JP2012155365A - Information processing apparatus, and processing method and program thereof - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a mechanism capable of reducing failure in authentication due to a read error of a storage medium (for example, an IC card) by making an authentication request using information included in an authentication cache corresponding to the read storage medium when the authentication cache is available in an information processing apparatus in the case of the read error of the storage medium.SOLUTION: The information processing apparatus which can be logged in by reading the storage medium storing the authentication cache in which first identification information and second identification information stored by success in authentication correspond to each other performs read control over the first identification information stored in the storage medium and read control over the second identification information stored in the storage medium, acquires the second identification information according to the first identification information which can be read and the authentication cache if the second identification information cannot be read, and makes the authentication request using the acquired second identification information.

Description

  The present invention relates to a technique for performing authentication by reading a storage medium such as an IC card.

  Conventionally, a system for performing user authentication when using a multifunction machine has been proposed.

  In such an authentication system, the user is authenticated by the following procedure. First, authentication information for user identification is registered in advance in the authentication server. Next, using the authentication information entered by the user, the IC card or magnetic card carried by the user, or biometric information such as fingerprints, voiceprints, palmprints, irises, veins, etc., it communicates with the authentication server to verify the identity. .

  If the identity verification is successful, the use of the multifunction device is permitted, and if it fails, the use of the multifunction device is not permitted. This makes it possible to restrict the use of the multifunction machine by a third party who is not registered.

  However, in such an authentication system, there is a problem that it takes time for authentication and makes the user wait until the multifunction device is used, which is inconvenient. Examples of authentication that take time include authentication algorithms such as biometric information when the network is congested, when there are many registered users, or when it is necessary to perform pre-authentication to search for authentication information There are various cases such as when the authentication data is complicated and the authentication data is enormous.

  In order to solve this problem, Patent Document 1 proposes a method of providing a multifunction machine with a cache of authentication information. The above patent is a technique applied to a configuration in which a user authentication system and a secure printing system are combined. A user authentication system is a system that performs user authentication when using a multifunction device. A secure print system temporarily stores a print job received from a user in a storage area of the multifunction device without immediately outputting it from the multifunction device. Technology.

  In Patent Document 1, first, a user inputs a print job from a client PC to the multifunction peripheral. The multifunction device accepts the print job and saves it in a storage area inside the multifunction device. At this time, the multifunction peripheral acquires user information included in the print job. Subsequently, communication with the authentication server is performed, and authentication information associated with the acquired user information is acquired. The multifunction device caches the acquired authentication information.

  In this way, once the user submits a print job to the multifunction device, a cache of authentication information is created in the multifunction device. Therefore, when the user performs authentication when using the multifunction device, the multifunction device can authenticate with the cache information without communicating with the authentication server. With such a mechanism, high-speed authentication is realized.

JP 2008-242851 A

  In addition to speeding up the authentication described above, the cache information is authenticated using the cache information to prevent an authentication error and the MFP from being unavailable when the network is down and cannot communicate with the authentication server. However, a method of using a multifunction device is considered.

  However, there are cases where authentication data is not registered in the authentication server other than simply being unable to communicate with the authentication server. Further, as an authentication method for multifunction peripherals, in recent years, authentication is often performed by holding an IC card over a card reader. In this case, an authentication error also occurs due to an IC card reading error, and the MFP cannot be used.

  This is due to the reading of the IC card. Since an IC card always has a serial number, generally, a card reader reads an area in which the serial number of the IC card is stored.

  However, since the IC card has an area where data can be arbitrarily stored in addition to the manufacturing number, some companies store a user ID (employee number) and company code in addition to the manufacturing number. It is desired to authenticate using a user ID (employee number) or company code.

  In that case, the card reader first reads the area where the serial number is stored, and then reads the arbitrary area where the user ID (employee number) or company code is stored. If the user holds the IC card over the card reader and immediately removes the IC card from the card reader, there is a problem that an authentication error occurs because only the serial number can be read.

  In spite of the fact that the user thinks that the IC card is held up, an authentication error may occur, resulting in poor usability.

  Accordingly, an object of the present invention is to use information contained in an authentication cache when there is an authentication cache corresponding to the read storage medium in the information processing apparatus at the time of reading error of the storage medium (for example, an IC card). It is to provide a mechanism that can reduce authentication failure due to a read error by making an authentication request.

  In order to achieve the object of the present invention, an information processing apparatus according to the present invention includes a storage medium for storing an authentication cache in which first identification information and second identification information stored by successful authentication are associated with each other. An information processing apparatus capable of logging in by reading, a first reading control means for controlling reading of the first identification information stored in the storage medium, and a second reading stored in the storage medium A second reading control means for controlling the reading of the identification information, and the first identification read by the first reading control means when the second identification information cannot be read by the second reading control means. An authentication cache acquisition unit that acquires second identification information according to information and the authentication cache, and an authentication requester that makes an authentication request using the second identification information acquired by the authentication cache acquisition unit Characterized in that it comprises and.

