JP4107252B2 - Communication relay device, communication relay method, and communication relay program - Google Patents

Description

  The present invention relates to a communication relay device or the like that relays communication messages transmitted and received between a client and a server, and in particular, relays communication messages of an application layer, determines a policy according to communication contents and communication conditions, and performs communication. The present invention relates to a communication relay device, a communication relay method, and a communication relay program that determine the content of processing performed on a message.

  2. Description of the Related Art Conventionally, in a communication relay device that relays communication in an application layer in HTTP (HyperText Transfer Protocol) or SOAP (Simple Object Access Protocol), processing such as protocol conversion is performed on a communication message at the time of relay. (For example, see Patent Literature 1, Patent Literature 2, Patent Literature 3, and Patent Literature 4).

  In Patent Document 1, an appropriate communication protocol and communication path are automatically selected in a message communication relay device based on a QoS (Quality of Service) request from a server, client, administrator of the relay device, or the like. Is described.

  Patent Document 2 describes that a message communication relay device automatically adds an electronic signature to a message and verifies the signature based on communication conditions.

  Patent Document 3 describes that an appropriate filter function based on a URL (Uniform Resource Locator) condition is used in a relay device for WWW (World Wide Web) access.

  Further, Patent Document 4 describes that in a WWW access relay device, a Web content conversion module is selected according to a client's ability and request.

  The techniques described in Patent Documents 1 to 4 are common in that the operation is determined according to some communication condition and the determined operation is executed.

  Specifically, the techniques described in Patent Documents 1 to 4 can generally be considered as a configuration like the communication relay device 2000 shown in FIG.

  As shown in FIG. 24, the communication relay device 2000 includes one or more processing modules 2020 that perform message and protocol conversion, and an operation determination unit 2010 that determines a processing module to be executed based on a rule.

FIG. 25 is a flowchart illustrating an example of the operation of the communication relay device 2000.
As shown in FIG. 25, when the request message from the client 2030 is received (step S2401), the processing module 2020 to be executed is determined by the operation determination unit 2010 based on a predetermined communication condition (step S2402). That is, the processing module 2020 corresponding to the communication status is determined in accordance with a predetermined operation determination rule for determining the operation content.

  Next, the processing module 2020 determined by the operation determining unit 2010 is executed (step S2403). Then, a request message processed by the processing module 2020 is transmitted to the server 2040 (step S2404).

  As described above, the request message from the client 2030 is relayed and transmitted to the server 2040. Note that the response message from the server 2040 is also processed in the same manner as described above.

  Conventionally, there has been a case where QoS control of a network system composed of a plurality of relay devices is described by a plurality of constraints with different abstraction levels, which are converted into simple rules and distributed to all devices ( For example, see Patent Document 5).

US Patent Application Publication No. 2003/0115317 Japanese Patent Laid-Open No. 2002-164884 (page 10, FIGS. 2, 4) JP-T-2002-518726 (page 29, FIG. 4) JP 2001-265645 A (pages 19-20, FIGS. 2, 3) JP 2002-204254 A (page 11, FIG. 1)

  However, in the above-described conventional technique, when used on a communication network in which all communication destinations cannot be specified in advance, rules for determining the operation of the communication relay device cannot be described, and the communication destination is not limited. There is a problem that it cannot be applied to a communication relay device used on a type of communication network.

  That is, in the above-described techniques of Patent Documents 1 to 4, which of the plurality of processing modules is used by a combination of simple rules such as “encrypt using this method if communication is to this partner”. It was decided.

  As described above, since it is necessary to set a rule specifying the communication partner, it is impossible to perform an appropriate operation according to the communication state in all communications on the open communication network.

  In addition, since it is necessary to set a rule that identifies the communication partner, the user who sets the rule must write down a simple rule, which takes time to set the rule and easily induces a setting error. There was also a problem.

  In addition, since all restrictions must be given in advance in the technique described in Patent Document 5, as in the techniques of Patent Documents 1 to 4, the communication relay device used on an open communication network is used. There is a problem that a rule for determining the operation cannot be described and cannot be applied to such a communication relay device.

  The present invention solves the above-described problems and makes it possible to easily set rules for determining the operation content of a communication relay device used on an open communication network in which communication destinations are not limited. With the goal.

Communication relay apparatus according to the invention receives the message via the communication network, a communication relay device for transmitting subjected to a treatment in the received message (e.g., a communication relay device 101,201,301,401,501,601 , 701, 801, 901, 1201), and communication means (for example, the communication means 120) for transmitting and receiving messages and the communication means receiving the message in advance without specifying the communication destination in advance. A plurality of processing decision policies (for example, policy 133, “any encryption, method A1, key A1” or “log” shown in FIG. 20) that indicate processing restrictions on the received message in accordance with the predetermined processing decision policy decision rule. Policy determination to determine zero or more processing determination policies to be used for determining processing to be performed on received messages. Stage (e.g., policy decision unit 130) and the processing determination policy determined by the policy decision unit (e.g. policy 111) determines that zero Not the processing time, the processing determination policy determined by the policy decision unit When the number is one or more, processing content determination means (for example, module control means 150) for determining processing to be performed on the received message based on the determined processing determination policy, and processing determination policy determined by the policy determination means When there are one or more, a simple constraint generation rule (for example, the simple constraint 113) that is simplified so as to satisfy all of the plurality of constraints included in the determined processing decision policy (for example, the simple constraint 113) , If there are “log required” and “log optional”, simplify to “log required”, and if there are multiple “log optional”, And a simple constraint generating means for generating (e.g. constraint calculation unit 140) according to the rules), such as to simplify optionally "processing content determining means, in accordance with simple constraints generated by simple constraint generating means, prepared in advance The processing to be performed on the received message is determined by determining zero or more processing modules to be used for the processing to be performed on the message from a plurality of processing modules (for example, processing module 160) (for example, step S206) .

By the structure described above, can be easily set by the policy rules to determine the content of the message to the communication relay apparatus performs processing received via the communications network, is set when the communication of the message By acquiring the policy, it is possible to determine appropriate processing contents even when communicating with a communication destination that is not grasped in advance.

  The policy determination means includes, for example, a policy selection means (for example, policy selection means 131) for selecting a process determination policy to be used for determining a process to be applied to the message, and a process selected by the policy selection means. It includes a policy acquisition unit (for example, policy acquisition unit 132) that acquires a policy for determination.

  Policy setting means (for example, policy setting means 202) for setting a process determination policy is provided, and the policy determination means stores policy determination policy set by the policy setting means (for example, policy storage means 135). And the policy acquisition means may be configured to acquire a part or all of the processing decision policy selected by the policy selection means from the policy storage means (for example, step S204).

  The policy acquisition unit may be configured to acquire a processing determination policy stored outside the communication relay device (for example, a server, a client, or another system) via a communication network.

  The policy acquisition means may be configured to acquire a processing determination policy included in the received message.

  A policy decision rule setting unit (for example, policy setting unit 202) for newly setting a policy decision rule for processing decision is provided, and the policy decision unit stores the policy decision rule for process decision set by the policy decision rule setting unit The policy determination rule storage unit for determination (for example, policy determination rule storage unit 134) may be included.

  The policy determination means determines a processing determination policy to be used from a plurality of processing determination policies including a processing determination policy (for example, policy 1222) stored in the transmission destination (for example, server 171) of the received message. It may be configured.

  The policy determination means determines a processing determination policy to be used from a plurality of processing determination policies including a processing determination policy (for example, policy 1221) stored in the transmission source (for example, client 170) of the received message. It may be configured.

  The policy determination rule for process determination includes, for example, a policy determination condition (for example, the policy determination condition shown in FIG. 19) indicating a condition for setting a process determination policy used for determining a process to be performed on the received message, and the policy determination condition. The storage location of the policy for determining the processing satisfying the condition (for example, the URL shown in FIG. 19) is associated with each other.

  Based on the received message, state information (for example, information represented by a message source IP address, a destination URL, a structured document data tag in the message, etc.) indicating a communication state related to the message is created. State information creation means (for example, state information creation means 502) is provided, and the policy determination means determines a processing decision policy to be used based on the state information created by the state information creation means (for example, step S203 shown in FIG. 8). ) May be configured.

  State information creation rule storage means (for example, state information creation rule storage means 503) for storing state information creation rules (for example, see FIG. 18) used for creating state information is provided, and the state information creation means stores state information creation rule storage. The status information may be created according to the status information creation rules stored in the means.

  The status information includes, for example, an item (for example, URL, SERVER, CLIENT, etc., shown in FIG. 18) indicating the communication status related to the message, and an item content (eg, the content of the destination URL shown in FIG. , The contents of the host name of the destination URL and the contents of the connection destination IP address).

  The state information creation rule includes item content storage information (for example, URL, SERVER, CLIENT, etc. shown in FIG. 18) and item content storage information (for example, a storage location of communication status related to a message indicating the item content of the state information). 18, the destination URL, the host name portion of the destination URL, and the connection destination IP address) are associated with each other, and the status information creation unit stores the item content in the storage location indicated by the item content storage information. The state information may be created by substituting the state of the communication being performed.

  The communication state stored in the storage location indicated by the item content storage information is specific information included in the message (for example, the destination URL included in the message, the host name of the destination URL, and the connection destination IP address). It may be said.

  The message may include structured text data (for example, XML data), and the specific information included in the message may be a description content (for example, the highest tag) of the structured document data.

