JP4748763B2 - Information processing apparatus, control method for information processing apparatus, program, and storage medium - Google Patents

Description

  The present invention relates to an authentication process performed for a user who requests a Web service in an information processing apparatus that provides a plurality of Web services via a network.

  In recent years, XML (extensible Markup Language), which is a structured language, has been used for business document management, messaging, database, and the like, and its application range has been expanding.

  A prominent example is the application to a Web service that is a distributed object model using XML-SOAP (Simple Object Access Protocol). With the advent of this Web service, a shift from a conventional object-oriented model to a service-oriented architecture (SOA) has been gradually advanced.

  A service-oriented architecture is an architecture that divides processes in units of Web services. Because existing Web services can be reused and reorganized, business solutions can be quickly delivered while maintaining high reliability and low cost. It has the merit that it can be constructed and provided.

  In providing business solutions, it is essential to build strong security. In particular, in business solutions built on a network, protection of user information and user data, and identification and authentication of identity are important issues. There is no exception in the service-oriented architecture based on Web services. Even if the same Web service is used, different authentication and authorization are required depending on various conditions such as the environment in which the Web service is used, security level, and system configuration. A flexible response such as providing processing is desired. For example, there are various authentication methods such as simple user authentication, PIN code authentication, IC card authentication, biometric authentication, etc., so it is important to take appropriate measures in consideration of various conditions. It is.

  On the other hand, in order to improve the convenience and simplicity of network solutions, demands such as single sign-on and federated identity (integrated authentication) are increasing. For example, when a plurality of Web services are integrated to construct and provide a new Web service, authentication and authorization processing executed for each Web service are integrated to provide an environment such as single sign-on. Establishment of a method is required. Therefore, there is a need for a solution that meets the contradicting demands of building strong security and building a highly convenient and simple network solution without compromising the efficiency and flexibility of the service-oriented architecture. It is coming.

Here, a description will be given of authentication and authorization processing in providing a conventional Web service. FIGS. 12A and 12B are diagrams showing examples of functional blocks in the conventional authentication and authorization processing, and FIG. 12A shows the authentication of individual Web services (service A and service B), respectively. A case is shown in which a processing unit, an authorization processing unit, and a database holding user authentication information are incorporated (see, for example, Patent Document 1). FIG. 12B shows a case in which each Web service is provided with a module for external authentication and authorization processing, and a database that holds user authentication information for authentication and authorization processing is shared. Respectively.
JP 2003-229978 A

  However, among the authentication and authorization processing shown in the background art, the configuration shown in FIG. 12A is used when the authentication and authorization processing required according to the use case of the applied Web service is different. There is a problem that it is necessary to modify the Web service according to the request, and the load of development cost and management cost is increased.

  On the other hand, according to the configuration shown in FIG. 12B, since the database holding user authentication information for authentication and authorization processing is shared, it is not necessary to modify the Web service according to the request. Although there is no database, each Web service has its own configuration, so if you combine developed Web services and provide new Web services, provide functions such as single sign-on and integrated authentication. Is extremely difficult to achieve, and there is a problem that the system becomes inconvenient for Web service users.

  Each Web service must implement an interface and protocol (protocol A, B) with a service (authentication service A, authorization service B) that performs authentication and authorization processing, and the web service to be applied. If the required authentication and authorization processing differs depending on the use case, the interface and protocol are modified according to the request, and multiple interfaces and protocols are implemented in each Web service. Since it is necessary, there is a problem in that development costs and management costs are incurred, and that it is impossible to provide a quick web service according to user requests.

  In addition, these problems hinder the introduction of the optimal security system at the optimal timing, and in turn cause damage due to unauthorized use.

The present invention has been made in view of the above-described problems. In providing a plurality of services via a network, a highly convenient and simple network solution is realized at low cost while maintaining strong security. The purpose is to do.

In order to achieve the above object, an information processing apparatus according to the present invention comprises the following arrangement. That is,
Storage means for storing information in which correspondence between a plurality of services and a plurality of authentication processing means for executing authentication processing of service requesters is described;
Service request accepting means for accepting a service request including identification information for identifying any of the plurality of services and attribute information indicating processing to be executed by the service from a service request source;
Selecting means for selecting an authentication processing means corresponding to a service identified by the identification information included in the service request based on information stored in the storage means;
When the service request accepting unit accepts the service request, the service request accepting unit notifies the selection unit of the identification information included in the service request while holding the attribute information included in the service request. Rukoto be required if the service requester is authenticated by the selected authentication processing means, the execution of the process in which the retained attribute information indicates, the service identified by the identification information contained in the service request by It is characterized by.

According to the present invention, when providing a plurality of services via a network, it is possible to realize a convenient and simple network solution at low cost while maintaining strong security.

  Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings as necessary. The present invention can be implemented in various apparatuses that provide Web services via a network and can be applied to various systems. In the following description, the present invention is implemented in a network-compatible MFP (Multi Function Peripheral) and image processing is performed. A case of applying to a system will be described.

