JP2017182781A - Access management device, access management method and access management program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide an access management device, access management method and access management program that allow a login screen to be displayed on a user terminal when the user terminal accesses an URL by a user and transition site, the URL is analyzed based on a prescribed master to implement security checking, and the checking is OK.SOLUTION: According to the present embodiment, a hard-to-conjecture URL issued by a system is configured to be a prerequisite for access to a login page, and thereby access from outsiders is prevented. Further, a different URL is issued for each user of the system to identify which any of users the access is from based on the URL used in the access to the login page. Upon login authentication, only when not only a conventional combination of the ID and password but also a combination of users identified by the ID, password and URL are all correct, the login is permitted.SELECTED DRAWING: Figure 4

Description

  The present invention relates to an access management device, an access management method, and an access management program.

  In paragraph 0062 of Patent Document 1, “EC server 300 is based on the first authentication based on the combination of the login ID and the password and the access to the randomly generated confirmation URL as the authentication process of the customer who requests login. Second authentication is performed. ... The EC server 300 prevents unauthorized access such as customer impersonation by performing double authentication processing in this way. Is described.

  Patent Document 2 discloses an information processing system including a portable browsing terminal, a gateway computer, and the like, and paragraph 0036 shows a gateway computer that has received a login screen display request from the portable browsing terminal. Displays a login screen on the display of the terminal.

Japanese Patent No. 5691853 JP 2001-331389 A

  However, in the prior art, “when a user terminal accesses a URL for each user / transition site, the system analyzes the URL based on a predetermined master and performs a security check. There is a problem that the function of “displaying the screen on the user terminal” cannot be realized.

  The present invention has been made in view of the above problems. When a user terminal accesses a URL for each user / transition site, the system analyzes the URL based on a predetermined master and performs a security check. If the check is OK, an object of the present invention is to provide an access management apparatus, an access management method, and an access management program that can display a login screen on the user terminal.

  In order to solve the above-described problems and achieve the object, an access management apparatus according to the present invention is an access management apparatus including a storage unit and a control unit, and the storage unit includes a gateway account and a login An account storage unit that stores an account including an account, and the control unit transmits, from the user terminal, a gateway transmission unit that transmits a URL for each user or a URL for each transition website to the user based on the gateway account; And a display control unit that displays a login screen for authenticating the login account on the user terminal when the URL for each user or the URL for each transition website is accessed. .

  In the access management apparatus according to the present invention, the URL for each user and the URL for each transition Web site are set to an accessible expiration date, and the display control means includes the user within the expiration date. When a URL for each user or a URL for each transition Web site is accessed from a terminal, the login screen is displayed on the user terminal.

  In the access management apparatus according to the present invention, when the control unit accesses an URL for each user or a URL for each transition Web site from an unknown user terminal, the control unit transmits the unknown user terminal to the user. Security code transmitting means for transmitting a security code for authentication; and when the security code is input from the unknown user terminal, the display control means displays the login screen on the user terminal. It is characterized by.

  The access management apparatus according to the present invention is characterized in that the URL for each user and the URL for each transition Web site are URLs set by the user.

  The access management apparatus according to the present invention is characterized in that the URL for each user and the URL for each transition Web site are URLs set in a secure environment by the user.

  In the access management apparatus according to the present invention, the gateway account includes an email address of the user, access authority data of the user terminal, and / or identification data of the user terminal.

  In the access management apparatus according to the present invention, the login account includes a user ID and / or a login password.

  The access management method according to the present invention is an access management method executed by an access management apparatus including a storage unit and a control unit, wherein the storage unit includes an account storage including a gateway account and a login account. And a gateway transmission step of transmitting a URL for each user or a URL for each transition website to a user based on the gateway account, executed by the control unit, and a URL for each user from a user terminal or And a display control step of displaying a login screen for authenticating the login account on the user terminal when the URL for each transition website is accessed.

  An access management program according to the present invention is an access management program for causing an access management apparatus including a storage unit and a control unit to execute, wherein the storage unit includes an account including a gateway account and a login account. A gateway transmitting step of transmitting a URL for each user or a URL for each transition Web site to a user based on the gateway account in the control unit; and a URL for each user or the transition from a user terminal And a display control step for displaying a login screen for authenticating the login account on the user terminal when accessing a URL for each website.

