JP4683655B2 - Access relay device, access relay system, and access relay method - Google Patents

Description

  The present invention accepts an access from a terminal device that can be connected to a mobile phone network via two or more communication paths such as a wireless LAN, and relays the connection with a service providing device such as an Internet banking system. The present invention relates to an apparatus, an access relay system, and an access relay method.

  In the net banking service using the Internet, it is generally possible to conduct transactions using a mobile terminal such as a mobile phone or a PHS terminal. As a communication path for connecting a mobile terminal to the Internet, communication by packet communication using a mobile phone network or a PHS network has become the mainstream, but in recent years, a mobile phone having a wireless LAN communication function has been used. Terminals are also becoming popular.

  In a portable terminal having both a packet communication function using a mobile phone network and a PHS network and a wireless LAN communication function using a wireless LAN, a communication path that can be used in a place where the mobile terminal is used is selected, and a communication path is selected. What has the function to switch automatically is common. When using such a mobile terminal and using a net banking service that requires personal authentication to receive service provision, accepting access in the same session from multiple communication paths increases the risk of session ID being stolen, etc. This is not desirable for security reasons, and each time the communication path is switched, the session with the Internet banking system is disconnected, and each time a user authentication is required, it often takes time to input authentication information. .

  For access from the same user, management of access from different communication paths and terminals as the same session eliminates the trouble of inputting authentication information and improves user convenience, for example, different communication from different terminals. An invention that maintains communication through the same session on the premise of matching authentication for access from a route (see Patent Document 1), or an invention that establishes communication based on terminal-specific ID information such as a serial number (Patent Document 2) Reference).

JP 2004-157773 A No. 04-21086

  The invention described in Patent Document 1 manages accesses from different terminals as the same session, and when using a service that requires authentication as described above, a communication path is used while using the same terminal. It cannot be applied to cases that switch. In addition, the invention described in Patent Document 2 also manages sessions between terminals having different IDs, and thus is applied to the above-described case where it is assumed that the use of the same terminal is continued. I can't.

  In addition, when using a service that requires personal authentication using a mobile terminal, an authentication method with a relatively low security strength such as authentication by entering a user ID and a password is available due to restrictions on the function of the terminal. Although it is generally adopted, there is a case where an authentication method with higher security strength is required even when a mobile terminal is used.

  For example, when a PC is used as a terminal and the security policy requires that the terminal be specified by an electronic certificate, a similar authentication method can be used when using a portable terminal. It is preferable to adopt. However, it is difficult for a mobile terminal to adopt an electronic certificate method due to restrictions on the function of the terminal, and there is a problem that transactions that can be performed by the mobile terminal are limited only to the inquiry system.

  The present invention has been made to cope with such a problem, and in the case where the communication path is switched while using the same terminal when using a service requiring authentication, the communication path is switched. 2 or more, such as a mobile phone network and a wireless LAN, which can employ a high security strength authentication method using an electronic certificate even when a re-authentication is unnecessary and a mobile phone or the like is used as a terminal. It is an object to provide an access relay device, an access relay system, and an access relay method that accept access from a terminal device that can be connected via a communication path and relay the connection with a service providing device such as an Internet banking system. It is what.

  The present invention that solves such a problem is an access relay that accepts access from a terminal device that can be connected via two or more communication paths and relays the connection with the service providing device that the terminal device has requested to connect to. A connection means for receiving a connection request from the terminal device via a first communication path and establishing a connection with the terminal device; and when the connection means establishes a connection, Means for storing first session information for identifying a session to be started in a session information storage unit as a session in which connection is continued; and transmitting the first session information to the terminal device in the session A session information switching request is received via the first communication path from the transmitting means for transmitting and the terminal device connected to the connection station of the second communication path. When receiving the switching request and receiving means, and the first session information is attached to the switching request, start by a second connection with the terminal device via the second communication path Means for storing second session information for identifying a session to be stored in the session information storage unit as a session in which connection is continued, and the second session information via the first communication path. When receiving a request from the terminal device to the service providing device to which session information is attached, the session information is stored in the session information storage unit as a session in which connection is continued. Collating means for collating whether stored, and a session in which the session information is continuously connected by the collating means; If it is determined that the stored Te, an access relay apparatus characterized by comprising: a calling means for calling the relay module of the service providing device.

  In the present invention, an access relay device is provided between a terminal device such as a mobile phone and a service providing device that provides services such as Internet banking, and a session is also generated when a communication path from the terminal device is switched in the access relay device. By configuring so that it can be taken over, it is possible to use the service continuously.

  In the present invention, a terminal device that can be connected to a network such as the Internet via two or more communication paths, such as a mobile phone or a PHS terminal, is used as the terminal device. For the communication path to the access relay device, a cellular phone network, a PHS network, a wireless LAN, or the like is used. The service providing apparatus corresponds to a Web server, an application server, or the like used for services such as Internet banking that performs information distribution processing and transaction reception processing in response to a request from a terminal device.

