JP2018045632A - Information distribution device, information distribution program, information distribution system and information distribution method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To improve the efficiency of information distribution processing.SOLUTION: An information distribution device includes: a distribution processing unit which distributes distribution object information on the basis of a distribution condition; an authentication unit which, when a user executes processing based on a selected distribution condition and a distribution destination device, performs access permission acquisition processing of using user authentication information to acquire access permission information and service permission acquisition processing of using the access permission information to acquire service permission information; and an authentication information storage unit in which identification information identifying the distribution destination device, the access permission information and the service permission information are stored in association with each other. If access permission information and reusable service permission information are stored in the authentication information storage unit, the authentication unit does not execute the access permission acquisition processing and the service permission acquisition processing to acquire service permission information from the authentication information storage unit. If reusable service permission information is not stored but access permission information is stored, the authentication unit acquires new service permission information.SELECTED DRAWING: Figure 13

Description

  The present invention relates to an information distribution apparatus, an information distribution program, an information distribution system, and an information distribution method.

  Information distribution apparatuses that distribute distribution target information to a predetermined distribution destination according to a distribution rule set in advance are known. An information distribution system that combines the information distribution apparatus, an information input apparatus that generates distribution target information, and an authentication apparatus that manages user authentication and access authentication is also known. In the information distribution system, for example, an MFP (Multi Function Peripheral) or a PC (Personal Computer) having a scanner function that converts document information and image information into digital data as document information and image information as distribution target information. ) Etc. are used.

Kerberos authentication is known as a kind of authentication method using an authentication device used in the information distribution system as described above.
Kerberos authentication is a method for centrally managing access authentication and the like for devices registered in the management area of the authentication device. For example, when a user executes processing using an information distribution device, user authentication for authenticating the user's validity and access authority to the distribution destination device using the information distribution device based on the user authentication are granted. Execute access authentication to authenticate.

  Kerberos authentication acquires a ticket granting ticket (TGT) for acquiring a service ticket (TGS) indicating access permission to a distribution destination device in access authentication. That is, first, a TGT is acquired, and a service ticket for the distribution destination apparatus is obtained using the TGT.

Therefore, when Kerberos authentication is used, the information distribution device improves the convenience of the user without causing the user to repeatedly input the user ID and password when executing an information distribution request from the same user. it can. An information distribution system using such Kerberos authentication is known (see, for example, Patent Document 1).

  According to the Kerberos authentication method disclosed in Patent Document 1, if the TGT is valid, a service ticket can be acquired without performing user authentication again. However, even if the TGT is valid, the information distribution apparatus needs to acquire an access permission every time it executes an access process for the distribution destination apparatus serving as an information distribution destination. Further, access authorization to the same distribution destination apparatus in the same information distribution process acquired in the past by user authentication using the same user ID cannot be reused, and needs to be acquired again.

  For example, in the case of a configuration in which access management is performed by a plurality of authentication devices, it is necessary to specify an authentication device that can respond by a DNS round robin (DNS (Domain Name System) round robin). In this case, the time until access to the authentication device (the time required for each authentication server to time out for the number of authentication servers that have failed authentication) can be a cause of overall processing delay. In this case, the time required for the distribution process in the information distribution apparatus is lengthened, which causes a decrease in the overall efficiency of the distribution process.

  That is, there is a further problem in improving the efficiency of information distribution processing using the technology disclosed in Patent Document 1.

  The present invention has been made to solve such problems, and an object of the present invention is to provide an information distribution apparatus that improves the efficiency of information distribution processing.

  In order to solve the above-described problem, an information distribution apparatus according to an aspect of the present invention includes a distribution processing unit that performs information distribution processing for distributing distribution target information to a distribution destination apparatus based on a distribution condition set in advance. When executing the information distribution process based on the distribution condition selected by the user and the distribution destination device, the user authentication information indicating the right authority of the user with respect to the distribution destination device is used to send the information from the external authentication device. An access permission acquisition process for acquiring access permission information for a distribution destination apparatus; an authentication unit for executing a service permission acquisition process for acquiring service permission information for the distribution destination apparatus from the authentication apparatus using the access permission information; The identification information for identifying the distribution destination device, the access permission information for the distribution destination device, and the service permission information are stored in association with each other. An authentication information storage unit that executes a storage process, and the authentication unit corresponds to the distribution destination device in the information distribution process based on the distribution condition and the distribution destination device selected by the user. It is determined whether or not the access permission information and the service permission information are stored in the authentication information storage unit, and when the service permission information that can be reused is stored, the access permission acquisition process; The service permission information is acquired from the authentication information storage unit without executing the service permission acquisition process, and the reusable service permission information is not stored and the access permission information is stored. Without executing the access permission acquisition process, the access permission information is acquired from the authentication information storage unit, and a new service is created based on the access permission information. Obtaining a soluble information, characterized in that.

  According to the present invention, the efficiency of information distribution processing can be improved.

It is a figure which shows the operation | use form of the information delivery system which concerns on embodiment of this invention. It is a block diagram which shows the hardware constitutions of the information delivery apparatus which concerns on embodiment of this invention. It is a block diagram which shows the hardware constitutions of the information input device which concerns on embodiment of this invention. It is a block diagram which shows the function structure of the information delivery apparatus which concerns on embodiment of this invention. It is the schematic which shows the structure of the workflow which concerns on embodiment of this invention. It is a figure which shows the plug-in setting information which concerns on embodiment of this invention. It is a figure which shows the structure of the authentication information table which concerns on embodiment of this invention. It is a block diagram which shows the function structure of the information input device in embodiment of this invention. It is a figure which shows the operation screen of the image input device which concerns on embodiment of this invention. It is a sequence diagram which shows the flow of the login authentication process which is a part of information delivery process which concerns on embodiment of this invention. It is a sequence diagram which shows the flow of the workflow execution instruction | indication process which is a part of information delivery process which concerns on embodiment of this invention. It is a sequence diagram which shows the flow of the workflow execution process which is a part of information delivery process which concerns on embodiment of this invention. It is a flowchart which shows the detailed flow of the workflow process which concerns on embodiment of this invention. It is a flowchart which shows another detailed flow of the workflow process which concerns on embodiment of this invention. It is a figure which shows another structure of the authentication information table which concerns on embodiment of this invention. It is a sequence diagram which shows the flow of the workflow execution instruction | indication process which is a part of information delivery process which concerns on another embodiment of this invention. It is a sequence diagram explaining the flow of the process by the Kerberos authentication used with the conventional information delivery apparatus.

