID input field of the authentication screen. When the user is an administrator, that is, when the user ID is registered in the administrator management table 252, the authentication screen creation unit 216 makes the user ID input field editable, and For other users, the authentication screen data is created so that the user ID input field cannot be edited.
The authentication screen data transmission unit 217 transmits the authentication screen data created by the authentication screen creation unit 216 to the user terminal 10.

  The authentication information receiving unit 218 receives authentication information transmitted from the user terminal 10. In the present embodiment, the authentication information receiving unit 218 receives a user ID and a password from the user terminal 10.

  The authentication processing unit 219 authenticates the user using the authentication information received by the authentication information receiving unit 218. In the present embodiment, the authentication processing unit 219 performs authentication using the user ID and password received by the authentication information receiving unit 218. Specifically, the authentication processing unit 219 acquires the password entry of the directory information corresponding to the user ID from the LDAP server 30, and the content of the acquired password entry matches the password received from the user terminal 10. The user can be authenticated depending on whether or not.

  When the authentication is successful, the screen data transmission unit 220 transmits screen data for realizing a portal site corresponding to the user to the user terminal 10. If the authentication fails, the screen data transmission unit 220 transmits screen data for displaying an error message indicating the fact to the user terminal 10.

== Processing ==
Next, a mechanism for performing user authentication in the authentication system according to the present embodiment will be described. FIG. 12 is a diagram showing a flow of processing for authenticating a user. In the authentication system of the present embodiment, first, a card ID is acquired from an IC card (S501), directory information corresponding to the user is acquired from the LDAP server 30 based on the acquired card ID (S502), and the acquired directory information is acquired. Based on the above, a user authentication process is performed (S503). Details will be described below.

FIG. 13 is a diagram showing a flow of processing for obtaining a card ID from an IC card.
When the user operates the Web browser running on the user terminal 10 to access the portal server 20, an authentication request is transmitted from the user terminal 10 to the portal server 20 as an HTTP request to a predetermined URL ( S521).

  When the portal server 20 receives the authentication request from the user terminal 10, the portal server 20 acquires the IP address of the user terminal 10 that is the transmission source of the authentication request. The IP address authentication unit 212 searches the address management table 251 for address management information corresponding to the acquired IP address (S522). If the address management information corresponding to the IP address of the authentication request source is registered in the address management table 251 (S523: YES), the user ID of the address management information is set as the card ID (S524), and the process is terminated. .

  On the other hand, when the address management information corresponding to the IP address of the transmission source of the authentication request is not registered (S523: NO), the card ID acquisition screen transmission unit 213 reads the card ID from the IC card. Acquisition screen data is created (S525). An example of the card ID acquisition screen data 16 is shown in FIG. In the example shown in the figure, the card ID acquisition screen data 16 shows a message 161 instructing that the IC card reader 107 can access the IC card, and starting the ID reading program 11 in the user terminal 10. A command 162 is included. In the example of FIG. 14, the command 162 is an OBJECT tag for starting the ActiveX control from the Web browser. The card ID acquisition screen transmission unit 213 transmits the created card ID acquisition screen data to the user terminal 10 (S526).

In the user terminal 10, the card ID acquisition screen receiving unit 112 receives the card ID acquisition screen data, and displays the card ID acquisition screen 162 based on the received card ID acquisition screen data (S527). An example of the card ID acquisition screen 17 displayed by the card ID acquisition screen receiving unit 112 is shown in FIG. In the example shown in the figure, the message 161 included in the card ID acquisition screen data 16 shown in FIG. 14 is displayed in the display field 171 of the card ID acquisition screen 17. The card ID acquisition screen receiving unit 112 displays the card ID acquisition screen 17 and starts the ID reading program 11 according to the command 162 included in the card ID acquisition screen data (S528). The card ID acquisition unit 113 realized by executing the ID reading program 11 reads the card ID from the IC card via the IC card reader 107 (S529), and the card ID transmission unit 114 receives the read card ID. It transmits to the portal server 20 (S530).
In the portal server 20, the card ID receiving unit 214 receives the card ID transmitted from the user terminal 10 (S531).

  As described above, in the authentication system of the present embodiment, by starting a plug-in program such as ActiveX (registered trademark) control, the IC card reader 107 is controlled from the portal server 20 to acquire the card ID from the IC card. Is possible. In general, it is difficult to control a device connected to the user terminal 10 that is a client from the portal server 20 side, but according to the authentication system of the present embodiment, a tag for starting a plug-in program Authentication of a user using an IC card can be easily realized even in the form of a Web application using the card ID acquisition screen data including.