  Further, according to the present invention, when the second session information is transmitted to the terminal device by a transmission unit, the first session information stored as a session in which connection is continued in the session information storage unit is invalidated. It is also possible to provide an update means for updating the status of the session that has become.

  With this configuration, it is possible to reduce the risk that the first session information is stolen by a third party and unauthorized access is performed.

  In addition, the present invention requests the terminal device to input authentication information when receiving a request for the service providing device from the terminal device and first storage means for storing authentication information of a user who operates the terminal device. Upon receipt of the authentication information input to the request means and the terminal device, the authentication information is compared with the authentication information stored in the first storage means, and is a request from a legitimate user having operation authority. Determining means for determining whether or not the connection means establishes a connection with the terminal device when the determination means determines that the request is from a legitimate user. You can also

  If comprised in this way, it will become possible to take over the authentication result performed when establishing the connection by the connection request via the first communication path as it is when switching to the connection via the second communication path. Become.

  In addition, the present invention provides a second storage means for storing an electronic certificate used by a user operating a terminal device for connection to the service providing device, and an execution of executing an application program for communicating with the service providing device And an application program executed by the execution unit is activated by a relay module called by the calling unit, and the application program uses an electronic certificate read from the second storage unit It is also possible to establish a connection with the service providing apparatus.

  With this configuration, it is possible to adopt an authentication method with a high security strength using an electronic certificate even in access using a terminal device with limited functions such as a mobile phone.

  Furthermore, the present invention can also be configured as an access relay system including an access relay device according to each of the above-described configurations and a program stored in the terminal device.

  In other words, the access relay system according to the present invention can accept a program stored in a terminal device connectable to a network and two or more communication paths from the terminal device. An access relay system comprising an access relay device that relays a connection with a service providing device that has requested a connection, wherein the access relay device receives a connection request from the terminal device via a first communication path. A connection means for establishing a connection with the terminal device; and when the connection means establishes a connection, first session information for identifying a session started by the connection is set as a session in which the connection is continued. Means for storing in a session information storage unit; and in the session, the first session information is stored in the terminal device. When receiving the switching request, transmitting means for transmitting, receiving means for receiving a session information switching request via the first communication path from the terminal device connected to the connection station of the second communication path, When the first session information is attached to the switching request, a second for identifying a session started by a second connection with the terminal device via the second communication path Means for storing session information in the session information storage unit as a session in which connection is continued; and transmission means for transmitting the second session information to the terminal device via the first communication path; When a request for the service providing apparatus with the session information attached is received from the terminal device, the session information is pre-determined as a session in which connection is continued. A collation unit that collates whether the session information is stored in the session information storage unit; and when the collation unit confirms that the session information is stored as a session in which connection is continued, relay to the service providing apparatus Calling means for calling a module, wherein the program detects that the terminal device is connected to the connection station of the second communication path, and the connection station of the second communication path. When the connection to the access relay apparatus via the first communication path is continued, the access relay apparatus is connected to the access relay apparatus via the first communication path. Transmitting the switching request with the first session information, receiving the second session information from the access relay device, Receiving the second session information, transmitting the request to the service providing apparatus to the access relay apparatus with the second session information via the second communication path. This is an access relay system that is characterized.

  In the access relay system according to the present invention, when the access relay device transmits the second session information to the terminal device by a transmission unit, the access relay device stores the second session information stored in the session information storage unit as a session that is continuously connected. It is also possible to provide update means for updating the status of one session information to a session whose connection is invalidated.

  In the access relay system according to the present invention, the access relay device receives the request for the service providing device from the first storage means for storing authentication information of a user who operates the terminal device, and the terminal device. When the request means for requesting the apparatus to input authentication information and the authentication information input to the terminal apparatus are received, the authentication information is collated with the authentication information stored in the first storage means, and the operation authority is obtained. Determining means for determining whether the request is from a legitimate user, and when the determination means determines that the request is from a legitimate user by the determination means, It can also be characterized by establishing a connection.

  In the access relay system according to the present invention, the access relay device communicates with the service providing device, second storage means for storing an electronic certificate used by the user operating the terminal device to connect to the service providing device. Execution means for executing an application program for executing, the application program executed by the execution means is started by a relay module called by the calling means, and the application program is stored in the second storage A connection with the service providing apparatus may be established using an electronic certificate read from the means.

  Furthermore, the present invention can also be specified as an access relay method executed by the access relay device and the terminal device according to each of the above-described configurations.