[First Embodiment]
<Overall configuration of image processing system>
FIG. 14 is a diagram showing an overall configuration of an image processing system including a network-compatible MFP (hereinafter simply referred to as “MFP”) according to an embodiment of the present invention. In FIG. 14, reference numeral 1400 denotes an MFP which provides various Web services such as a print service, a scan service, a storage service, and a FAX service to a computer terminal 1421 that can be connected via a network 1410. A computer terminal 1421 can use the MFP 1400 via the network 1410. Reference numeral 1422 denotes a computer terminal for managing the MFP 1400.

  The MFP 1400 includes hardware such as a communication device 1401, a CPU (Central Processing Unit) 1402, a memory 1403, an HDD (Hard Disk Drive) 1404, an image processing device 1407, a printer 1405, and a scanner 1406, and is a structured language. It is characterized in that it has a function of performing security processing such as authentication and authorization using XML (extensible Markup Language).

  The communication device 1401 performs communication via the network 1410. The CPU 1402 is a computer that executes programs for realizing various functions in the image processing apparatus 1407. Specifically, the CPU 1402 reads a program (application program or the like) for realizing various functions from the HDD 1404, and executes the read program using the memory 1403 as a work area.

<Functional Configuration of MFP 1400>
Next, a functional configuration of the MFP 1400 according to the present embodiment will be described with reference to FIG. FIG. 1 is a block diagram illustrating a functional configuration of the MFP 1400 according to the present embodiment.

  The MFP 1400 includes a TCP / IP / UDP protocol stack processing unit 101 that stacks TCP / IP / UDP protocols as a communication function, a SOAP processing unit 102 in the upper layer, and an arbitration service 103 and an XML script in the upper layer. Processing unit 104, authentication / authorization service A (107), authentication service B (108), authority service B (109), authentication / authorization service C (114), print service 110, scan service 111, storage service 112, FAX service 113 and provides these Web services (110 to 113) to the computer terminal 1421 via the network 1410.

  With respect to the MFP 1400, the system administrator can stop the function of the Web service, delete the Web service, reinstall the Web service, and install a new Web service via the computer terminal 1422. Note that the new Web service mentioned here includes, for example, a case where a plurality of already installed Web services are combined to provide a new function.

  The SOAP processing unit 102 analyzes the received SOAP request, transmits the description content of the SOAP header part to the arbitration service 103, generates a SOAP response based on the processing result returned from the arbitration service 103, and issues a SOAP request The description contents of the SOAP body are transmitted to the corresponding Web service based on the function of returning to the computer terminal 1421 and the processing result returned from the arbitration service 103, and the SOAP based on the processing result notified from the corresponding Web service. It has a function of generating a response and returning it to the computer terminal 1421 that issued the SOAP request.

  The arbitration service 103 analyzes the description content of the SOAP header part transmitted from the SOAP processing unit 102, acquires information about the Web service requested to be executed, and the memory device control unit via the XML script processing unit 104. 105 has a function of acquiring information related to the authentication / authorization service associated with the Web service requested to be executed from the XML script 106 registered on the memory (HDD 1404) managed by the computer 105.

  Further, the arbitration service 103 transmits the authentication information described in the SOAP header part to the authentication / authorization service (any one of 107 to 109) acquired from the XML script 106 based on the acquired information about the authentication / authorization service. And a function of generating a SOAP response based on the processing result notified from the authentication / authorization service (any one of 107 to 109) and notifying the SOAP processing unit 102.

  The MFP 1400 according to the present embodiment is configured to incorporate the authentication / authorization service A (107), the authentication service B (108), and the authority service B (109) as services for realizing the authentication / authorization function. However, the present invention is not limited to this, and as shown in the figure, the authentication / authorization service C (114) may be arranged outside the MFP 1400 so that it can be used via the network 1410.

  Each authentication / authorization service (107 to 109) has a function of processing the authentication information transmitted from the arbitration service 103 and returning the processing result to the arbitration service 103.

  Further, the MFP 1400 according to the present embodiment is provided with a print service 110, a scan service 111, a storage service 112, and a FAX service 113. These are Web services compatible with XML-SOAP, and these Web services can be stopped, restarted, deleted, and reinstalled from an external computer terminal 1422 managed by a system administrator. Similarly, a new Web service can be added, started, stopped, and deleted.

  The XML script processing unit 104, which is a lower layer of the arbitration service 103, has a function of accessing the memory (HDD 1404) via the memory device control unit 105. The memory device control unit 105 writes data to a memory (HDD 1404) that stores a Web service, information related to the authentication / authorization service for the Web service, and an XML script 106 that describes a processing procedure, and the memory (HDD 1404). Controls reading of data from.