<Summary of the present invention>
First, the gist of the present invention will be described. The gist of the information distribution apparatus according to the present invention is to improve the efficiency of access authentication to the distribution destination apparatus when executing the distribution process selected by the user. For example, the time required for access authentication for the distribution destination apparatus in the information distribution apparatus is shortened.

  The information distribution apparatus according to the present invention executes access authentication to a distribution destination apparatus that is an information distribution destination using the authentication apparatus. A function for determining whether or not an access permission equivalent to the necessary access permission has already been acquired when the information distribution apparatus receives a request for a new distribution process, and reusing it if there is an existing access permission Is provided.

  In other words, the information distribution apparatus according to the present invention has a function of storing the access permission acquired in advance in a reusable state and a function of determining the presence of the existing access permission when a new access permission is required. Further, the information distribution apparatus according to the present invention has a function of reusing existing access permission to access a distribution destination apparatus and completing a predetermined distribution process. With these functions, the information distribution apparatus according to the present invention can shorten the authentication processing time in information processing and improve the efficiency of the entire information processing.

<Overall configuration of information distribution system>
Hereinafter, embodiments of the present invention will be described with reference to the drawings. By using the information distribution apparatus according to the present embodiment, the information distribution system according to the present embodiment is configured. The embodiment of the information distribution system is a workflow system 100 that executes the process based on the processing conditions defined in advance in the distribution process of the processing target information. As shown in FIG. 1, a workflow system 100 includes a workflow server 10 that is an embodiment of an information distribution apparatus, an MFP (Multi Function Peripheral) 20 that is an embodiment of an information input apparatus, and an embodiment of an authentication apparatus. And an authentication server 30 and a file server 50 that is an embodiment of a delivery destination device to which the workflow server 10 is accessed.

  In the workflow system 100, the workflow server 10, the MFP 20, the authentication server 30, and the file server 50 are connected via a communication network. The communication network connecting these devices may be an office LAN (Local Area Network) used in the office of a user who uses the workflow system 100, a public line such as the Internet, a VPN (Virtual Private Network: Virtual Private Network). Or a communication network that combines these.

<Description of workflow>
First, “workflow”, which is a series of processes executed in the workflow server 10, will be described using an example. FIG. 5 is a diagram illustrating a configuration of a distribution workflow 500 that is an example of a workflow. The distribution workflow 500 is configured by combining a plurality of “plug-ins”. A plug-in is a program module that executes predetermined information processing. The workflow server 10 stores combinations of plug-ins and conditions used for processing operations of the plug-ins. Information that defines a combination of plug-ins is defined as “definition information”. Further, information for setting conditions (operation parameters) relating to the operation of each plug-in is referred to as “bibliographic information”.

  For example, in the case of the above-described distribution workflow 500, the definition information includes an image correction plug-in 501, a PDF conversion plug-in 502, and a folder distribution plug-in 503 as shown in FIG. Is described. For the bibliographic information, for example, the distribution workflow 500 describes information for setting “image correction type (top and bottom identification, inclination correction, etc.)”, “PDF conversion version”, “folder distribution distribution destination”, and the like. ing.

  When the user selects the distribution workflow 500, the workflow server 10 first executes an image correction process for correcting distortion of the processing target information (scanned image) by the image correction plug-in 501. Thereafter, a PDF conversion process for converting the scanned image corrected by the PDF conversion plug-in 502 into the PDF format is executed. Finally, the folder distribution plug-in 503 executes processing for distributing the processing target information in PDF format to a predetermined distribution destination folder.

  In the following description, processing performed by the image correction plug-in 501 and the PDF conversion plug-in 502 is referred to as “intermediate processing”, and processing performed by the folder distribution plug-in is referred to as “distribution processing”.

<Hardware Configuration of Workflow Server 10>
The hardware configuration of the workflow server 10 will be described with reference to FIG. As shown in FIG. 2, the workflow server 10 has a configuration similar to that of a general computer (Computer). That is, the workflow server 10 according to the present embodiment includes a CPU (Central Processing Unit) 101, a RAM (Random Access Memory) 102, a ROM (Read Only Memory) 103, and an I / F (interface) 104 connected via a bus 108. ing. The I / F 104 is connected to an HDD (Hard Disk Drive) 105, an LCD (Liquid Crystal Display) 106, and an operation unit 107.

  The CPU 101 is a calculation unit and controls the operation of the entire information processing apparatus. The RAM 102 is a volatile storage medium capable of reading and writing information at high speed, and is used as a work area when the CPU 101 processes information. The ROM 103 is a read-only nonvolatile storage medium and stores a program such as firmware.

  The I / F 104 connects and controls the bus 108 and various hardware and networks. The HDD 105 is a non-volatile storage medium that can read and write information, and stores an OS (Operating System), various control programs, application programs, and the like. The LCD 106 is a visual user interface for the user to check the state of the information processing apparatus. The operation unit 107 is a user interface such as a keyboard and a mouse for a user to input information to the information processing apparatus.

  In such a hardware configuration, the CPU 101 executes arithmetic processing based on a program stored in the ROM 103 or a program read from the storage medium such as the HDD 105 to the RAM 102, whereby a software control unit is configured. A functional block that realizes the function of the workflow server 10 according to the present embodiment is configured by a combination of the software control unit configured as described above and hardware.

  The authentication server 30 is similar to the workflow server 10 and includes the same hardware as a general PC (Personal Computer).

<Hardware Configuration of MFP 20>
Next, a hardware configuration of the MFP 20 according to the present embodiment will be described with reference to FIG. As shown in FIG. 3, the MFP 20 includes a controller 200, an ADF (Auto Document Feeder) 201, a scanner unit 202, a discharge tray 203, a display panel 204, a feeding table 205, an image forming unit 206, and a discharge tray. 207 and a network I / F 208.

  The controller 200 includes a CPU 211, a RAM 212, a ROM 213, and an I / F 214, which are connected via a bus 218. Further, the HDD 215, the LCD 216, and the operation unit 217 are connected to the I / F 214.