  In other words, the access relay method according to the present invention is capable of accepting access from a terminal device connectable to a network and two or more communication paths from the terminal device, and the service requested by the terminal device to be connected. An access relay method performed by an access relay device that relays a connection with a providing device, wherein the access relay device receives a connection request from the terminal device via a first communication path, and A step of establishing a connection with the terminal device, and when the access relay device establishes the connection in the step, the connection continues with first session information for identifying a session started by the connection Storing in the session information storage unit as a session, and the access relay device in the session, the 1 session information is transmitted to the terminal device, the terminal device is detected to be connected to a connection station of a second communication path, and the terminal device is connected to the second communication path. When it is detected that the access station is connected to the access station, if the connection with the access relay apparatus via the first communication path is continued, the access relay apparatus is connected via the first communication path. Transmitting a session information switching request with the first session information, the access relay device receiving the switching request from the terminal device via the first communication path; When the access relay apparatus receives the switching request, if the first session information is attached to the switching request, the access relay apparatus communicates with the terminal apparatus via the second communication path. Storing the second session information for identifying a session started by the connection in the session information storage unit as a session in which the connection is continued, and the access relay device includes the second session information. Is transmitted to the terminal device via the first communication path, the terminal device receives the second session information from the access relay device, and the terminal device When receiving the session information, a step of transmitting a request to the service providing apparatus to the access relay apparatus with the second session information via the second communication path, and the access relay apparatus includes the terminal When receiving a request for the service providing apparatus with the session information from the apparatus, Checking whether session information is stored in the session information storage unit as a session in which connection is continued, and the access relay device stores the session information as a session in which connection is continued in the step If it is confirmed, the access relay method includes a step of calling a relay module with the service providing apparatus.

  In the access relay method according to the present invention, when the access relay device transmits the second session information to the terminal device, the first session stored as a session in which connection is continued in the session information storage unit The information can also be characterized as having a step of updating the status to a session whose connection has become invalid.

  In the access relay method according to the present invention, the access relay device includes a first storage unit that stores authentication information of a user who operates the terminal device, and the access relay device provides the service from the terminal device. Receiving a request for the device, requesting the terminal device to input authentication information, transmitting the authentication information input to the terminal device to the access relay device, and the access relay device When the authentication information is received from the terminal device, the authentication information is compared with the authentication information stored in the first storage unit to determine whether the request is from a legitimate user having an operation authority. And the step of establishing a connection with the terminal device is a legitimate user based on the verification of the authentication information. It may also be characterized to establish a connection with the terminal device when it is determined that the request.

  In the access relay method according to the present invention, the access relay device includes a second storage unit that stores an electronic certificate used by a user operating a terminal device to connect to the service providing device, and the access relay device A device executing an application program for communicating with the service providing device, wherein the application program is activated by the relay module called in the step of calling the relay module, and the application program May establish a connection with the service providing apparatus using an electronic certificate read from the second storage unit.

  In the case where two or more communication paths such as a mobile phone network and a wireless LAN are switched using a terminal device such as a mobile phone when using a service such as Internet banking that requires personal authentication according to the present invention, communication is performed. It becomes possible to eliminate the need for re-authentication when the route is switched. In addition, even when a terminal device with limited functions such as a mobile phone is used, it is possible to adopt an authentication method with high security using an electronic certificate.

  The best mode for carrying out the present invention will be described below in detail with reference to the drawings. In the following description, an embodiment in which the access relay device according to the present invention is applied to access from a mobile phone that can be connected to the Internet via a mobile phone network and a wireless LAN will be described. It is an example for carrying out the invention, and the present invention is not limited to the following embodiment.

  FIG. 1 is a diagram showing an example of an embodiment of an access relay apparatus according to the present invention. FIG. 2 is a block diagram showing the configuration of the access relay apparatus according to the present invention. 3 to 9 are first to seventh diagrams showing examples of session takeover flow when the communication path is switched by the access relay apparatus according to the present invention, respectively. FIG. 10 is a flowchart showing a processing flow on the terminal side of the access relay system according to the present invention. FIG. 11 is a flowchart showing a processing flow on the access relay device side of the access relay system according to the present invention.

  The outline of the access relay apparatus according to the present invention will be described with reference to FIG. A user of a mobile phone can use these services by connecting to the Internet from a mobile phone network and accessing a service providing apparatus that provides services such as Internet banking and Internet shopping. In the present invention, the mobile phone has not only packet communication using the mobile phone network but also a function capable of connecting to the Internet by wireless LAN communication, and communication between the mobile phone and the service providing device is as follows. It is configured to be relayed by an access relay device. If a PHS terminal is used instead of the mobile phone, the PHS terminal has a function capable of connecting to the Internet through wireless LAN communication as well as packet communication using the PHS network.

  Connection from the mobile phone to the Internet is usually made through a mobile phone network with a wide coverage area. However, when a mobile phone is used in an area where connection to a wireless LAN is possible, the connection is made through the wireless LAN. Done. Therefore, when moving from an area where connection to a wireless LAN is impossible to an area where possible, or when moving from an area where connection to the wireless LAN is impossible, the communication path for connecting to the Internet is automatically switched. become.

  In the service providing apparatus, when a user who has performed authentication performs a service such as providing information or accepting a transaction after logging in, session management is performed with the mobile phone that has performed the login. When the communication is switched between the mobile phone and the service providing apparatus while the session is maintained, if the communication path is switched as described above, the session is disconnected for security reasons. In such a case, access from a new communication path is accepted as new access that has not been authenticated. Therefore, if a session with the service providing apparatus is established on the condition of user authentication, the user must perform authentication operation such as input of ID and password again when the communication path is switched. Become.