  According to the present invention, when a user terminal accesses a URL for each user / transition site, the system analyzes the URL based on a predetermined master and performs a security check. If the check is OK, a login screen is displayed. Can be displayed on the user terminal.

FIG. 1 is a block diagram illustrating an example of the configuration of the access management apparatus. FIG. 2 is a flowchart illustrating an example of processing of the access management apparatus according to the present embodiment. FIG. 3A is a diagram illustrating an example of an operation flow. FIG. 3-2 is a diagram illustrating an example of an operation flow. FIG. 4 is a diagram illustrating an example of an operation flow. FIG. 5 is a diagram illustrating an example of an operation flow. FIG. 6A is a diagram illustrating an example of an operation flow. FIG. 6B is a diagram illustrating an example of an operation flow. FIG. 7 is a diagram illustrating an example of an operation flow. FIG. 8 is a diagram illustrating an example of an operation flow of the trainee system version. FIG. 9 is a diagram illustrating an example of a system flow. FIG. 10 is a diagram illustrating an example of a system flow. FIG. 11A is a diagram illustrating an example of a system flow. FIG. 11B is a diagram illustrating an example of a system flow. FIG. 12 is a diagram illustrating an example of a system flow. FIG. 13 is a diagram illustrating an example of a flow for managing a plurality of systems with different user management. FIG. 14 is a diagram illustrating an example of a flow for managing a plurality of systems with different user management. FIG. 15 is a diagram showing an example of a system configuration when introducing the external access gateway according to the present embodiment.

  Embodiments of the present invention will be described in detail with reference to the drawings. In addition, this invention is not limited by this embodiment.

[1. Overview]
Conventionally, there is a mechanism for issuing a different URL for each user and identifying the user from the URL used for accessing the login authentication page, and the URL used for access is a URL that has been authenticated by the system. In this case, the login is permitted by omitting the input of the ID and password on the login authentication page. Therefore, in the conventional mechanism, when the URL is leaked, the risk of unauthorized login to the system is high. That is, conventionally, there is a risk that the login page of the Web / mobile system is accessed by an outsider on a network where safety is not established.

  Therefore, in the present embodiment, a security enhancement function based on user-specific URLs is realized in a Web / mobile system on a network (such as the Internet) where safety is not established. Specifically, in this embodiment, in order to access the login page, a URL that is difficult to guess issued by the system is essential, thereby preventing access from outsiders.

  That is, in this embodiment, a different URL is issued for each user of the system, and which user is accessing is identified from the URL used for accessing the login page. At the time of login authentication in this embodiment, login is permitted only when all combinations of IDs, passwords, and URLs identified by users are correct, as well as conventional ID / password combinations.

  Therefore, in this embodiment, even if the URL or user ID may be leaked, unauthorized login can be prevented by reissuing the URL for each user and invalidating the leaked URL In addition, by allowing the user himself / herself to reissue the URL, a quick response to the leakage is made possible.

[2. Constitution]
An example of the configuration of the access management apparatus 100 according to the present embodiment will be described with reference to FIG. FIG. 1 is a block diagram illustrating an example of the configuration of the access management apparatus 100.

  The access management apparatus 100 is a commercially available desktop personal computer. The access management apparatus 100 is not limited to a stationary information processing apparatus such as a desktop personal computer, but is a portable type such as a commercially available notebook personal computer, PDA (Personal Digital Assistant), smartphone, or tablet personal computer. An information processing apparatus may be used.

  The access management apparatus 100 includes a control unit 102, a communication interface unit 104, a storage unit 106, and an input / output interface unit 108. Each part with which the access management apparatus 100 is provided is connected so that communication is possible via arbitrary communication paths.

  The communication interface unit 104 communicatively connects the access management apparatus 100 to the network 300 via a communication device such as a router and a wired or wireless communication line such as a dedicated line. The communication interface unit 104 has a function of communicating data with other devices via a communication line. Here, the network 300 has a function of connecting the access management apparatus 100 and the server 200 so that they can communicate with each other, and is, for example, the Internet or a LAN (Local Area Network).