  The I / F 214 connects and controls the bus 218 and various hardware and networks. The HDD 215 is a non-volatile storage medium capable of reading and writing information, and stores an OS (Operating System), various control programs, application programs, and the like. The LCD 216 is a visual user interface for the user to check the state of the image processing apparatus. The operation unit 217 is a user interface such as a keyboard and a mouse for the user to input information to the image processing apparatus.

  In addition, an ADF 201, a display panel 204, a feeding table 205, an image forming unit 206, and a discharge tray 207 are connected to the I / F 214. Each component connected to these I / Fs 214 operates based on the control of the CPU 211.

  The display panel 204 is an output interface that visually displays the state of the MFP 20, and also serves as an input interface when the user directly operates the MFP 20 or inputs information to the MFP 20 as a touch panel. That is, the display panel 204 includes a function for displaying an image for receiving an operation by the user.

  The network I / F 208 is an interface for the MFP 20 to communicate with other devices such as the workflow server 10 via the network, and uses an Ethernet (registered trademark) or a USB (Universal Serial Bus) interface. The network I / F 208 can communicate using the TCP / IP protocol. The network I / F 208 also functions as an interface for executing facsimile transmission when the MFP 20 functions as a facsimile. Therefore, the network I / F 208 is also connected to a telephone line.

  The CPU 211 is a calculation unit and controls the operation of the entire image processing apparatus. The RAM 212 is a volatile storage medium capable of reading and writing information at high speed, and is used as a work area when the CPU 211 processes information. The ROM 213 is a read-only nonvolatile storage medium, and stores a program such as firmware.

  The CPU 211 plays a role of controlling each unit included in the controller 221 and gives a command to each unit of the controller 221. The CPU 211 also serves as a driving unit that controls or drives the image forming unit 206, the scanner unit 202, and the like. The CPU 211 generates drawing information based on image information to be printed out. The drawing information is information for drawing an image to be formed in the image forming operation by the image forming unit 206 as an image forming unit.

  Further, the CPU 211 processes image data input from the scanner unit 202 and generates image data. This image data is information stored in the HDD 215 as a result of the scanner operation or transmitted to another information processing terminal or storage device via the network I / F 208.

  Further, the CPU 211 displays information on the display panel 204 or acquires information input via the display panel 204, and executes processing based on the acquired information.

  In such a hardware configuration, the CPU 211 executes arithmetic processing based on a program stored in the ROM 213 or a program read from the storage medium such as the HDD 215 to the RAM 212, whereby a software control unit is configured. A functional block as described later is configured by a combination of the software control unit configured as described above and hardware.

  In FIG. 3, the electrical connection is indicated by solid arrows, and the flow of a sheet-like recording medium (for example, paper) on which information is recorded is indicated by broken arrows.

<Functional Configuration of Workflow Server 10>
Next, a functional configuration of the workflow server 10 according to the present embodiment will be described with reference to FIG. The workflow server 10 according to the present embodiment includes a workflow control unit 11, a workflow definition storage unit 12, a communication unit 13, a job queue storage unit 14, a workflow processing unit 15, a device authentication unit 16, an authentication information storage unit 17, a UI ( User Interface) section 18 and the like.

  The workflow control unit 11 acquires the workflow jobs stored in the job queue storage unit 14 in order, and the workflow definition storage unit (for example, the distribution workflow 500) corresponding to the workflow ID included in the workflow job. 12 from. Then, in accordance with the acquired workflow definition, a processing instruction is given to the workflow processing unit 15.

  The workflow definition storage unit 12 stores a distribution workflow 500 as shown in FIG. 5 and a workflow ID for uniquely identifying the distribution workflow 500 in association with each other. As already described, the distribution workflow 500 includes setting information (bibliographic information) used by the plug-ins constituting the distribution workflow 500. Here, an example of the setting information will be described with reference to FIG. The distribution plug-in setting information 61 shown in FIG. 6 is distribution plug-in setting information, a distribution destination route path that clearly indicates the host name of the file server 50 that is the distribution destination device and the position of the distribution destination folder, and the authentication method to be used. , A user name and password used for authentication, an authentication method, and a server name and a domain name for specifying the authentication server 30 are included. The user of the workflow system 100 selects an arbitrary folder under a preset delivery destination route path as a delivery destination. This bibliographic information forms part of the distribution conditions.

  Returning to FIG. The communication unit 13 configures a workflow reception function that receives target information to be executed from outside the workflow server 10 and a workflow job selected by the user, such as the MFP 20 that is an information input device. The workflow jobs accepted by the communication unit 13 are sequentially stored in the job queue storage unit 14.

  The job queue storage unit 14 sequentially stores workflow jobs accepted by the communication unit 13. The job queue storage unit 14 corresponds to the workflow job reading process of the workflow control unit 11.

  The workflow processing unit 15 executes each plug-in included in the workflow definition acquired by the workflow control unit 11 from the workflow definition storage unit 12. For example, as illustrated in FIG. 4, a function of processing a plurality of plug-ins (a first intermediate processing unit 151, a second intermediate processing unit 152, a first distribution unit 153, and a second distribution unit 154) is provided. For example, a distribution processing unit obtained by executing the image correction plug-in 501 by the first intermediate processing unit 151, the PDF conversion plug-in 502 by the second intermediate processing unit 152, and the folder distribution plug-in 503 by the first distribution unit 153. Function.

  The device authentication unit 16 has a function of executing access authentication to the file server 50 as a distribution destination device in response to an instruction from the folder distribution plug-in 503 (distribution plug-in). The authentication method executed in the device authentication unit 16 is Kerberos authentication.

  The UI unit 18 is a user interface of the workflow server 10. When the administrator of the workflow server 10 creates a workflow definition or when the administrator sets workflow setting information, the definition information and the setting information are displayed. Function as an input I / F. Based on information input from the UI unit 18, workflow definition information and setting information to be executed in the workflow processing unit 15 are stored in the workflow definition storage unit 12.

<Outline of Authentication Server 30>
Here, Kerberos authentication executed by the authentication server 30 in order to obtain permission to access the file server 50 in the MFP 20 will be described.

  When using the workflow system 100, user authentication for authenticating that the user is a valid user of the MFP 20 as an information input device and the workflow server 10 as an information distribution device is executed using the authentication server 30. To do. Further, in the distribution process selected by the user, access authentication for authenticating that the access right of the workflow server 10 to the file server 50 is valid is executed using the authentication server 30. Further, service authorization for authenticating the permission of the file distribution service from the workflow server 10 to the file server 50 based on the access authentication is also executed using the authentication server 30.