  Further, the authentication requesting unit makes an authentication request using the read second identification information when the second reading control unit reads the second identification information.

  Further, when authentication is successful by an authentication request using the second identification information read by the second reading control means, an authentication cache that associates the first identification information with the second card is stored. And an authentication cache storage means.

  In addition, the information processing apparatus further includes display means for displaying that the authentication cache acquisition means cannot acquire the second identification information, and indicates that the authentication has failed due to a reading error.

  The display means may read the second identification information by the second reading control means, and if the authentication request is made using the read second identification information and the result is an authentication failure, the storage medium It is characterized by displaying that the authentication has failed due to the absence of.

  The information processing apparatus further includes login control means for controlling login to the information processing apparatus in accordance with a result of the authentication request by the authentication request means.

  The authentication requesting unit requests authentication of the first identification information and the second identification information, and the login control unit includes the first identification information and the second identification information requested to be authenticated. When authentication succeeds according to the combination, the information processing apparatus is logged in.

  According to the present invention, when there is an authentication cache corresponding to the read storage medium in the information processing apparatus at the time of reading error of the storage medium (for example, an IC card), an authentication request is made using information contained in the authentication cache. By performing the above, it is possible to reduce the authentication failure due to the reading error.

It is a system configuration figure showing an example of the composition of an authentication system. It is a block diagram which shows the hardware constitutions of information processing apparatus. 2 is a block diagram illustrating an example of a hardware configuration of a multifunction peripheral. FIG. 3 is a functional block diagram illustrating an example of functions of a multifunction peripheral. FIG. It is a flowchart which shows an authentication process. It is a flowchart which shows the maintenance process of cache data. It is a figure which shows an example of an authentication table. It is a figure which shows an example of a cache table. It is a schematic diagram which shows the data in an IC card. It is a flowchart which shows the authentication process of another form.

  Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings.

  FIG. 1 is a system configuration diagram illustrating an example of a configuration of an authentication system to which the client terminal 100, the authentication server 200, and the multifunction device 300 (information processing apparatus such as a printer) according to the present invention can be applied.

  As shown in FIG. 1, the authentication system according to the present embodiment is connected to one or a plurality of client terminals 100 (for example, for each user), a plurality of multifunction devices 300, and an authentication server 200 via a local area network (LAN) 600. Thus, information is transmitted and received.

  The client terminal 100 is installed with form software that acquires a form and text data necessary for form generation from a server (not shown) and overlays to generate a form. The form software transmits the generated form together with a form print execution command and user information to the multi function peripheral 300 using communication such as SOAP. A configuration through a print management apparatus such as a print server may be used.

  The multifunction device 300 stores print data received from the client terminal 100 or the like in an internal memory, and executes printing based on a user output instruction in the multifunction device 300. Further, the multifunction device 300 reads the IC card with a card reader, makes an authentication request to the authentication server according to the read information, and permits login when the authentication is successful. Login means making a multifunction device available to the user. If an authentication error occurs, an authentication error is notified and login is not permitted.

  Although detailed processing of the multifunction device 300 will be described later, the multifunction device 300 stores an authentication cache in which the first identification information and the second identification information that are stored when the authentication is successful are associated with each other. Is an information processing apparatus capable of logging in by reading.

  The authentication server 200 stores an IC card authentication table, and performs authentication processing using the IC card authentication table in response to an authentication request made by holding the IC card over the card reader of the multifunction machine 300. .

  Hereinafter, the hardware configuration of the information processing apparatus applicable to the client terminal 100 and the authentication server 200 illustrated in FIG. 1 will be described with reference to FIG.

  FIG. 2 is a block diagram illustrating a hardware configuration of an information processing apparatus applicable to the client terminal 100 and the authentication server 200 illustrated in FIG.

  In FIG. 2, reference numeral 201 denotes a CPU that comprehensively controls devices and controllers connected to the system bus 204. Further, the ROM 202 or the external memory 211 is necessary to realize a BIOS (Basic Input / Output System) or an operating system program (hereinafter referred to as an OS), which is a control program of the CPU 201, or a function executed by each server or each PC. Various programs to be described later are stored.

  A RAM 203 functions as a main memory, work area, and the like for the CPU 201. The CPU 201 implements various operations by loading a program or the like necessary for execution of processing from the ROM 202 or the external memory 211 into the RAM 203 and executing the loaded program.