  The storage unit 106 stores various databases, tables, files, and the like. The storage unit 106 stores a computer program for giving various instructions to a CPU (Central Processing Unit) in cooperation with an OS (Operating System). As the storage unit 106, for example, a memory device such as a RAM (Random Access Memory) and a ROM (Read Only Memory), a fixed disk device such as a hard disk, a flexible disk, and an optical disk can be used. The storage unit 106 includes an account database 106a.

  The account database 106a stores an account including a gateway account and a login account. Here, the gateway account may include a user's email address, user terminal access authority data, and / or user terminal identification data. Here, the access authority data includes the access authority via the Internet, the access authority via the intranet, the access authority from outside the company, the access authority from within the company, the access authority from the PC website, and / or the mobile web. It may be data such as access authority from the site. Further, the identification data may be data for identifying a Web browser installed in the user terminal (for example, a cookie stored in the Web browser). The login account may include a user ID and / or a login password.

  An input device 112 and an output device 114 are connected to the input / output interface unit 108. As the output device 114, a speaker (including a home television), a speaker, and a printer can be used. As the input device 112, in addition to a keyboard, a mouse, and a microphone, a monitor that realizes a pointing device function in cooperation with the mouse can be used. In the following description, the output device 114 may be described as the monitor 114, and the input device 112 may be described as the keyboard 112 or the mouse 112.

  The control unit 102 is a CPU or the like that controls the access management apparatus 100 in an integrated manner. The control unit 102 has an internal memory for storing a control program such as an OS, a program that defines various processing procedures, and necessary data, and performs various information processing based on these stored programs. Run. In terms of functional concept, the control unit 102 includes a gateway transmission unit 102a, a user determination unit 102b, a security code transmission unit 102c, and a display control unit 102d.

  The gateway transmission unit 102a transmits a URL for each user or a URL for each transition website to the user based on the gateway account. Here, an accessible expiration date may be set for the URL for each user and the URL for each transition Web site. The URL for each user and the URL for each transition Web site may be URLs set by the user. Further, the URL for each user and the URL for each transition website may be URLs set in a secure environment by the user. Here, the secure environment may be an intranet environment.

  When there is an access to a URL for each user or a URL for each transition website, the user determination unit 102b determines whether the access is from a (authenticated) user terminal. Here, the user determination unit 102b identifies the (authenticated) web browser based on the cookie stored in the web browser installed in the user terminal, so that the access from the (authenticated) user terminal is performed. It may be determined whether or not. Further, the user determination unit 102b may determine whether the access is within the expiration date.

  When an unknown user terminal accesses a URL for each user or a URL for each transition Web site, the security code transmission unit 102c transmits a security code for authentication of the unknown user terminal to the user. Here, the access from the unknown user terminal may include an access from a web browser different from the authenticated web browser installed in the user terminal.

  When the user terminal accesses the URL for each user or the URL for each transition website from the user terminal, the display control unit 102d displays a login screen for authenticating the login account on the user terminal. Here, the display control unit 102d may display a login screen on the user terminal when the user terminal accesses the URL for each user or the URL for each transition website within the expiration date. The display control unit 102d may display a login screen on the user terminal when a security code is input from an unknown user terminal. Here, the display control unit 102d may display the login screen on the display device of the user terminal by transmitting the login screen to the user terminal. Further, the display control unit 102d may display a security code input screen for inputting a security code on the user terminal.

[3. Concrete example]
A specific example of processing of the access management apparatus 100 according to the present embodiment will be described with reference to FIGS.

[Access management process]
Here, an example of the access management process in the present embodiment will be described with reference to FIG. FIG. 2 is a flowchart illustrating an example of processing of the access management apparatus 100 in the present embodiment.

  As shown in FIG. 2, the gateway transmission unit 102a is based on the gateway account stored in the account database 106a, and the URL for each user or the transition website for which the expiration date for accessing the user's email address is set. Is transmitted (step SA-1).

  Then, when there is an access to the URL for each user or the URL for each transition Web site, the user determination unit 102b determines whether the access is within the expiration date (step SA-2).

  When the user determination unit 102b determines that the access is not within the expiration date (step SA-2: No), the user determination unit 102b rejects the access and shifts the process to step SA-1.

  On the other hand, if the user determination unit 102b determines that the access is within the expiration date (step SA-2: Yes), the process proceeds to step SA-3.

