JP4395651B2 - Authentication server, authentication system, authentication method, program, and recording medium - Google Patents

Description

  The present invention relates to authentication control in a system that authenticates a user via a predetermined network.

  There is a video camera system in which a camera server provided with a video camera is provided in various places in order to acquire video of a remote place via the Internet, and video shot by the video camera is transmitted to a user through the camera server.

  The user terminal connected to the camera server can acquire video shot by the video camera and can operate the video camera. In the case of a private image that does not want to be shown to others, such as a video inside, it is necessary to prevent a third person from peeping only to a specific user for connection to the camera server.

  Conventionally, as an authentication method from the user terminal to the camera server, a method using an ID and a password has been adopted.

  However, in the authentication method using the ID and password, if the ID and password are leaked, there is a fear that “spoofing” may be performed by a third party without connection authority. In particular, in a global network such as the Internet, ID and password may be leaked due to eavesdropping on communication by a third party.

  Therefore, in order to improve security, a method of periodically changing the ID and password can be considered. According to this method, even if the ID and password are leaked, it is possible to prevent “spoofing” by a third party outside the expiration date.

  By the way, when the system which changes regularly is employ | adopted, generally a user must change a password regularly. This is because if the update deadline has passed, the system cannot be used.

  Normally, a warning about the update deadline is given by the system, but if the user ignores or overlooks this warning, the password expires due to the expiration of the validity period, and it takes time to re-register. is there.

In order to solve this problem, Japanese Patent Laid-Open No. 2000-29836 (Patent Document 1) discloses a technique related to a user management system that can easily manage users.
JP 2000-29836 A

  However, the technique described in Patent Document 1 sets an expiration date for the password, and the remaining time until the expiration date of the password or the remaining time until the expiration of the period in which the login is not performed becomes a predetermined time or less. Sometimes, by notifying the user and the administrator of the remaining time, the burden on the user of the system administrator, such as changing the password to the user or issuing a notification to log in, is reduced. It does not reduce the burden on the user accompanying the password change.

  Therefore, in order to use the system, the user must change the password periodically and remember the changed password.

  That is, it is necessary to remember the password every time and to know which is the latest password. The shorter the renewal period, the greater the burden.

  Depending on the system, the password may be changed periodically on the system side. However, for the user, the burden of password management may be changed by the user or the system. It will not change.

  In some cases, the ID and password are periodically changed on the system side. In this case, since it is necessary to store the combination of the ID and the password, the management burden is limited to the password alone. It is not difficult to imagine that it will increase compared to

  However, in order to improve security, it is desirable that the update period is as short as possible.

  As described above, if the password update period is long, it is not so much a burden for the user to store the password (the user burden is reduced), but the security is lowered. On the other hand, there is a dilemma that if the password update period is shortened, the security is improved but the burden on the user is increased.

The present invention aims to improve security by periodically updating authentication information for the client terminal to access the server, and to update the authentication information to prevent the client terminal from accessing the server. The purpose is to control timing.

The present invention provides an authentication server that performs authentication processing between a client terminal and a server, and a first storage unit that stores address information for identifying the server in association with the first authentication information in a first table; Second storage means for storing second authentication information in a second table in association with address information for identifying the server, and acquiring the first authentication information input from the client terminal Using the acquisition unit and the first authentication information acquired by the acquisition unit, the address information for identifying the server is extracted from the first table, and the second information is associated with the address information. Extraction means for extracting second authentication information stored in the table, second authentication information extracted by the extraction means, address information for identifying the server, A transmission means for transmitting display screen data for displaying a screen used for accessing the server in the client terminal to the client terminal, and a last reference time for accessing the server by the client terminal A third storage means for updating, an update means for updating the second authentication information stored in the second table at a predetermined timing, and the update means from the second authentication information to the server. Change instruction means for giving a change instruction for changing to the second authentication information updated by the step, wherein the change instruction means gives the change instruction to the server at a predetermined timing, If it is determined that a predetermined time has not elapsed since the last reference time stored by the third storage means, the change instruction is issued. And said that no.

According to the present invention, in the authentication server according to claim 1, the change instruction unit performs the change instruction to the server at a predetermined timing, and the final reference stored in the third storage unit When it is determined that a predetermined time has not elapsed since the time, the change instruction is delayed.

According to the present invention, in the authentication server according to claim 1 or 2, the change instruction unit is configured to instruct the server to perform the change instruction at a predetermined timing, and is stored by the third storage unit. When it is determined that the predetermined time has not elapsed since the last reference time, the change instruction is performed after the predetermined time has elapsed.

The present invention provides the authentication server according to any one of claims 1 to 3, wherein the transmission means transmits the second authentication information and address information for identifying the server to the client terminal. The display screen data is embedded and transmitted so as not to be displayed on a screen used for accessing the server.

The present invention relates to an authentication system in which a client terminal, a server, and an authentication server that performs authentication processing with the client terminal and the server can communicate with each other via a network. First storage means for storing address information for identification in the first table, and second storage for storing second authentication information in the second table in association with the address information for identifying the server The server is identified from the first table using storage means, acquisition means for acquiring the first authentication information input from the client terminal, and first authentication information acquired by the acquisition means. Extracting means for extracting address information for extracting the second authentication information stored in the second table in association with the address information; Second client authentication information extracted by the extraction means, address information for identifying the server, and display screen data for displaying a screen used for accessing the server in the client terminal. Transmission means for transmitting to the terminal; third storage means for storing the last reference time for access to the server by the client terminal; and second authentication information stored in the second table at a predetermined timing Update means for performing update, and change instruction means for instructing the server to change from the second authentication information to the second authentication information updated by the update means, The change instruction means is configured to instruct the server to change the information at a predetermined timing, and the third storage means If it is determined from 憶 is the final reference time that the predetermined time has not elapsed is characterized in that it does not perform the change instruction.

The present invention is an authentication server for performing an authentication process between a client terminal and a server, and an authentication method in an authentication server having a first storage unit, a second storage unit, and a third storage unit, A first storage step in which the first storage means stores address information for identifying the server in association with first authentication information in a first table; A second storage step of storing second authentication information in a second table in association with address information for identifying a server; and an acquisition step of acquiring the first authentication information input from the client terminal And using the first authentication information acquired in the acquisition step, the address information for identifying the server is extracted from the first table and associated with the address information. In the extraction step for extracting the second authentication information stored in the second table, the second authentication information extracted in the extraction step, the address information for identifying the server, and the client terminal A transmission step of transmitting display screen data for displaying a screen used to access the server to the client terminal; and the third storage means includes a final step for accessing the server by the client terminal. A third storage step for storing a reference time; an update step for updating the second authentication information stored in the second table at a predetermined timing; and the second authentication information for the server. A change instruction step for giving a change instruction for changing to the second authentication information updated by the update step, And the change instruction step is for instructing the server to change at a predetermined timing, and has determined that a predetermined time has not elapsed since the last reference time stored in the third storage step. In this case, the change instruction is not performed.