  An input controller 205 controls input from a keyboard (KB) 209 or a pointing device such as a mouse (not shown). A video controller 206 controls display on a display device such as a CRT display (CRT) 210. In FIG. 2, although described as CRT 210, the display device is not limited to the CRT, but may be another display device such as a liquid crystal display. These are used by the administrator as needed.

  A memory controller 207 is connected to the hard disk (HD), flexible disk (FD), or PCMCIA card slot for storing a boot program, various applications, font data, user files, editing files, various data, etc. via an adapter. The access to the external memory 211 such as a compact flash (registered trademark) memory is controlled.

  A communication I / F controller 208 is connected to and communicates with an external device via a network (for example, the LAN 600 shown in FIG. 1), and executes communication control processing on the network. For example, communication using TCP / IP is possible.

  Note that the CPU 201 enables display on the CRT 210 by executing outline font rasterization processing on a display information area in the RAM 203, for example. In addition, the CPU 201 enables a user instruction with a mouse cursor (not shown) on the CRT 210.

  Various programs to be described later for realizing the present invention are recorded in the external memory 211 and executed by the CPU 201 by being loaded into the RAM 203 as necessary. Furthermore, definition files and various information tables used when executing the program are also stored in the external memory 211, and a detailed description thereof will be described later.

  Next, the hardware configuration of the multifunction machine 300 shown in FIG. 1 will be described with reference to FIG.

  FIG. 3 is a block diagram illustrating an example of a hardware configuration of the multifunction peripheral 300 illustrated in FIG.

  In FIG. 3, reference numeral 316 denotes a controller unit which is connected to a scanner 314 functioning as an image input device and a printer unit 312 functioning as an image output device, while being connected to a LAN (for example, the LAN 600 shown in FIG. 1) or a public line (WAN). ) (For example, PSTN or ISDN) to input / output image data and device information.

  In the controller unit 316, reference numeral 301 denotes a CPU, which is a processor that controls the entire system. A RAM 302 is a system work memory for the CPU 301 to operate, and is also a program memory for recording a program and an image memory for temporarily recording image data.

  A ROM 303 stores a system boot program and various control programs. A hard disk drive (HDD) 304 stores various programs for controlling the system, image data, and the like.

  An operation unit interface (operation unit I / F) 307 is an interface unit with the operation unit (keyboard) 308. Further, the operation unit I / F 307 serves to transmit the key information (for example, pressing of the start button) input from the operation unit 308 to the CPU 301.

  A network interface (Network I / F) 305 is connected to the network (LAN) 600 and inputs / outputs data. A modem (MODEM) 306 is connected to a public line and inputs / outputs data such as FAX transmission / reception.

  An external interface (external I / F) 318 is an I / F unit that accepts external inputs such as USB, IEEE 1394, printer port, RS-232C, etc. In this embodiment, an IC card (storage medium) required for authentication ) Is connected to the external I / F unit 318. The CPU 301 can control reading of information from the IC card by the card reader 319 via the external I / F 318, and can acquire information read from the IC card. The above devices are arranged on the system bus 309.

  The card reader 319 executes a card reader driver program by the CPU 301 and issues a control command for reading the IC card by the card reader program, whereby the card reader reads a predetermined area of the IC card. Get the stored data.

  Reference numeral 320 denotes an image bus interface (IMAGE BUS I / F), which is a bus bridge that connects the system bus 309 and an image bus 315 that transfers image data at high speed and converts the data structure.

  The image bus 315 is configured by a PCI bus or IEEE1394. The following devices are arranged on the image bus 315.

  A raster image processor (RIP) 310 develops vector data such as a PDL code into a bitmap image. A printer interface (printer I / F) 311 connects the printer unit 312 and the controller unit 316 and performs synchronous / asynchronous conversion of image data. A scanner interface (scanner I / F) 313 connects the scanner 314 and the controller unit 316 and performs synchronous / asynchronous conversion of image data.

  An image processing unit 317 performs correction, processing, and editing on input image data, and performs printer correction, resolution conversion, and the like on print output image data. In addition to this, the image processing unit 317 performs image data rotation and compression / decompression processing such as JPEG for multi-valued image data and JBIG, MMR, MH for binary image data.

  The scanner unit 314 illuminates an image on paper as a document and scans it with a CCD line sensor, thereby converting it into an electrical signal as raster image data. The original paper is set on the tray of the original feeder, and when the apparatus user gives a reading start instruction from the operation unit 308, the CPU 301 gives an instruction to the scanner 314, and the feeder feeds the original paper one by one to read the original image. I do.