  Therefore, in the present invention, the communication between the mobile phone and the service providing device is relayed by the access relay device, and when the communication path from the mobile phone is switched, the access relay device manages to take over the session. This makes it possible to continue using the service without re-authentication. Further, the access relay device authenticates the user who accessed using the mobile phone, and stores the electronic certificate used for the user authentication when the user accesses the service providing device in the access relay device, thereby Even when the service providing apparatus is accessed using a telephone, it is possible to adopt an authentication method with high security using an electronic certificate.

  The communication path between the access relay device and the service providing device is not particularly limited. If the access relay device is used only for a specific service providing device, it may be connected by a dedicated line or physically. It may be attached to. On the other hand, when the access relay apparatus is configured to be shared by a wide range of service providing apparatuses, it is usually connected via the Internet.

  The configuration of the access relay apparatus according to the present invention, the mobile phone, and the service providing apparatus will be described with reference to FIG. The cellular phone 10 used in the present invention includes a message transmission / reception unit 11, a communication message control unit 12, an operation information input / output unit 13, a session management unit 14, and an authentication information management unit 15. Each of these units is functionally specified, and the physical configuration is not particularly limited. For example, a program for executing the function of each unit may be read out to the main memory of the mobile phone and the CPU may execute arithmetic processing, or a chip or a board for executing each function may be provided. There may be.

  The message transmission / reception unit 11 has a function of controlling packet communication with the mobile phone base station 20 and the wireless LAN connection station 30, detects a connectable communication path from a radio wave condition, and wireless LAN connection station 30. When connection to the network is possible, a wireless LAN is transmitted, and when connection is impossible, a message is transmitted / received via the cellular phone network. The communication message control unit 12 interprets a message received by the message transmission / reception unit 11 and executes various processes, and has a function of delivering a message to be transmitted to the service providing apparatus 50 to the message transmission / reception unit 11.

  The operation information input / output unit 13 has a function of displaying a screen generated from the received electronic message on the display of the mobile phone 10, receiving information such as an ID and a password input by operating the keyboard of the mobile phone 10, etc. have. The session management unit 14 is unique to the present invention and stores the session ID transmitted from the access relay device, a new session ID transmission request when the communication path is switched, and the service via the access relay device. It has a function of giving a session ID when transmitting a request to the providing apparatus. The authentication information management unit 15 is provided to improve the convenience of the user, stores authentication information necessary for accessing the service providing apparatus, and refers to it when inputting it or automatically inputs the authentication information. It has a function etc.

  As the access relay device 40 used in the present invention, a computer system having a data communication function via the Internet is used, and a message transmission / reception unit 41, a communication message control unit 42, an authentication management unit 43, a session management unit 44, a relay The module management unit 45 includes a session information storage unit 46, a client application execution unit 47, an authentication management unit 48, and an electronic certificate storage unit 49. These units are also functionally specified in the same manner as the mobile phone 10, and the physical configuration is not particularly limited. For example, the program for executing the function of each unit may be read into the main memory of the access relay device 40 and the CPU may execute the arithmetic processing, or a chip or board for executing each function may be provided. It may be a thing.

  The message transmission / reception unit 41 has a function of transmitting and receiving messages by controlling data communication via the Internet. The communication message control unit 42 interprets the message received by the message transmission / reception unit 41 and executes various processes, and also has a function of delivering the processing result returned to the mobile phone 10 to the message transmission / reception unit 11.

  The authentication management unit 43 has a function of executing processing for user authentication of the user who operates the mobile phone 10. The authentication method used here is not particularly limited. For example, in the case where user authentication is performed using a user ID and a password, the user ID and password of a legitimate user are stored in the authentication management unit 43, and the mobile Authentication processing is executed depending on whether the user ID and password received from the telephone 10 match those stored in advance.

  The session management unit 44 has a function of managing a session established with the mobile phone 10. When the authentication management unit 43 authenticates the user, a session between the mobile phone 10 and the access relay device 40 is established. A session ID for identifying the session is issued, and the session ID is stored in the session information storage unit 46 as a valid session in which connection is continued. Further, the session ID is delivered to the mobile phone 10, and the session ID is attached when the mobile phone 10 transmits a request to the service providing device via the access providing device.

  The method for delivering the session ID to the mobile phone 10 and assigning it when the request is sent from the mobile phone 10 is not particularly limited. When cookie can be used in the browser of the terminal operated by the user, cookie is generally used for session management. However, since cookie is usually not available for a mobile phone browser, URL rewriting Using a technique such as (a method of embedding a session ID in the form of a request parameter after the URL) or the like may be used instead of cookie.