  Simple constraint generation means (for example, constraint calculation) for generating a simple constraint (for example, simple constraint 113) obtained by simplifying a plurality of constraints included in the policy for processing determination determined by the policy determination means in accordance with a predetermined simple constraint generation rule Means 140), simple constraint cache means (for example, simple constraint cache means 802, simple constraint cache table 803) for storing state information created by the state information creation means and simple constraints created by the simple constraint creation means; When the newly created state information matches the state information stored in the simple constraint cache unit (for example, Y in step S1201), the processing content determination unit stores the state information in the simple constraint cache unit. From multiple processing modules prepared in advance according to simple constraints Determining zero or more processing modules to be used in the process applied to the message (for example, step S1202, S206) it is, or may be configured to determine the processing to be performed on the received message.

  The policy setting means is constituted by a user interface, for example. The policy setting means is configured by a communication mechanism that receives a policy registration request and a process determination policy via a communication network and sets the received process determination policy in response to the policy registration request, for example.

  The policy setting means checks whether or not the message received by the communication means is a policy registration request message including a policy registration request and a processing decision policy (step S501), and if it is a policy registration request message, the policy registration request message (Step S502) may be set.

The communication relay method according to the invention receives the message via the communication network, a communication relay method for transmitting subjected to a treatment in the received message, that the message was received over a communications network Accordingly, a plurality of process determination policies (for example, policy 133, FIG. 20) that indicate processing restrictions on the received message according to a predetermined process determination policy determination rule without specifying a communication destination in advance . 0 or more processing determination policies (for example, policy 111) to be used for determining processing to be performed on the received message among “encryption optional, method A1, key A1”, “log required”, and the like shown (for example, step S203) , S204), determines that the processing determination policy determined to use decides not to process when zero of use When there are one or more processing decision policies, a simple constraint that is simplified to satisfy all of the multiple constraints included in the decided processing decision policy is generated according to a predetermined simple constraint generation rule. Then, according to the generated simple constraints, zero or more processing modules to be used for processing to be performed on the message are determined from a plurality of processing modules prepared in advance (for example, step S206). The processing to be performed is determined.

By the structure described above, it can be easily set by the policy rules to determine the content of processing to be performed on messages received via a communication network, the policy that is set when communicating messages By acquiring, it is possible to determine appropriate processing contents even when communicating with a communication destination that has not been grasped in advance.

  The process decision policy to be used for deciding the process to be applied to the message is selected from a plurality of process decision policies (for example, step S203), and the selected process decision policy is acquired (for example, step S204). It may be configured to determine a business policy.

  A part or all of the selected policy for processing determination may be acquired from a policy storage unit (for example, policy storage unit 135) in which the policy for processing determination is stored.

  A communication relay device (for example, the communication relay devices 101, 201, 301, 401, 501, 601, 701, 801, 901, 1201) that processes the received message and transmits it (for example, the server 171, the client 170, etc. The processing determination policy stored in the system) may be acquired inside the communication relay device (for example, the storage unit 110) via the communication network.

  The processing decision policy included in the received message may be acquired.

  The configuration may be such that a processing determination policy to be used is determined from a plurality of processing determination policies including a processing determination policy (for example, policy 1222) stored in a transmission destination (for example, server 171) of the received message. .

  The configuration may be such that a processing determination policy to be used is determined from a plurality of processing determination policies including a processing determination policy (for example, policy 1221) stored in the transmission source (for example, client 170) of the received message. .

  The policy determination rule for process determination includes, for example, a policy determination condition indicating a condition for setting a process determination policy used for determining a process to be applied to a received message, and a storage location of the process determination policy satisfying the policy determination condition. Are associated with each other (see, for example, FIG. 19).

  Based on the received message, state information indicating the state of communication related to the message is created (for example, step S801), and a processing decision policy to be used is determined based on the created state information (for example, step shown in FIG. 8). S203) may be configured.

  State information is created according to a state information creation rule (for example, see FIG. 18) stored in a state information creation rule storage unit (for example, state information creation rule storage unit 503) that stores a state information creation rule used for creating state information. It may be configured to.

  The state information is, for example, information in which an item indicating a communication state related to a message is associated with an item content indicating the content of the item.

  The state information creation rule has a configuration in which, for example, the item of the state information is associated with the item content storage information indicating the storage location of the communication state related to the message indicating the item content of the state information (see, for example, FIG. 18). ), The state information may be created by substituting the communication state stored in the storage location indicated by the item content storage information for the item content.

  A simple constraint obtained by simplifying a plurality of constraints included in the processing decision policy decided to be used is generated according to a predetermined simple constraint generation rule (for example, step S205), and generated with the generated state information. The simple constraint is stored in the simple constraint cache unit (for example, step S1203), and when the newly created state information matches the state information stored in the simple constraint cache unit (for example, Y in step S1201). In accordance with the simple constraints stored in the simple constraint cache means, zero or more processing modules to be used for the processing applied to the message are determined from a plurality of processing modules prepared in advance (for example, steps S1202 and S206). The processing to be performed on the message may be determined.

Furthermore, the communication relay program according to the present invention receives a message via a communication network, the communication relay apparatus process of transmitting subjected to a treatment in the received message (e.g., a communication relay device 101,201,301,401 , 501, 601, 701, 801, 901, 1201), the communication relay device does not specify the communication destination in advance in response to receiving a message via the communication network. In addition, a plurality of processing decision policies (for example, policy 133, “encryption option, method A1, key A1” shown in FIG. 20) indicating processing restrictions on the received message in accordance with a predetermined processing decision policy decision rule. Policy for determining the processing to be performed on the received message (for example, “Must log”) The policy 111) and determining zero or more (for example, step S203, S204), and determines not to process when the determined processing decision for policy is zero to be used was determined to use A step of generating a simple constraint that is simplified so as to satisfy all of a plurality of constraints included in the determined process determination policy when the number of process determination policies is one or more according to a predetermined simple constraint generation rule In accordance with the generated simple constraints (for example, step S205), the processing to be performed on the received message is determined by determining zero or more processing modules to be used for processing on the message from a plurality of processing modules prepared in advance. Step (for example, step S206) is executed.

By the structure described above, can be easily set by the policy rules to determine the content of the message to the communication relay apparatus performs processing received via the communications network, is set when the communication of the message By acquiring the policy, it is possible to determine appropriate processing contents even when communicating with a communication destination that is not grasped in advance.

  The communication relay device further selects a processing decision policy to be used for deciding the processing to be applied to the message from a plurality of processing decision policies, and obtains the selected processing decision policy. It is good also as a structure which performs the step (For example, step S203, step S203) to determine.

  The communication relay apparatus may further execute a step of acquiring a part or all of the selected processing determination policy from the policy storage unit (for example, the policy storage unit 135) in which the processing determination policy is stored. Good.

  In addition, the processing determination policy stored in the communication relay device (eg, the server 171, the client 170, or another system) is stored inside the communication relay device (eg, the storage unit 110) via the communication network. It is good also as a structure which performs the step acquired by (3).

  The communication relay device may be configured to further execute a step of acquiring a processing determination policy included in the received message.

  The communication relay apparatus further determines a processing determination policy to be used from a plurality of processing determination policies including a processing determination policy (for example, policy 1222) stored in the transmission destination (for example, server 171) of the received message. It is good also as composition which performs a step.

  The communication relay apparatus further determines a processing determination policy to be used from a plurality of processing determination policies (for example, policy 1221) including the processing determination policy stored in the transmission source (for example, client 170) of the received message. It is good also as composition which performs a step.

  The policy determination rule for process determination includes, for example, a policy determination condition indicating a condition for setting a process determination policy used for determining a process to be applied to a received message, and a storage location of the process determination policy satisfying the policy determination condition. Are associated with each other (see, for example, FIG. 19).

  The communication relay device further includes a step (for example, step S801) of creating status information indicating the status of communication related to the message based on the received message, and a processing decision policy to be used based on the created status information. It is good also as a structure which performs the step (For example, step S203 shown in FIG. 8) to determine.

  The communication relay device further stores a state information creation rule (for example, FIG. 18) stored in a state information creation rule storage unit (for example, the state information creation rule storage unit 503) that stores a state information creation rule used for creating state information. The step of creating state information according to (see FIG.) May be executed.

  The state information is, for example, information in which an item indicating a communication state related to a message is associated with an item content indicating the content of the item.

  The state information creation rule has a configuration in which an item of state information is associated with item content storage information indicating a storage location of a communication state related to a message indicating the item content of the state information (see, for example, FIG. 18). The communication relay device may be configured to further execute a step of creating state information by substituting the communication state stored in the storage location indicated by the item content storage information for the item content.

  The communication relay device further generates a simple constraint obtained by simplifying a plurality of constraints included in the processing decision policy determined to be used according to a predetermined simple constraint generation rule (for example, step S205). The step of storing the created state information and the generated simple constraint in the simple constraint cache unit (for example, step S1203) and the newly created state information match the state information stored in the simple constraint cache unit In such a case (for example, Y in step S1201), in accordance with the simple constraint stored in the simple constraint cache unit, zero or more processing modules to be used for processing applied to the message are determined from a plurality of processing modules prepared in advance. The step of determining the processing to be performed on the received message (for example, the step Flop S1202, S206) and may be configured to be run.