  The printer unit 312 is a part that converts raster image data into an image on paper. The method is an electrophotographic method using a photosensitive drum or a photosensitive belt, and ink is ejected from a micro nozzle array directly on the paper. There is an inkjet method for printing an image, but any method may be used. The activation of the printing operation is started by an instruction from the CPU 301. The printer unit 312 has a plurality of paper feed stages so that different paper sizes or different paper orientations can be selected, and has a paper cassette corresponding thereto.

  The operation unit 308 has an LCD display unit, and a touch panel sheet is pasted on the LCD. The operation unit 308 displays an operation screen of the system. When a displayed key is pressed, the position information is displayed on the operation unit I / F 307. To the CPU 301 via The operation unit 308 includes, for example, a start key, a stop key, an ID key, a reset key, and the like as various operation keys.

  Note that the display unit has different display performance depending on the printer, and a printer that can be operated via a touch panel, a printer that simply has a liquid crystal screen and displays a character string (displays the print status and the name of the document being printed). Is structured.

  Here, the start key of the operation unit 308 is used when starting a document image reading operation. At the center of the start key, there are two color LEDs, green and red, which indicate whether or not the start key can be used. Further, the stop key of the operation unit 308 functions to stop the operation in operation. The ID key of the operation unit 308 is used when inputting the user ID of the user. The reset key is used when initializing settings from the operation unit.

  The card reader 319 reads information stored in the IC card under the control of the CPU 301 and notifies the CPU 301 of the read information via the external I / F 318.

  With the configuration as described above, the multi-function device 300 can transmit the image data read from the scanner 314 to the LAN 600 and print out the print data received from the LAN 600 by the printer unit 312.

  Further, the image data read from the scanner 314 can be faxed to the public line by the modem 306, and the image data received by fax from the public line can be output by the printer unit 312.

  Next, a functional block diagram of the MFP 300 according to the present invention will be described with reference to FIG. In FIG. 4, basic functions will be described, and detailed control processed by each functional unit will be described in a flowchart described later.

  The multifunction machine 300 includes a first reading control unit 401, a second reading control unit 402, an authentication cache acquisition unit 403, an authentication request unit 404, and a login control unit 405 as functional units.

  The first reading control unit 401 is a functional unit for controlling the card reader 319 in order to read first identification information (for example, a serial number) stored in a storage medium (for example, an IC card).

  The second reading control unit 402 is a function for controlling the card reader 319 to read second identification information (for example, internal information including a card ID) stored in a storage medium (for example, an IC card). Part.

  When the second identification information cannot be read from the storage medium, the authentication cache acquisition unit 403 acquires the second identification information according to the first identification information read by the first reading control unit 401 and the authentication cache. It is a functional part to do.

  The authentication request unit 404 is a functional unit that makes an authentication request to a device (for example, an authentication server) that performs authentication processing, using the second identification information acquired by the authentication cache acquisition unit 403.

  In accordance with the result of the authentication request by the authentication request unit 404, the login control unit 405 releases the restriction on the multifunction device operation so that the multifunction device can be used when the authentication is successful, or when the authentication fails, the multifunction device This is a functional unit that controls login to the multifunction device, such as notifying an error to the operation unit.

  Next, this embodiment will be described in detail with reference to the flowcharts of FIGS.

  First, the flowchart of an authentication process is demonstrated using FIG. FIG. 5 is a flowchart of the authentication process.

  The multifunction device 300 stores an authentication program and a card reader driver program that controls the card reader, and is configured to control authentication. In the present embodiment, the authentication program and the card reader program will be described separately. However, the authentication program and the card reader program can be combined into one program.

  In addition to the authentication program, a print program for displaying a list of user print data corresponding to the authenticated IC card and outputting print data designated in accordance with a user instruction is also stored.

  In step S501 to step S513 and step S516 to step S522, which will be described later, the CPU 301 of the multifunction peripheral 300 executes processing. In step S514 and step S515, the CPU 201 of the authentication server 200 executes processing.

  In step S501, in order to start reading the IC card with the card reader 319, a card reading start request is issued to the card reader driver program.

  In step S502, a card reading start request from the authentication program is received, and a card reading start command is issued to the card reader 319. At this time, in order to read, for example, a manufacturing number (first identification information) stored in the IC card, a start command designating a predetermined area is issued. An area in which a number unique to an IC card such as a manufacturing number is stored is standardized according to the type of IC card.

  As a result, the card reader 319 starts polling for card reading in order to read the card.

  In step S503, it is determined whether the IC card is placed over the card reader and the card is read (detected). If the IC card is detected, the process proceeds to step S504. If the IC card is not detected, the polling process is continued (waiting for reading). When an IC card is detected, the card reader 319 notifies the IC card manufacturing number.