  In the mobile phone 10, when the communication path is switched, if the access relay device 40 is accessed from a different communication path as it is, the same session ID is transmitted and received through the two communication paths. Will be stolen by a third party, increasing the risk of unauthorized access. Therefore, for security reasons, it is preferable to disconnect the session when the communication path is switched. However, in the present invention, it is possible to avoid the trouble of authentication again due to disconnection of the session. In addition, when it is detected that the communication path can be switched in the mobile phone 10, a request for issuing a new session ID is transmitted to the access relay device 40 via the original communication path. The session management unit 44 issues a new session ID, stores the session ID in the session information storage unit 46 as a valid session in which connection is continued, and the session ID is stored in the mobile phone 10 via the original communication path. Is handed over to At this time, for the session ID used in the original communication path, the status of the session ID stored when the connection is continued in the session information storage unit 46 is updated as the connection is invalidated. Is done. Thereafter, a request from the mobile phone 10 to the service providing device via the access providing device is transmitted via a new communication path, and a new session ID is attached to the request.

  When the communication telegram control unit 42 receives a request from the mobile phone 10, if a session ID is attached to the request, the session ID is stored in the session information storage unit 46 as a valid session in which the connection is continued. The session management unit 44 is inquired as to whether or not If the session ID is valid, the relay module management unit 45 calls the relay module in order to execute processing according to the request without requesting authentication as it is.

  The operation executed by the relay module called in the relay module management unit 45 is not particularly limited, but in order to make a request for information provision or transaction execution to the service providing device 50 via the access relay device 40 It is necessary to provide the access relay device 40 with a client application that is normally executed in a user terminal for communicating with a server application executed in the server application execution unit 51 of the service providing device 50. The client application execution unit 47 has a function of executing the client application, but a program for performing a process of delivering a request received from the mobile phone 10 by the access relay device 40 to the client application execution unit 47 is used as a relay module. It is done. The relay module is not particularly limited as long as it is generally used in an intermediate server. The session ID stored in the session information storage unit 46 as a valid session is connected to the corresponding relay module so that the request received from the mobile phone 10 can be delivered to the corresponding relay module. Information for specifying is associated and stored.

  The authentication management unit 48 has a function of executing processing for authentication required when accessing the service providing apparatus 50. By storing the electronic certificate used by the user of the access relay device 40 in the electronic certificate storage unit 49 in advance, when authentication using the electronic certificate is requested in the service providing device 50, the request The user's electronic certificate is read from the electronic certificate storage unit 49 and transmitted to the service providing apparatus 50. Since the electronic certificate is used only when the authentication management unit 43 of the access relay device 40 has already been authenticated, the same security as when the electronic certificate is stored in the terminal device at hand of the user is obtained. It is possible to secure.

  The service providing device 50 is a Web server or application server that provides services such as electronic commerce and information distribution via the Internet, and includes a server application execution unit 51, an authentication management unit 52, and an electronic certificate storage unit 53. It consists of Each of these units is also functionally specified, and the physical configuration is not particularly limited. For example, the program for executing the function of each unit may be read into the main memory of the service providing apparatus 50 and the CPU may execute arithmetic processing, or a chip or board for executing each function may be provided. It may be a thing.

  The server application execution unit 51 has a function of accepting a request from the client application execution unit 47 of the access relay device 40 and executing processing by various application programs necessary for providing the service. The authentication management unit 52 and the electronic certificate storage unit 53 are used for user authentication processing using an electronic certificate.

  The session takeover flow when the communication path is switched by the access relay apparatus according to the present invention will be described with reference to FIGS. In this example, a mobile phone can be connected to the Internet using a mobile phone network and a wireless LAN. When connection to the wireless LAN is possible, priority is given to the connection to the wireless LAN. If the connection cannot be established, the mobile phone network shall be connected to the Internet.

  First, a login request is transmitted to the service providing apparatus in an area where connection to the wireless LAN is not possible. When a login button is selected from a menu list displayed on the mobile phone, a URL for accessing the access relay device is embedded in this button, and a request is transmitted to the access relay device. The access relay apparatus that has received the request transmits a user ID and password input screen required for login, and as shown in FIG. 3, the user transmits the user ID and password input to the mobile phone to the access relay apparatus.

  Note that, as a password registered in advance in the access relay apparatus, it is preferable to use a password registered by the user for each service providing apparatus to be relayed in order to reduce the burden on the user by performing the authentication operation once. With such a configuration, authentication by a password at the service providing apparatus becomes unnecessary by performing authentication by a password at the access relay apparatus. When a user uses a plurality of service providing apparatuses by relaying an access relay apparatus, a user ID and a password are registered for each service providing apparatus for one user.

  When the access relay apparatus receives the user ID and password, the access relay apparatus checks the password corresponding to the user ID registered in advance in the access relay apparatus, and establishes a session if they match. For the established session, a session ID (001) for identifying the session is issued. As shown in FIG. 4, the session ID (001) is given to the access relay apparatus as a valid session ID for which connection is continued. Remembered.

  When access to the service providing apparatus is performed in this session, the relay module (101) is used to perform communication between the access relay apparatus and the service providing apparatus in the session. Information specifying the relay module (101) called in this communication is stored in association with the session ID (001) as shown in FIG. Since a session ID (001) is attached to a request transmitted from the mobile phone in this session, the access relay apparatus confirms that the session ID (001) is a valid session and associates it with the session ID (001). The relay module (101) is called, and the request is delivered to the service providing apparatus.