The present invention is a program executable in an authentication server that performs authentication processing between a client terminal and a server, and stores address information for identifying the server in association with first authentication information in a first table. First storage means, second storage means for storing second authentication information in a second table in association with address information for identifying the server, and the first input from the client terminal Using the first authentication information acquired by the acquisition means for acquiring the authentication information, the address information for identifying the server is extracted from the first table, and is associated with the address information. The extraction means for extracting the second authentication information stored in the second table, the second authentication information extracted by the extraction means, and the server are identified. Transmitting means for transmitting to the client terminal address information and display screen data for displaying a screen used for accessing the server in the client terminal, and the final access to the server by the client terminal Third storage means for storing a reference time, update means for updating the second authentication information stored in the second table at a predetermined timing, and the server from the second authentication information to the server The authentication server functions as a change instruction unit that issues a change instruction for changing to the second authentication information updated by the update unit, and the change instruction unit sends the change instruction to the server at a predetermined timing. If a predetermined time has not elapsed since the last reference time stored by the third storage means If was boss is characterized in that it does not perform the change instruction.

The present invention is characterized in that the program according to claim 7 is stored so as to be readable by a computer.

  According to the present invention, user's burden such as frequently changing authentication information to a predetermined server to ensure higher security, and allowing the user to store authentication information to the predetermined server that is frequently changed every time. Both can be realized at the same time without burden on the administrator.

  In addition, the authentication information is changed before and after the predetermined server is used by the client, and the problem that occurs when the frequency of changing the authentication information that the client cannot access the predetermined server becomes high is also ensured. It can be avoided.

  Therefore, it is possible to eliminate the burden of frequently changing the authentication information to the predetermined server by the user and remembering the authentication information every time it is frequently changed, and to build an excellent authentication system that can ensure higher security. It is possible to achieve such an effect.

[First Embodiment]
FIG. 1 is a system configuration diagram showing a configuration of an authentication system to which the authentication apparatus according to the first embodiment of the present invention can be applied.

  In the figure, reference numeral 101 denotes an authentication server, which is connected to at least one camera server 103 (103a,..., 103b) and at least one user terminal 105 (105a, 105) via a predetermined network (for example, the Internet 100). .., 105b) are communicably connected to each other. In the present embodiment, the predetermined network will be described as the Internet 100. However, the predetermined network is not limited to the Internet, and any network including a telephone line, a dedicated line, or other telecommunication lines may be used. Applicable.

  The camera server 103 is connected to at least one video camera 104 (104-1,..., 104-2) in a controllable manner, and image data captured by the video camera 104 is transmitted via the router 102 and the Internet 100. It can be transmitted to the user terminal 105.

  The authentication server 101 and the user terminal 105 are connected to the Internet 100 by a global IP address.

  The router 102 is assigned a global IP address, and the camera server 103 is assigned a private IP address. When only one camera server 103 is connected to the internal network in the router 102, when accessing the router 102, the camera server 103 is transparently accessed by the NAT function of the router 102. Accordingly, if the global IP address of the router 102 is known, anyone can easily access the camera server 103 via the Internet 100. When one or a plurality of camera servers 103 are connected to the internal network in the router 102, there is one or a plurality of access to a specific port number from the outside by using the NAPT function of the router 102. It can be assigned to each camera server 103. In this case, if the global IP address and the specific port number of the router 102 are known, anyone can access the camera server 103 via the Internet 100. When one of the specific port numbers is 80, which is an HTTP well-known port number, anyone can easily access the camera server 103 from a Web browser as long as the global IP address of the router 102 is known. Become.

  When the camera server 103 is accessed, the camera server 103 is authenticated only by an ID and a password as an authentication unit. Therefore, when the ID and password as the authentication information are leaked, there is a possibility that the camera server 103 is connected to other than a legitimate user.

  In order to prevent such a situation, in this embodiment, the ID and password for connecting to the camera server 103 are frequently changed.

  In addition, when IPv6 comes into practical use, the number of IP addresses increases, so it is considered that more camera servers can be easily connected to the Internet.

  In that case, since it is considered that the number of camera servers intended for private use will also increase, there is a need to prevent access from third parties more than ever. Hereinafter, an authentication system for preventing such unauthorized access from a third party will be described in detail.

  FIG. 2 is a block diagram showing a hardware configuration of the authentication server 101 shown in FIG.

  As shown in the figure, the authentication server 101 includes a CPU 201, RAM 202, ROM 203, hard disk drive (HDD) 204, recording medium drive 205, network interface card (NIC) 206, pointing device (PD) 207, keyboard (K / B). 208, a video adapter 209, which are connected to each other via a system bus 210.

  The CPU 201 controls various operations such as four arithmetic operations and comparison operations and hardware based on an operating system (OS) program and application programs.

  The RAM 202 temporarily stores an OS, application programs, and the like recorded in a storage device such as a hard disk drive (HDD) 204, ROM 203, and recording medium (for example, CD-ROM, DVD, FD). The program stored in the RAM 202 is executed under the control of the CPU 201.

  The ROM 203 stores a so-called BIOS that manages input / output to / from an external storage device in cooperation with the OS. A hard disk drive (HDD) 204 stores an OS, a program for executing a customer service arrangement method, and the like.

  The recording medium drive 205 is used for reading data from an application program or the like recorded on a recording medium such as a CD-ROM, DVD-ROM, or CD-R.

  A network interface card (NIC) 206 performs communication with the outside via a network in cooperation with an OS communication program controlled by the CPU 201.

  A keyboard (K / B) 208 and a pointing device (for example, a mouse) 207 are used to input instructions to the information processing apparatus. The video adapter 209 is used to form an image to be displayed on the image display device.

  The camera server 103 and the user terminal 105 have the same hardware configuration as that of the authentication server 101 shown in FIG. 2, but the camera server 103 includes a video input / output terminal (analog interface) (not shown). Although it is connected to the video camera 104 at the output terminal, it may be connected by USB, IEEE1394 or the like (digital interface). When the camera server 103 and the video camera 104 are connected via an analog interface, the video camera 104 is an analog camera, and when connected via a digital interface, the video camera 104 is a digital camera.

  The user terminal 105 is connected to a monitor via a video adapter 209. Furthermore, the authentication server 101 and the camera server 103 may be configured without the keyboard 208 and the pointing device 207.

  Hereinafter, the data structure of the user management database held in the authentication server 101 shown in FIG. 1 will be described with reference to FIGS.

  FIG. 3 is a schematic diagram showing a data configuration of the user management database held in the authentication server 101 shown in FIG.

  In FIG. 3, reference numeral 300 denotes a user management database in the authentication server 101, which includes a member database 301 (FIG. 4) and an access control database 302 (FIG. 5). When the data of the authentication server 101 recorded in the user management database 300 is recorded in the HDD 204, the user management database 300 is read from the HDD 204 by the CPU 201.

  FIG. 4 is a schematic diagram showing a data configuration of the member database 301 shown in FIG.

  As shown in FIG. 4, the member database 301 includes a person name 401, ID1 (402), password 1 (403), camera server IP 404, and the like.

  A person name 401 indicates information such as the name of the member. ID 1 (402) and password 1 (403) indicate authentication information (user ID and password) used when the member logs in to the authentication server 101 from the user terminal 105. The camera server IP 404 indicates identification information (IP address) of the camera server 103 accessed by the member. Incidentally, as described above, since the IP address assigned to the camera server 103 is a private IP address, the user terminal 105 cannot directly access the camera server 103 via the Internet 100. However, since this embodiment is a case where only one camera server 103 is connected to the internal network in the router 102, if the router 102 is accessed, the NAT function of the router 102 makes it transparent to the camera server 103. Is in an environment that can be accessed. Therefore, for convenience, the global IP address of the router 102 is “camera server IP”. The same shall apply hereinafter. Even when the NAPT function of the router 102 is used, the global IP address of the router 102 can be set to “camera server IP”. In this case, the port number for connecting to each camera server is also managed. It will be.