  The XML script 106 can be deleted, reinstalled, or updated from an external computer terminal 1422 managed by the system administrator. In accordance with the description content of the XML script 106, another XML script 106 can be used. Can be associated with the authentication / authorization service. In addition, it is possible to flexibly cope with security requirements such as newly associating an authentication / authorization service with a new Web service that functions by combining a plurality of Web services.

  When receiving the provision of the Web service, the XML script 106 in which information related to the authentication / authorization service associated with the Web service that is operating on the MFP 1400 is registered in the MFP 1400 in advance. is necessary.

  If this registration process is not executed and the XML script 106 does not exist on the memory (HDD 1404) of the MFP 1400, none of the Web services running on the MFP 1400 can be executed.

  The XML script 106 is stored in the memory (HDD 1404) controlled by the memory device control unit 105 when the system administrator performs registration processing for the MFP 1400 via the network 1410.

  The system administrator transmits, from the computer terminal 1422 managed by the system administrator, to the MFP 1400, an XML script 106 that describes information related to the authentication / authorization service associated with each Web service implemented in the MFP 1400. .

  The MFP 1400 according to the present embodiment includes an XML-SOAP RPC (Remote Procedure Call) shown below in order to register and delete the XML script 106. As a result, the XML script processing unit 104 can register and delete the XML script 106 and validate the XML script 106. Specifically, when sending and registering the XML script 106 to the MFP 1400, UploadScript (scriptName, account, password), which is a SOAP function, is used.

  Here, since the copying machine MFP 1400 has a configuration capable of registering a plurality of XML scripts 106, the scriptName is used as identification information thereof. In the present embodiment, an ASCII character string of up to 32 characters can be used. However, an ASCII character string of up to 32 characters is used for both account and password. Such identification information is assumed to be registered in advance in the MFP 1400, and the information is recorded on the memory (HDD 1404) managed by the memory device control unit 105, and is configured so that only the system administrator can know. It shall be. An XML script 106 that is XML data is transmitted to the MFP 1400 in the form of an attached file of a SOAP request describing the SOAP function.

  Further, when deleting the XML script 106 registered in the MFP 1400, DeleteScript (scriptName, account, password) which is a SOAP function is used. It is assumed that only a system administrator who can know account and password information can delete the XML script 106 registered on the memory (HDD 1404) of the MFP 1400. Since a plurality of XML scripts 106 can be registered in the MFP 1400, the XML script 106 to be deleted is designated by scriptName.

  In order to validate the XML script 106 specified by scriptName for a plurality of XML scripts 106 registered in the MFP 1400, EnableScript (scriptName, account, password), which is a SOAP function, is used. Also here, only the system administrator who can know the account and password information can designate and validate the XML script 106 registered in the memory (HDD 1404) of the MFP 1400.

<Registration, deletion, and activation processing of XML script>
Next, the flow of registration, deletion, and validation processing of the XML script 106 will be described with reference to FIG. FIG. 2 is a flowchart showing the flow of registration, deletion, and validation processing of the XML script 106 in the MFP 1400 according to the present embodiment.

  2 is assumed to be transmitted from the computer terminal 1422 as an external device to the MFP 1400.

  As shown in FIG. 2, first, the XML script processing unit 104 configuring the arbitration service 103 determines whether or not an UploadScript that is a SOAP request has been received via the SOAP processing unit 102 (step S <b> 201). If it is determined that UploadScript as a SOAP request has been received, the XML script processing unit 104 uses the memory (HDD 1404) via the memory device control unit 105 to check the contents of the arguments account and password. It is determined whether or not it matches the information recorded above (hereinafter referred to as account information) (step S202).

  If it is determined that the account information does not match (in the case of “no” in step S202), the XML script processing unit 104 returns an error response message to the computer terminal 1422 via the SOAP processing unit 102 (step S202). S203). On the other hand, when it is determined that the account information matches (in the case of “yes” in step S202), the XML script processing unit 104 determines whether or not the XML script 106 having the same scriptName has already been registered. (Step S204).

  If it is determined that it has already been registered (in the case of “yes” in step S204), the XML script processing unit 104 returns an error response message to the computer terminal 1422 via the SOAP processing unit 102 (step S204). S203), the process returns to step S201 in FIG. In this case, the system administrator cannot register an XML script having the same scriptName unless the already registered XML script is deleted using DeleteScript.

  When it is determined that there is no registered XML script (in the case of “no” in step S204), the XML script processing unit 104 transmits the XML script transmitted in the form of the attached file of the SOAP request. Recording is performed on the memory (HDD 1404) via the memory device control unit 105 (step S205).

  If it is determined in step S201 that UploadScript, which is a SOAP request, has not been received (in the case of “no” in step S201), the XML script processing unit 104 sends a SOAP request via the SOAP processing unit 102. It is determined whether or not DeleteScript is received (step S206). Here, when it is determined that DeleteScript which is a SOAP request has been received (in the case of “yes” in step S206), the XML script processing unit 104 checks the contents of the account and password as arguments. It is determined whether or not it matches the account information recorded on the memory (HDD 1404) via the memory device control unit 105 (step S207).