  As shown in FIG. 9, the IC card is composed of an area in which the card manufacturing number is stored and an area in which card internal information capable of storing arbitrary data is stored. In addition, a card ID used as authentication information is stored in a specific portion of the card internal information. In the present embodiment, “Dev0100000Emp010001” is data corresponding to the card ID. In addition to the card ID, a user ID or employee number may be used.

  Steps S501 to S503 are processing for controlling reading of the first identification information stored in the storage medium (first reading control).

  In step S504, the serial number transmitted from the card reader 319 is acquired, and the serial number is notified to the authentication program.

  In step S505, the notified manufacturing number is acquired. The acquired serial number is stored in the RAM 302.

  In step S506, when the serial number is acquired, reading the area in which the card internal information is stored in order to read the information (internal information of the card) stored in the area that can be arbitrarily stored in the IC card. Request the card reader driver program for the request.

  Steps S506 to S507 are processing for controlling the reading of the second identification information stored in the storage medium (second reading control).

  In step S507, in response to a read request from the authentication program, a read command is issued to the card reader 319 in order to read the internal information of the IC card detected in step S503. When the internal information is read by the card reader 319 by the reading command, the internal information is acquired from the card reader 319. If the user removes the IC card from the card reader 319 before reading the internal information and the internal information cannot be read, the internal information cannot be acquired from the card reader 319, so that authentication error information is generated.

  In step S508, if the internal information is acquired in step S507, the internal information is transmitted as a reading result. If the internal information cannot be read, authentication error information is transmitted as the reading result.

  In step S509, the reading result is received from the card reader driver program.

  In the present embodiment, after obtaining the manufacturing number in step S505, a request for reading internal information from the authentication program is made in step S506. However, the present invention is not limited to this. If the reading result (internal information or reading error) is obtained without issuing a notification to the authentication program, and the reading result (internal information or reading error) is acquired,

The reading result may be transmitted. That is, it is only necessary to perform the process of reading the manufacturing number and the internal information.

  In step S510, it is determined whether desired identification information (for example, card ID or user ID) has been acquired from the received reading result. If the identification information can be acquired, it is determined that the internal information has been successfully read, and the process proceeds to step S513. If the identification information cannot be acquired, that is, if a reading error is acquired, it is determined that reading has failed, and the process proceeds to step S511.

  In step S511, when reading fails because reading has not been completed normally, the cache table of FIG. 8 stored in the RAM 302 (authentication information obtained in the past by authentication with the authentication server) is stored in step S505. Search with the serial number obtained in.

  Step S511 obtains the second identification information according to the first identification information read by the first reading control and the authentication cache when the second identification information could not be read by the second reading control. (Authentication cache acquisition).

  In step S512, the manufacturing number acquired in step S505 is searched in the cache table of FIG. 8 to determine whether or not a matching manufacturing number exists. If the manufacturing number exists, the process proceeds to step S513. If the manufacturing number does not exist, the process proceeds to step S520.

  In step S520, information indicating an authentication failure is displayed on the panel of the operation unit 308 of the multifunction machine 300. Specifically, this authentication failure is an authentication failure because the internal information could not be read, so to indicate why the user had an authentication error, “The IC card could not be read properly. IC. Please hold the card over the card reader properly. "

  Step S520 is a process for displaying that the authentication failure due to the read error indicates that the second identification information cannot be acquired by acquiring the authentication cache.

  Thereby, the user grasps whether the authentication has failed due to the IC card not being registered in the authentication table of the authentication server, or whether the authentication has failed due to a problem in the method of holding the IC card of the user. Authentication failure when the IC card is held over again can be prevented.

  In step S513, an authentication request including the identification information acquired in step S510 or the identification information (card ID in FIG. 8) stored corresponding to the manufacturing number matched by the search in step S511 is transmitted to the authentication server 200. .

In step S513, an authentication request is made using the second identification information acquired by acquiring the authentication cache, and if the second identification information is read by the second reading control, the read second information is read. This is a process of requesting authentication using the identification information of No. 2.

  In step S514, the identification information is received, and authentication is performed by searching the authentication table of FIG. In step S515, if there is identification information (card ID in FIG. 8) that matches the authentication table, an authentication result indicating successful authentication is transmitted. If there is no identification information that matches the authentication table, an authentication result indicating an authentication failure is transmitted. If the authentication is successful, user information including a user ID, a card ID, a mail address, and the like is transmitted.

  In step S516, an authentication result is received from authentication server 200.

  In step S517, it is determined whether the authentication is successful according to the authentication result. If the authentication is successful, the process proceeds to step S518. If the authentication fails, the process proceeds to step S521.