  FIG. 5 is a schematic diagram showing a data configuration of the access control database 302 in the authentication server 101 shown in FIG.

  As shown in FIG. 5, the access control database 302 in the authentication server 101 includes camera server IP501, ID2 (502), password 2 (503), and the like.

  The camera server IP 501 indicates identification information (IP address) of the camera server 103. ID2 (502) and password 2 (503) indicate authentication information (user ID and password) used when logging into the camera server 103.

  Hereinafter, the data structure of the user management database held in the camera server 103 shown in FIG. 1 will be described with reference to FIGS.

  FIG. 6 is a schematic diagram showing a data configuration of a user management database constructed on the camera server 103 shown in FIG.

  In FIG. 6, 600 is a user management database in the camera server 103 and includes an access control database 601 (FIG. 7). When the camera server 103 data recorded in the user management database 600 is recorded in the HDD 204, the user management database 600 is read from the HDD 204 by the CPU 201.

  FIG. 7 is a schematic diagram showing a data configuration of the access control database 601 in the camera server 103 shown in FIG.

  As shown in FIG. 7, each camera server 103 (for example, camera server A, camera server B, camera server C) has an access control database 601.

  Each access control database 601 held by each camera server 103 includes ID2 (701), password 2 (702), and the like. ID 2 (701) and password 2 (702) indicate a user ID and password used when logging into the camera server 103.

  Hereinafter, an authentication procedure in the authentication system of the present invention will be described with reference to FIGS.

  First, the outline of the authentication procedure in the entire authentication system of the present invention will be described with reference to FIGS. 8 to 12, and then each of the user terminal 105, the authentication server 101, and the camera server 103 will be described with reference to FIGS. The processing procedure will be described.

  FIG. 8 is a schematic diagram for explaining an authentication procedure in the authentication system of the present invention.

  FIG. 9 is a flowchart for explaining an authentication procedure and an authentication information change processing procedure of the entire video camera system of the present invention. S101 to S109 indicate steps executed by the user terminal 105, S201 to S206 and S301 to S304 indicate steps executed by the authentication server 101, and S401 to S408 indicate steps executed by the camera server 103. Steps are shown.

  As shown in FIGS. 8 and 9, first, in step S101, authentication information (ID1 and password 1) for connecting from the user terminal 105 to the authentication server 101 is transmitted. A screen for transmitting this authentication information is shown in FIG.

  The user inputs ID1 and password 1 in the ID input field 1001 and password input field 1002 of the login screen 1000 (FIG. 10) displayed on the monitor of the user terminal 105, and indicates (clicks) the login button 1003 with a mouse or the like. ), The authentication information can be transmitted to the authentication server 101. When the cancel button 1004 is instructed (clicked), the authentication information is not transmitted and the login screen 1000 is closed. The login screen 1000 shown in FIG. 10 is stored in advance on the user terminal 105 even if it is transmitted from the authentication server 101 when accessing the authentication server 101 from the user terminal 105. There may be.

  When the authentication server 101 receives the authentication information from the user terminal 105 in step S201, the authentication server 101 performs user authentication in step S202. If it is determined that the user authentication has failed (impossible), the connection cannot be made in step S203. Is sent to the user terminal 105.

  On the other hand, if the authentication server 101 determines in step S202 that the user authentication was successful (possible), in step S204, based on the camera server IP 404 registered for the user in the member database 301, Connection information (camera server IP address 501) and authentication information (ID2 (502) and password 2 (503)) for connecting the authenticated user terminal 105 to the camera server 103 from the access control database 302 shown in FIG. To extract.

  Next, in step S205, a URL for connecting the authenticated user terminal 105 to the camera server 103 is created from the camera server IP address, ID2, and password 2 extracted in step S204. In step S206, the ID2 , Password 2, and display data (for example, HTML format file) in which the URL created from the IP address of the camera server is embedded.

  In step S207, the display data generated in step S206 (ID2 + password2 + data including the camera server IP address) is transmitted to the authenticated user terminal 105.

  When the display data transmitted from the authentication server 101 to the user terminal 105 is an HTML file, the connection information for accessing the camera server 103 embedded in the display data is the link destination to the camera server 103. The URL is described in the HTML file in the following format “ID2: password 2 @ camera server IP address /”. For example, “http: // gakkou: abc@172.16.10.1/top˜”.

  When receiving the display data from the authentication server 101 (step S102), the user terminal 105 displays the display data on the monitor. This display example is shown in a screen 1100 after login to the authentication server in FIG.

  The URL of the above format is associated as link destination information with the video relay button 1101 on the authentication server login screen 1100 shown in FIG. 11, and the video relay button 1101 (selected area) is indicated (clicked) by the user with a mouse or the like. ), The user terminal 105 accesses the IP address of the camera server. That is, the URL including authentication information for the camera server 103 embedded in the display screen is not directly displayed on the monitor of the user terminal 105. At this time, ID2 and password 2 are simultaneously transmitted from the user terminal 105 to the camera server 103 (step S104). Note that the URL including the authentication information for the camera server 103 only needs to be selectable by the user, so the selection format is not limited to the button format. For example, the URL may be directly displayed and selected by the user, and any format may be used as long as the URL is embedded in the selection area by the user. When the cancel button 1102 is instructed (clicked), the ID 2 and password 2 are not transmitted and the screen 1100 after login to the authentication server is closed.

  Upon receiving the authentication information (ID2 + password 2) from the user terminal 105, the camera server 103 performs user authentication in step S401. If it is determined that user authentication has failed (impossible), the camera server 103 in step S402 A message indicating that the authentication has failed is transmitted to the user terminal 105.

  On the other hand, if it is determined in step S402 that the user authentication is successful (possible), the video data captured by the video camera 104 is transmitted to the authenticated user terminal 105 in step S404.

  When the user terminal 105 receives the video data from the camera server 103, the user terminal 105 executes the plug-in program for reproducing audio and moving images to reproduce the received video data on the monitor in real time. This display example is shown in a screen 1200 after connection to the camera server in FIG.

  When the user clicks (instructs) the control start button 1201 on the screen 1200 after connection to the camera server shown in FIG. 12 with a mouse or the like, the camera provided in the currently connected camera server 103 can be operated.

  When the user terminal 105 detects that the control start button 1201 has been pressed, the user terminal 105 requests the camera server 103 to control the camera and tries to acquire the control right. At this time, if the video camera is operated by another user terminal, the control right cannot be acquired.

  After acquiring the control right, the user can operate the video camera by operating the scroll bars 1203 and 1204 on the screen 1200 after connecting to the camera server with a mouse or the like (steps S106, S406, and S407).

  The series of controls can be realized by using a technique such as Japanese Patent Application Laid-Open No. 07-015646. In the present embodiment, detailed description is omitted. When the end button 1202 is instructed (clicked) (step S108), a message to that effect is transmitted from the user terminal 105 to the camera server 103 (step S109), the camera server 103 is logged out, and the camera server connection screen 1200 is also displayed. It is closed (step S405).