Next, FIG. 16 shows a flow of processing for acquiring directory information based on the card ID.
The directory information acquisition unit 215 acquires directory information corresponding to the card ID acquired by the processing of FIG. 15 from the LDAP server 30 (S541).
The directory information acquisition unit 215 determines whether the IC card is a loan card based on whether the first digit of the card ID is 0 to 8 (S542). If the first digit of the card ID is 0 to 8, that is, if it is not a loan card (S542: YES), the directory information acquisition unit 215 sets the card ID as the user ID (S543) and ends the process.

  On the other hand, if the first digit of the card ID is an alphanumeric character other than 0 to 8, that is, if it is a loan card (S542: NO), the directory information acquisition unit 215 is included in the directory information. Using the portal ID as the user ID (S544), directory information whose card ID matches the portal ID is acquired from the LDAP server 30 (S545).

  As described above, when a loan card is lent to a user, the user ID of the user who has been lent is set in the portal ID of the directory information corresponding to the card ID of the loan card. Therefore, in the case of a loan card, directory information corresponding to the portal ID is acquired, and in the case of a normal IC card, directory information corresponding to the card ID recorded on the IC card is acquired. As described above, in the authentication system according to the present embodiment, the portal server 20 can acquire appropriate directory information even when the user forgets to carry the IC card.

  Further, in the authentication system of the present embodiment, even when the user forgets to carry the IC card, the portal ID corresponding to the card ID of the loan card is determined as the user ID. Therefore, the user ID used for authentication can appropriately identify the user.

As described above, when the user ID is determined and the directory information is acquired, the user authentication process is performed next. FIG. 17 is a diagram showing a flow of user authentication processing.
In the portal server 20, the authentication screen creation unit 216 creates authentication screen data 18 including an INPUT tag for the user ID input field and an INPUT tag for the password input field (S561). The authentication screen creation unit 216 determines whether the user ID is registered in the administrator management table 252 (S562). If the user ID is not registered in the administrator management table 252 (S562: NO) ) In order to disable editing of the user ID input field included in the authentication screen data 18, the DISABLED attribute is set in the INPUT tag for the user ID input field (S563). An example of the authentication screen data 18 created as described above is shown in FIG. In the example shown in the figure, the authentication screen data 18 includes a tag 181 for a user ID input field and a tag 182 for a password input field. The tag 181 has a “DISABLED” attribute. Is set. When the authentication screen data 18 is created as described above, the authentication screen data transmission unit 217 transmits the authentication screen data 18 to the user terminal 10 (S564).

  In the user terminal 10, the authentication screen data receiving unit 115 receives the authentication screen data 18 from the portal server 20, and displays the authentication screen 19 based on the received authentication screen data 18 on the display device 106 (S565). An example of the authentication screen 19 based on the authentication screen data 18 of the example of FIG. 18 described above is shown in FIG. As shown in the figure, the authentication screen 19 includes a user ID input field 191 and a password input field 192. However, in the authentication screen 19 based on the authentication screen data 18 in the example of FIG. 18, since the “DISABLED” attribute is set in the tag 181, the input field 191 is in an uneditable state. The authentication information input unit 116 accepts the password input in the input field 191 (S566). When the user is an administrator, as described above, the input field 191 can be edited. In this case, the authentication information input unit 116 accepts both the user ID input in the input field 191 and the password input in the input field 192.

  When the login button 193 is pressed on the authentication screen 19, the authentication information transmission unit 117 transmits the user ID set in the input field 191 and the password input in the input field 192 to the portal server 20. (S567).

  In the portal server 20, the authentication information receiving unit 218 receives the user ID and password transmitted from the user terminal 10, and receives the received user ID and the user ID determined by the process shown in FIG. Is different (S568: NO), the directory information acquisition unit 215 acquires directory information corresponding to the received user ID from the LDAP server 30 (S569).

  The authentication processing unit 219 determines whether the password received from the user terminal 10 matches the password of the directory information corresponding to the user ID (S570). If the received password matches the password of the directory information (S570: YES), the screen data transmission unit 220 transmits the screen data related to the portal site to the user terminal 10 (S571), and if it does not match (S570). : NO), screen data for displaying an error message indicating that is transmitted to the user terminal 10 (S572).