  In step S521, since there is no data corresponding to the authentication table as a result of the authentication request to the authentication server 200, “Card not registered. Register card.” Is displayed.

  In step S521, that is, when the second identification information can be read by the second reading control and the authentication request is made using the read second identification information, the storage medium does not exist. To indicate authentication failure due to

  Thereby, the user can recognize the reason for the authentication failure, and the authentication failure when the IC card is held again can be prevented.

  In step S518, the card ID is acquired using the cache data, and it is determined whether or not an authentication request has been made to the authentication server using the card ID. When the cache data is used, that is, when the card ID is searched in step S511, the processing is terminated without updating the cache, and the authentication result is included in the area managed by the multifunction peripheral 300 for login in step S522. Set user information to be logged in and log in.

  In step S519, the serial number acquired in step S505, the card ID of the user information included in the authentication result (or the card ID received in step S509), and the reading success time (for example, when YES is determined in step S510) The corresponding cache data is updated at the time stored in (1). The successful reading time may be a time when the authentication is successful. The cache data is updated and login is performed in the same manner as in step S522 described above. When there is no cache data, a serial number, a card ID, and a reading success time are newly added to the cache table.

  Step S519 is a process of storing an authentication cache in which the first identification information and the second card are associated with each other.

  Next, a flowchart of cache data maintenance processing will be described with reference to FIG. FIG. 5 is a flowchart of cache data maintenance processing.

  The process of the flowchart in FIG. 6 is an authentication program process that is executed when a predetermined date and time comes, and is executed by the CPU 301.

  In step S601, it is determined whether all the caches in the cache table of FIG. 8 have been confirmed. If all the caches have been confirmed, the process ends. If all the cache data has not been confirmed, the process proceeds to step S602 in order to obtain the unconfirmed cache data.

  In step S602, unconfirmed cache data is acquired from the cache table of FIG.

  In step S603, it is confirmed whether the read success time of the acquired cache data is within the expiration date. Specifically, it is determined whether the authentication program is within a predetermined period as a setting. For example, it may be determined whether or not 24 hours have passed since the reading success time. If it has exceeded the expiration date, the process proceeds to step S604. If it is within the expiration date, the process returns to step S601 to acquire the next cache data.

  In step S604, the cache data acquired in step S602 is deleted from the cache table of FIG.

  Next, an authentication table stored in the authentication server 200 will be described with reference to FIG. FIG. 7 is a diagram illustrating an example of an authentication table stored in the external memory 211 by the authentication server 200.

  The authentication table is configured to be able to store a user ID, a card ID, a password, a mail address, and a department to which the authentication table is stored, and data is registered in each item. In addition, the structure which has other items, for example, items, such as authority, may be sufficient.

  It is assumed that the authentication table is registered in advance by the system administrator, but it may be configured such that the user inputs various data from the client terminal 100 or the multifunction device 300 to register it.

  Authentication using an IC card is executed using this authentication table. Since the MFP 300 has keyboard authentication that allows a user to input a user ID and a password in addition to authentication using an IC card, in the case of keyboard authentication. Can also be authenticated using the authentication table.

  In this embodiment, the configuration in which the authentication table is stored in the authentication server 200 has been described. However, the authentication table (which may be an authentication file or the like) is stored in the HDD 304 of the multi-function device 300, and authentication is performed in the multi-function device 300. It is also possible to make it.

  That is, the authentication process by searching the authentication table is not limited to being executed by the authentication server 200.

  Next, a cache table stored in the multifunction machine 300 will be described with reference to FIG. FIG. 8 is a diagram illustrating an example of a cache table stored in the RAM 302 by the multifunction machine 300.

  The cache table is configured to be able to store the card manufacturing number, the card ID, and the reading success time in association with each other, and data is registered in each item. Note that the cache table may have items such as a user ID and store other data.

  Thus, since the card manufacturing number and the card ID are stored in association with each other, even if the internal information cannot be read in step S506 and the card ID (second identification information) cannot be acquired, it is acquired in step S504. Since the card ID can be acquired from the manufactured serial number (first identification information), authentication processing can be executed and authentication failures can be reduced.

  Next, data stored in the IC card will be described with reference to FIG. FIG. 9 is a schematic diagram showing data in the IC card.

  The IC card has a card serial number area pre-recorded on the IC card and a card internal information area that can be arbitrarily stored by an administrator who manages the IC card.

  The area for reading the card serial number is an area determined by the format of the IC card, and the area for the card internal information is an area for reading inside the IC card as setting information of the authentication program. Each data can be read through the card reader 319.

  In the above description, the authentication request including the card ID is transmitted to the authentication server 200 in step S513. However, the manufacturing number acquired in step S505 may be transmitted together with the card ID.