  Also, as shown in steps S301 to S303, an instruction to change ID2 and password 2 for periodically connecting to the camera server 103 is issued from the authentication server 101. The change instruction is, for example, “SET new ID2 new password” 2 ”and the like.

  Note that the period for changing the ID2 and password 2 is managed, for example, once a week or once a month. A file (not shown) for time limit management is stored in the HDD 204 of the authentication server 101 or the like. Further, the administrator or the like can set a time limit (change period of ID2 and password 2) in a file for managing the time limit.

  When the camera server 103 receives the password change instruction from the authentication server 101, in step S408, the new ID2 and new password specified by the received password change instruction are added to the ID2 (701) of the access control database shown in FIG. ) And password 2 (702).

  In step S304, the authentication server 101 that has transmitted the password change instruction to the camera server 103 includes the ID2 (502) and the access control database ID2 (502) shown in FIG. Change password 2 (503).

  As described above, since ID2 and password 2 for connecting to the camera server 103 are periodically changed, even if ID2 and password 2 are intercepted via the Internet, unauthorized access outside the expiration date is prevented. can do. Further, for example, even if the user holds the authentication server login screen 1100 shown in FIG. 11 on the user terminal 105, after changing the ID 2 and password 2, the user connects to the camera server 103 from this screen 1100. Thus, unauthorized access to the camera server 103 without the authentication server 101 can be reliably prevented.

  Hereinafter, each processing procedure by the user terminal 105, the authentication server 101, and the camera server 103 will be individually described with reference to FIGS.

  FIG. 13 is a flowchart showing an example of a first control processing procedure in the authentication system of the present invention, and corresponds to the authentication processing procedure in the user terminal 105. Note that the processing in this flowchart is executed by the CPU in the user terminal 105 based on a program stored in the HDD or other recording medium. The same steps as those in FIG. 9 are given the same step numbers.

  First, the user terminal 105 waits until there is a connection instruction from the user to the authentication server 101 (clicking the login button 1003 of the login screen 1000 shown in FIG. 10 with a mouse or the like), and issues a connection instruction to the authentication server 101. Upon detection, in step S101, ID1 and password 1 entered on the login screen 1000 shown in FIG. 10 are transmitted to the authentication server 101 as authentication information for connecting to the authentication server 101.

  Then, the user terminal 105 waits for a response from the authentication server 101. If a connection failure response is received from the authentication server 101 in step S102, the user terminal 105 determines that connection is not possible and displays a message indicating that connection is not possible on the monitor. Then, the process returns to step S101.

  On the other hand, in step S102, when the display data (screen 1100 after login of authentication server in FIG. 11) is received from the authentication server 101, the user terminal 105 determines that connection is possible, and displays the screen 1100 after login of the authentication server in FIG. Is displayed on the monitor.

  Next, in step S103, the user terminal 105 stands by until there is an instruction to connect to the camera server from the user (such as clicking on the video relay button 1101), and if it is determined that there is an instruction to connect to the camera server, In step S104, the user terminal 105 transmits ID2 and password 2 to the IP address of the camera server 101 based on the URL embedded in the post-authentication server login screen 1100 shown in FIG.

  Next, in step S105, the user terminal 105 waits for a response from the camera server 103. If a connection impossible response is received from the authentication server 101 in step S105, the user terminal 105 determines that connection is not possible, and is shown in FIG. When the camera server authentication failure screen (login screen) 1700 is displayed on the monitor and the instruction of the “Yes” button 1701 is detected, the camera server re-input screen 1800 shown in FIG. 18 is displayed on the monitor and the processing returns to step S104. . Although not shown in the flowchart of FIG. 13, when the instruction of the “No” button 1702 is detected on the camera server authentication failure screen (login screen) 1700 shown in FIG. 17, the processing is ended as it is.

  On the other hand, if the user terminal 105 receives the video data from the camera server 103 in step S105, the user terminal 105 determines that the connection is possible and proceeds to step S106. Although not shown in the flowchart of FIG. 13, by executing a plug-in program for reproducing audio and moving images, the received video data is reproduced on the monitor in real time as shown in FIG. Although not shown in the flowchart of FIG. 13, when the user terminal 105 detects an instruction with a mouse or the like to the control start button 1201 of the screen 1200 after connection to the camera server shown in FIG. A request for camera control is sent to the server 103 to attempt to acquire control rights. At this time, if the video camera is operated by another user terminal, the control right cannot be acquired.

  After acquiring the control right, in step S106, the user terminal 105 determines whether or not a camera control instruction (operation with a mouse or the like on the scroll bars 1203 and 1204 on the screen 1200 after connection to the camera server) is detected. If it is determined that it has been detected, the process proceeds to step S107, and the user terminal 105 transmits a camera control instruction based on an operation with the mouse or the like to the scroll bars 1203 and 1204 to the camera server 103, and the process of step S106 is performed. Return.

  On the other hand, if it is determined in step S106 that the user terminal 105 has not detected a camera control instruction, the process proceeds to step S108.

  Next, in step S108, the user terminal 105 determines whether or not an end instruction (operation with the mouse or the like on the end button 1202 on the screen 1200 after connection to the camera server) is detected, and when it is determined that it has been detected. In step S109, the user terminal 105 transmits an end instruction to the camera server 103, and ends the process.

  On the other hand, if it is determined in step S108 that the user terminal 105 has not detected an end instruction, the process returns to step S106.

  FIG. 14 is a flowchart showing an example of a second control processing procedure in the authentication system of the present invention, and corresponds to the authentication processing procedure in the authentication server 101. Note that the processing in this flowchart is executed by the CPU in the authentication server 101 based on a program stored in the HDD or other recording medium. The same steps as those in FIG. 9 are given the same step numbers.

  First, in step S201, the authentication server 101 stands by until there is a connection request from the user terminal 105, and if it is determined that there is a connection request (authentication information including ID1 and password 1 has been received), In S202, it is determined whether the ID1 and password 1 received from the user terminal 105 are valid (corresponding to ID1 (402) and password 1 (403) in the member database 301 shown in FIG. 4). If it is determined that it is not, it is determined that the user authentication has failed, a connection failure response is transmitted to the user terminal 105 in step S203, and the process returns to step S201.

  On the other hand, if the authentication server 101 determines in step S202 that the ID1 and password 1 received from the user terminal 105 are valid, the user corresponding to the authenticated user is determined in step S204 as successful user authentication. Based on the server IP 404, connection information (camera server IP address 501) and authentication information (ID 2 (502) and access information) for the user terminal 105 authenticated from the access control database 302 shown in FIG. 5 to access the camera server 103. Password 2 (503)) is extracted.

  Next, in step S205, based on the camera server IP address, ID2, and password 2 extracted in step S204, a URL for the authenticated user terminal 105 to access the camera server 103 is created.

  Next, in step S206, the authentication server shown in FIG. 11 in which the display data (for example, ID2 + password2 + camera server IP address embedded URL is embedded) is created from the ID2, password 2, and URL created from the camera server IP. Create a post-login screen 1100).

  Then, in step S207, the display data created in step S206 (for example, the authentication server login screen 1100 shown in FIG. 11 in which the URL including the ID2 + password2 + camera server IP address is embedded) is used as the authenticated user terminal 105. And return to the process of step S201.

  FIG. 15 is a flowchart showing an example of a third control processing procedure in the authentication system of the present invention, and corresponds to the authentication information change processing procedure in the authentication server 101. Note that the processing in this flowchart is executed by the CPU in the authentication server 101 based on a program stored in the HDD or other recording medium. The same steps as those in FIG. 9 are given the same step numbers.