  Here, as shown in FIG. 6, it is assumed that the user of the mobile phone moves to an area where wireless LAN connection is possible. When the mobile phone monitors the radio wave condition and detects that the connection to the wireless LAN is possible, the mobile phone automatically issues a request to switch to a new session ID as shown in FIG. And transmitted in the session specified by the session ID (001).

  The access relay apparatus that has received the request for switching to a new session ID issues a new session ID for identifying a session via the wireless LAN, as shown in FIG. ) As a valid session ID for which the connection is continuing. The session ID (002) is stored in association with the relay module (101) corresponding to the session ID (001), so that the request received in the session specified by the session ID (002) is also the session ID (001). It can be delivered to the service providing device as a continuous one.

  The newly issued session ID (002) is delivered to the mobile phone in the session specified by the session ID (001). Here, the status of the session ID (001) stored as a valid session ID that is continuously connected to the access relay apparatus is updated to an invalid session ID. Thereafter, as shown in FIG. 9, the transmission of the request from the mobile phone is performed via the wireless LAN, and the session ID (002) is attached to the request. The access relay apparatus confirms that the session ID (002) is a valid session, calls the relay module (101) associated with the session ID (002), and delivers the request to the service providing apparatus.

  As described above with reference to FIGS. 3 to 9, even when the communication path from the mobile phone is switched, the session ID is taken over by the access relay device, so the user newly performs an authentication operation. Even if it is not, the operation after login can be continued as it is while ensuring the safety against theft of the session ID.

  With reference to the flowchart of FIG. 10, the processing flow for switching the communication path on the terminal side operated by the user in the access relay system according to the present invention will be described. A portable terminal that can be connected to the Internet, such as a mobile phone, monitors the radio wave condition (S01), and confirms whether a usable wireless LAN connection service exists nearby and can be connected ( S02).

  When it is possible to connect to the wireless LAN connection service, if it is already connected to the wireless LAN connection service (S03), the radio wave status is continuously monitored (S01), but not connected to the wireless LAN connection service. (S03), the wireless LAN connection service is used to connect to the Internet (S04). If it is not possible to connect to the wireless LAN connection service, the mobile phone network is checked to see if it can be used (S05), and if it cannot be used, a screen is displayed indicating that there is no available communication service. The user is notified by such as (S12). If the mobile phone network can be used, the mobile phone network is used to connect to the Internet (S06).

  When a wireless LAN connection service or a mobile phone network is used to connect to the Internet and a session is established with a wireless LAN connection station or a mobile phone base station (S07), in addition to the established session, an existing session is established at the terminal. It is confirmed whether it exists (S08). If there is no existing session, communication with the service providing apparatus is performed via the access relay apparatus by the established session.

  If there is an existing session, a request for switching to a session ID corresponding to the newly established session is transmitted to the access relay apparatus via the existing session (S09). When a new session ID is received from the access relay device (S10), the subsequent communication is performed via the new session, and the existing session is disconnected (S11).

  The process flow of session management on the access relay apparatus side of the access relay system according to the present invention will be described using the flowchart of FIG. The access relay apparatus interprets a message received from the mobile terminal via the Internet (S21), and checks whether authentication information such as a user ID or a password is included in the received message (S22).

  If the authentication information is included, it is confirmed whether the received authentication information matches the authentication information registered in advance in the access relay apparatus (S23). If the authentication information does not match, an error occurs and the process ends. When the authentication information is not included, or when it is confirmed that the authentication information is included and matches the registered authentication information, the session ID attached to the received message is extracted (S24).

  If the session ID exists (S25), it is checked whether the received message is a session ID switching request (S26). If it is a session ID switching request, a new session ID for identifying a session from a new communication path is generated and stored in association with the original session ID (S27). A session corresponding to the new session ID is generated (S28), and the relay module corresponding to the original session ID is called, and the relay module is connected to the new session ID by connection (S29). Information including a new session ID is returned to the portable terminal as a processing result (S30).

  If it is not a session ID switching request, a valid session that is continuously connected is searched using the session ID as a key (S31), and it is confirmed whether there is a valid session specified by the session ID (S32). ). If a session exists, the relay module corresponding to the session is called (S33), processing such as transmission of a request to the service providing device is executed, and a response from the service providing device is processed in the portable terminal. As a reply (S30). If there is no valid session, a session corresponding to the session ID is generated (S39), a relay module for communicating with the service providing apparatus is called (S40), a request is transmitted to the service providing apparatus, etc. This process is executed, and a response from the service providing apparatus is returned as a processing result to the portable terminal (S30).

  If the received message does not have a session ID (S25), the authentication process may not be performed, so the mobile terminal is requested to input authentication information (S34). It is confirmed whether the authentication information received from the portable terminal matches the authentication information registered in advance in the access relay device (S35). If they do not match, an error occurs and the process ends.

  When it is confirmed that the authentication information matches the pre-registered authentication information, the session ID stored in association with the authentication information such as the user ID of the authenticated user as a key is searched (S36). ), It is confirmed whether the session ID exists (S37). If the session ID exists, a valid session that is continuously connected is searched using the session ID as a key (S31), and thereafter, the processing of S32 to S33 and S30 is performed in the same manner as described above. Execute.