  According to the present invention, a process determination policy to be used is determined according to a process determination policy determination rule in response to reception of a message, and a process to be performed on the received message is determined based on the determined process determination policy. Because it is configured, rules for determining the operation contents of communication relay devices used on open communication networks where communication destinations are not limited can be easily set by policy, and are set at the time of message communication By acquiring the existing policy, it is possible to determine appropriate processing contents even when communication is performed with a communication destination that is not grasped in advance.

Hereinafter, embodiments of the present invention will be described with reference to the drawings.
Embodiment 1 FIG.
FIG. 1 is a block diagram showing an example of the configuration of the communication relay apparatus 101 according to the first embodiment of the present invention.

  As shown in FIG. 1, the communication relay apparatus 101 includes a computer 100 that operates under program control, and includes a storage unit 110, a communication unit 120, a policy determination unit 130, a constraint calculation unit 140, and a module control unit 150. And a plurality of processing modules 160.

  The communication relay device 101 relays a message (message data) such as a request message issued from the client 170 to the server 171 or a response message issued from the server 171 to the client 170 in response to the request message. It has a function of performing some processing (for example, protocol conversion) on the communication message at the time of relay.

  The storage unit 110 is configured by a storage medium such as a RAM, for example, and stores various information such as a received message 112 to be processed and a message 112 to be transmitted after the processing is completed.

  The communication unit 120 is connected to a client 170 and a server 171 outside the computer 100 via a communication network.

  The communication unit 120 has a function of executing message reception processing and message transmission processing processed by the processing module 160. The communication unit 120 executes processing for saving the received communication message as the message 112 in the storage unit 110 and processing for transmitting the message 112 after the processing by the processing module 160 stored in the storage unit 110 is completed.

  Policy determination means 130 includes policy selection means 131 and policy acquisition means 132. The policy acquisition unit 132 has a function of acquiring a plurality of policies 133 held outside the computer 100 via a communication network.

  The policy selection unit 131 has a function of determining zero or more policies 133 to be used from among a plurality of policies 133 using the message 112 stored in the storage unit 110.

  The policy acquisition unit 132 has a function of acquiring the policy 133 determined by the policy selection unit 131 from the policy 133 held outside and storing it as the policy 111 in the storage unit 110.

  The constraint calculation unit 140 performs a process for simplifying a plurality of constraints included in the policy 111 stored in the storage unit 110 and stores the calculated simple constraint as the simple constraint 113 in the storage unit 110. Do.

  In other words, the constraint calculation means 140 performs a process of deriving a simple constraint that includes all of the plurality of constraints indicated by the policy 133 to be used and in which the content of the constraint is simplified.

  The module control unit 150 determines zero or more processing modules 160 to be executed in accordance with the simple constraint 113 stored in the storage unit 110 and performs processing for determining the execution order of the processing modules 160.

  Note that the execution order is determined using, for example, a table in which a set of processing modules and an execution order are associated in advance, or based on the priority of the execution order for each processing module determined in advance. It may be determined in any way.

  Further, the module control unit 150 has a function of giving an execution instruction to each processing module 160 according to the execution order and causing each processing module 160 to execute processing.

  Each processing module 160 executes a process according to the control of the module control unit 150, whereby a process according to the simple constraint 113 on the storage unit 110 is executed for the message 112 to be processed. That is, a process that satisfies a plurality of constraints included in the policy 111 stored in the storage unit 110 is executed for the message 112 to be processed.

  Next, the operation of the communication relay device 101 according to the first embodiment of the present invention will be described. FIG. 2 is a flowchart illustrating an example of a communication relay process executed by the communication relay apparatus 101.

  In the communication relay process, first, the communication unit 120 waits for reception of a message from a communication destination (for example, the client 170 or the server 171) (step S201). When the message is received (Y in step S201), the communication unit 120 stores the received message in the storage unit 110 (step S202).

  Next, the policy selection unit 131 of the policy determination unit 130 examines the message stored in the storage unit 110 and determines zero or more policies 133 to be used from the contents (step S203).

  In step S203, for example, it is searched whether there is a specific description (see, for example, “PURCHASE” FIG. 19) in the contents of the structured document data included in the message. Processing for determining a policy that uses the policy associated with the description is executed.

  In step S203, the time when the message is received, the control load state of the server to which the message is sent (the actual load state may be confirmed, or even the load predicted by the time zone, etc. The policy that uses the policy associated with the information may be determined based on information (communication state) different from the content of the message indicating “good”.

  Note that the case where the policy 133 used by zero policies in step S203 means that there is no processing to be performed on the message to be processed.

  When the policy to be used is determined, the policy acquisition unit 132 acquires the policy 133 to be used determined in step S203 and stores it in the storage unit 110 (step S204).

  Next, the constraint calculation unit 140 takes out the constraints included in the policy stored in the storage unit 110, simplifies the constraints, and stores the obtained simple constraint 133 in the storage unit 110 (step S205).

  When the simple constraint 133 is generated and stored, the module control unit 150 extracts the simple constraint 113 stored in the storage unit 110, and includes zero or more processing modules 160 used for processing the received message, and the execution order thereof. And the execution instruction is given to the processing module 160 determined to be used in accordance with the determined execution order, and the processing module 160 executes the processing (step S206).

  Note that giving an execution instruction to a processing module may be referred to as “calling a processing module”.

  And the communication means 120 takes out a message from the memory | storage means 110, determines a transmission destination and a transmission method from the content of a message, and transmits a message (step S207).

  Note that the transmission destination is determined by using, for example, the destination URL included in the message as the transmission destination. The transmission method is determined by specifying a protocol used for message transmission from a communication protocol such as HTTP, HTTPS (HyperText Transfer Protocol Security), FTP (File Transfer Protocol), and SMTP (Simple Mail Transfer Protocol). Is done.

  As described above, in the first embodiment, when a message is received, a processing module that determines and acquires a policy to be used for determining processing contents for the message, and executes the processing according to the acquired policy. Therefore, even if the policy used for determining the processing module is not grasped in advance, it is possible to determine the necessary policy and determine the processing content to be applied to the message.

  In other words, even if the communication destination (message source, message destination) is not known in advance, it is possible to determine and execute an appropriate process for the received message and install it on an open communication network. The communication relay device can perform appropriate or relay processing.

  In addition, as described above, the policy determination unit 130 determines and acquires zero or more policies to be used according to the content of the message received, and the constraint calculation unit 140 generates a simple constraint using the acquired policy. Since the module control unit 150 determines the processing contents to be applied to the message based on the simple constraint and the determined processing is applied to the message, the processing content to be applied to the message received by the communication relay apparatus 101 is defined as a plurality of policies. Can be described by:

  Specifically, for example, describe multiple policies (constraints) with different levels of abstraction, such as “any method but encryption is required anyway” and “this method is optional if encryption is used, but this method is used”. Thus, it is possible to determine the processing content to be applied to the message received by the communication relay apparatus 101.

  Further, as described above, after the communication unit 120 receives the message, the policy determination unit 130 determines the content of the received message and the state at that time (communication state: specifically, the above-described time and destination load) The policy for determining the processing content is determined even when a message related to an unknown communication destination is received. It can be acquired, and the processing content to be applied to the received message can be determined.

  Note that a message related to an unknown communication destination means a message whose communication destination is not specified in advance, and specifically, is transmitted and received between a transmission source and a transmission destination that are not grasped in advance by the apparatus 101. Means a message.

  In addition, as described above, after the policy determining unit 130 determines the policy to be used for the received message, the constraint calculating unit 140 derives the simple constraint using only the policy determined to be used. Therefore, it is possible to eliminate the need to perform processing operations for deriving simple constraints using all existing policies. For this reason, even when there are a large number of policies, the operation determination process for determining the operation that the apparatus 101 performs on the message can be performed at high speed.

Embodiment 2. FIG.
Next, a second embodiment of the present invention will be described.
FIG. 3 is a block diagram showing an example of the configuration of the communication relay device 201 according to the second embodiment of the present invention. In FIG. 3, parts having the same configuration as the communication relay apparatus 101 shown in FIG. 1 described above are assigned the same reference numerals and detailed descriptions thereof are omitted.

  As shown in FIG. 3, the communication relay apparatus 201 includes a computer 200 that operates under program control, and includes a storage unit 110, a communication unit 120, a policy setting unit 202, a policy determination unit 230, and a constraint calculation unit 140. A module control unit 150 and a plurality of processing modules 160.

  The policy setting unit 202 has a function of setting a policy determination rule used when the policy determination unit 230 determines the policy in the apparatus 201.

  Specifically, when the policy setting unit 202 receives a policy decision rule registration request that presents a policy decision rule from outside the communication relay device 201, the policy setting unit 202 stores the presented policy decision rule in the policy decision rule storage unit 134. Do.

  When the policy setting unit 202 receives a policy registration request for presenting a policy from the outside of the communication relay apparatus 201, the policy setting unit 202 also stores the presented policy in the policy storage unit 135.

  The policy determination unit 230 includes a policy selection unit 131, a policy acquisition unit 132, a policy determination rule storage unit 134, and a policy storage unit 135.

  The policy determination rule storage means 134 is a storage medium that stores policy determination rules. The policy storage unit 135 is a storage medium that stores a plurality of policies.

  In this example, when the policy selection unit 131 determines a policy to be used, the policy selection unit 131 determines a policy to be used by using the policy determination rule stored in the policy determination rule storage unit 134.

  In this example, if the policy to be acquired is a policy stored in the policy storage unit 135, the policy acquisition unit 132 acquires the corresponding policy from the policy storage unit 135.