  Then, the user determination unit 102b identifies the authenticated web browser based on the cookie stored in the web browser installed in the user terminal based on the gateway account stored in the account database 106a. It is determined whether the access is from a completed user terminal (step SA-3).

  If the user determination unit 102b determines that the access is from an authenticated user terminal (step SA-3: Yes), the process proceeds to step SA-7.

  On the other hand, the user determination unit 102b is not an access from an authenticated user terminal (access from an unknown user terminal (for example, access from a web browser different from an authenticated web browser installed in the user terminal). Is determined (step SA-3: No), the process proceeds to step SA-4.

  Then, the security code transmitting unit 102c transmits a security code for authentication of an unknown user terminal to the user's email address (step SA-4).

  Then, the display control unit 102d transmits the security code input screen for inputting the security code to the user terminal, thereby displaying the security code input screen on the display device of the user terminal (step SA-5).

  Then, the display control unit 102d determines whether or not the security code transmitted by the security code transmission unit 102c has been input to the security code input screen (step SA-6).

  If the display control unit 102d determines that the security code transmitted by the security code transmission unit 102c has not been input to the security code input screen (step SA-6: No), the process ends.

  On the other hand, if the display control unit 102d determines that the security code transmitted by the security code transmission unit 102c has been input to the security code input screen (step SA-6: Yes), the display control unit 102d shifts the processing to step SA-7.

  Then, the display control unit 102d transmits a login screen for authenticating the login account to the user terminal, thereby displaying the login screen on the display device of the user terminal, thereby executing login processing by the user (step SA). -7), The process is terminated.

  Here, an example of the operation flow in the present embodiment will be described with reference to FIGS. 3A to 7 are diagrams illustrating an example of an operation flow.

  As shown in FIG. 3A, in this embodiment, a gateway (G / W) account is prepared, and the URL to be accessed is confirmed as shown in FIG. 3-2.

  In the present embodiment, when the terminal approval function is invalid, the system may be accessed from outside the company (insecure environment) as shown in the upper diagram of FIG. In the present embodiment, when the terminal approval function is valid, the system may be accessed from outside the company (insecure environment) as shown in the lower diagram of FIG. In this embodiment, in order to determine whether the browser is an approved browser by identifying the browser user agent and the cookie stored on the user terminal side, the same browser is used with the same version of the user terminal. Even if accessed, if the cookie information is different, it may be treated as a different terminal. In this embodiment, even when Cookie is deleted, it may be treated as an unknown user terminal.

  Further, in the present embodiment, when the validity period of the URL has expired, as shown in the upper diagram of FIG. 5, access from outside the company (insecure environment) to the system may be denied. Further, in the present embodiment, when the validity period of the URL has expired, as shown in the lower diagram of FIG. 5, the validity period may be extended for access to the system from the company (secure environment).

  Also, as shown in FIG. 6A, when accessing by another person's URL, that is, when Tanaka tries to log in using the URL of Suzuki at the terminal in Tanaka, and the user terminal approval function is invalid, In the present embodiment, the login screen is displayed, but the user cannot log in because Suzuki's login ID and login password cannot be entered. Also, as shown in FIG. 6B, when accessing by another person's URL, that is, Tanaka tries to log in using the URL of Suzuki at the terminal in Tanaka, and the user terminal approval function is valid, In this embodiment, it is determined that the access is not from an authenticated user terminal, and an access notification and a security code from an unknown user terminal are transmitted to Suzuki.

  Also, as shown in FIG. 7, when there is a possibility that the URL has been leaked, in this embodiment, the URL can be regenerated only from within the company (secure environment).

  Here, with reference to FIG. 8 to FIG. 14, an example of the operation flow of the trainee system at the driving school in this embodiment will be described. FIG. 8 is a diagram illustrating an example of an operation flow of the trainee system version. 9 to 12 are diagrams illustrating an example of a system flow. 13 and 14 are diagrams illustrating an example of a flow when managing a plurality of systems with different user management.

  As shown in Fig. 8, in the system used by the students attending the driving school to reserve the curriculum of the driving school, the security school's security settings and gateway account preparation, etc. It may be set from any network. Here, in this embodiment, it is recommended that the individual URL be issued on a secure network in the company at the time of registration in the enrollment procedure of the trainee, but in order for the trainee to issue the individual URL, Since it takes time and effort to go to the school, the individual URL to be accessed may be issued on the secure network by the school staff instead of the trainee, and the trainee may be notified by e-mail.