  First, in step S301, the authentication server 101 waits until a predetermined time (the change period described in the file for managing the time limit (change period) stored in the HDD 204 or the like of the authentication server 101) elapses. When it is determined that has passed, the process proceeds to step S302.

  In step S302, a set of new ID2 and new password 2 is generated for each camera server based on a predetermined algorithm, and the process proceeds to step S303.

  Next, in step S303, the authentication server 101 uses the ID2 (701) and password 2 (702) stored in the access control database 601 of each camera server as the new ID2 and new password 2 generated in step S302. A change instruction (command) is transmitted to each camera server so as to change.

  In step S304, the authentication server 101 sets each ID2 (502) and password 2 (503) in the access control database 302 shown in FIG. The password is changed to a new password, and the process returns to step S301.

  Each camera server that has received the change instruction from the authentication server 101 uses the ID2 (701) and password 2 (702) of the access control database 601 shown in FIG. 7 in step S408 shown in FIG. The new ID 2 and the new password 2 specified by the received password change instruction are changed. Note that the flowchart of the individual authentication information change process in the camera server 103 is omitted.

  In S302, the authentication server 101 generates a set of new ID2 and new password 2, and in S303, issues a change instruction (command) so as to change to each of the generated new ID2 and new password 2. Although it is transmitted to each camera server, only the change instruction may be transmitted to each camera server, and the new ID 2 and the new password 2 may be generated by each camera server. In this case, the authentication server 101 changes ID2 (502) and password 2 (503) in the access control database 302 to the new ID2 and new password 2 transmitted from each camera server.

  FIG. 16 is a flowchart showing an example of a fourth control processing procedure in the authentication system of the present invention, and corresponds to the authentication processing procedure in the camera server 103. Note that the processing in this flowchart is executed by a CPU in the camera server 103 based on a program stored in an HDD or other recording medium. The same steps as those in FIG. 9 are given the same step numbers.

  First, in step S401, the camera server 103 waits until a connection request is received from the user terminal 105, and if it is determined that there is a connection request (receives authentication information including ID2 and password 2), In S402, it is determined whether the ID2 and password 2 received from the user terminal 105 are valid (corresponding to ID2 (701) and password 2 (702) in the access control database 601 shown in FIG. 7). If it is determined not to be valid, it is determined that the user authentication has failed, and in step S403, a connection failure response is transmitted to the user terminal 105, and the process returns to step S401.

  On the other hand, if the camera server 103 determines in step S402 that the ID2 and password 2 received from the user terminal 105 are valid, the video data photographed by the video camera 104 in step S404 as successful user authentication. Is transmitted to the authenticated user terminal 105.

  Next, in step S405, the camera server 103 determines whether an end instruction has been received from the user terminal 105. If it is determined that the end instruction has been received, the camera server 103 logs out the user terminal 105, and in step S401. Return to processing.

  On the other hand, if it is determined in step S405 that the camera server 103 has not received an end instruction from the user terminal 105, it is determined in step S406 whether a control instruction has been received from the user terminal 105, and control is performed. If it is determined that the instruction has been received, camera control based on the control instruction from the user terminal 105 is executed in step S407, and the process returns to step S404.

  On the other hand, if it is determined in step S406 that the camera server 103 has not received a control instruction from the user terminal 105, the process returns to step S404.

  Through the above processing, the user can change the ID and password to the camera server 103 frequently to ensure higher security, and the user can store the frequently changed ID and password to the camera server 103 each time. Both of removing the burden can be realized at the same time.

  In the authentication system shown in FIG. 1, the camera server 103 is connected to at least one video camera 104. However, the configuration is not limited to the video camera, and at least one camera that captures a still image. The digital camera or the like may be connected to the camera server 103.

  Further, the video data transmitted from the camera server 103 to the user terminal 105 may include audio, may not include audio, may be moving image data, or may be still image data. Also good.

[Second Embodiment]
In the first embodiment, the authentication server 101 periodically changes the ID2 and password 2 to the camera server 103 by transmitting an instruction to the camera server 103 to change the ID2 and password 2 to the camera server 103. However, the camera server 103 itself may periodically change ID2 and password 2, and the camera server 103 may notify the authentication server 101 of the changed ID2 and password 2. Good. The embodiment will be described below.

  The change period of the ID2 and the password 2 is managed in the same way as in the first embodiment, for example, once every week, once every month, etc. A file (not shown) for managing the time limit is stored in the HDD 204 of the camera server 103 or the like. Further, the administrator or the like can set a time limit (change period of ID2 and password 2) in a file for managing the time limit.

  FIG. 19 is a flowchart for explaining an authentication procedure and an authentication information change processing procedure of the entire video camera system of the present invention. S501 indicates steps executed by the authentication server 101, and S601 to S604 indicate steps executed by the camera server 103.

  FIG. 20 is a flowchart showing an example of a fifth control processing procedure in the authentication system of the present invention, and corresponds to the authentication information change processing procedure in the camera server 103. Note that the processing in this flowchart is executed by a CPU in the camera server 103 based on a program stored in an HDD or other recording medium. The same steps as those in FIG. 19 are given the same step numbers.

  First, in step S601, the camera server 103 waits until a predetermined time (a change period described in a file for managing a time limit (change period) stored in the HDD 204 or the like of the camera server 103) elapses. If it is determined that elapses, the process proceeds to step S602.

  In step S602, a set of new ID2 and new password 2 is generated based on a predetermined algorithm, and the process proceeds to step S603.

  In step S603, the camera server 103 uses the ID2 (701) and password 2 (702) stored in the access control database 601 of the camera server 103 shown in FIG. 7 as the new ID2 and new password 2 generated in step S602. , Notification of change (including new ID 2 and new password 2) is transmitted to the authentication server 101.

  In step S604, the camera server 103 changes ID2 (701) and password 2 (702) in the access control database 601 shown in FIG. 7 to the new ID2 and new password generated in step S603, and the process in step S601. Return to.

  In step S501, the authentication server 101 that has received the change notification from the camera server 103 stores the ID2 (502) and password 2 (503) corresponding to the camera server in the access control database shown in FIG. The new ID 2 and the new password 2 notified from 103 are changed. Note that a flowchart showing the individual authentication information change processing procedure in the authentication server 101 is omitted.

  In S602, each camera server generates a set of a new ID 2 and a new password 2, and notifies the authentication server 101 of the generated new ID 2 and new password 2 in S603. The authentication server 101 may be requested to generate its own new ID 2 and new password 2. In this case, each camera server changes ID2 (701) and password 2 (702) of its own access control database 601 to new ID2 and new password 2 notified from the authentication server 101.

  Through the above processing, the user can change the ID and password to the camera server 103 frequently to ensure higher security, and the user can store the frequently changed ID and password to the camera server 103 each time. Both of removing the burden can be realized at the same time.

[Third Embodiment]
In the first and second embodiments, when the new ID 2 and the password 2 are changed immediately after the authentication server 101 notifies the user terminal 105 of the ID 2 and the password 2 for the camera server 103 before the change, the user terminal 105 The camera server 103 cannot be accessed from the camera.

  In addition, the higher the change frequency of the authentication information, the higher the possibility that this problem will occur.