  If it is determined in step S207 that the account information does not match, the XML script processing unit 104 returns an error response message to the computer terminal 1422 via the SOAP processing unit 102 (step S208). If it is determined that the account information matches (if “yes” in step S207), the XML script processing unit 104 determines whether an XML script having the same scriptName has already been registered (step S209). ).

  In step S209, if the XML script having the specified scriptName is not recorded on the memory 1403 (if not registered) (in the case of “no” in step S209), the XML script processing unit 104 An error response message is returned to the computer terminal 1422 via the SOAP processing unit 102 (step S208). If an XML script having the specified scriptName is recorded on the memory (HDD 1404) (if registered) (in the case of “yes” in step S209), the XML script processing unit 104 Then, the XML script recorded on the memory (HDD 1404) is deleted via the memory device control unit 105 (step S210).

  If it is determined in step S206 that DeleteScript that is a SOAP request has not been received, the XML script processing unit 104 determines whether or not EnableScript that is a SOAP request has been received via the SOAP processing unit 102. (Step S211). Here, when it is determined that EnableScript, which is a SOAP request, has been received (in the case of “yes” in step S211), the XML script processing unit 104 checks the contents of the accounts and passwords as arguments. It is determined whether the information (account information) recorded on the memory (HDD 1404) matches with the memory device control unit 105 (step S212).

  If it is determined in step S212 that the account information does not match, the XML script processing unit 104 returns an error response message to the computer terminal 1422 via the SOAP processing unit 102 (step S213). If it is determined that the account information matches (if “yes” in step S212), the XML script processing unit 104 determines whether or not an XML script having the designated scriptName has been registered (step S212). S214).

  In step S214, if the XML script having the specified scriptName is not recorded on the memory (HDD 1404) (not registered) (in the case of “no” in step S214), the XML script processing unit 104. Returns an error response message to the computer terminal 1422 via the SOAP processing unit 102 (step S213). If an XML script having the specified scriptName is recorded on the memory 1403 (if registered) (if “yes” in step S214), the XML script processing unit 104 specifies The XML script having the generated scriptName is validated (step S215), and the arbitration service 103 refers to the XML script thereafter.

  With the above processing, the XML script registration processing, deletion processing, and validation processing according to the application from the computer terminal 1422 to the MFP 1400 are completed. The system administrator can repeatedly execute registration, deletion, and validation processing of the XML script of the corresponding application as necessary. When the registration process of the XML script is completed, the arbitration service 103 in the MFP 1400 can be operated.

<Processing of each unit when a SOAP request for a Web service is received>
Hereinafter, processing of each unit when the MFP 1400 according to the present embodiment receives a SOAP request for a Web service from the computer terminal 1421 will be described. First, an outline of the process will be described. FIG. 13 is a conceptual diagram illustrating a processing flow in the MFP 1400 when a SOAP request for a Web service is received.

  As shown in the figure, when the ENTRANCE 1301 receives a SOAP request for a Web service from the computer terminal 1421, the service name and authentication information of the request destination are notified to the ARBITRATOR 1302. Note that the ENTRANCE 1301 corresponds to the SOAP processing unit 102 in FIG. 1, and FIG. 3A is a flowchart showing the control flow. Also, the ARBITRATOR 1302 corresponds to the arbitration service 103 in FIG. 1, and FIG. 3B is a flowchart showing the control flow.

  The ARBITRATOR 1302 refers to the MAPPING TABLE 1305 and acquires information related to the authentication and authorization service associated with the requested Web service. Note that the MAPPING TABLE 1305 corresponds to the XML script 106 in FIG.

  The ARBITRATOR 1302 notifies the AUTHENTICATION / AUTHORIZATION SERVICE 1303 corresponding to the authentication information received from the ENTRANCE 1301 based on the acquired information regarding the authentication and authorization service. The AUTHENTICATION / AUTHORIZATION SERVICE 1303 corresponds to the authentication / authorization service 107, 108, 109, 114 in FIG. 1, and FIG. 3C is a flowchart showing the control flow.

  The result of the authentication / authorization processing in the AUTHENTICATION / AUTHORIZATION SERVICE 1303 is returned to the ARBITRATOR 1302, and the ARBITRATOR 1302 transmits whether or not the Web service can be executed or access restriction information to the ENTRANANCE 1301.

  On the basis of the transmission content from the ARBITRATOR 1302, the ENTRANCE 1301 calls the requested SERVICE 1304 or notifies the computer terminal 1421 that is the request issuer that the execution of the Web service is rejected. The SERVICE 1304 corresponds to the print service 110, the scan service 111, the storage service 112, and the FAX service 113, which are the Web services in FIG. 1, and FIG. 3D is a flowchart showing the control flow. Hereinafter, the flow of control of each unit will be described in detail according to these flowcharts.