  Also, as shown in FIG. 9, in the account registration and security setting in the present embodiment, Gx users and account information used in the external access gateway are registered, and the user master and the G / W account master are the same. The association may be performed by holding an internal user GUID (InternalUserGuid). Further, in the present embodiment, security information such as when an account can be accessed and when it can be accessed may be registered. In FIG. 9, access from 201X / 04/01 to 201X + 1 / Security that cannot be accessed is set from 03/31.

  Also, as shown in FIG. 10, in the issuance of the access URL in this embodiment, a secure URL for authentication as a registered account may be issued, and the user may acquire an access URL dedicated to himself / herself. Further, as shown in FIGS. 11A and 11B, in the access by the user in the present embodiment, the user accesses the system from the notified URL, and the corresponding page of the main system via the external access gateway. You may access Also, as shown in FIG. 12, with regard to the deletion of the ticket data in the present embodiment, the ticket data issued by the gateway may be deleted from the gateway website, and the application is started in terms of internal processing of the system. Sometimes a thread that loops infinitely for ticket deletion may be launched to delete tickets at regular intervals.

  FIG. 13 shows a system flow in the case where a plurality of Web systems having different login screens and / or different user authentication methods are managed by one external access gateway. Here, as shown in the left diagram of FIG. 13, in the transition from the individual URL to the Web site in this embodiment, the business system user and the trainee system user have the same external access gateway. Using the URL mechanism, the “business system” and the “trainee system” may be accessible from different Web systems. Further, as shown in the right diagram of FIG. 13, in order to realize the operation shown in the left diagram of FIG. 13, in this embodiment, a database for an external access gateway, a database for a business system (a user for a business system) And a database for the trainee system (including user authentication data for the trainee system). Specifically, as shown in FIG. 14, the transition from the individual URL to the website may be performed using these databases.

  An example of a system configuration in the present embodiment will be described with reference to FIG. FIG. 15 is a diagram showing an example of a system configuration (infrastructure logical configuration) when the external access gateway according to the present embodiment is introduced.

  As shown in FIG. 15, in the present embodiment, access via the Internet can be made only for an external public server, and the Internet information server for IIS (IIS) may not be able to secure a secure connection. .

  As described above, in the present embodiment, two-step authentication, that is, a dedicated URL for each individual and system login authentication, may be realized so that authentication including an authentication code for terminal authentication can be performed. Further, in the present embodiment, it is assumed that the individual user-specific URL can be set by assuming that the URL is changed when the authentication code is confirmed by unauthorized access. In the present embodiment, an expiration date may be set for the individual URL. In the present embodiment, the internal access may be an intranet, and the external access may be the Internet.

  Moreover, in this embodiment, since it manages with the mechanism different from user management, you may utilize in combination with the structure of another user management (for example, user management in a driving school). In the present embodiment, the URL may not be issued through the individual dedicated URL connection.

  Therefore, in this embodiment, an authentication function in the stage before opening the login screen is realized. In the present embodiment, the authentication process is performed by a combination of the individual URL and terminal authentication. Further, in this embodiment, the setting of the individual dedicated URL can be set for each individual, but the individual dedicated URL may be issued in an intranet environment.

  In the present embodiment, an access management device for managing access from a user terminal as an information processing terminal of a plurality of users to a predetermined first link destination using a browser, When receiving information indicating that there is access to a second link destination that is different from the second link destination and is uniquely assigned to each of a plurality of users, By referring to the user information master in which user information related to the user who can access the link destination is registered, the access to the second link destination can be made from the user terminal of the user registered in the user information master. There may be provided an access management device characterized by comprising user discriminating means for discriminating whether or not the access is applicable. Thereby, in this embodiment, prior to access to the first link destination (eg, login screen) or authentication for the access, a barrier of access to the second link destination can be provided. Unauthorized access to one link destination can be suppressed.

  Further, in the present embodiment, the user discriminating unit determines that, as a result of the user discrimination, access to the second link destination does not correspond to access from the user terminal of the user registered in the user information master, Authentication means for transmitting authentication processing information for performing authentication processing using identification information for identifying a user to which the second link destination is assigned to a user terminal that has accessed the second link destination. In addition, an access management device characterized in that it may be included may be provided. Thereby, in the present embodiment, it is possible to prevent further access (login) of a person who tries to gain unauthorized access, and to obtain identification information of the person who tries to gain unauthorized access.