  If the session ID does not exist, a new session ID is generated and stored together with authentication information such as a user ID (S38). Further, a session corresponding to the session ID is generated (S39), a relay module for communicating with the service providing apparatus is called (S40), processing such as transmission of a request to the service providing apparatus is executed, and the portable terminal Returns a response from the service providing apparatus as a processing result (S30).

It is a figure which shows an example of embodiment of the access relay apparatus concerning this invention. It is a block diagram which shows the structure of the access relay apparatus concerning this invention. It is a 1st figure which shows an example of the takeover flow of the session at the time of the switching of the communication path by the access relay apparatus concerning this invention. It is a 2nd figure which shows an example of the takeover flow of the session at the time of the switching of the communication path by the access relay apparatus concerning this invention. It is a 3rd figure which shows an example of the session takeover flow at the time of the switching of the communication path by the access relay apparatus concerning this invention. It is a 4th figure which shows an example of the takeover flow of the session at the time of the switching of the communication path by the access relay apparatus concerning this invention. It is a 5th figure which shows an example of the takeover flow of the session at the time of the switching of the communication path by the access relay apparatus concerning this invention. It is a 6th figure which shows an example of the takeover flow of the session at the time of the switching of a communication path by the access relay apparatus concerning this invention. It is a 7th figure which shows an example of the takeover flow of the session at the time of the switching of the communication path by the access relay apparatus concerning this invention. It is a flowchart which shows the processing flow by the side of the terminal of the access relay system concerning this invention. It is a flowchart which shows the processing flow by the side of the access relay apparatus of the access relay system concerning this invention.

Explanation of symbols

DESCRIPTION OF SYMBOLS 10 Cellular phone 11 Message transmission / reception unit 12 Communication message control unit 13 Operation information input unit 14 Session management unit 15 Authentication information management unit 20 Mobile phone base station 30 Wireless LAN connection station 40 Access relay device 41 Message transmission / reception unit 42 Communication message control unit 43 Authentication management unit 44 Session management unit 45 Relay module management unit 46 Session information storage unit 47 Client application execution unit 48 Authentication management unit 49 Electronic certificate storage unit 50 Service providing device 51 Server application execution unit 52 Authentication management unit 53 Electronic certificate storage Part

Claims (12)