  A preferred embodiment of the policy setting unit 202 is, for example, a user interface. Another preferred embodiment of the policy setting unit 202 receives a setting request such as a policy determination rule registration request or a policy registration request through communication, and executes a policy determination rule or policy registration process in response to the reception. Communication mechanism.

  The “policy determination rule” is defined by policy determination conditions and policy acquisition information indicating a method for acquiring the corresponding policy. The “policy acquisition information” is information that is referred to when the policy determination condition is satisfied, and is information indicating a policy acquisition method that is used when the policy determination condition is satisfied.

  The “policy determination condition” includes, for example, a condition for a communication environment such as a communication source address, a communication destination address, a message content, a state of the communication relay device 201, a state of another device connected to the communication relay device 201, This is information associated with a policy to be used when a condition is met.

  The “policy acquisition information” is information for specifying the location where the policy to be acquired is stored. Specifically, for example, it is calculated by a fixed algorithm from an arbitrary fixed URL or communication environment. And information indicating the storage address of the policy to be acquired in the policy storage means 132.

  As described above, in the second embodiment, a policy determination rule for determining the policy to be used can be set, and a part of the policy to be used is registered in the communication relay device 201. Since the configuration is obtained, the policy used under the new policy determination condition can be freely set.

Embodiment 3 FIG.
Next, a third embodiment of the present invention will be described.
FIG. 4 is a block diagram showing an example of the configuration of the communication relay device 301 according to the third embodiment of the present invention. In FIG. 4, parts having the same configuration as that of the communication relay apparatus 201 shown in FIG. 3 described above are assigned the same reference numerals and detailed descriptions thereof are omitted.

  As shown in FIG. 4, the communication relay device 301 is configured by a computer 300 that operates under program control, and has the same configuration as the communication relay device 201 described above.

  However, the communication relay device 301 is different from the communication relay device 201 in that the policy setting unit 202 is connected to the communication unit 120.

  Next, the operation of the communication relay device 301 according to the third embodiment of the present invention will be described. FIG. 5 is a flowchart showing an example of communication relay processing executed by the communication relay device 301 in this example.

  In the communication relay process, after receiving the message in steps S201 to S202 and storing the message in the storage unit 110, the policy setting unit 202 checks whether the message is a setting request for the communication relay device 301 (step). S501).

  If the request is a setting request, the policy setting unit 202 executes setting processing based on the request (step S502). Specifically, if the setting request is a policy decision rule registration request, processing for storing the policy decision rule in the policy decision rule storage unit 134 is performed. If the setting request is a policy registration request, processing for storing the policy in the policy storage unit 135 is performed.

  If the request is not a setting request, the communication relay device 301 executes the processes of steps S203 to S207 described above.

  As described above, in the third embodiment, the policy setting unit 202 receives a setting request or the like by introducing a communication path that the communication relay device 301 uses for message relay. Therefore, the setting request can be received via the communication path used for relay by the communication relay device 301, and the setting process according to the setting request can be performed.

Embodiment 4 FIG.
Next, a fourth embodiment of the present invention will be described.
FIG. 6 is a block diagram illustrating an example of the configuration of the communication relay device 401 according to the fourth embodiment of the present invention. In FIG. 6, parts having the same configuration as the communication relay apparatus 201 shown in FIG. 3 described above are given the same reference numerals and detailed description thereof is omitted.

  As shown in FIG. 6, the communication relay device 401 is configured by a computer 400 that operates under program control, and has the same configuration as the communication relay device 201 described above.

  However, the communication relay device 401 is different from the communication relay device 201 in that the policy setting unit 202 is connected to the module control unit 150 and is handled as a kind of the processing module 160.

  In this example, when the policy setting unit 202 is called as the processing module 160, the policy setting unit 202 confirms the content of the message. If the message includes a policy determination rule registration request, the policy determination rule included in the message is included. Is set in the policy determination rule storage unit 134. In this case, the existing policy decision rule may be deleted, or a new policy decision rule may be added to the existing policy decision rule.

  As described above, in the fourth embodiment, since the policy setting unit 202 is called as a processing module, the policy determination rule registration request and the policy determination rule are included in the relayed message. By doing so, it is possible to cause the module control unit 150 to perform processing for setting the policy determination rule (calling of the policy setting unit 202).

  Further, as described above, since the policy setting unit 202 is called as a processing module, the policy setting unit 202 can be used in combination with another processing module such as a decryption module, for example. Policy decision rule setting processing using the above function can be performed.

Embodiment 5. FIG.
Next, a fifth embodiment of the present invention will be described.
FIG. 7 is a block diagram illustrating an example of the configuration of the communication relay device 501 according to the fifth embodiment of the present invention. In FIG. 7, parts having the same configuration as the communication relay apparatus 101 shown in FIG. 1 described above are assigned the same reference numerals and detailed description thereof is omitted.

  As shown in FIG. 7, the communication relay device 501 includes a computer 500 that operates under program control, and includes a storage unit 110, a communication unit 120, a policy determination unit 130, a constraint calculation unit 140, and a module control unit 150. A plurality of processing modules 160, a state information creation unit 502, and a state information creation rule setting unit 504.

  The state information creation unit 502 includes a state information creation rule storage unit 503, and performs processing for creating state information based on a message and the state of another system (for example, a predicted load of a message transmission destination system).

  The “status information” means information used for determining a policy among information indicating a communication status such as a message content and a status of another system. Specifically, the “status information” is, for example, information of one or more of a destination URL, a host name of a destination server, an IP address of a transmission source user, a top tag name of XML data in a message, and the like. Consists of.

  The state information creation rule storage unit 503 is a storage medium for storing state information creation rules. The “status information creation rule” is a rule determined in advance for creating status information, and includes an item name in the status information and position information indicating a storage location of information corresponding to each item. In accordance with this state information creation rule, information in which information corresponding to each item is substituted as item content is state information.

  The status information creation rule setting unit 504 receives a status information creation rule setting request from the outside of the computer 500 and changes the status information creation rule stored in the status information creation rule storage unit 503.

  The state information creation rule setting unit 504 is, for example, a user interface. Note that the state information creation rule setting unit 504 may be configured by a communication device that receives and executes a request for setting a state information creation rule by communication.

  In this example, status information 505 is stored in the storage unit 110 as shown in FIG.

  Next, the operation of the communication relay device 501 in the fifth embodiment of the present invention will be described. FIG. 8 is a flowchart illustrating an example of communication relay processing executed by the communication relay device 501 in this example.

  In the communication relay process, after receiving the message in steps S201 to S202 and storing the message in the storage unit 110, the state information creation unit 502 creates the state information using the state information creation rule, and creates the created state information. Is stored on the storage means 110 (step S801).

  State information is created by extracting information corresponding to each item that constitutes state information from the message and other system states based on the state information creation rules, and substituting the extracted information as item contents of each item Is done.

  Next, the policy selection unit 131 uses the state information stored in the storage unit 110 to determine a policy to be used (step S203).

  And the process of step S204-step S207 mentioned above is performed.

  As described above, in the fifth embodiment, the communication information used for determining the policy to be used is extracted from the communication state indicating the state of the message or other system, and is configured as the state information. Therefore, the communication state used for policy determination can be easily grasped, and policy determination processing can be easily performed.

Embodiment 6 FIG.
Next, a sixth embodiment of the present invention will be described.
FIG. 9 is a block diagram illustrating an example of the configuration of the communication relay device 601 according to the sixth embodiment of the present invention. In FIG. 9, parts having the same configuration as the communication relay apparatus 501 shown in FIG. 7 described above are assigned the same reference numerals and detailed description thereof is omitted.

  As shown in FIG. 9, the communication relay device 601 is configured by a computer 600 that operates by program control, and has the same configuration as the communication relay device 501 described above.

  However, the communication relay device 601 is different from the communication relay device 501 in that the state information creation rule setting unit 504 is connected to the communication unit 120.

  The operations and effects are the same as those in the third embodiment described above except that the setting target is a state information creation rule.

  As described above, in the sixth embodiment, the state information creation rule setting unit 504 receives the setting request by introducing the communication path used by the communication relay device 601 for relaying the message. Therefore, the communication relay device 301 can receive the setting request for the state information creation rule via the communication path used for the relay, and can perform the setting process according to the setting request. .

Embodiment 7 FIG.
Next, a seventh embodiment of the present invention will be described.
FIG. 10 is a block diagram illustrating an example of the configuration of the communication relay device 701 according to the seventh embodiment of the present invention. 10, parts having the same configuration as the communication relay apparatus 501 shown in FIG. 7 described above are given the same reference numerals and detailed description thereof is omitted.

  As shown in FIG. 10, the communication relay device 701 is configured by a computer 700 that operates by program control, and has the same configuration as the communication relay device 501 described above.

  However, the communication relay apparatus 701 is different from the communication relay apparatus 501 in that the state information creation rule setting unit 504 is connected to the module control unit 150 and is handled as a kind of the processing module 160.

  The operations and effects are the same as those in the fourth embodiment described above except that the setting target is a state information creation rule.

  As described above, in the seventh embodiment, since the state information creation rule setting unit 504 is called as a processing module, the registration request for the state information creation rule and the state information are included in the relayed message. By including the creation rule, it is possible to cause the module control unit 150 to perform processing for setting the state information creation rule (calling the state information creation rule setting unit 504).

  Further, as described above, since the state information creation rule setting unit 504 is called as a processing module, it is possible to use another processing module such as a decryption module and the state information creation rule setting unit 504 in combination. The state information creation rule setting process using the functions of other processing modules can be performed.