  In the present embodiment, the first terminal information is acquired that includes one or both of terminal specifying information for specifying a user terminal and browser specifying information for specifying a browser used in the user terminal. Acquire the access history information related to the history of access from the user terminal to one or both of the acquisition means and the first link destination and the second link destination in association with the terminal information acquired by the first acquisition means. A second acquisition unit, and the user determination unit includes a terminal that has acquired the first acquisition unit and the access acquired by the second acquisition unit by the user terminal that has accessed the second link destination. A result of determination by the terminal determination means, including terminal determination means for determining whether the terminal information associated with the information corresponds to known terminals that match each other When the user terminal that accesses the second link destination corresponds to the known terminal, it is determined that the access to the second link destination corresponds to the access from the user terminal of the user registered in the user information master. An access management device characterized by the above may be provided. Thereby, in this embodiment, if terminal authentication has been completed, access to the first link destination is simplified.

  Further, in the present embodiment, when it is determined that the user terminal that has accessed the second link destination is not a known terminal as a result of the determination by the terminal determination unit, the user determination unit moves to the second link destination. An authentication unit for transmitting authentication processing information for performing authentication processing using the grant information uniquely assigned to the user to which the second link destination is assigned to the accessed user terminal; An access management device characterized by the above may be provided. Thereby, in this embodiment, prior to access to the first link destination, it is possible to provide a barrier called terminal authentication using the grant information (security code).

  In the present embodiment, a secure environment is provided in the communication system including the access management device and the user terminal, and the access management device provides An allocation unit that allocates a unique link destination to the user as the second link destination, and a holding unit that holds the link destination allocated by the allocation unit in association with user information registered in the user information master. A featured access management device may be provided. Thereby, in this embodiment, the second link destination can be assigned in a secure environment (intra-company), and the possibility that the second link destination assigned to a third party leaks is reduced. Can do.

  In the present embodiment, a token that is issued in advance to a user registered in the user information master and includes a character string for identifying an authenticated user is accessed to the first link destination. In this case, an access management apparatus may be provided, further comprising an acquisition unit that acquires from a user terminal that accesses the first link destination. Thereby, in the present embodiment, browsing can be performed in a secure environment using a token after the authentication processing.

[4. Other Embodiments]
In addition to the above-described embodiments, the present invention may be implemented in various different embodiments within the scope of the technical idea described in the claims.

  For example, among the processes described in the embodiments, all or part of the processes described as being automatically performed can be performed manually, or all of the processes described as being performed manually are all performed. Alternatively, a part can be automatically performed by a known method.

  In addition, the processing procedures, control procedures, specific names, information including parameters such as registration data and search conditions for each processing, screen examples, and database configurations shown in the present specification and drawings, unless otherwise specified. Can be changed arbitrarily.

  Further, regarding the access management apparatus 100, each illustrated component is functionally conceptual and does not necessarily need to be physically configured as illustrated.

  For example, the processing functions provided in the access management apparatus 100, particularly the processing functions performed by the control unit 102, are realized entirely or arbitrarily by a CPU and a program interpreted and executed by the CPU. It may also be realized as hardware by wired logic. The program is recorded on a non-transitory computer-readable recording medium including a programmed instruction for causing the information processing apparatus to execute the processing described in the present embodiment. 100 mechanically read. In other words, in a storage unit such as a ROM or a HDD (Hard Disk Drive), a computer program for giving instructions to the CPU in cooperation with the OS and performing various processes is recorded. This computer program is executed by being loaded into the RAM, and constitutes a control unit in cooperation with the CPU.

  The computer program may be stored in an application program server connected to the access management apparatus 100 via an arbitrary network, and may be downloaded in whole or in part as necessary. is there.