  Processing for transmitting the card ID and the manufacturing number will be described with reference to the flowchart of FIG. In addition, description is abbreviate | omitted about the same process in the flowchart of FIG.

  In step S1001, the CPU 301 executes processing, and in steps S1002 to S1006, the CPU 201 executes processing.

  In step S1001, an authentication request including the card ID obtained by searching in step S511 or the card ID obtained in step S509 and the manufacturing number obtained in step S505 is transmitted to the authentication server 200.

  In step S1002, an authentication request is received from the multifunction device 300.

  In step S1003, it is determined whether the card ID acquired from the authentication request exists in the authentication table of FIG. If the card ID exists in the authentication table, the process proceeds to step S1004. If the card ID does not exist in the authentication table, the process proceeds to step S1006 to transmit an authentication result indicating an authentication failure.

  In step S1004, it is determined whether or not the manufacturing number stored in association with the card ID matched in step S1003 matches the manufacturing number acquired from the authentication request. If the manufacturing numbers match, the process proceeds to step S1005. If the manufacturing numbers do not match, the IC card that has read the manufacturing number is different from the IC card that has read the card ID, so that the authentication result indicates an authentication failure. Is transferred to step S1006.

  In step S1005, user information corresponding to the card ID stored in the authentication table is acquired.

  In step S1006, if the authentication is successful (YES in step S1004), an authentication result including the user information acquired in step S1005 and information indicating successful authentication is generated, and the authentication result is transmitted to the MFP 300. . If authentication fails (NO in step S1003 and NO in step S1004), an authentication result including information indicating the authentication failure is generated, and the authentication result is transmitted to the MFP 300. Processing after the authentication result is received by the multifunction device 300 is the same as that shown in FIG.

  In the process of FIG. 10 described above, the manufacturing number (first identification information) and the card ID (second identification information) are transmitted to the authentication server for authentication, so the first reading (YES in step S503) Even when different IC cards are read in the second reading (step S507), the combination of the manufacturing number (first identification information) and card ID (second identification information) registered in the authentication server is checked. Therefore, the authentication failure due to the reading error can be reduced and the authentication can be appropriately performed.

  More specifically, when a person who has two IC cards holds two IC cards on the neck strap and holds the IC card over the card reader, he / she logs in nearby. Since there is an IC card that is not used (another IC card), the other card may be erroneously read. It is possible to reduce the occurrence of an erroneous login due to the authentication process being performed with another IC card, which occurs in this case.

  As described above, according to the present embodiment, when a storage medium (for example, an IC card) has a reading error, the authentication server (information processing apparatus) has an authentication cache corresponding to the read storage medium. By making an authentication request using information contained in the authentication cache, it is possible to reduce authentication failures due to read errors.

  Also, when reading the internal information of the IC card, since the reading process occurs such as reading the internal information after reading the serial number, the user must hold the IC card over the card reader longer than usual. I must. For this reason, the time for holding the IC card over the card reader becomes short, such as when you are in a hurry, and the IC card cannot be read a plurality of times, resulting in a reading error and a login failure as a result of an authentication failure. Although the user intends to hold the IC card appropriately, the authentication fails, which is not convenient for the user. However, in the present embodiment, the above-mentioned authentication failure can be reduced. Therefore, it is convenient for the user.

  Further, when the authentication is successful, the authentication cache is stored, and when it is read a plurality of times, the reading success time is updated, so that security can be maintained.

  It should be noted that the configuration and contents of the various data described above are not limited to this, and it goes without saying that the various data and configurations are configured according to the application and purpose.

  Although one embodiment has been described above, the present invention can take an embodiment as, for example, a system, apparatus, method, program, or recording medium, and specifically includes a plurality of devices. The present invention may be applied to a system including a single device.

  Furthermore, although the present embodiment has been described on the assumption that a multi-function device is used, any device that authenticates using a storage medium storing identification information used for authentication such as an IC card may be used. It may be a device.

  The program according to the present invention is a program that allows a computer to execute the processing methods of the flowcharts shown in FIGS. 5, 6, and 10. The storage medium according to the present invention uses the processing methods of FIGS. 5, 6, and 10. A computer executable program is stored. Note that the program according to the present invention may be a program for each processing method of each apparatus in FIGS. 5, 6, and 10.

  As described above, a recording medium that records a program that implements the functions of the above-described embodiments is supplied to a system or apparatus, and a computer (or CPU or MPU) of the system or apparatus stores the program stored in the recording medium. It goes without saying that the object of the present invention can also be achieved by executing the reading.

  In this case, the program itself read from the recording medium realizes the novel function of the present invention, and the recording medium storing the program constitutes the present invention.