Embodiment 8 FIG.
Next, an eighth embodiment of the present invention will be described.
FIG. 11 is a block diagram illustrating an example of the configuration of the communication relay device 801 according to the eighth embodiment of the present invention. In FIG. 11, parts having the same configuration as the communication relay apparatus 501 shown in FIG. 7 described above are assigned the same reference numerals and detailed description thereof is omitted.

  As shown in FIG. 11, the communication relay device 801 includes a computer 800 that operates under program control, and includes a storage unit 110, a communication unit 120, a policy determination unit 130, a constraint calculation unit 140, and a module control unit 150. A plurality of processing modules 160, a state information creation unit 502, a state information creation rule setting unit 504, and a simple constraint cache unit 802.

  That is, the communication relay device 801 is configured to include a simple constraint cache unit 802 in addition to the configuration of the communication relay device 501 described above.

  The simple constraint cache unit 802 performs processing for caching already created simple constraints based on certain state information.

  As shown in FIG. 12, the simple constraint cache unit 802 has a simple constraint cache table 803 in which state information and simple constraints are associated with each other.

  As shown in FIG. 12, the simple constraint cache table 803 associates simple constraints generated in the past with state information used in determining the policy used to generate the simple constraints. Stored.

  Next, the operation of the communication relay device 801 in the eighth embodiment of the present invention will be described. FIG. 13 is a flowchart showing an example of communication relay processing executed by the communication relay device 801 in this example.

  In the communication relay process, the message is received in steps S201 to S202 and stored in the storage unit 110. After the state information is generated and stored in the storage unit 110 in step S801, the simple constraint cache unit 802 Whether or not the simple constraint cache exists is confirmed by confirming whether or not the simple constraint is stored in the simple constraint cache table 803 with the same state information as the created state information (step S1201).

  If a simple constraint cache exists, the simple constraint is stored in the storage means 110 (step S1202), and the steps are executed without executing the policy determination processing, policy acquisition processing, and simple constraint derivation processing. The process proceeds to S206.

  If a simple constraint cache does not exist, policy determination processing (step S203), policy acquisition processing (step S204), and simple constraint derivation processing (step S205) are performed, and the derived simple constraint is converted to state information. And added to the simple constraint cache table 803 (step S1203). Thereafter, the process proceeds to step S206.

  And the process of step S206-step S207 mentioned above is performed.

  As described above, in the eighth embodiment, the derived simple constraint is cached in association with the state information, so that it is generated in the past when a message that creates the same state information is received. Can be used, and policy processing, policy acquisition, and simple constraint calculation processing can be omitted, so that processing contents to be applied to received messages can be determined at high speed. it can.

Embodiment 9 FIG.
Next, a ninth embodiment of the present invention will be described.
FIG. 14 is a block diagram showing an example of the configuration of the communication relay device 901 according to the ninth embodiment of the present invention. In FIG. 14, parts having the same configurations as those of the communication relay apparatus 101 shown in FIG. 1 described above are assigned the same reference numerals and detailed descriptions thereof are omitted.

  As illustrated in FIG. 14, the communication relay device 901 includes a computer 900 that operates under program control, and has the same configuration as the communication relay device 101.

  However, the communication relay apparatus 901 is such that part or all of the processing module 160 is installed outside the communication relay apparatus 901 and the module control unit 150 calls the external processing module 161 by calling an external module. And different.

  As a preferred embodiment of the external module call, an external module call in the same computer such as a DLL (Dynamic Link Library) call, a process call on another computer by an RPC (Remote Procedure Call), a distributed object, or the like can be considered.

  As described above, in the ninth embodiment, since the processing module 161 installed outside the communication relay device is executed, a processing module provided by another device can be used. At the same time, the load related to the execution of the processing module can be distributed.

Embodiment 10 FIG.
Next, a tenth embodiment of the present invention will be described.
FIG. 15 is a block diagram illustrating an example of a configuration of a communication relay device according to the tenth embodiment of the present invention.

  As illustrated in FIG. 15, the communication relay device of this example includes a communication device 1001, a data processing device 1002, a communication relay program 1003, and a storage device 1004.

  The data processing device 1002 collectively indicates means for executing each process described above in each of the first to ninth embodiments.

  The communication relay program 1003 is a control program that is read into the data processing device 1002 and causes the data processing device 1002 to execute various operations.

  That is, the communication relay program 1003 is a control program for causing the data processing device 1002 to execute various processes in the above-described embodiments.

  The communication device 1001 corresponds to the communication unit 120 in each of the first to ninth embodiments, and executes the same processing as that of the communication unit 120 described above.

  The storage device 1004 corresponds to the storage unit 110 in each of the first to ninth embodiments, and stores the same information as the storage unit 110 described above.

  As described above, in the tenth embodiment, since the data processing apparatus 1002 is configured to operate according to the communication relay program 1003, each of the above-described embodiments is added to the data processing apparatus 1002 by the communication relay program 1003. Various processes in the embodiment can be executed, and the same effects as those of the above-described embodiments can be obtained.

Next, specific examples of the present invention will be described.
Examples described below correspond to the first, second, fifth, and eighth embodiments described above.

  The communication relay device according to the present embodiment receives communication from a client and transmits it to a server in communication using HTTP (HyperText Transfer Protocol) as a transfer protocol and XML (eXtensible Markup Language) as a message format. .

  As shown in FIG. 16, the communication relay device 1201 according to the present embodiment is configured by a computer 1200, an HTTP Proxy 1220 that is a specific example of the communication unit 120, a memory 1210 that is a specific example of the storage unit 110, and a policy setting unit. 202, a setting GUI 1202, which is a specific example of the state information creation rule setting unit 504, a state information creation unit 502, a simple constraint cache unit 802, a policy determination unit 230, a constraint calculation unit 140, and a module control unit 150. Including.

  In this example, as a specific example of the processing module 160, an encryption module 1601 that performs encryption / decryption processing, a log module 1601 that performs log reading processing, and a destination change module 1603 that performs communication destination change processing are used.

  The communication relay device 1201 is connected to the client 170 and the server 171 via a communication network such as the Internet.

  As shown in FIG. 16, in this example, policies 1221 and 1222 are held in the client 170 and the server 171, respectively, and can be acquired by HTTP.

  FIG. 17 is an explanatory diagram illustrating an example of information stored in the memory 1210. As illustrated in FIG. 17, the information stored in the memory 1210 includes a policy 111, a message 112, a simple constraint 113, and state information 505.

  The message 112 includes a communication state such as a communication destination URL and a communication source IP address, an HTTP header, and XML data. The state information 505 is configured by information in which a plurality of combinations of variable names and values are collected.

  The policy 111 and the simple constraint 113 are constraint description languages (for example, WS-Policy: Web Services Policy Framework) that can be processed by the constraint calculation unit 140, the module control unit 150, and the processing modules 1601, 1602, and 1603, respectively. Described by.

  FIG. 18 is an explanatory diagram showing a specific example of the state information creation rule stored in the state information creation rule storage unit 503 in the state information creation unit 502.

  The status information creation rule includes a variable name such as “URL” or “SERVER” and a method for extracting the status from the information message that is the value to be set (information indicating the location in the message where the value to be set exists) Consists of combinations.

In this embodiment, as shown in FIG.
"URL = destination URL"
"SERVER = host name part of destination URL"
"CLIENT = source IP address"
"CONTENT = XML data top tag name"
It is assumed that the four state information creation rules are set in the state information creation rule storage unit 503 by the setting GUI 1202.

  FIG. 19 is an explanatory diagram showing a specific configuration example of the policy determination unit 230. In this example, as shown in FIG. 19, one policy is stored in the policy storage unit 135, and three policy determination rules are stored in the policy determination rule storage unit 134.

  As illustrated in FIG. 19, the policy determination rule is configured by a combination of a policy determination condition using a variable and an expression (a specific example of policy acquisition information) representing a policy URL. Note that “*” means an arbitrary message.

  Each of the two policy determination rules whose policy determination condition is “*” shown in FIG. 19 uses the policy specified by the URL “http: //$SERVER/policy.xml” for all messages. And the policy specified by the URL “http: //$CLIENT/policy.xml” is defined.

  Also, the policy decision rule whose policy decision condition shown in FIG. 19 is “IF ($ CONTENT = PURCHASE)” is “local: /policy.xml” only for messages whose XML top tag is named “PURCHASE”. It specifies that the specified policy should be used. Note that ““ $ ”+ variable name” is replaced with the set value of the variable.

  Further, as shown in FIG. 19, it is assumed that the policy is registered in the policy storage unit 135 through the setting GUI 1202 in a format that can be acquired with a URL “local: //policy.xml”. That is, the policy is registered in the policy acquisition information format of URL “local: //policy.xml”.

  In this embodiment, as shown in FIG. 20, two clients (client 1, client 2) and three servers (server 1, server 2, server 3) are connected to a communication relay apparatus 1200 via a communication network. Suppose that

  As shown in FIG. 20, it is assumed that the servers 1, 2, and 3 can each receive a message with the URL “http: // [hostname] / message_receiver”.

  Further, as shown in FIG. 20, it is assumed that policies are set for the client 1 and the servers 1, 2 and 3, respectively. Each of these policies is set so that the communication relay apparatus 2101 can acquire the URL by the URL “http: // [hostname] /policy.xml”.