  In user authentication, authentication information consisting of a combination of a user ID and a password that uniquely identifies a legitimate user is input to the MFP 20, the authentication server 30 proves the legitimacy of the authentication information, and the legitimate authority of the user Issue certification information, which is information to be used.

  In the access authentication (access permission acquisition process), the validity of the use authority for the file server 50 is authenticated from the workflow server 10 using the authentication server 30 based on the authentication information. The access permission information, which is information indicating the access permission authority to the file server 50, is issued from the authentication server whose use authority is confirmed to the workflow server 10.

  In the service permission (service permission acquisition process), service permission information for authenticating permission of folder access from the workflow server 10 to the file server 50 using the authentication server 30 is issued based on the access permission information. The file server 50 executes information distribution processing (for example, folder distribution processing) for the file server 50 together with the service permission information.

  FIG. 17 is a sequence diagram showing an overview of Kerberos authentication used in the present embodiment. As shown in FIG. 17, the first distribution unit 153 that executes the folder distribution plug-in 503 permits the device authentication unit 16 to access the file server 50 after being authenticated as a valid user in the user authentication. An access authentication request for obtaining the request is made (S1701). Upon receiving the access authentication request, the device authentication unit 16 executes a TGT request process for obtaining a TGT (Ticket Granitary Ticket) from the authentication server 30 (S1702). In step S <b> 1702, the user name and password are transmitted from the workflow server 10 to the authentication server 30.

  When the authentication is successful in the authentication server 30, a TGT is transmitted from the authentication server 30 to the device authentication unit 16 (S1703). The device authenticating unit 16 that has acquired the TGT executes a service ticket request process for obtaining permission to access the file server 50 that is a distribution destination in the distribution process executed by the first distribution unit 153 (S1704). After confirming that the authentication server 30 is a valid TGT, the authentication server 30 transmits a service ticket to the device authentication unit 16 (S1705).

  The device authentication unit 16 passes the acquired service ticket to the first distribution unit 153 (S1706). The first distribution unit 153 performs distribution processing with the service ticket on the file server 50 (S1707).

  In the Kerberos authentication, once the authentication for acquiring the TGT is executed, when the MFP 20 subsequently accesses the file server 50, the service ticket can be requested using the TGT. That is, there is an advantage that it is not necessary to perform authentication by the user ID and password every time the MFP 20 accesses the file server 50.

  As described above, the authentication server 30 in the present embodiment is an information processing apparatus that performs user authentication in the MFP 20 and access authentication to the file server 50 in the MFP 20.

  The authentication server 30 plays a role as a KDC (Key Distribution Center) in Kerberos authentication. That is, the authentication server 30 has a function as an AS (Authentication Server) that performs user authentication, a function as a TGS (Ticket Granting Server) that issues a ticket for using a service such as the file server 50, and the like. For example, the authentication server 30 may be realized by a domain controller in which an active directory is introduced.

<Functional Configuration of MFP 20>
Next, a functional configuration of the MFP 20 according to the present embodiment will be described with reference to FIG. As illustrated in FIG. 8, the MFP 20 includes a controller 221, an information reading unit 222, a display unit 223, a recording medium output unit 224, an external connection control unit 225, and a user authentication unit 226. The MFP 20 is an information input device for document information and image information as distribution target information, and has a scanner function for converting the document information and image information into digital data.

  The controller 221 includes a main control unit 231, an engine control unit 232, an image processing unit 233, an operation display control unit 234 and an input / output control unit 235. The MFP 20 is configured as a multifunction machine having an information reading unit 222 and a recording medium output unit 224.

  The display unit 223 is a function realized by the display panel 204 that is an output interface that visually displays the state of the MFP 20, and is also an input interface that inputs information directly operated by the user as a touch panel. That is, the display unit 223 includes a function for displaying an image for receiving an operation by the user.

  Here, an example of a workflow selection screen 910 displayed on the display unit 223 and a processing condition selection screen 920 displayed after a predetermined workflow is selected on the workflow selection screen 910 will be described with reference to FIG. As shown in FIG. 9A, the workflow selection screen 910 displays workflows that can be selected in the MFP 20. The example of FIG. 9A shows a state in which five workflows can be selected.

  When a specific workflow is selected on the workflow selection screen 910, a processing condition selection screen 920 as shown in FIG. 9B is displayed on the display unit 223 by the operation display control unit 234. Here, when the “folder distribution plug-in” is included in the workflow selected by the user via the display unit 223, it is necessary to specify a distribution destination folder. Therefore, in this case, the processing condition selection screen 920 is displayed on the display unit 223 by the operation display control unit 234.

  When the user touches the delivery destination parameter 921 displayed on the processing condition selection screen 920, the touched parameter is selected as the path of the delivery destination folder.

  Returning to FIG. The external connection control unit 225 is an interface for the MFP 20 to communicate with other devices such as the workflow server 10 via the network. The external connection control unit 225 is realized by the network I / F 208 shown in FIG.

  The user authentication unit 226 performs user authentication when the user logs in to the MFP 20. Further, based on the user ID and password input via the display unit 223, a user login process to the MFP 20 is executed. Further, the user authentication unit 226 may access the authentication server 30 and execute user authentication in the login process.

  The controller 221 is configured by a combination of software and hardware. Specifically, the controller 221 is configured by a software control unit configured by the CPU 211 performing an operation according to a program read from the program stored in the ROM 213 to the RAM 212 and hardware such as an integrated circuit. The controller 221 functions as a control unit that controls the entire MFP 20.

  The main control unit 231 plays a role of controlling each unit included in the controller 221 and gives a command to each unit of the controller 221. The engine control unit 232 serves as a drive unit that controls or drives the recording medium output unit 224, the information reading unit 222, and the like. The image processing unit 233 generates drawing information based on the image information to be output under the control of the main control unit 231. The drawing information is information for drawing an image to be formed by the image forming unit included in the recording medium output unit in the image forming operation.

  In addition, the image processing unit 233 processes the imaging data input from the information reading unit 222 and generates image data. This image data is the processing target information and is the distribution target information when the distribution process is executed. The image data is information stored in the storage area of the MFP 20 as a result of the scanner operation or transmitted to another information processing terminal or storage device via the external connection control unit 225.