  As shown in FIG. 3A, while the MFP 1400 is operating, the SOAP processing unit 102 constantly monitors the reception of the SOAP request for the Web service transmitted from the external computer terminal 1421 via the TCP / IP / UDP protocol stack 101 (step When the reception of the SOAP request for the Web service is confirmed (in the case of “yes” in step S301A), the header part of the received SOAP request is transmitted to the arbitration service 103 (step S302A).

  As shown in FIG. 3B, the arbitration service 103 constantly monitors the reception of the header part of the SOAP request (step S301B), and receives the SOAP request header part from the SOAP processing unit 102 (“yes” in step S301B). ), The arbitration service 103 parses the description content of the header part of the SOAP request (step S302B).

  Here, FIG. 4 shows an example of description contents of the header part of the SOAP request. As shown in the figure, the header portion of the SOAP request is based on a WSAddressing specification that is jointly developed by Microsoft, BEA, IBM, etc. (for example, http://schemas.xmlsoap.org/ws/2003/03/ address / reference), and the service name of the Web service to be requested is described as the content of the <ACTION> tag. Also, authentication information is described as the content of the <UsernameToken> tag based on the WS-Security UsernameToken Profile 1.0 specification formulated by the standardization organization OASIS.

  The arbitration service 103 parses the header part of the SOAP request, and first checks the presence / absence of the <ACTION> tag and its contents (step S303B). If the <ACTION> tag is not described, or if the <ACTION> tag exists but the content does not exist, that is, if it is an empty tag (in the case of “no” in step S303B), it is an illegal request. The arbitration service 103 notifies the SOAP processing unit 102 of an error (step S304B).

  On the other hand, when the content of the <ACTION> tag exists (in the case of “yes” in step S303B), the arbitration service 103 reads the XML script 106 previously enabled by EnableScript via the memory device control unit 105, and It is searched whether or not the Web service described as the content of the <ACTION> tag is described in the XML script 106 (step S305B). If no registration corresponding to the Web service described in the <ACTION> tag is found as a result of the search (in the case of “no” in step S306B), the SOAP processing unit 102 determines that the request is invalid and notifies an error. (Step S307B).

  On the other hand, as a result of the search, if registration corresponding to the Web service described in the <ACTION> tag is found (in the case of “yes” in step S306B), the registration is continued to be associated with the specified Web service. The presence / absence of information related to the authentication and authorization service is searched (step S308B). As a result of the search, if information related to the authentication and authorization service associated with the Web service specified in the XML script is not found (in the case of “no” in step S308B), authentication processing and authorization processing for the Web service Is determined to be unnecessary, and the arbitration service 103 notifies execution permission (step S309B).

  On the other hand, as a result of the search, if information related to the authentication and authorization service associated with the Web service specified in the XML script is found (in the case of “yes” in step S308B), it is described in the XML script 106. The credential information, in this case UsernameToken information, is notified to the URL that has been sent (step S310B). As a communication protocol with the authentication and authorization service (107 to 109), in this embodiment, SAML (Security Assession Markup Language) 1.1 formulated by the standardization organization OASIS is used.

  As shown in FIG. 3C, in step S301C, the authentication / authorization service (any one of 107 to 109) that has received the credential information from the arbitration service 103 parses the description content of the SOAP request (step S302C), and UsernameToken information. , And performs authentication and authorization processing based on the information (step S303C), generates a SOAP request in accordance with SAML (Security Assession Markup Language) 1.1 based on the processing result, and arbitration service 103 Is replied to (step S304C). After completion of the reply process, the authentication / authorization service (107 to 109) shifts to waiting for reception of credential information from the arbitration service 103 (step S301C).

  Returning to FIG. 3B again. In step S311B, waiting for reception of the authentication result from the authentication / authorization service, the arbitration service 103 that has received the authentication result checks whether or not the XML script 106 continues to describe the calling procedure of the authentication / authorization service. (Step S312B) If there is a description, the processes from Step S310B to Step S312B are repeated.

  On the other hand, when the description of the XML script 106 has been completed (in the case of “no” in step S312B), the arbitration service 103 returns the authentication result to the SOAP processing unit 102 (step S313B). After the reply process is completed, the arbitration service 103 shifts to a state waiting for reception of a SOAP header from the SOAP processing unit 102 (step S301B).

  In this way, the arbitration service 103 executes a call to the authentication / authorization service (any one of 107 to 109) associated with the Web service designated to be executed from the computer terminal 1421 in accordance with the description of the XML script 106. Different authentication and authorization services can be implemented depending on the description content of the XML script 106. Therefore, the description content of the XML script 106 will be briefly described here.

  In the XML script 106, a file name for identifying the XML script is described in the attribute name of the <xmlscript> tag. The file name is set by the scriptName specified by the UploadScript function described above. As a child tag of the <mapping> tag, information related to the target Web service is described in the URL format. <Service> tag, and information related to the authentication and authorization service associated with the Web service is described in the URL format < An AuthService> tag is defined.