  Therefore, in the present embodiment, the last reference time to the camera server 103 is held on the authentication server 101 side, and the camera server 103 that has been accessed from the user terminal 105 immediately before the authentication information change procedure is performed. Since the possibility that the above problem will occur is very high, the authentication server 101 is configured to shift the change procedure by a predetermined time for the camera server 103 accessed immediately before.

  FIG. 21 is a schematic diagram showing a data configuration of the access control database 302 according to the third embodiment of the present invention. The same components as those in FIG. 5 are denoted by the same reference numerals.

  As shown in FIG. 21, the access control database 302 includes camera server IP501, ID2 (502), password 2 (503) user last reference time 2101, check time 2102, and the like.

  The user last reference time 2101 indicates the last reference time to the camera server 103. (1) The actual last time from the user terminal 105 notified to the authentication server 101 from the camera server 103 to the camera server 103. It may be a reference time, or (2) a time when the authentication server 101 transmits display data in which authentication information for the camera server 103 is embedded to the user terminal 105.

  In the case of the configuration (1), the authentication server 101 stores a user last reference time 2101 of the camera server 103 when receiving a notification from the camera server 103.

  In the case of the configuration (2), when the authentication server 101 transmits display data in which the authentication information for the camera server 103 is embedded to the user terminal 105, the authentication server 101 stores the display data in the user last reference time 2101 of the camera server 103. It shall be.

  The check time 2102 indicates the time when the authentication information change procedure is skipped because a predetermined time has not elapsed since the user last reference time 2101.

  FIG. 22 is a flowchart showing an example of a sixth control processing procedure in the authentication system of the present invention, and corresponds to the authentication information change processing procedure in the authentication server 101. Note that the processing in this flowchart is executed by the CPU in the authentication server 101 based on a program stored in the HDD or other recording medium. S701 to S719 indicate each step.

  First, in step S701, the authentication server 101 waits until a predetermined time (the change period described in the file for managing the time limit (change period) stored in the HDD 204 of the authentication server 101) elapses, and the predetermined time. If it is determined that has passed, the process proceeds to step S702.

  In step S702, the authentication server 101 extracts the user last reference time 2101 of any one camera server 103 from the access control database 302 shown in FIG. 21, and in step S703, the current time and the extracted user last reference. In contrast to the time 2101, in step S <b> 704, it is determined whether or not a predetermined time (for example, 10 minutes) has elapsed from the user last reference time 2101.

  If it is determined in step S704 that the current time has passed a predetermined time from the user last reference time 2101, a new ID 2 and a new password 2 for the camera server 103 are generated in step S705, and the process proceeds to step S706.

  In step S706, the authentication server 101 uses the ID2 (701) and password 2 (702) stored in the access control database 601 of the camera server 103 shown in FIG. 7 as the new ID2 and new password 2 generated in step S705. Then, a change instruction (command) is transmitted to the camera server 103 so as to be changed. For example, a command such as “SET new ID 2 new password 2” is transmitted.

  In step S707, the authentication server 101 instructs the camera server 103 to change ID2 (502) and password 2 (503) corresponding to the camera server in the access control database 302 shown in FIG. 21 in step S706. ID2 is changed to the new password, and the process proceeds to step S709.

  On the other hand, if it is determined in step S704 that the current time has not yet passed the predetermined time from the user last reference time 2101, the authentication server 101 sets the current time as the check time 2102 of the camera server 103 in step S708. Record and proceed to step S709.

  In step S709, the authentication server 101 determines whether or not the extraction processing in steps S702 to S708 has been completed for all the camera servers 103 registered in the access control database 302 illustrated in FIG. If it is determined that the extraction process has not ended for the camera server 103, the process returns to step S702, and the extraction process for the next camera server is performed.

  On the other hand, if the authentication server 101 determines in step S709 that the extraction processing in steps S702 to S708 has been completed for all the camera servers 103 registered in the access control database 302 illustrated in FIG. The access control database 302 shown in FIG. 21 determines whether there is data of the camera server 103 having a record at the check time 2102, and determines that there is data of the camera server 103 having a record at the check time 2102. If so, the process proceeds to step S711.

  In step S711, the authentication server 101 extracts the user last reference time 2101 of any one camera server 103 recorded at the check time 2102 from the access control database 302 shown in FIG. 21, and in step S712, the current time And the extracted user last reference time 2101, and in step S 713, it is determined whether or not the current time has passed a predetermined time from the user last reference time 2101.

  If it is determined in step S713 that the current time has passed the predetermined time from the user last reference time 2101, a new ID 2 and a new password 2 of the camera server 103 are generated in step S714, and the process proceeds to step S715.

  In step S715, the authentication server 101 uses the ID2 (701) and password 2 (702) stored in the access control database 601 of the camera server 103 shown in FIG. 7 as the new ID2 and new password 2 generated in step S717. Then, a change instruction (command) is transmitted to the camera server 103 so as to be changed.

  In step S716, the authentication server 101 changes the ID2 (502) and password 2 (503) of the access control database 302 shown in FIG. 21 to the new ID2 and new password 2 instructed to change to the camera server 103 in step S706. In step S717, the record of the check time 2102 of the camera server 103 is deleted, and the process proceeds to step S719.

  On the other hand, if it is determined in step S713 that the current time has not yet elapsed from the user final reference time 2101, the authentication server 101 determines the check time 2102 of the camera server 103 based on the current time in step S718. Update, and go to step S719.

  In step S719, the authentication server 101 determines whether or not the extraction processing in steps S711 to S718 has been completed for all the camera servers 103 recorded at the check time 2102 from the access control database 302 illustrated in FIG. If it is determined that the extraction process has not been completed for all the camera servers 103 recorded at the check time 2102, the process returns to step S711, and the extraction process for the camera server 103 recorded at the next check time 2102 is performed. I do.

  On the other hand, if the authentication server 101 determines in step S719 that the extraction processing in steps S711 to S718 has been completed for all camera servers 103 recorded at the check time 2102 from the access control database 302 shown in FIG. The process returns to step S701 and waits until a predetermined time elapses.

  In S705 and 714, the authentication server 101 generates a pair of a new ID2 and a new password 2 respectively, and in S706 and 715, the authentication server 101 changes to each of the generated new ID2 and new password 2. Command) is transmitted to each camera server, but only a change instruction is transmitted to each camera server, and the new ID 2 and the new password 2 may be generated by each camera server. In this case, the authentication server 101 changes ID2 (502) and password 2 (503) in the access control database 302 to the new ID2 and new password 2 transmitted from each camera server.

  If the frequency of changing ID2 and password 2 to the camera server 103 is increased by the above processing, the ID and password may be changed before and after the camera server is used from the user terminal. In this case, the problem that the user terminal cannot access the camera server can be reliably avoided.

[Fourth Embodiment]
In the third embodiment, the last reference time to the camera server 103 is held on the authentication server 101 side, and the camera server 103 that has been accessed from the user terminal 105 immediately before the authentication information change procedure is performed. The configuration in which the authentication server 101 performs the above-described change procedure while shifting the predetermined time has been described. However, the user immediately holds the last reference time for the camera server 103 on the camera server 103 side and performs the authentication information change procedure. For the camera server 103 accessed from the terminal 105, the camera server 103 may be configured to perform the change procedure with a predetermined time shift. The embodiment will be described below.