  The operation display control unit 234 displays information on the display unit 223 or notifies the main control unit 231 of information input via the display unit 223. The input / output control unit 235 inputs information input via the external connection control unit 225 to the main control unit 231. Further, the main control unit 231 controls the input / output control unit 235 to access the external connection control unit 225 and devices connected to other networks via the network.

  The MFP 20 operates as a scanner when a scan execution instruction is input from another terminal such as the PC 40 via the operation of the display unit 223 by the user or the external connection control unit 225. In response to the scan execution instruction, the operation display control unit 234 or the input / output control unit 235 executes a process of transferring a scan execution signal to the main control unit 231. The main control unit 231 controls the engine control unit 232 based on the received scan execution signal.

<First Embodiment>
Next, a first embodiment of the information distribution apparatus according to the present invention will be described. 10 to 12 show the flow of processing of the workflow system 100 configured with the workflow server 10 according to the present embodiment as a center. The steps of each process are marked as S1001 and S1002. Processing in the workflow system 100 can be classified into user authentication processing, workflow selection processing, and workflow selection processing.

<User authentication process>
First, user authentication processing will be described. The user 300 inputs a user ID and password as user authentication information via the display panel 204 of the MFP 20 (S1001). The input user ID and password are transmitted to the authentication server 30 via the user authentication unit 226 (S1002). The authentication server 30 executes user ID and password authentication processing, and the authentication result is returned to the user authentication unit 226 (S1003). If the authentication result from the authentication server 30 is “authentication success”, an authentication success notification is passed to the main control unit 231 (S1004).

  Next, an acquisition request for login user information and workflow information is notified from the main control unit 231 to the external connection control unit 225 (S1005). Subsequently, login user information and workflow information are transmitted to the communication unit 13 of the workflow server 10 via the external connection control unit 225 (S1006). The communication unit 13 notifies the workflow control unit 11 of the login user information and requests a workflow information acquisition request (S1007).

  The workflow control unit 11 identifies the requested workflow (S1008), and notifies the main control unit 231 of workflow information corresponding to the identified workflow from the workflow control unit 11 via the communication unit 13 (S1009).

  The main control unit 231 notifies the workflow information to the display unit 223 via the operation display control unit 234 (S1010). As a result, a workflow selection screen 910 is displayed on the display panel 204.

  As described above, user authentication is executed using the authentication server 30, and workflow information corresponding to the authenticated user 300 is displayed on the display panel 204 on the MFP 20. Thus, the user 300 can select a predetermined workflow from the display on the display panel 204.

<Workflow selection process>
Next, the workflow selection process will be described. First, when a predetermined workflow is selected from the workflow selection screen 910 displayed on the display panel 204, if a distribution process is included, it is necessary to select a distribution destination as in the processing condition selection screen 920. Become. Here, when a workflow and a delivery destination are selected (S1101), the selected workflow and delivery destination are stored (S1102).

  Subsequently, the user 300 performs a workflow execution operation (S1103). The workflow execution operation is an operation on the operation screen displayed on the display panel 204. In response to this operation, the display unit 223 instructs the main control unit 231 to execute the selected workflow (S1104).

  Subsequently, the main control unit 231 generates a workflow job, notifies the external connection control unit 225 of an execution instruction request for the generated workflow job (S1105), and the external connection control unit 225 notifies the workflow server 10. A workflow execution instruction is transmitted (S1106). The communication unit 13 of the workflow server 10 passes the received workflow execution instruction to the workflow control unit 11 (S1107), and the workflow control unit 11 stores the workflow job in the job queue storage unit 14 (S1108).

  In the processing flow described above, a workflow job including a workflow designated by the user 300 and a delivery destination is stored in the job queue storage unit 14 and is executed at a predetermined timing.

<Workflow execution process>
After user authentication is completed, a workflow job is selected, and the workflow job is stored in the job queue storage unit 14, the workflow control unit 11 acquires the workflow from the job queue storage unit 14 at a predetermined timing. (S1201). If the acquired workflow job is the distribution workflow 500 described with reference to FIG. 5, first, execution instructions for the image correction plug-in 501 and the PDF conversion plug-in 502 that are intermediate processes are sent to the workflow processing unit 15. This is performed (S1202).

  Subsequently, in the workflow processing unit 15, for example, an image correction process is executed in the first intermediate processing unit 151, and a PDF conversion process is executed in the second intermediate processing unit 152 (S1203).

  After the intermediate process is completed, execution of folder distribution processing in the first distribution unit 153 is instructed (S1204). Here, a device authentication process is executed (S1205). In the device authentication process, a service ticket request to the device authentication unit 16 (S1206), or a TGT request and a service ticket request to the authentication server 30 are executed as necessary (S1207).

  After the device authentication process is completed normally, the first distribution unit 153 executes the distribution process (1208).

<Embodiment of Information Distribution Method>
Next, details of the information distribution method executed in the workflow server 10 according to the present embodiment will be described with reference to the flowchart of FIG. The process described below describes in detail the apparatus authentication process executed in steps S1205 to S1207 in the sequence diagram described with reference to FIG. These processes exemplify what is realized by the arithmetic processing function of the CPU 101 using the information distribution program stored in the ROM 103.

  First, it is determined whether or not the Kerberos authentication setting in the folder distribution plug-in 503 is valid (S1301). If the Kerberos authentication setting is invalid (S1301 / NO), the process ends.

  If the Kerberos authentication setting is valid (S1301 / YES), the setting information in the folder distribution plug-in 503 is acquired, and it is determined whether or not the user authentication method set in the setting information is a fixed user method. (S1302). If the user authentication method is a fixed user method (S1302 / YES), the set fixed user information is acquired (S1303). If the user authentication method is a login user method (S1302 / NO), login user information is acquired from the workflow job (S1304).

  An example of the setting information in the folder distribution plug-in 503 is the distribution plug-in setting information 61 (see FIG. 6) already described. In the “fixed user method”, a TGT and a service ticket acquisition process, which will be described later, are executed using a user name and password set by the administrator (“user name” item and “password” item in FIG. 6). The “login user method” executes TGT and service ticket acquisition processing, which will be described later, using user information such as a user name and password input when the user 300 logs in to the MFP 20. In the case of the login user method, even if a user name and a password are set in the distribution plug-in setting information 61, they are not referred to.