  FIG. 5 shows a specific example of the XML script. In the case of the XML script shown in the figure, the file name is “Sample1”, the authentication / authority service A (107) for the print service 110, and the authentication service B (108) for the scan service 111. , The authority service B (109) is described in association with the storage service 112, and the authentication / authorization service C (114) is described in association with the FAX service 113, so that the arbitration service 103 is associated with each Web service. In contrast, different authentication and authorization services will be implemented. As a result, different authentication and authorization processing can be performed, for example, password authentication for the print service 110, PIN code authentication for the scan service 111, and IC card authentication for the FAX service 113.

  Further, according to the XML script as shown in FIG. 6, it is possible to execute different authentication and authorization processing for the same print service 110. The ad hoc print service (601) defined here is a Web service that provides a simple print function to the computer terminal 1421 connected to the network 1410, and is authenticated by the authentication / authority service A (107) installed in the MFP 1400. Execute the authorization process. The Web service defined as the charging print service (602) is subjected to authentication and authorization processing by the authentication / authorization service C (114) operating outside the MFP 1400 via the network 1410. .

  By describing in this way, for example, the authentication / authorization service A (107) is a simple authentication and authorization service using a department code, and the authentication / authorization service C (114) is a credit card number, a password, and a runtime. If it is an authentication / authorization service with a high secure level using a password, both can be used properly.

  Further, when the scan service 111 and the storage service 112 that function independently are combined to provide a scan-storage service that is a new Web service, as shown in FIG. 112 is associated with authentication / authorization service A (107) and authentication service B (108), respectively, and scan-storage service, which is a new Web service, is associated with authentication / authorization service C (114). be able to.

  The XML script shown in FIG. 8 is associated with the authentication / authorization service A (107) for both the print service 110 and the scan service 111, and both Web services are based on a database managed by the authentication / authorization service C (114). Therefore, the user who uses both Web services is authenticated and authorized based on the same credential information (that is, single sign-on is executed for the print service 110 and the scan service 111). Be possible).

  The XML script shown in FIG. 9 describes the authentication service B (108) and the authority service B (109) for the print service 110 and associates them. In this case, the arbitration service 103 is included in the XML script. Call each authentication and authorization service in the order described. Therefore, authentication processing is performed by the authentication service B (108), and the authority information is given by notifying the assertion given by the authentication service (108) to the authority service B (109) as the next processing. It becomes possible to receive. In other words, when it is necessary to execute authentication processing in multiple ways, or when it is necessary to separate authentication processing and authority processing and change the combination depending on the use case, an XML script as shown in FIG. Will be described and registered.

  In this embodiment, it is possible to register a plurality of XML scripts shown in the above example, and the association process between the Web service and the authentication / authorization service is performed in accordance with the description of the XML script specified by EnableScript. The Therefore, it is possible to change or update the authentication / authorization process to be executed according to the use case only by changing the description of the XML script.

  Returning to FIG. 3A again. As shown in the figure, the SOAP processing unit 102 that has received the processing result from the arbitration service 103 (step S303A) analyzes the processing result (step S304A), and if the authentication result is NG (in step S304A). In the case of “no”, a SOAP Fault is returned as an unauthorized request to the computer terminal 1421 (step S305A).

  On the other hand, if the authentication result is OK (in the case of “yes” in step S304A), the service attribute information described in the SOAP body part is parsed (step S306A), and the corresponding Web service (any of 110 to 113) is parsed. ), And notifies the Web service of the attribute information and requests execution of the Web service (step S307A).

  As shown in FIG. 3D, the web service (any one of 110 to 113) that has received the web service execution request from the SOAP processing unit 102 executes the web service process based on the notified attribute information (step S302D). The processing result is returned to the SOAP processing unit 102 (step S303D). After returning the processing result, the Web service shifts to waiting for reception of a Web service execution request from the SOAP processing unit 102 (step S301D).

  Returning to FIG. 3A again. The SOAP processing unit 102 that has received the processing result from the Web service (step S308A) generates a SOAP response based on the processing result (step S309A). At this time, if additional information such as assertion information has been received via the arbitration service 103 to be sent back to the computer terminal 1421 from the authentication / authorization service, the information is described in the SOAP header. When the generation of the SOAP response is completed, the SOAP processing unit 102 returns a SOAP response to the computer terminal 1421 (step S310A). After returning the SOAP response, the SOAP processing unit 102 shifts to waiting for reception of a SOAP request from the computer terminal 1421 (step S301A).

  By repeating the above series of processes, it is possible to perform authentication and authorization processing for the requested Web service.