  As a recording medium for supplying the program, for example, a flexible disk, hard disk, optical disk, magneto-optical disk, CD-ROM, CD-R, DVD-ROM, magnetic tape, nonvolatile memory card, ROM, EEPROM, silicon A disk, solid state drive, or the like can be used.

  Further, by executing the program read by the computer, not only the functions of the above-described embodiments are realized, but also an OS (operating system) operating on the computer based on an instruction of the program is actually It goes without saying that a case where the function of the above-described embodiment is realized by performing part or all of the processing and the processing is included.

  Furthermore, after the program read from the recording medium is written to the memory provided in the function expansion board inserted into the computer or the function expansion unit connected to the computer, the function expansion board is based on the instructions of the program code. It goes without saying that the case where the CPU or the like provided in the function expansion unit performs part or all of the actual processing and the functions of the above-described embodiments are realized by the processing.

  Further, the present invention may be applied to a system composed of a plurality of devices or an apparatus composed of a single device. Needless to say, the present invention can be applied to a case where the present invention is achieved by supplying a program to a system or apparatus. In this case, by reading a recording medium storing a program for achieving the present invention into the system or apparatus, the system or apparatus can enjoy the effects of the present invention.

  Furthermore, by downloading and reading a program for achieving the present invention from a server, database, etc. on a network using a communication program, the system or apparatus can enjoy the effects of the present invention.

  In addition, all the structures which combined each embodiment mentioned above and its modification are also included in this invention.

100 Client terminal 200 Authentication server 300 Multifunction device 600 LAN
401 First read control unit 402 Second read control unit 403 Authentication cache acquisition unit 404 Authentication request unit 405 Login control unit

Claims (9)

An information processing apparatus for storing an authentication cache in which first identification information and second identification information stored by successful authentication are associated with each other, and capable of logging in by reading a storage medium,
First reading control means for controlling reading of the first identification information stored in the storage medium;
Second reading control means for controlling reading of the second identification information stored in the storage medium;
When the second identification information cannot be read by the second reading control means, the second identification information is changed according to the first identification information and the authentication cache read by the first reading control means. An authentication cache acquisition means to acquire;
An information processing apparatus comprising: an authentication requesting unit that makes an authentication request using the second identification information acquired by the authentication cache acquiring unit. The authentication request means includes
2. The information processing apparatus according to claim 1, wherein when the second identification information is read by the second reading control unit, an authentication request is made using the read second identification information. Authentication that stores an authentication cache in which the first identification information and the second card are associated with each other when authentication is successful by an authentication request using the second identification information read by the second reading control means The information processing apparatus according to claim 2, further comprising a cache storage unit. 4. The display device according to claim 2, further comprising: a display unit that displays an authentication failure due to a reading error when the second identification information cannot be acquired by the authentication cache acquisition unit. The information processing apparatus according to claim 1. The display means includes
If the second reading control means can read the second identification information and the authentication request is made using the read second identification information, the authentication failure is caused by the absence of the storage medium. The information processing apparatus according to claim 4, wherein a display to the effect is displayed. 6. The information processing apparatus according to claim 1, further comprising login control means for controlling login to the information processing apparatus according to a result of the authentication request by the authentication request means. The authentication request means requests authentication of the first identification information and the second identification information,
The login control unit logs in to the information processing apparatus when authentication is successful according to a combination of the first identification information and the second identification information requested to be authenticated. 6. The information processing apparatus according to 6. A processing method of an information processing apparatus capable of storing an authentication cache in which first identification information and second identification information stored by successful authentication are associated with each other and capable of logging in by reading a storage medium ,
The information processing apparatus is
A first reading control step for controlling reading of the first identification information stored in the storage medium;
A second reading control step for controlling reading of the second identification information stored in the storage medium;
When the second identification information cannot be read in the second reading control step, the second identification information is changed according to the first identification information and the authentication cache read in the first reading control step. An authentication cache acquisition step to be acquired; and
An authentication request step for requesting an authentication using the second identification information acquired in the authentication cache acquisition step. A program that can be executed by an information processing apparatus that stores an authentication cache in which first identification information and second identification information stored by successful authentication are associated with each other and can log in by reading a storage medium. And
The information processing apparatus;
First reading control means for controlling reading of the first identification information stored in the storage medium;
Second reading control means for controlling reading of the second identification information stored in the storage medium;
When the second identification information cannot be read by the second reading control means, the second identification information is changed according to the first identification information and the authentication cache read by the first reading control means. An authentication cache acquisition means to acquire;
A program that functions as an authentication request unit that makes an authentication request using the second identification information acquired by the authentication cache acquisition unit.

Images