  In addition, a program for executing the processing described in this embodiment may be stored in a non-temporary computer-readable recording medium, or may be configured as a program product. Here, the “recording medium” refers to a memory card, USB (Universal Serial Bus) memory, SD (Secure Digital) card, flexible disk, magneto-optical disk, ROM, EPROM (Erasable Programmable Read Only Memory), EEPROM (registration). Trademark) (Electrically Erasable and Programmable Read Only Memory), CD-ROM (Compact Disk Read Only Memory), MO (Magneto-Optical disk), DVD (Digital Digital, Trademark) Any “portable physical media It is intended to include.

  The “program” is a data processing method described in an arbitrary language or description method, and may be in any form such as source code or binary code. Note that the “program” is not necessarily limited to a single configuration, and functions are achieved in cooperation with a separate configuration such as a plurality of modules and libraries or a separate program represented by the OS. Including things. In addition, a well-known structure and procedure can be used about the specific structure and reading procedure for reading a recording medium in each apparatus shown to embodiment, the installation procedure after reading, etc.

  Various databases and the like stored in the storage unit are storage means such as a memory device such as RAM and ROM, a fixed disk device such as a hard disk, a flexible disk, and an optical disk. Stores programs, tables, databases, web page files, etc.

  Further, the access management apparatus 100 may be configured as an information processing apparatus such as a known personal computer or workstation, or may be configured as the information processing apparatus to which an arbitrary peripheral device is connected. Further, the access management apparatus 100 may be realized by installing software (including a program or data) that realizes the processing described in the present embodiment in the apparatus.

  Furthermore, the specific form of distribution / integration of the devices is not limited to that shown in the figure, and all or a part of them may be functionally or physically in arbitrary units according to various additions or according to functional loads. It can be configured to be distributed and integrated. That is, the above-described embodiments may be arbitrarily combined and may be selectively implemented.

  The present invention is particularly useful in a Web / mobile system on a network where safety is not established.

DESCRIPTION OF SYMBOLS 100 Access management apparatus 102 Control part 102a Gateway transmission part 102b User determination part 102c Security code transmission part 102d Display control part 104 Communication interface part 106 Storage part 106a Account database 108 Input / output interface part 112 Input device 114 Output apparatus 200 Server 300 Network

Claims (9)

An access management device comprising a storage unit and a control unit,
The storage unit
Account storage means for storing an account including a gateway account and a login account,
With
The controller is
Gateway transmission means for transmitting a user-specific URL or a transition Web site-specific URL to a user based on the gateway account;
Display control means for displaying a login screen for authenticating the login account on the user terminal when the user terminal accesses the URL for each user or the URL for each transition website;
An access management apparatus comprising: The URL for each user and the URL for each transition website are:
There is an expiry date that you can access,
The display control means includes
The login screen is displayed on the user terminal when the user terminal or the transition Web site URL is accessed from the user terminal within the expiration date. Access control device. The controller is
A security code transmitting means for transmitting a security code for authentication of the unknown user terminal to the user when there is an access from the unknown user terminal to the URL for each user or the URL for each transition website;
Further comprising
The display control means includes
The access management apparatus according to claim 1, wherein when the security code is input from the unknown user terminal, the login screen is displayed on the user terminal. The URL for each user and the URL for each transition website are:
The access management apparatus according to any one of claims 1 to 3, wherein the URL is set by the user. The URL for each user and the URL for each transition website are:
The access management apparatus according to claim 4, wherein the URL is set in a secure environment by the user. The gateway account is
The access management apparatus according to any one of claims 1 to 5, further comprising: an e-mail address of the user, access authority data of the user terminal, and / or identification data of the user terminal. The login account is
The access management apparatus according to claim 1, further comprising a user ID and / or a login password. An access management method executed by an access management device comprising a storage unit and a control unit,
The storage unit
Account storage means including gateway account and login account,
With
Executed by the control unit,
A gateway transmission step of transmitting a user-specific URL or a transition Web site-specific URL to the user based on the gateway account;
A display control step of displaying a login screen for authenticating the login account on the user terminal when the user terminal accesses the URL for each user or the URL for each transition website;
An access management method comprising: An access management program for causing an access management device including a storage unit and a control unit to execute,
The storage unit
Account storage means including gateway account and login account,
With
In the control unit,
A gateway transmission step of transmitting a user-specific URL or a transition Web site-specific URL to the user based on the gateway account;
A display control step of displaying a login screen for authenticating the login account on the user terminal when the user terminal accesses the URL for each user or the URL for each transition website;
Access management program to execute.