  FIG. 23 is a schematic diagram illustrating a data configuration of the access control database 601 in the camera server 103 according to the fourth embodiment of this invention.

  As shown in the figure, access control databases 601 held by each camera server 103 (for example, camera server A, camera server B, camera server C) are ID2 (701), password 2 (702), and final reference, respectively. Time 2301 etc. are included.

  The last reference time 2301 indicates the actual last reference time from the user terminal 105 to the camera server 103.

  FIG. 24 is a flowchart showing an example of a seventh control processing procedure in the authentication system of the present invention, and corresponds to the authentication information change processing procedure in the camera server 103. Note that the processing in this flowchart is executed by a CPU in the camera server 103 based on a program stored in an HDD or other recording medium. S801 to S807 indicate each step.

  First, in step S801, the camera server 103 waits until a predetermined time (the change period described in the file for managing the time limit (change period) stored in the HDD 204 of the camera server 103) elapses, and the predetermined time. If it is determined that elapses, the process proceeds to step S802.

  In step S802, the camera server 103 extracts the last reference time 2301 from the access control database 601 shown in FIG. 23, compares the current time with the extracted last reference time 2301 in step S803, and in step S804. It is determined whether or not the current time has passed a predetermined time from the last reference time 2301.

  If it is determined in step S804 that the current time has not yet elapsed from the last reference time 2301, the process returns to step S802.

  On the other hand, if it is determined in step S804 that the current time has passed a predetermined time from the last reference time 2301, a set of new ID2 and new password 2 is generated based on a predetermined algorithm in step S805, The process proceeds to step S806.

  In step S806, the camera server 103 uses the ID2 (701) and password 2 (702) stored in the access control database 601 of the camera server 103 shown in FIG. 23 as the new ID2 and new password 2 generated in step S805. , A notification of change is transmitted to the authentication server 101.

  In step S807, the camera server 103 changes ID2 (701) and password 2 (702) in the access control database 601 shown in FIG. 7 to the new ID2 and new password generated in step S805, and the processing in step S801 is performed. Return to.

  In S805, each camera server generates a set of new ID2 and new password 2, and in S806, notifies the generated new ID2 and new password 2 to the authentication server 101. The authentication server 101 may be requested to generate its own new ID 2 and new password 2. In this case, each camera server changes ID2 (502) and password 2 (503) of its own access control database 601 to new ID2 and new password 2 notified from the authentication server 101.

  If the frequency of changing ID2 and password 2 to the camera server 103 is increased by the above processing, the ID and password may be changed before and after the camera server is used from the user terminal. In this case, the problem that the user terminal cannot access the camera server can be reliably avoided.

  In each of the above embodiments, the authentication system for the camera server has been described as an example. However, the present invention is applicable not only to the authentication system for the camera server but also to the authentication system for all servers. For example, a server other than the camera server (for example, a server that distributes various contents) is replaced, and the ID and password for connecting to the server are frequently changed to prevent unauthorized access. It is possible to simultaneously achieve both high security and the elimination of the burden of the user, such as having the user memorize frequently changed server IDs and passwords. In this way, the present invention can be applied to any server that permits connection only to limited users such as members.

  In addition, all the structures which combined all or one of each said embodiment are also included in this invention.

  Further, the processing in the flowchart shown in FIG. 13, that is, the processing of the user terminal 105 that is processing on the client side, simply displays an HTML file in the Web browser application, and the event is sent from the client to the authentication server 101, camera By transmitting to the server 103, the server side can be realized in the form of performing processing for realizing each step using CGI or servlet, or in the form of an applet downloaded from the authentication server 101 or the camera server 103, or the user terminal It can also be realized in the form of a dedicated application installed in 105.

  In the present embodiment, the configurations and contents of the various data shown in FIGS. 4, 5, 7, 21, and 23 described above are not limited to this, and may vary depending on the application and purpose. Needless to say, it is composed of composition and contents.

  Although one embodiment has been described above, the present invention can take an embodiment as, for example, a system, apparatus, method, program, or recording medium, and specifically includes a plurality of devices. The present invention may be applied to a system including a single device.

  The configuration of a data processing program that can be read by the authentication system according to the present invention will be described below with reference to the memory map shown in FIG.

  FIG. 25 is a diagram for explaining a memory map of a recording medium (storage medium) for storing various data processing programs readable by the authentication system according to the present invention.

  Although not specifically shown, information for managing a program group stored in the recording medium, for example, version information, creator, etc. is also stored, and information depending on the OS on the program reading side, for example, a program is identified and displayed. Icons may also be stored.

  Further, data depending on various programs is also managed in the directory. In addition, when a program or data to be installed is compressed, a program to be decompressed may be stored.

  The functions shown in FIGS. 13, 14, 15, 16, 20, 22, and 24 in this embodiment may be performed by a host computer by a program installed from the outside. In this case, the present invention is applied even when an information group including a program is supplied to the output device from a recording medium such as a CD-ROM, a flash memory, or an FD, or from an external recording medium via a network. Is.

  As described above, a recording medium recording software program codes for realizing the functions of the above-described embodiments is supplied to a system or apparatus, and a computer (or CPU or MPU) of the system or apparatus stores the recording medium in the recording medium. It goes without saying that the object of the present invention can also be achieved by reading and executing the programmed program code.

  In this case, the program code itself read from the recording medium realizes the novel function of the present invention, and the recording medium storing the program code constitutes the present invention.

  As a recording medium for supplying the program code, for example, a flexible disk, hard disk, optical disk, magneto-optical disk, CD-ROM, CD-R, DVD-ROM, magnetic tape, nonvolatile memory card, ROM, EEPROM, A silicon disk or the like can be used.

  Further, by executing the program code read by the computer, not only the functions of the above-described embodiments are realized, but also an OS (operating system) or the like running on the computer based on the instruction of the program code. It goes without saying that a case where the function of the above-described embodiment is realized by performing part or all of the actual processing and the processing is included.

  Furthermore, after the program code read from the recording medium is written in a memory provided in a function expansion board inserted in the computer or a function expansion unit connected to the computer, the function expansion is performed based on the instruction of the program code. It goes without saying that the case where the CPU or the like provided in the board or the function expansion unit performs part or all of the actual processing and the functions of the above-described embodiments are realized by the processing.

  Further, the present invention may be applied to a system composed of a plurality of devices or an apparatus composed of a single device. Needless to say, the present invention can be applied to a case where the present invention is achieved by supplying a program to a system or apparatus. In this case, by reading a recording medium storing a program represented by software for achieving the present invention into the system or apparatus, the system or apparatus can enjoy the effects of the present invention. .

  Furthermore, by downloading a program represented by software for achieving the present invention from a server, database, etc. on a network using a communication program and reading it, the system or apparatus can enjoy the effects of the present invention. It becomes.

  The camera server 103 is replaced with a server other than the camera server (for example, a server that distributes various contents), and the ID and password for connecting to the server are frequently changed to prevent unauthorized access. It is possible to achieve both high security for the server and to eliminate the burden of the user such as storing the user ID and password of the server that are frequently changed every time, The present invention can be applied to any server that allows connection only to a limited number of users.