  As described above, for a user other than the administrator, an authentication screen in which the user ID input field cannot be edited is displayed on the user terminal 10, and the password from the user is the user terminal 10. To the portal server 20. As a result, the portal server 20 can authenticate the user using the user ID recorded on the IC card and the password input on the authentication screen. In the authentication system of this embodiment, in addition to the user ID recorded on the IC card, the password input is also accepted on the authentication screen. Therefore, even if another person's IC card is used, if the other person's password is not known, the portal server 20 cannot be authenticated as another person. Therefore, it is possible to prevent unauthorized authentication that uses another person's IC card to impersonate another person.

  On the other hand, for the administrator, an authentication screen in which the user ID input field can be edited is displayed on the user terminal 10. Therefore, for example, it is possible to prepare a plurality of user IDs to which different usage rights are given in the portal site, and the administrator can use these user IDs properly. Thereby, the administrator can investigate the usability according to the use authority in the portal site, for example.

  In this embodiment, the authentication using the IP address is performed prior to the authentication using the user ID and the password. However, the authentication using the IP address may be omitted.

  In the present embodiment, whether or not the user is an administrator is determined based on whether or not the user ID is registered in the administrator management table 252. However, the present invention is not limited to this. Whether or not the user is an administrator may be determined based on whether or not a predetermined condition for the user ID is satisfied, such as when the first digit of the ID is 0.

  In the present embodiment, the directory information of the user is managed by LDAP. However, the present invention is not limited to this, and the directory information may be managed by the RDBMS provided in the portal server 20.

  In this embodiment, the information processing service provided by the portal server 20 is in the form of a Web application. However, the present invention is not limited to this and can be applied to various client / server forms.

  In the present embodiment, for users other than the administrator, the “DISABLED” attribute is set in the INPUT tag on the authentication screen to make the user ID input field uneditable. You may make it display the text information which displays user ID on an authentication screen, without displaying a column.

  Although the present embodiment has been described above, the above embodiment is intended to facilitate understanding of the present invention and is not intended to limit the present invention. The present invention can be changed and improved without departing from the gist thereof, and the present invention includes equivalents thereof.

It is a figure which shows the whole structure of the authentication system which concerns on this embodiment. It is a figure which shows an example of the directory information which the LDAP server 30 manages. 2 is a diagram illustrating a hardware configuration of an administrator terminal 40. FIG. 3 is a diagram showing a software configuration of an administrator terminal 40. FIG. It is a figure which shows the flow of the process which updates the directory information corresponding to a loan card. 2 is a diagram illustrating a hardware configuration of a user terminal 10. FIG. 2 is a diagram illustrating a software configuration of a user terminal 10. FIG. 2 is a diagram illustrating a hardware configuration of a portal server 20. FIG. 2 is a diagram illustrating a software configuration of a portal server 20. FIG. 5 is a diagram illustrating a configuration example of address management information stored in an address management table 251. FIG. It is a figure which shows the structural example of the administrator management table 252. FIG. It is a figure which shows the flow of the process which authenticates a user. It is a figure which shows the flow of the process which acquires card ID from an IC card. It is a figure which shows an example of the card ID acquisition screen data. It is a figure which shows an example of the card ID acquisition screen. It is a figure which shows the flow of the process which acquires directory information based on card ID. It is a figure which shows the flow of a user's authentication process. It is a figure which shows an example of the authentication screen data. It is a figure which shows an example of the authentication screen 19 based on the authentication screen data.

Explanation of symbols

10 User terminal 11 ID reading program 12 ID reading driver 101 CPU
DESCRIPTION OF SYMBOLS 102 Memory 103 Storage apparatus 104 Communication interface 105 Input device 106 Display apparatus 107 IC card reader 111 Authentication request transmission part 112 Card ID acquisition screen reception part 113 Card ID acquisition part 114 Card ID transmission part 115 Authentication screen data reception part 116 Authentication information input Unit 117 Authentication information transmission unit 161 Message 162 Command 17 Card ID reading screen 18 Authentication screen data 181 Tag 182 Tag 19 Authentication screen 191 Input column 192 Input column 193 Login button 20 Portal server 201 CPU 202 Memory 203 Storage device 204 Communication interface 205 Input Device 206 Display device 211 Authentication request reception unit 212 IP address authentication unit 213 Card ID acquisition screen transmission unit 214 Card ID reception unit 215 Directory information Acquisition unit 216 Authentication screen creation unit 217 Authentication screen data transmission unit 218 Authentication information reception unit 219 Authentication processing unit 220 Screen data transmission unit 251 Address management table 252 Administrator management table 30 LDAP server 40 Administrator terminal 401 CPU 402 memory 403 storage device 404 Communication Interface 405 Input Device 406 Display Device 407 IC Card Reader 411 Lending User Input Unit 412 Card ID Acquisition Unit 413 Entry Update Unit 50 Communication Network