  Next, in the acquired distribution plug-in setting information 61, a “corresponding service ticket” corresponding to the user name, the distribution destination domain name, the distribution destination host name, and the protocol has already been acquired and stored in the authentication information storage unit 17. It is determined whether or not it has been performed (S1305).

  Here, the first authentication information table 71 stored in the authentication information storage unit 17 will be described with reference to FIG. As shown in FIG. 7, the first authentication information table 71 corresponds to each column of “user ID”, “authentication domain”, “TGT”, “protocol”, “distribution destination host name”, and “service ticket”. Information is stored in association with each other so that it can be uniquely identified as a set of information.

  In the user ID column, identification information for uniquely identifying the user when the device authentication unit 16 executes the authentication process is stored. In the case of the “fixed user method”, the “user name” in the distribution plug-in setting information 61 is stored. In the case of the “login user method”, the “login user name” included in the workflow job transmitted from the MFP 20 to the workflow server 10 is stored.

  Information indicating a domain managed by the authentication server 30 is stored in the authentication domain column. That is, the “domain name” in the distribution plug-in setting information 61 is stored.

  In the TGT column, the data body of the TGT acquired from the authentication server 30 or the data storage path is stored.

  The protocol column stores information indicating a protocol used when distributing distribution target information to a distribution destination. For example, “HTTP” is used for folder distribution using HTTP, “FTP” is used for folder distribution using FTP, and “SMB” is used for mail distribution.

  In the distribution destination host name column, identification information for uniquely identifying the distribution destination apparatus, which is a host name of the file server 50 or mail server of the distribution destination selected by the user, is stored.

  In the service ticket column, “service ticket” stores the data body of the service ticket acquired from the authentication server 30 or the path of the data storage destination.

  As described above, the first authentication information table 71 is used for device authentication processing executed when the workflow server 10 executes information distribution processing based on the distribution conditions and the file server 50 that is a distribution destination device. That is, the first authentication information table 71 stores identification information for identifying the file server 50, TGT for the file server 50, and service ticket for the file server 50 in association with each other and stored.

  If the corresponding service ticket corresponding to the combination of the user name, the authentication domain, and the protocol for which acquisition of the service ticket is requested is stored in the first authentication information table 71 in S1305 (1305 / YES), that service ticket Is read (S1306), and the device authentication process is terminated.

  In S1305, if the corresponding service ticket is not stored in the first authentication information table 71 (1305 / NO), the TGT corresponding to the user name and the authentication domain in the acquired distribution plug-in setting information 61 has already been acquired, It is determined whether it is stored in the authentication information storage unit 17 (S1307).

  In S1307, if the corresponding TGT is stored in the first authentication information table 71 (S1307 / YES), the TGT is read (S1308). Subsequently, a service ticket is requested from the authentication server 30 using the read TGT, and the service ticket is acquired (S1309). Subsequently, the workflow processing unit 15 executes a storage process of storing the service ticket acquired from the authentication server 30 via the device authentication unit 16 in the first authentication information table 71 stored in the authentication information storage unit 17 ( S1310).

  If the corresponding TGT is not stored in the first authentication information table 71 in S1307 (S1307 / NO), the authentication server 30 is requested to obtain the TGT and the TGT is acquired (S1311). Subsequently, the TGT acquired from the authentication server 30 is stored in the first authentication information table 71 (S1312). Thereafter, in step S <b> 1309, the workflow processing unit 15 acquires a service ticket from the authentication server 30 via the device authentication unit 16. Thereafter, the storage unit 15 executes a storage process of storing the service ticket acquired in S1310 in the first authentication information table 71 stored in the authentication information storage unit 17 (S1310).

As described above, according to the information distribution method using the information distribution program according to the present embodiment, the authentication process to the distribution destination required in the distribution process of the MFP 20 is acquired when the authentication process is executed in advance with the authentication server 30. It is determined whether or not the access authority can be used effectively.
As a result of the determination, if the access authority that has already been acquired is valid, device authentication is performed using that access authority. As a result, the authentication process can be executed efficiently, and the time for the information distribution process can be shortened.

<Modification of Embodiment of Information Distribution Method>
Next, a modified example of the information distribution method executed in the workflow server 10 according to the present embodiment will be described with reference to FIG. The processing described below is partly in common with the information distribution method already described with reference to FIG. Therefore, the common processing will be briefly described, and different portions will be described in detail.

  First, if the Kerberos authentication setting in the folder distribution plug-in 503 is invalid (S1401 / NO), the process ends. If the Kerberos authentication setting is valid (S1401 / YES), the setting information in the folder distribution plug-in 503 is acquired, and if the authentication method is a fixed user method (S1402 / YES), the set fixed user information Is acquired (S1403). If the authentication method is the login user method (S1402 / NO), login user information is acquired from the workflow job (S1404).

  Next, the current date and time are acquired (S1405). The acquired date / time is temporarily stored in the RAM 102.

  Next, in the second authentication information table 72 stored in the authentication information storage unit 17, it is determined whether or not a service ticket within the expiration date has already been acquired and stored (S1406).

  Here, the second authentication information table 72 will be described. The difference from the first authentication information table 71 described above is that the “TGT expiration date” column and the “service ticket expiration date” column are associated with each other. In the expiration date column of TGT, the value of the expiration date and time acquired by analyzing “TGT” is stored. In the expiration date column of the service ticket, the value of the expiration date and time obtained by analyzing the “service ticket” is stored.

  In S1406, the determination process for determining whether or not the expiration date is within the expiration date is based on a comparison between the value obtained by subtracting the ticket threshold from the current date and time acquired in S1405 and the value stored in the expiration date column of the service ticket. Done. Specifically, it is based on whether or not the value obtained by subtracting the ticket threshold from the current date and time acquired in S1405 is earlier than the value stored in the expiration date column of the service ticket. That is, in the service ticket stored in the second authentication information table 72, if the past date and time from the current date and time by a threshold (for example, 600 seconds) is later than the expiration date of the service ticket, the service ticket is It is effective (S1406 / YES). In this case, the service ticket is read (S1307), and the device authentication process is terminated.

  If a valid service ticket is not saved in S1406 (1406 / NO), whether or not a TGT within the valid period has already been acquired and saved in the second authentication information table 72 stored in the authentication information storage unit 17. It is determined whether or not (S1407).