  As is clear from the above description, according to the present embodiment, by simply changing the description content of the XML script that is MAPPING TABLE, the same Web service can be associated with other authentication and authorization services, In addition, a new Web service that functions by combining a plurality of Web services can be newly associated with an authentication / authorization service, which can flexibly meet security requirements. In other words, even if the authentication and authority processing required according to the use case of the Web service to be applied is different as in the conventional case, it is not necessary to modify the Web service itself according to the request. Since it is possible to cope with this by simply changing the description content of the script of the script, it is possible to realize strong security equivalent to the conventional one at a lower cost than the conventional one.

  Also, by changing the description content of the XML script that is a MAPPING TABLE, single sign-on can be performed for a plurality of Web services. According to this embodiment, convenience and simplicity are achieved. Network solution can be provided.

[Second Embodiment]
In the first embodiment, when registering an XML script describing the correspondence between a Web service and an authentication / authorization service, an external device, that is, a computer terminal 1421 managed by a system administrator via the network 1410 is used. Although the XML script is transmitted and registered to the XML script processing unit 104, the present invention is not limited to this.

  For example, a URL of a server in which an XML script is registered is transmitted and registered to an XML script processing unit via a network from a computer terminal managed by a system administrator, and the XML script processing unit holds the URL. The XML script may be downloaded from a server that performs the registration and registered on a memory managed by the server.

  Alternatively, the computer terminal and the MFP may be connected via a local interface such as USB or IEEE 1394, and may be registered with the XML script processing unit via the interface.

  The XML script may be recorded on a recording medium such as a CD-ROM, compact flash (registered trademark), or memory stick, and the MFP may be configured such that the XML script processing unit reads the XML script via the recording medium. .

  The XML script may be input by an authorized system administrator via an operation unit provided in the MFP.

  In the first embodiment, the information about the Web service and the information related to the authentication and authorization service associated with the Web service are described in the format of the XML script, but other script description languages or You may make it describe with simple text data.

  Furthermore, in the first embodiment, a case has been described in which a plurality of XML scripts are managed by the XML script processing unit, and the description of the specified XML script is validated. However, a plurality of patterns are used for one XML script. And the same effect may be realized by designating which pattern is used.

  Further, as shown in FIG. 10, the authentication service and the authorization service may be associated with the print service by changing the security level. As a result, the authorized administrator switches the security level via the operation unit of the MFP, for example, to change a print service that does not require authentication processing to a print service that requires authentication using an IC card. Or change to a print service to which different usage restrictions are assigned for each user.

  Further, in the first embodiment, the mode in which the arbitration service 103 is implemented in the MFP node has been described. However, as shown in FIG. 11, a logical unit that realizes the arbitration service function is connected to the network 1410. For example, it may be configured to be independently mounted on a server (1101) using a PC. In this case, communication between the logical unit that realizes the arbitration service function and the network-compatible device (1100) uses the means such as SSL (Secure Socket Layer), and the processing result by the authentication and authorization service is Need to be protected from being tampered with by a third party.

  In the first embodiment, the arbitration service and the authentication / authorization service communicate with each other using the SAML protocol. However, this protocol is a protocol unique to each authentication / authorization service. The arbitration service communicates based on a protocol corresponding to each authentication and authorization service. Even in this case, the Web service can execute the optimum authentication and authorization process in each use case without being aware of the existence of the authentication and authorization service.

  In the first embodiment, an example in which the description of the service name of the Web service to be requested is described based on the WSAddressing specification. However, when the <Action> tag cannot be detected in the arbitration service, The SOAP body part may be parsed and the service name described there may be obtained.

  In the first embodiment, the example in which the authentication information is described based on the provisions of the OASIS WS-Security Username Profile is shown. However, the present invention is not limited to this and is defined in these standard specifications. Even if there is no credential information, it can be dealt with. In this case, it can be dealt with by describing which tag corresponds to the credential information in the XML script.

[Other Embodiments]
Note that the present invention can be applied to a system including a plurality of devices (for example, a host computer, an interface device, a reader, and a printer), and a device (for example, a copying machine and a facsimile device) including a single device. You may apply to.

  Another object of the present invention is to supply a storage medium storing software program codes for implementing the functions of the above-described embodiments to a system or apparatus, and the computer (or CPU or MPU) of the system or apparatus stores the storage medium. Needless to say, this can also be achieved by reading and executing the program code stored in the.

  In this case, the program code itself read from the storage medium realizes the functions of the above-described embodiments, and the storage medium storing the program code constitutes the present invention.

  As a storage medium for supplying the program code, for example, a floppy (registered trademark) disk, hard disk, optical disk, magneto-optical disk, CD-ROM, CD-R, magnetic tape, nonvolatile memory card, ROM, or the like is used. be able to.

  Further, by executing the program code read by the computer, not only the functions of the above-described embodiments are realized, but also an OS (operating system) operating on the computer based on the instruction of the program code. It goes without saying that a case where the function of the above-described embodiment is realized by performing part or all of the actual processing and the processing is included.