  Here, [hostname] is the host name or IP address of each server 1, 2, 3 or client 1, 2.

  As shown in FIG. 20, each policy describes the necessity of encryption and log, and restrictions on encryption methods and keys used when using encryption.

  In this embodiment, it is assumed that the policy, the policy determination rule, and the state information creation rule are set as described above.

  Next, processing when the client 1 transmits XML data D1 as shown in FIG. 21 to the server 1 to the communication relay apparatus 1201 will be described.

  When the communication relay device 1201 receives the XML data D1, first, the HTTP Proxy 1220 stores the XML data D1 in the memory 1210 as a message M1 together with a communication state and an HTTP header.

Next, the status information creation unit 502 recognizes the message M1,
"URL = http: // sever1 / message_receiver"
"SERVER = server1"
"CLIENT = 192.168.0.1"
"CONTENT = PURCHASE"
Are stored in the memory 1210 as state information 505.

  Next, the simple constraint cache unit 802 checks whether or not the simple constraint corresponding to the state information 704 is stored in the cache. If the simple constraint is not stored, the policy determination unit 230 determines and acquires the policy. Do.

In this case, the policy selection unit 131 determines from the registered policy decision rule (see FIG. 19) and the value of the state information 505 on the memory 1210.
"http: //server1/policy.xml"
"http://192.168.0.1/policy.xml"
"local: /policy.xml"
The three policies acquired using the three policy acquisition information are determined to be used.

  And the policy acquisition means 132 performs the process which acquires three policies, respectively, based on said three policy acquisition information.

  In this example, the policy acquisition unit 132 acquires the policy “any encryption, method A1, key B1” from the server 1 using the URL “http: //server1/policy.xml” via the communication network. Using “http://192.168.0.1/policy.xml”, the policy “any encryption” is acquired from the client 1 via the communication network. Further, the policy acquisition unit 132 acquires the policy “encryption mandatory, log essential” from the policy storage unit 135 using the URL “local: /policy.xml”.

  Each policy acquired by the policy acquisition unit 132 is stored as the policy 111 in the memory 1210.

  Next, the constraint calculation means 140 calculates the constraints included in the three policies 111 stored in the memory 1210.

  Here, the constraint calculation means 140 determines that “encryption is mandatory and scheme A1 and key are based on the three constraints (policy)” “any encryption, scheme A1, key B1”, “any encryption”, and “encryption is required. The simple constraint “B1.

  The simple constraint is calculated (derived) by simplifying (simplifying) so as to satisfy all of the plurality of constraints. For example, when “encryption optional” and “encryption required” are mixed, a process of simplifying to one constraint “encryption required” is performed. The constraint calculation means 140 performs a simple constraint derivation process using a calculation formula set in advance to perform such processing. Note that the simple constraint means a simplified policy in which a plurality of policies are simplified.

  The derived simple constraint is stored as the simple constraint 113 in the memory 1210. At the same time, the state information 505 on the memory 1210 and the simple constraint 113 are stored in the simple constraint cache unit 802.

  Next, the module control unit 150 determines a processing module to be used based on the simple constraint 113 on the memory 1210. In this example, since the simple constraint is “encryption is required and method A1, key B1. Log is required.”, The encryption module 1601 for performing encryption processing and the log for performing processing for recording the content of the message in the log It is decided to use the module 1602.

  When the processing module to be used is determined, the module control unit 150 gives execution instructions to the cryptographic module 1601 and the log module 1602 that have been determined to be used, and causes the processing modules 1601 and 1602 to execute processing.

  Here, after the log module 1602 executes processing for recording the contents of the message M1 in the log, the encryption module 1601 executes encryption processing of the message M1 with “method A1, key B1”, and the message on the memory 1210 M1 is replaced with the encrypted message M2.

  Finally, the HTTP Proxy 1220 transmits the message M2 on the memory 1210 to the server 1 via the communication network.

  As described above, the communication relay device 1201 receives the message M1 from the client 1, and sends the message M2 applied to the message M1 received based on the processing module determined to be used according to the policy to the server 1. The transmission process is executed.

  When the XML data D1 (message M1) is sent again from the client 1 to the server 1 after executing the above processing, the status information 505 is the same as the XML data D1 sent for the first time, and is used. The same policy is applied. For this reason, the simple constraint cached in the simple constraint cache unit 802 is stored and used in the memory 1210 when the XML data D1 is processed for the first time, so that the processing by the policy determination unit 230 and the constraint calculation unit 140 is performed. Can be omitted.

Next, a case where XML data D1 (message M1) is sent from the client 1 to the server 2 will be described. In this case, the state information 505 is
"URL = http: // sever2 / message_receiver"
"SERVER = server2"
"CLIENT = 192.168.0.1"
"CONTENT = PURCHASE"
Compared with the case where a message is sent to the server 1, the policy acquisition information for acquiring the policy 111 is the URL "" http: "instead of the URL""http://server1/policy.xml"". //server2/policy.xml "" and others are the same.

  As a result, the simple constraint is “encryption is required and method A2, key B2. Log is required.” Therefore, XML data encrypted by “method A2 and key B2” is transmitted to server 2. .

Next, the case where the XML data D3 (message M3) shown in FIG. 22 is sent from the client 1 to the server 1 will be described. In this case, the state information 505 is
"URL = http: // sever1 / message_receiver"
"SERVER = server1"
"CLIENT = 192.168.0.1"
"CONTENT = CATALOG"
It becomes.

  Further, the policy selection unit 131 determines the URL “http: //server1/policy.xml” and the URL from the registered policy decision rule (see FIG. 19) and the value of the status information 505 on the memory 1210. It is decided to use two policies acquired respectively using two policy acquisition information “http://192.168.0.1/policy.xml”. Here, the policy acquired by the URL ““ local: /policy.xml ”” is not used.

  And the policy acquisition means 132 performs the process which acquires two policies, respectively, based on said two policy acquisition information.

  In this example, the policy acquisition unit 132 acquires the policy “any encryption, method A1, key B1” from the server 1 using the URL “http: //server1/policy.xml” via the communication network. Using “http://192.168.0.1/policy.xml”, the policy “any encryption” is acquired from the client 1 via the communication network.

  As a result, the simple restriction 113 becomes “encryption method A1, key B1”. Therefore, the module control unit 150 determines a processing module that uses only the cryptographic module 1601 and calls the cryptographic module 1601. Then, the XML data encrypted with “scheme A1, key B1” is transmitted to the server 1.

  Note that the encryption module 1601 may not be encrypted because encryption is arbitrarily used. In this case, the module control unit 150 decides not to use the processing module (determines 0 processing modules to be used), and the server 1 transmits the same message M3 transmitted by the client 1 as it is.

  Next, the case where the XML data D3 (message M3) shown in FIG. 22 is sent from the client 1 to the server 3 will be described.

  In this case, the policy selecting unit 131 uses the URL ““ http: //server3/policy.xml ”” based on the registered policy decision rule (see FIG. 19) and the value of the status information 505 on the memory 1210, It is decided to use two policies respectively acquired using two policy acquisition information of URL “http://192.168.0.1/policy.xml”. Note that the policy acquired by the URL ““ local: /policy.xml ”” is not used.

  And the policy acquisition means 132 performs the process which acquires two policies, respectively, based on said two policy acquisition information.

  In this example, the policy acquisition unit 132 acquires the policy “encryption required, method A1, key B1” from the server 3 using the URL “http: //server3/policy.xml” via the communication network. Using “http://192.168.0.1/policy.xml”, the policy “any encryption” is acquired from the client 1 via the communication network.

  As a result, the simple constraint 113 is “encryption is essential and method A1, key B1”. Therefore, the module control unit 150 determines a processing module that uses only the cryptographic module 1601 and calls the cryptographic module 1601. Then, the XML data encrypted with “scheme A1, key B1” is transmitted to the server 1.

  In this example, since the policy acquired from the server 3 is the policy “encryption required, method A1, key B1”, the simple constraint 113 is “encryption required and method A1, key B1”, and the message M3 is always encrypted. Sent to the server 3. That is, since it is not “any encryption”, the encryption processing of the message M3 is always executed. Logs are not recorded.

  Next, the case where the XML data D1 (message M1) shown in FIG. 21 is sent from the client 2 to the server 1 will be described.

  In this case, the policy selection unit 131 uses the URL “http: //server1/policy.xml” and the URL “from the value of the status information 505 on the memory 1210 and the registered policy determination rule (see FIG. 19). It is decided to use three policies acquired using three policy acquisition information of “http://192.168.0.2/policy.xml” and URL [local: /policy.xml].

  And the policy acquisition means 132 tries acquisition of three policies based on said three policy acquisition information. However, no policy that can be acquired by the URL “http://192.168.0.2/policy.xml” is arranged in the client 2.

  In such a case, the policy acquisition unit 132 ignores the policy that does not exist, and uses the URL “http: //server1/policy.xml” to obtain the policy “any encryption, method A1, key B1” from the server 1. Obtained via the communication network, and obtains the policy “encryption mandatory, log mandatory” from the policy storage means 135 using the URL “local: /policy.xml”. Note that if there is no server-side policy, it is ignored as described above.

  As a result, the simple constraint 113 is “encryption is essential, method A1, key B1, and log is essential”. Accordingly, the module control unit 150 determines a processing module that uses the log module 1602 and the cryptographic module 1601 and sequentially calls the log module 1602 and the cryptographic module 1601.