  In S1407, whether or not it is within the expiration date is determined by whether or not the value obtained by subtracting the ticket threshold from the current date and time acquired in S1405 is earlier than the value stored in the expiration date column of the TGT. Based. That is, among the TGTs stored in the second authentication information table 72, if the date and time past the current date and time by a threshold (for example, 600 seconds) is in the future from the expiration date of the TGT, the TGT is valid. (S1408 / YES). In this case, the TGT is read (S1409).

  Subsequently, a service ticket is requested from the authentication server 30 using the read TGT, and the service ticket is acquired (S1410). Subsequently, the service ticket acquired from the authentication server 30 is stored in the first authentication information table 71 (S1411).

  In S1406, if a valid TGT is not stored (1408 / NO), the authentication server 30 is requested to obtain a TGT and the TGT is acquired (S1412). Subsequently, the TGT acquired from the authentication server 30 is stored in the second authentication information table 72 (S1413). Thereafter, in S1410, a service ticket is acquired, and the service ticket acquired in S1411 is stored.

  As described above, according to the information distribution method using the information distribution program according to the present embodiment, the authentication process to the distribution destination required in the distribution process of the MFP 20 is acquired when the authentication process is executed in advance with the authentication server 30. It is determined whether or not the access authority can be used effectively. This determination can be based on the expiration date of the TGT or service ticket. As a result of the determination, if the access authority that has already been acquired is within the validity period, device authentication is performed using that access authority. As a result, the authentication process can be executed efficiently, and the time for the information distribution process can be shortened.

Second Embodiment
Next, a second embodiment of the information distribution apparatus according to the present invention will be described. The description of the same part as the processing flow of the workflow system 100 according to the first embodiment that has already been described is omitted, and only a different part will be described.

  The user authentication process (see FIG. 10) and the device authentication process (see FIG. 12) are the same.

<Workflow selection process>
The workflow selection process will be described. The user 300 selects a predetermined workflow from the workflow selection screen 910 displayed on the display panel 40 (S1601). The selected workflow is stored (S1602).

Subsequently, an instruction to notify the ID of the selected workflow and the login user information is performed (S1603). Subsequently, the workflow ID and the login user information are notified from the external connection control unit 225 to the communication unit 13 of the workflow server 10 (S1604).
The communication unit 13 transfers the notified workflow ID and user login information to the workflow control unit 11 (S1605). The workflow control unit 11 identifies a workflow from the transferred workflow ID (S1606).

  Here, the workflow control unit 11 executes a process of acquiring an authentication ticket before executing the apparatus authentication process which is a part of the workflow execution process (S1607). The specific process in S1607 is the process already described with reference to FIGS.

  Subsequently, the user-300 selects a distribution destination on the processing condition selection screen 920 displayed on the display panel 40 (S1608). The selected delivery destination is stored (S1609).

  Subsequently, the user 300 performs a workflow execution operation (S1610). The workflow execution operation is an operation on the operation screen displayed on the display panel 40. In response to this operation, the display unit 223 instructs the main control unit 231 to execute the selected workflow (S1611).

  Following this, the main control unit 231 generates a workflow job, notifies the external connection control unit 225 of an execution instruction request for the generated workflow job (S1612), and the external connection control unit 225 notifies the workflow server 10. A workflow execution instruction is transmitted (S1613). The communication unit 13 of the workflow server 10 passes the received workflow execution instruction to the workflow control unit 11 (S1614), and the workflow control unit 11 stores the workflow job in the job queue storage unit 14 (S1615). Thereafter, the workflow server 10 executes the workflow according to the processing flow described with reference to FIG.

  In the processing flow described above, a workflow job including the workflow specified by the user 300 and the delivery destination is stored in the job queue storage unit 14 and is executed at a predetermined timing (see FIG. 12). . In addition, by executing the ticket acquisition process that is a part of the authentication process prior to the workflow execution instruction, the ticket acquisition process can be executed in parallel with the process before the distribution process in the workflow. . For example, if the ticket acquisition process is completed before the apparatus authentication unit 16 executes the apparatus authentication process in the execution of the workflow, the first distribution unit 153 distributes the service ticket that has already been acquired. Processing can be executed. As a result, the processing time of the distribution process can be further shortened.

10 workflow server 11 workflow control unit 12 workflow definition storage unit 13 communication unit 14 matrix storage unit 15 workflow processing unit 16 device authentication unit 17 authentication information storage unit 18 UI unit 20 MFP
30 Authentication Server 40 Display Panel 50 File Server 61 Distribution Plug-In Setting Information 71 First Authentication Information Table 72 Second Authentication Information Table 100 Workflow System 101 CPU
102 RAM
103 ROM
104 I / F
105 HDD
106 LCD
107 operation unit 108 bus 151 first intermediate processing unit 152 second intermediate processing unit 153 first distribution unit 154 second distribution unit 200 controller 202 scanner unit 203 discharge tray 204 display panel 205 feeding table 206 image forming unit 207 discharge tray 208 Network I / F
211 CPU
212 RAM
213 ROM
214 I / F
215 HDD
216 LCD
217 Operation unit 218 Bus 221 Controller 222 Information reading unit 223 Display unit 224 Recording medium output unit 225 External connection control unit 226 User authentication unit 231 Main control unit 232 Engine control unit 233 Image processing unit 234 Operation display control unit 235 Input / output control unit 300 User 500 Distribution workflow 501 Image correction plug-in 502 PDF conversion plug-in 503 Folder distribution plug-in 910 Workflow selection screen 920 Processing condition selection screen 921 Distribution destination parameter

JP 2014-52843 A

Claims (12)