An access relay device that accepts access from a terminal device connectable via two or more communication paths and relays the connection with the service providing device that the terminal device requested to connect,
A connection means for receiving a connection request from the terminal device via a first communication path and establishing a connection with the terminal device;
Means for storing, in the session information storage unit, first session information for identifying a session started by the connection as a session in which the connection is continued when the connection means establishes a connection;
In the session, transmission means for transmitting the first session information to the terminal device;
Receiving means for receiving a session information switching request via the first communication path from the terminal device connected to the connection station of the second communication path;
When the switching request is received, if the first session information is attached to the switching request, a session started by a second connection with the terminal device via the second communication path is selected. Means for storing, in the session information storage unit, second session information for identification as a session in which connection is continued;
Transmitting means for transmitting the second session information to the terminal device via the first communication path;
When receiving a request from the terminal device for the service providing apparatus with session information attached thereto, a verification unit for verifying whether the session information is stored in the session information storage unit as a session for which connection is continued;
When it is confirmed that the session information is stored as a session in which the connection is continued by the verification unit, a calling unit that calls a relay module with the service providing device;
An access relay device comprising: When the second session information is transmitted to the terminal device by the transmission unit, the first session information stored as a session in which the connection is continued in the session information storage unit is changed to a session in which the connection is invalidated. The access relay apparatus according to claim 1, further comprising update means for updating the password. First storage means for storing authentication information of a user who operates the terminal device;
Upon receiving a request for the service providing device from the terminal device, request means for requesting the terminal device to input authentication information;
When the authentication information input to the terminal device is received, the authentication information is collated with the authentication information stored in the first storage means to determine whether the request is from a legitimate user having operation authority. Determination means, and
The access relay apparatus according to claim 1, wherein the connection unit establishes a connection with the terminal device when the determination unit determines that the request is from a legitimate user. A second storage means for storing an electronic certificate used by the user operating the terminal device to connect to the service providing device;
Execution means for executing an application program for communicating with the service providing device,
The application program executed by the execution means is activated by the relay module called by the calling means,
4. The access relay apparatus according to claim 1, wherein the application program establishes a connection with the service providing apparatus using an electronic certificate read from the second storage unit. A program stored in a terminal device connectable to a network and access from the terminal device via two or more communication paths can be received, and a connection between the terminal device and a service providing device requested for connection is established. An access relay system comprising an access relay device for relaying,
The access relay device
A connection means for receiving a connection request from the terminal device via a first communication path and establishing a connection with the terminal device;
Means for storing, in the session information storage unit, first session information for identifying a session started by the connection as a session in which the connection is continued when the connection means establishes a connection;
In the session, transmission means for transmitting the first session information to the terminal device;
Receiving means for receiving a session information switching request via the first communication path from the terminal device connected to the connection station of the second communication path;
When the switching request is received, if the first session information is attached to the switching request, a session started by a second connection with the terminal device via the second communication path is selected. Means for storing, in the session information storage unit, second session information for identification as a session in which connection is continued;
Transmitting means for transmitting the second session information to the terminal device via the first communication path;
When receiving a request from the terminal device for the service providing apparatus with session information attached thereto, a verification unit for verifying whether the session information is stored in the session information storage unit as a session for which connection is continued;
When it is confirmed by the verification means that the session information is stored as a session in which connection is continued, a calling means for calling a relay module with the service providing device is provided,
The program is stored in the terminal device.
Detecting that the connection station of the second communication path is connected;
When it is detected that the connection station is connected to the connection station of the second communication path, the first communication is performed when the connection with the access relay apparatus is continued through the first communication path. Transmitting the switching request with the first session information to the access relay apparatus via a route;
Receiving the second session information from the access relay device;
Receiving the second session information, transmitting a request to the service providing apparatus with the second session information to the access relay apparatus via the second communication path; An access relay system characterized by that. The access relay device
When the second session information is transmitted to the terminal device by the transmission unit, the first session information stored as a session in which the connection is continued in the session information storage unit is changed to a session in which the connection is invalidated. 6. The access relay system according to claim 5, further comprising update means for updating. The access relay device
First storage means for storing authentication information of a user who operates the terminal device;
Upon receiving a request for the service providing device from the terminal device, request means for requesting the terminal device to input authentication information;
When the authentication information input to the terminal device is received, the authentication information is collated with the authentication information stored in the first storage means to determine whether the request is from a legitimate user having operation authority. Determination means, and
7. The access relay system according to claim 5, wherein the connection unit establishes a connection with the terminal device when the determination unit determines that the request is from a legitimate user. The access relay device
A second storage means for storing an electronic certificate used by the user operating the terminal device to connect to the service providing device;
Execution means for executing an application program for communicating with the service providing device,
The application program executed by the execution means is activated by the relay module called by the calling means,
8. The access relay system according to claim 5, wherein the application program establishes a connection with the service providing apparatus using an electronic certificate read from the second storage unit. A terminal device connectable to a network and an access relay device capable of accepting access from the terminal device via two or more communication paths and relaying the connection between the terminal device and a service providing device requested to connect And an access relay method executed by
The access relay device receiving a connection request from the terminal device via a first communication path and establishing a connection with the terminal device;
When the access relay apparatus establishes a connection in the step, the first session information for identifying a session started by the connection is stored in a session information storage unit as a session in which the connection is continued; ,
The access relay device transmitting the first session information to the terminal device in the session;
Detecting that the terminal device is connected to a connection station of a second communication path;
When it is detected that the terminal device is connected to the connection station on the second communication path, the connection with the access relay device via the first communication path is continued. Transmitting a session information switching request with the first session information to the access relay device via one communication path;
The access relay device receiving the switching request from the terminal device via the first communication path;
When the access relay apparatus receives the switching request, if the first session information is attached to the switching request, a second connection with the terminal apparatus via the second communication path Storing second session information for identifying a session started by the session information storage unit as a session in which connection is continued;
The access relay device transmitting the second session information to the terminal device via the first communication path;
The terminal device receiving the second session information from the access relay device;
When the terminal device receives the second session information, a step of transmitting a request to the service providing device to the access relay device with the second session information via the second communication path. When,
When the access relay apparatus receives a request for the service providing apparatus to which session information is attached from the terminal apparatus, whether the session information is stored in the session information storage unit as a session in which connection is continued. A matching step;
When the access relay device confirms that the session information is stored as a session in which connection is continued in the step, a step of calling a relay module with the service providing device;
An access relay method comprising: When the access relay device transmits the second session information to the terminal device, the connection becomes invalid for the first session information stored as a session in which connection is continued in the session information storage unit. The access relay method according to claim 9, further comprising a step of updating a status in the session. The access relay device includes a first storage unit that stores authentication information of a user who operates the terminal device,
When the access relay apparatus receives a request for the service providing apparatus from a terminal apparatus, the terminal apparatus requests input of authentication information to the terminal apparatus;
The terminal device transmitting authentication information input to the terminal device to the access relay device;
When the access relay apparatus receives the authentication information from the terminal apparatus, the access relay apparatus checks the authentication information against the authentication information stored in the first storage unit, and is a request from a legitimate user having an operation authority. Determining whether or not
10. The step of establishing a connection with the terminal device establishes a connection with the terminal device when it is determined that the request is from a legitimate user by the verification of the authentication information. 10. The access relay method according to 10. The access relay device includes a second storage unit that stores an electronic certificate used by the user operating the terminal device to connect to the service providing device,
The access relay device has a step of executing an application program for communicating with the service providing device;
The application program is started by the relay module called in the step of calling the relay module,
The access relay method according to claim 9, wherein the application program establishes a connection with the service providing apparatus using an electronic certificate read from the second storage unit.