1 is a system configuration diagram illustrating a configuration of an authentication system to which an authentication apparatus according to a first embodiment of the present invention can be applied. It is a block diagram which shows the hardware constitutions of the authentication server shown in FIG. It is a schematic diagram which shows the data structure of the user management database hold | maintained on the authentication server shown in FIG. It is a schematic diagram which shows the data structure of the member database in the authentication server shown in FIG. It is a schematic diagram which shows the data structure of the access control database in the authentication server shown in FIG. It is a schematic diagram which shows the data structure of the user management database hold | maintained on the camera server shown in FIG. It is a schematic diagram which shows the data structure of the access control database in the camera server shown in FIG. It is a schematic diagram explaining the authentication procedure in the authentication system of this invention. It is a flowchart for demonstrating the authentication procedure of the whole video camera system of this invention, and an authentication information change process sequence. It is a schematic diagram which shows an example of the login screen for logging in to an authentication server from a user terminal. It is a schematic diagram which shows an example of the screen after authentication server login displayed on the monitor of a user terminal after authentication server login. It is a schematic diagram which shows an example of the screen after camera server connection displayed on the monitor of a user terminal after camera server login. It is a flowchart which shows an example of the 1st control processing procedure in the authentication system of this invention. It is a flowchart which shows an example of the 2nd control processing procedure in the authentication system of this invention. It is a flowchart which shows an example of the 3rd control processing procedure in the authentication system of this invention. It is a flowchart which shows an example of the 4th control processing procedure in the authentication system of this invention. It is a schematic diagram which shows an example of the camera server authentication failure screen (login screen) displayed on the monitor of a user terminal at the time of camera server authentication failure. It is a schematic diagram which shows an example of the camera server re-input screen for logging in to a camera server again at the time of the authentication failure of a camera server. It is a flowchart for demonstrating the authentication information change process sequence of the whole video camera system of this invention. It is a flowchart which shows an example of the 5th control processing procedure in the authentication system of this invention. It is a schematic diagram which shows the data structure of the access control database in the authentication server of 3rd Embodiment of this invention. It is a flowchart which shows an example of the 6th control processing procedure in the authentication system of this invention. It is a schematic diagram which shows the data structure of the access control database in the camera server of 4th Embodiment of this invention. It is a flowchart which shows an example of the 7th control processing procedure in the authentication system of this invention. It is a figure explaining the memory map of the recording medium (storage medium) which stores the various data processing program which can be read by the authentication system which concerns on this invention.

Explanation of symbols

100 Internet 101 Authentication Server 102 Router 103 Camera Server 104 Video Camera 105 User Terminal

Claims (8)

In the authentication server that performs the authentication process between the client terminal and the server,
First storage means for storing address information for identifying the server in association with first authentication information in the first table;
Second storage means for storing second authentication information in a second table in association with address information for identifying the server;
Obtaining means for obtaining the first authentication information input from the client terminal;
Using the first authentication information acquired by the acquisition means, the address information for identifying the server is extracted from the first table and stored in the second table in association with the address information. Extraction means for extracting the second authentication information;
Second authentication information extracted by the extraction means; address information for identifying the server; and display screen data for displaying a screen used for accessing the server in the client terminal. A transmission means for transmitting to the client terminal;
Third storage means for storing a last reference time for access to the server by the client terminal;
Updating means for updating the second authentication information stored in the second table at a predetermined timing;
Change instruction means for instructing the server to change from the second authentication information to the second authentication information updated by the update means;
The change instruction means instructs the server to change at a predetermined timing, and when it is determined that a predetermined time has not elapsed since the last reference time stored by the third storage means. An authentication server characterized by not performing the change instruction. The change instruction means instructs the server to change at a predetermined timing, and when it is determined that a predetermined time has not elapsed since the last reference time stored by the third storage means. The authentication server according to claim 1, wherein the change instruction is delayed. The change instruction means instructs the server to change at a predetermined timing, and when it is determined that a predetermined time has not elapsed since the last reference time stored by the third storage means. The authentication server according to claim 1, wherein the change instruction is issued after a predetermined time has elapsed. The transmission means transmits the second authentication information and address information for identifying the server to the display screen data so that the client terminal does not display the screen used for accessing the server. The authentication server according to claim 1, wherein the authentication server is embedded and transmitted. In an authentication system in which a client terminal, a server, and an authentication server that performs authentication processing with the client terminal and the server can communicate via a network,
First storage means for storing address information for identifying the server in association with first authentication information in the first table;
Second storage means for storing second authentication information in a second table in association with address information for identifying the server;
Obtaining means for obtaining the first authentication information input from the client terminal;
Using the first authentication information acquired by the acquisition means, address information for identifying the server is extracted from the first table, and stored in the second table in association with the address information. Extraction means for extracting the second authentication information;
Second authentication information extracted by the extraction means; address information for identifying the server; and display screen data for displaying a screen used for accessing the server in the client terminal. A transmission means for transmitting to the client terminal;
Third storage means for storing a last reference time for access to the server by the client terminal;
Updating means for updating the second authentication information stored in the second table at a predetermined timing;
Change instruction means for instructing the server to change from the second authentication information to the second authentication information updated by the update means;
The change instruction means instructs the server to change at a predetermined timing, and when it is determined that a predetermined time has not elapsed since the last reference time stored by the third storage means. An authentication system characterized by not performing the change instruction. An authentication server that performs authentication processing between a client terminal and a server, wherein the authentication method in the authentication server includes a first storage unit, a second storage unit, and a third storage unit.
A first storage step in which the first storage means stores address information for identifying the server in association with first authentication information in a first table;
A second storage step in which the second storage means stores second authentication information in a second table in association with address information for identifying the server;
An acquisition step of acquiring the first authentication information input from the client terminal;
Using the first authentication information acquired in the acquisition step, address information for identifying the server is extracted from the first table, and stored in the second table in association with the address information. An extraction step for extracting second authentication information;
Second authentication information extracted by the extraction step, address information for identifying the server, and display screen data for displaying a screen used for accessing the server in the client terminal A transmission step of transmitting to the client terminal;
A third storage step in which the third storage means stores a last reference time for access to the server by the client terminal;
An update step for updating the second authentication information stored in the second table at a predetermined timing;
A change instruction step for instructing the server to change from the second authentication information to the second authentication information updated by the update step;
In the change instruction step, the change instruction is issued to the server at a predetermined timing, and when it is determined that a predetermined time has not elapsed since the last reference time stored in the third storage step. An authentication method characterized by not performing the change instruction. A program executable in an authentication server that performs authentication processing between a client terminal and a server,
First storage means for storing address information for identifying the server in association with first authentication information in the first table;
Second storage means for storing second authentication information in a second table in association with address information for identifying the server;
Obtaining means for obtaining the first authentication information input from the client terminal;
Using the first authentication information acquired by the acquisition means, the address information for identifying the server is extracted from the first table and stored in the second table in association with the address information. Extraction means for extracting the second authentication information;
Second authentication information extracted by the extraction means; address information for identifying the server; and display screen data for displaying a screen used for accessing the server in the client terminal. Means for transmitting to the client terminal;
Third storage means for storing a last reference time for access to the server by the client terminal;
Updating means for updating the second authentication information stored in the second table at a predetermined timing;
Causing the server to function as a change instruction unit for instructing the server to change from the second authentication information to the second authentication information updated by the update unit;
The change instruction means instructs the server to change at a predetermined timing, and when it is determined that a predetermined time has not elapsed since the last reference time stored by the third storage means. A program characterized by not giving the change instruction. A recording medium storing the program according to claim 7 in a computer-readable manner.

Images