  Further, after the program code read from the storage medium is written into a memory provided in a function expansion board inserted into the computer or a function expansion unit connected to the computer, the function expansion is performed based on the instruction of the program code. It goes without saying that the CPU or the like provided in the board or the function expansion unit performs part or all of the actual processing, and the functions of the above-described embodiments are realized by the processing.

2 is a block diagram illustrating a functional configuration of the MFP according to the embodiment of the present invention. FIG. 6 is a flowchart showing a flow of XML script registration, deletion, and validation processing in the MFP according to the embodiment of the present invention. It is a figure which shows the control flow of a SOAP process part. It is a figure which shows the control flow of mediation service. It is a figure which shows the control flow of an authentication and authorization service. It is a figure which shows the control flow of Web service. It is a figure which shows an example of the description content of the header part of a SOAP request. It is a figure which shows the example of a description of an XML script. It is a figure which shows the example of a description of an XML script. It is a figure which shows the example of a description of an XML script. It is a figure which shows the example of a description of an XML script. It is a figure which shows the example of a description of an XML script. It is a figure which shows the example of a description of an XML script. It is a block diagram which shows the function structure when the mediation service is distribute | arranged with the independent form on the network. It is a figure which shows the structure of the web service in an existing technique, and an authentication and authorization process. FIG. 6 is a conceptual diagram illustrating a processing flow in an MFP when a SOAP request for a Web service is received. 1 is a diagram illustrating an overall configuration of an image processing system including an MFP according to an embodiment of the present invention.

Explanation of symbols

101 TCP / IPUDP Protocol Stack Processing Unit 102 SOAP Processing Unit 103 Arbitration Service 104 XML Script Processing Unit 105 Memory Device Control Unit 106 XML Script 107 Authentication / Authorization Service A
108 Authentication service B
109 Authority service B
110 Print Service 111 Scan Service 112 Storage Service 113 FAX Service 114 Authentication / Authority Service C
1401 Communication device 1402 CPU
1403 Memory 1404 HDD
1405 Printer 1406 Scanner 1407 Image processing apparatus 1400 MFP
1410 network 1421, 1422 computer terminal

Claims (10)

Storage means for storing information in which correspondence between a plurality of services and a plurality of authentication processing means for executing authentication processing of service requesters is described;
Service request accepting means for accepting a service request including identification information for identifying any of the plurality of services and attribute information indicating processing to be executed by the service from a service request source;
Selecting means for selecting an authentication processing means corresponding to a service identified by the identification information included in the service request based on information stored in the storage means;
When the service request accepting unit accepts the service request, the service request accepting unit notifies the selection unit of the identification information included in the service request while holding the attribute information included in the service request. Rukoto be required if the service requester is authenticated by the selected authentication processing means, the execution of the process in which the retained attribute information indicates, the service identified by the identification information contained in the service request by An information processing apparatus characterized by the above. The plurality of authentication processing means is included in the information processing apparatus,
The service request accepting unit executes the process indicated by the held attribute information when the service request source is authenticated by the authentication processing unit selected by the selection unit among the plurality of authentication processing units. the information processing apparatus according to claim 1, characterized that you request a service identified by the identification information included in the service request.   The information processing apparatus according to claim 1, wherein the information stored in the storage unit is described in a structured language.   The storage means stores a plurality of the information, and executes registration of new information, update of existing information, or deletion of existing information based on an instruction from a user. The information processing apparatus according to claim 1. A method for controlling an information processing apparatus,
A storage step of storing, in the storage unit, information describing a correspondence between a plurality of services and a plurality of authentication processing means for executing authentication processing of service requesters;
A service request accepting step of accepting, via a service request accepting unit, a service request including identification information for identifying any of the plurality of services and attribute information indicating processing to be executed by the service from a service request source;
A selection step in which a selection unit selects an authentication processing unit corresponding to a service identified by the identification information included in the service request based on information stored in the storage unit, and
In the service request receiving step, when the service request is received, the selection information is notified to the selection unit while holding the attribute information included in the service request, and the selection unit Rukoto be required if the service requester is authenticated by the selected authentication processing means, the execution of the process in which the retained attribute information indicates, the service identified by the identification information contained in the service request by A method for controlling an information processing apparatus. The plurality of authentication processing means is included in the information processing apparatus,
In the service request reception step, when the service request source is authenticated by the authentication processing unit selected by the selection unit among the plurality of authentication processing units , execution of the process indicated by the held attribute information is performed . control method according to claim 5, characterized that you request a service identified by the identification information included in the service request.   7. The information processing apparatus control method according to claim 5, wherein the information stored in the storage unit is described in a structured language.   A plurality of the information is stored in the storage step, and registration of new information, update of existing information, or deletion of existing information is executed based on an instruction from a user. The control method of the information processing apparatus of any one of Claims.   A storage medium storing a control program for causing a computer to execute the control method of the information processing apparatus according to any one of claims 5 to 8.   A control program for causing a computer to execute the control method of the information processing apparatus according to claim 5.

Images