Claims (8)

A user authentication system,
A client device operated by the user;
And a server device that performs user authentication,
The client device is
An IC card reader that reads the user ID from an IC card that stores a user ID that identifies the user;
A storage device for storing an ID reading program for controlling the IC card reader to read the user ID from the IC card;
With
The server device includes an authentication screen data transmission unit that transmits authentication screen data, which is screen data including a command for starting the ID reading program, to the client device.
The client device is
An authentication screen data receiving unit for receiving the authentication screen data;
In response to the command included in the authentication screen data, the ID reading program is started, the user ID read from the IC card reader by the ID reading program is acquired, and the acquired user ID A user ID transmission unit that transmits a message to the server device,
The server device
A user ID receiving unit for receiving the user ID from the client device;
A user authentication unit for authenticating a user based on the received user ID;
An authentication system comprising: The authentication system according to claim 1,
The storage device included in the client device stores a plug-in program that realizes the user ID transmission unit,
The command included in the authentication screen data includes information for specifying the plug-in program,
The client device includes a screen display unit that displays a screen corresponding to the authentication screen data and activates the plug-in program specified by the command.
An authentication system characterized by The authentication system according to claim 1,
The server device
An authentication screen data transmitting unit for transmitting authentication screen data for displaying an authentication screen for displaying user ID and inputting user authentication information to the client device;
The client device is
An authentication screen display unit for displaying the authentication screen based on the authentication screen data;
An authentication information input unit that receives input of the authentication information via the authentication screen;
An authentication information transmitting unit for transmitting the authentication information to the server device;
With
The user authentication unit authenticates a user based on the user ID and the authentication information received from the client device;
An authentication system characterized by The authentication system according to claim 3,
The server device includes a special authority storage unit that stores the user ID for identifying a user having authority to perform authentication based on the user ID of another user,
When the user ID received by the user ID receiving unit is registered in the special authority storage unit,
The authentication screen data transmission unit transmits the authentication screen data for displaying the authentication screen for inputting both the user ID and the authentication information to the client device,
The user authentication unit authenticates a user based on the user ID and the authentication information input from the client device and received on the authentication screen;
An authentication system characterized by The authentication system according to claim 1,
The server device
The first user ID stored in the IC card temporarily lent to the user is associated with the second user ID stored in the IC card owned by the user. A loan information database to be stored,
A loan determination unit that determines whether the IC card is temporarily loaned to a user according to whether the user ID received by the user ID reception unit satisfies a predetermined condition;
If it is determined that the IC card is temporarily loaned to the user, the second user ID corresponding to the user ID received from the client device is read from the loan information database. A user ID acquisition unit that uses the read second user ID as the user ID;
An authentication system comprising: The authentication system according to claim 1,
The user ID transmission unit transmits the user ID only to a predetermined server device;
An authentication system characterized by The authentication system according to claim 1,
The client device includes an authentication request transmission unit that transmits an authentication request for instructing user authentication to the server device;
The server device
An address management table for storing the user ID in association with an address assigned to the client device;
An address acquisition unit that acquires the address of the client device that is a transmission source of the authentication request;
With
The user authentication unit authenticates a user based on the user ID corresponding to the address when the user ID corresponding to the acquired address is registered in the address management table. thing,
An authentication system characterized by A user authentication method in an authentication system including a client device operated by a user and a server device that performs user authentication,
The client device is
An IC card reader that reads the user ID from an IC card that stores a user ID that identifies the user;
A storage device for storing an ID reading program for controlling the IC card reader to read the user ID from the IC card;
With
The server device transmits authentication screen data, which is screen data including an instruction for starting the ID reading program, to the client device.
The client device receives the authentication screen data,
The client device starts the ID reading program in response to the command included in the authentication screen data, acquires the user ID read from the IC card reader by the ID reading program, and acquires the user ID The user ID sent to the server device,
The server device receives the user ID from the client device;
The server device authenticates a user based on the received user ID;
An authentication method characterized by.