  Therefore, after the log module 1602 executes processing for recording the content of the message M1 in the log, the encryption module 1601 executes encryption processing of the message M1 with “method A1, key B1”, and the message M1 on the memory 1210 Is replaced by the encrypted message M2.

  Then, XML data (message M2) encrypted with “scheme A1, key B1” is transmitted to the server 1.

  In the above-described embodiment, the policy storage location acquired by the policy determination unit 230 is on the remote machine (server or client) that communicates or in the policy storage unit 135. However, the policy storage location and policy acquisition method Is not limited to this. Further, the number of policies to be acquired is not limited to the above-described embodiment.

  For example, in a system including a plurality of communication relay apparatuses having the same configuration as the communication relay apparatus 1201 described above, a policy server that centrally manages policies is installed outside the computer 1200, and each communication relay apparatus acquires a policy from the policy server. You may make it do. If comprised in this way, the management of the policy used with a some communication relay apparatus can be unified, and the policy used with a some communication relay apparatus can be managed easily.

  Further, in the above-described embodiment, a certain position in the XML data of the message 112 stored in the memory 1210 may be specified by the URL that is the policy acquisition information, and the policy stored at the position may be acquired. With this configuration, the policy held by the client can be included in the message and transmitted to the communication relay apparatus 1201. Further, even for the same client, the policy can be changed by a message to be communicated.

  Further, in the above-described embodiment, various people and systems related to communication between the client and the server describe their requests and restrictions as policies, and flexibly combine them according to policy decision rules. The operation may be determined and executed.

  In the above-described embodiment, the setting GUI 1202 is used as a specific example of the policy setting unit 202. However, as a specific example of the policy setting unit 202, a communication device that receives a policy setting request from a remote server is used. A control device that collectively controls a plurality of communication relay devices may be provided outside the plurality of communication relay devices. If comprised in this way, management can be facilitated similarly to the policy server mentioned above.

  In the above-described embodiment, every time the communication relay device 1201 receives a message, the policy used by the policy determination unit 230 is acquired. However, the policy once acquired is cached in the communication relay device 1201. From the next time, the cached policy may be used. With this configuration, the operation speed of the device 1201 can be increased and unnecessary communication can be reduced.

  Further, in the above-described embodiments, functions related to encryption and logs are described as examples of policy descriptions and processing modules. However, these are examples, and the object of the present invention is limited to those related to functions of encryption and logs. Of course, it is not a thing. For example, the present invention can be applied to various functions provided by a communication relay device, such as changing a transmission destination, adding a signature, access control, and content conversion.

  In the above-described embodiment, only one communication relay device 1201 is installed between the client and the server, and the installation location is not particularly mentioned, but a plurality of configurations similar to the communication relay device 1201 are provided. The communication relay device is installed between the client and the server, and the installation location is also set in the client side network, server side network, independent network, etc. It is good also as a structure changed according to a place.

  FIG. 23 is a block diagram illustrating an example of a system including a plurality of communication relay devices. The system shown in FIG. 23 includes a plurality of communication relay apparatuses in the system, and a plurality of networks exist in the system, and some of them can be sub-networks of a certain network.

  In addition, “one network” is an area managed by one policy, an area having a common domain name, an area where access control or protocol conversion is performed for communication with the outside, etc. Various units are possible.

  In the system shown in FIG. 23, zero or more communication relay devices are arranged in each network, and each is connected to a client, a server, or another communication relay device. This connection form does not necessarily match the network configuration.

  With the above configuration, each communication relay device uses not only the client and server but also the communication destination relay device, the network to which the communication belongs, the higher level network, the communication destination network, etc. The message can be processed by determining the action.

  INDUSTRIAL APPLICABILITY According to the present invention, in an open environment in which a client and a server that communicate with each other are not specified in advance, the present invention is useful for application to a communication relay device that monitors communication contents or performs access control based on various requests. .

  Further, the present invention is useful for application to a communication relay apparatus that provides various controls and functions such as message encryption, signature addition, and transmission destination change.

It is a block diagram which shows the example of a structure of the communication relay apparatus in the 1st Embodiment of this invention. It is a flowchart which shows the example of the communication relay process in the 1st Embodiment of this invention. It is a block diagram which shows the example of a structure of the communication relay apparatus in the 2nd Embodiment of this invention. It is a block diagram which shows the example of a structure of the communication relay apparatus in the 3rd Embodiment of this invention. It is a flowchart which shows the example of the communication relay process in the 3rd Embodiment of this invention. It is a block diagram which shows the example of a structure of the communication relay apparatus in the 4th Embodiment of this invention. It is a block diagram which shows the example of a structure of the communication relay apparatus in the 5th Embodiment of this invention. It is a flowchart which shows the example of the communication relay process in the 5th Embodiment of this invention. It is a block diagram which shows the example of a structure of the communication relay apparatus in the 6th Embodiment of this invention. It is a block diagram which shows the example of a structure of the communication relay apparatus in the 7th Embodiment of this invention. It is a block diagram which shows the example of a structure of the communication relay apparatus in the 8th Embodiment of this invention. It is explanatory drawing which shows the example of a structure of a simple restrictions cache means. It is a flowchart which shows the example of the communication relay process in the 8th Embodiment of this invention. It is a block diagram which shows the example of a structure of the communication relay apparatus in the 9th Embodiment of this invention. It is a block diagram which shows the example of a structure of the communication relay apparatus in the 10th Embodiment of this invention. It is a block diagram which shows the example of a specific structure of a communication relay apparatus. It is explanatory drawing which shows the specific example of the information stored in memory. It is explanatory drawing which shows the specific example of the status information creation rule stored in a status information creation rule storage means. It is explanatory drawing which shows the specific structural example of a policy determination means. It is a block diagram which shows the example of the setting state of the policy in a communication relay apparatus, a server, and a client. It is explanatory drawing which shows the specific example of the structured document data contained in a message. It is explanatory drawing which shows the other specific example of the structured document data contained in a message. It is explanatory drawing which shows the example of a system provided with a some communication relay apparatus. It is explanatory drawing which shows the example of the conventional communication relay apparatus. It is a flowchart which shows the example of operation | movement of the conventional communication relay apparatus.

Explanation of symbols

100, 200, 300, 400, 500, 600, 700, 800, 900, 1200 Computer 101, 201, 301, 401, 501, 601, 701, 801, 901, 1201 Communication relay device 202 Policy setting means 110 Storage means 111 Policy 112 Message 113 Simple constraint 120 Communication means 130, 230 Policy decision means 131 Policy selection means 132 Policy acquisition means 133 Policy 134 Policy decision rule storage means 135 Policy storage means 140 Constraint calculation means 150 Module control means 160 Processing module 170 Client 171 Server 502 State information creation means 503 State information creation rule storage means 504 State information creation rule setting means 505 Status information 802 Simple constraint cache means 803 Simple Constraint cache table 1202 Setting GUI
1210 Memory 1220 HTTP Proxy
1601 Cryptographic module 1602 Log module 1603 Address change module

Claims (45)