A distribution processing unit for executing an information distribution process for distributing distribution target information to a distribution destination device based on a predetermined distribution condition;
When executing the information distribution process based on the distribution condition selected by the user and the distribution destination device, the distribution is performed from an external authentication device using user authentication information indicating the right authority of the user with respect to the distribution destination device. An access permission acquisition process for acquiring access permission information for the destination device; an authentication unit for executing a service permission acquisition process for acquiring service permission information for the distribution destination device from the authentication device using the access permission information;
Identification information for identifying the delivery destination device, the access permission information for the delivery destination device, and an authentication information storage unit that executes a storage process for storing the service permission information in association with each other;
Have
In the information distribution process based on the distribution condition selected by the user and the distribution destination device, the authentication unit stores the access permission information and the service permission information corresponding to the distribution destination device in the authentication information storage unit. To determine whether it is stored in
When the reusable service permission information is stored, the service permission information is acquired from the authentication information storage unit without executing the access permission acquisition process and the service permission acquisition process, and can be reused. When the service permission information is not stored and the access permission information is stored, the access permission information is acquired from the authentication information storage unit without executing the access permission acquisition process, and the access permission is acquired. Obtain new service authorization information based on the information,
An information distribution apparatus characterized by that. The authentication unit re-uses the access permission information and the service permission information stored in the authentication information storage unit using information indicating a user ID and a distribution destination device among the distribution conditions in the new information distribution process. Determine whether it is available,
The information distribution apparatus according to claim 1. The authentication unit is associated with a date and time obtained by subtracting a predetermined threshold from a current date and time when a new information distribution process is requested, and the access permission information and the service permission information stored in the authentication information storage unit. Determining whether or not the access permission information or the service permission information can be reused by comparing with an expiration date and time.
The information distribution apparatus according to claim 1.   The information distribution apparatus according to any one of claims 1 to 3, wherein the distribution condition includes a user authentication method, and the user authentication method is a fixed user method.   The information distribution apparatus according to any one of claims 1 to 3, wherein the distribution condition includes a user authentication method, and the user authentication method is a login user method. Computer
A distribution processing unit for executing an information distribution process for distributing distribution target information to a distribution destination device based on a predetermined distribution condition;
When executing the information distribution process based on the distribution condition selected by the user and the distribution destination device, the distribution is performed from an external authentication device using user authentication information indicating the right authority of the user with respect to the distribution destination device. An authentication unit that executes access permission acquisition processing for acquiring access permission information for a destination device, and service permission acquisition processing for acquiring service permission information for the distribution destination device from the authentication device using the access permission information;
Identification information for identifying the distribution destination device, the access permission information for the distribution destination device, and an authentication information storage unit that executes a storage process for storing the service permission information in association with each other,
Run as
In the information distribution processing based on the distribution condition selected by the user and the distribution destination device in the authentication unit, the access permission information and service permission information corresponding to the distribution destination device are stored in the authentication information storage unit. Determining whether it is stored;
Acquiring the access permission information from the authentication information storage unit without executing the access permission acquisition process and the service permission acquisition process when the reusable service permission information is stored;
Acquiring the access permission information from the authentication information storage unit without executing the access permission acquisition process when the reusable service permission information is not stored and the access permission information is stored; ,
Acquiring new service permission information based on the access permission information;
An information distribution program for executing An information input device for inputting distribution target information including document information and image information;
An information delivery device that performs information processing based on a delivery condition defined in advance for the delivery target information;
A distribution destination device that is a distribution destination of the distribution target information in the information distribution device;
Based on user authentication in the information distribution device, an authentication device that performs authentication processing related to access permission and service permission to the distribution destination device;
Is an information distribution system configured by connecting with a communication network,
The information distribution apparatus includes:
A distribution processing unit for executing an information distribution process for distributing distribution target information to a distribution destination device based on a predetermined distribution condition;
When executing the information distribution process based on the distribution condition selected by the user and the distribution destination device, the user authentication information indicating the right authority of the user with respect to the distribution destination device is used to transmit the information from the external authentication device. An authentication unit for executing access permission acquisition processing for acquiring access permission information for the distribution destination device, and service permission acquisition processing for acquiring service permission information for the distribution destination device from the authentication device using the access permission information;
Identification information for identifying the delivery destination device, the access permission information for the delivery destination device, and an authentication information storage unit that executes a storage process for storing the service permission information in association with each other;
Have
In the information distribution process based on the distribution condition selected by the user and the distribution destination device, the authentication unit stores the access permission information and the service permission information corresponding to the distribution destination device in the authentication information storage unit. Determination processing to determine whether or not stored in
When the reusable service permission information is stored, the service permission information is acquired from the authentication information storage unit without executing the access permission acquisition process and the service permission acquisition process,
When the reusable service permission information is not stored and the access permission information is stored, the access permission information is acquired from the authentication information storage unit without executing the access permission acquisition process. , Obtain new service permission information based on the access permission information,
An information distribution system characterized by that. The authentication unit uses the user ID and the information indicating the distribution destination device among the distribution conditions in the new information distribution process, and uses the access permission information and the service permission stored in the authentication information storage unit. Determine if the information is reusable,
The information distribution system according to claim 7. The authentication unit is associated with a date and time obtained by subtracting a predetermined threshold from a current date and time when a new information distribution process is requested, and the access permission information and the service permission information stored in the authentication information storage unit. Determining whether or not the access permission information or the service permission information can be reused by comparing with an expiration date and time.
The information distribution system according to claim 7.   The information distribution system according to any one of claims 7 to 9, wherein the distribution condition includes a user authentication method, and the user authentication method is a fixed user method.   The information distribution system according to any one of claims 7 to 8, wherein the distribution condition includes a user authentication method, and the user authentication method is a login user method. An information input device that inputs distribution target information including document information and image information, an information distribution device that executes information processing based on a predetermined distribution condition for the distribution target information, and the distribution target information in the information distribution device A distribution destination device, which is a distribution destination, and an authentication device that performs authentication processing related to access permission and service permission to the distribution destination device based on user authentication in the information distribution device are connected by a communication network An information distribution method executed in an information distribution system to be executed,
Based on preset distribution conditions, execute information distribution processing for distributing distribution target information to the distribution destination device,
When executing the information distribution process based on the distribution condition selected by the user and the distribution destination device, the distribution destination is transferred from the authentication device using user authentication information indicating the right authority of the user with respect to the distribution destination device. Obtain access permission information for the device,
Using the access permission information to obtain service permission information for the distribution destination device from the authentication device;
Storing the identification information for identifying the distribution destination device, the access permission information for the distribution destination device, and the service permission information in association with each other,
In the information distribution process based on the distribution condition selected by the user and the distribution destination device, it is determined whether or not the access permission information and service permission information corresponding to the distribution destination device are stored.
When the service permission information that can be reused is stored, the service permission information that has already been acquired is acquired without newly acquiring the access permission and the service permission,
When the service permission information that can be reused is not stored and the access permission information is stored, the access permission information is acquired,
Obtain new service permission information based on the access permission information,
An information delivery method characterized by the above.