Receiving a message via a communication network, a communication relay device for transmitting subjected to a treatment in the received message, communication means for sending and receiving messages, in response to said communication means receives the message, Used to determine the processing to be performed on a received message out of a plurality of processing determination policies indicating restrictions on the processing to be performed on the received message according to a predetermined processing determination policy determination rule without specifying the communication destination in advance. A policy determining means for determining zero or more processing determination policies to be performed; and a process determined by the policy determining means for determining that no processing is to be performed when the number of processing determining policies determined by the policy determining means is zero. determine the processing to be performed on messages received based on the policy for treatment decisions is the determined when determination policy of one or more And the processing contents decision means that,
When there are one or more processing decision policies determined by the policy determining means, a simple constraint simplified to satisfy all of the plurality of constraints included in the determined processing determination policy is determined in advance. Simple constraint generation means for generating according to the simple constraint generation rule ,
The processing content determination means determines the received message by determining zero or more processing modules to be used for processing from a plurality of processing modules prepared in advance according to the simple constraint generated by the simple constraint generation means. A communication relay device characterized by determining a process to be performed . The policy determination means includes a policy selection means for selecting a process determination policy to be used for determining a process to be applied to the message from a plurality of process determination policies, and a policy acquisition for acquiring the process determination policy selected by the policy selection means. communication relay apparatus of claim 1 further comprising a means. Policy setting means for setting processing decision policy is provided,
The policy determination means includes policy storage means for storing the processing determination policy set by the policy setting means,
The communication relay device according to claim 2 , wherein the policy acquisition unit acquires a part or all of the processing determination policy selected by the policy selection unit from the policy storage unit. The communication relay device according to claim 2 or 3 , wherein the policy acquisition means acquires a processing determination policy stored outside the communication relay device via a communication network. The communication relay device according to any one of claims 2 to 4 , wherein the policy acquisition unit acquires a processing decision policy included in the received message. A policy decision rule setting means for newly setting a policy decision rule for processing decision;
Policy decision means, the communication relay according to any one of claims 1 to 5 comprising a treatment decision for policy decision rule storage means for storing the policy decision rule setting set processing determination policy decision rule by means apparatus. Policy decision means, to any one of claims 1 to 6 for determining the processing determination policy to be used from among a plurality of processing determination policy comprising processing determination policy that is stored in the destination of the received message The communication relay device described. Policy decision means, to any one of claims 1 to 7 for determining the processing determination policy to be used from among a plurality of processing determination policy comprising processing determination policy stored in the transmission source of the message received The communication relay device described. The policy decision rule for process decision corresponds to the policy decision condition indicating the condition for setting the policy for process decision used for decision of the process to be applied to the received message, and the storage location of the policy for policy decision satisfying the policy decision condition. communication relay apparatus according to any one of claims 8 composed claim 1 is attached. A status information creating means for creating status information indicating a status of communication related to the message based on the received message;
Policy decision means, the communication relay apparatus according to any one of claims 1 to 9 for determining the processing determination policy to use based on the status information generated by said status information generating unit. Comprising state information creation rule storage means for storing state information creation rules used for creating state information;
The communication relay device according to claim 10 , wherein the state information creation unit creates state information according to a state information creation rule stored in the state information creation rule storage unit. The communication relay device according to claim 11 , wherein the state information is information in which an item indicating a communication state related to a message is associated with an item content indicating the content of the item. The state information creation rule has a configuration in which an item of state information is associated with item content storage information indicating a storage location of a communication state related to a message indicating the item content of the state information.
The communication relay device according to claim 12 , wherein the state information creation unit creates the state information by substituting the communication state stored in the storage location indicated by the item content storage information for the item content. The communication relay apparatus according to claim 13 , wherein the communication state stored in the storage location indicated by the item content storage information is specific information included in the message. The message contains structured text data,
The communication relay device according to claim 14, wherein the specific information included in the message is a description content of structured document data. Simple constraint generation means for generating a simple constraint obtained by simplifying a plurality of constraints included in the processing determination policy determined by the policy determination means according to a predetermined simple constraint generation rule;
Simple constraint cache means for storing the state information created by the state information creating means and the simple constraints generated by the simple constraint generating means,
If the newly created state information matches the state information stored in the simple constraint cache unit, the processing content determination unit is prepared in advance according to the simple constraint stored in the simple constraint cache unit. The communication relay device according to any one of claims 10 to 15 , wherein processing to be performed on a received message is determined by determining zero or more processing modules to be used for processing performed on the message from a plurality of processing modules. . The communication relay device according to claim 3 , wherein the policy setting means is configured by a user interface. Policy setting means receives a policy registration request and process determination policy via a communication network, in response to the policy registration request, according to claim 3, wherein constituted by a communication mechanism for setting the processing determination policy received Communication relay device. The policy setting means checks whether or not the message received by the communication means is a policy registration request message including a policy registration request and a processing decision policy. If the message is a policy registration request message, the policy setting request message is included in the policy registration request message. The communication relay device according to claim 3, wherein a processing decision policy is set. Receiving a message via a communication network, a communication relay method for transmitting subjected to a treatment in the received message,
A plurality of processes indicating processing restrictions on the received message in accordance with a predetermined policy decision rule for processing determination without specifying a communication destination in advance in response to receiving the message via the communication network Determine zero or more process determination policies to be used for determining the process to be performed on the received message among the determination policies,
When the determined processing decision policy is zero, it is determined that no processing is performed, and when the determined processing determination policy is one or more, a plurality of processing decision policies included in the determined processing determination policy A simple constraint that is simplified so as to satisfy all of the constraints is generated according to a predetermined simple constraint generation rule, and is used for processing applied to a message from a plurality of processing modules prepared in advance according to the generated simple constraint. A communication relay method characterized by determining processing to be performed on a received message by determining the processing module . The processing determination policy used to determine the processing to be performed on the message selected from a plurality of processing determination policy of claim 20, wherein determining the processing determination policy used by acquiring the selected process determined for policy Communication relay method. The communication relay method according to claim 21, wherein a part or all of the selected processing decision policy is acquired from a policy storage means in which the processing decision policy is stored. 23. The communication according to claim 21 or claim 22, wherein a processing determination policy stored outside the communication relay device that processes and transmits the received message is acquired inside the communication relay device via a communication network. Relay method. The communication relay method according to any one of claims 21 to 23, wherein a processing decision policy included in a received message is acquired. The communication relay method according to any one of claims 20 to 24 , wherein a processing determination policy to be used is determined from a plurality of processing determination policies including a processing determination policy stored in a transmission destination of a received message. . The communication relay method according to any one of claims 20 to 25 , wherein a process determination policy to be used is determined from a plurality of process determination policies including a process determination policy stored in a transmission source of a received message. . The policy decision rule for process decision corresponds to the policy decision condition indicating the condition for setting the policy for process decision used for decision of the process to be applied to the received message, and the storage location of the policy for policy decision satisfying the policy decision condition. The communication relay method according to any one of claims 20 to 26 , wherein the communication relay method is provided. Based on the received message, create status information indicating the status of communication related to the message,
The communication relay method according to any one of claims 20 to 27 , wherein a processing determination policy to be used is determined based on the created state information. The communication relay method according to claim 28, wherein the state information is created according to the state information creation rule stored in the state information creation rule storage means for storing the state information creation rule used for creating the state information. 30. The communication relay method according to claim 29 , wherein the status information is information in which an item indicating a communication status related to a message is associated with an item content indicating the content of the item. The state information creation rule has a configuration in which an item of state information is associated with item content storage information indicating a storage location of a communication state related to a message indicating the item content of the state information.
The communication relay method according to claim 30 , wherein status information is created by substituting the communication status stored in the storage location indicated by the item content storage information for the item content. A simple constraint obtained by simplifying a plurality of constraints included in the processing decision policy determined to be used is generated according to a predetermined simple constraint generation rule.
Store the created state information and the generated simple constraint in the simple constraint cache,
If the newly created state information matches the state information stored in the simple constraint cache unit, a plurality of processing modules prepared in advance are used in accordance with the simple constraint stored in the simple constraint cache unit. The communication relay method according to any one of claims 20 to 31 , wherein a process to be performed on a received message is determined by determining zero or more processing modules to be used for a process to be performed on the message. Receiving a message via a communication network, a communication relay program for executing a process of transmitting subjected to a treatment in the received message to the communication relay device,
In the communication relay device,
A plurality of processes indicating processing restrictions on the received message in accordance with a predetermined policy decision rule for processing determination without specifying a communication destination in advance in response to receiving the message via the communication network Determining zero or more process determination policies to be used for determining a process to be performed on a received message among the determination policies;
When the determined processing decision policy is 0, it is determined that no processing is performed, and when the determined processing determination policy is one or more, a plurality of processing determination policies included in the determined processing determination policy Used to generate a simple constraint that is simplified to satisfy all of the constraints according to a predetermined simple constraint generation rule, and to process a message from multiple prepared processing modules according to the generated simple constraint A communication relay program for executing a step of determining processing to be performed on a received message by determining zero or more processing modules to be executed. In communication relay device,
In addition, a process decision policy to be used for deciding the process to be applied to the message is selected from a plurality of process decision policies, and the process decision policy to be used is determined by acquiring the selected process decision policy. 34. The communication relay program according to claim 33, for causing the program to occur. In communication relay device,
35. The communication relay program according to claim 34, further causing a step of acquiring a part or all of the selected processing decision policy from the policy storage means in which the processing decision policy is stored. In communication relay device,
36. The communication relay according to claim 34 or 35, further comprising a step of acquiring a processing determination policy stored outside the communication relay device to the inside of the communication relay device via a communication network. program. In communication relay device,
Furthermore, the communication relay program according to any one of claims 36 to claim 34, for executing the step of obtaining the processing determination policy contained in the received message. In communication relay device,
Further, among the steps 34 to 37 for executing a step of determining a processing decision policy to be used from a plurality of processing decision policies including a processing decision policy stored in a destination of the received message The communication relay program according to any one of the above. In communication relay device,
Further, of the steps 34 to 38 , for executing a step of determining a process decision policy to be used from a plurality of process decision policies including the process decision policy stored in the transmission source of the received message. The communication relay program according to any one of the above. The policy decision rule for process decision corresponds to the policy decision condition indicating the condition for setting the policy for process decision used for decision of the process to be applied to the received message, and the storage location of the policy for policy decision satisfying the policy decision condition. The communication relay program according to any one of claims 33 to 39 . In communication relay device,
Further, based on the received message, creating status information indicating the status of communication related to the message;
The communication relay program according to any one of claims 33 to 40 , for executing a step of determining a processing decision policy to be used based on the created state information. In communication relay device,
42. The communication relay according to claim 41, further comprising executing a step of creating state information in accordance with a state information creation rule stored in a state information creation rule storage means for storing a state information creation rule used for creating state information. program. The communication relay program according to claim 42 , wherein the state information is information in which an item indicating a communication state related to a message is associated with an item content indicating the content of the item. The state information creation rule has a configuration in which an item of state information is associated with item content storage information indicating a storage location of a communication state related to a message indicating the item content of the state information.
In communication relay device,
44. The communication relay program according to claim 43, further comprising the step of creating status information by substituting the communication status stored in the storage location indicated by the item content storage information for the item content. In communication relay device,
A step of generating a simple constraint obtained by simplifying a plurality of constraints included in the processing decision policy determined to be used according to a predetermined simple constraint generation rule;
Storing the created state information and the generated simple constraint in a simple constraint cache means;
If the newly created state information matches the state information stored in the simple constraint cache unit, a plurality of processing modules prepared in advance are used in accordance with the simple constraint stored in the simple constraint cache unit. 45. The communication relay according to any one of claims 33 to 44 , wherein the step of determining the processing to be applied to the received message is executed by determining zero or more processing modules to be used for the processing to be performed on the message. program.

Images