JP4748766B2 - Information processing apparatus, information processing system, information processing method, program, and storage medium - Google Patents

Description

  The present invention relates to an information processing technique in an information processing apparatus that provides a plurality of Web services via a network.

  In recent years, XML (extensible Markup Language), which is a structured language, has been used for business document management, messaging, database, and the like, and its application range has been expanding.

A prominent example is the application to a Web service that is a distributed object model using XML-SOAP (Simple Object Access Protocol). Then, with the advent of the Web services, service-oriented architecture from the traditional object-oriented model: conversion to (SOA Service Oriented Architecture) it has come to proceed gradually.

  A service-oriented architecture is an architecture that divides processes in units of Web services. Because existing Web services can be reused and reorganized, business solutions can be quickly delivered while maintaining high reliability and low cost. It has the merit that it can be constructed and provided.

  In providing business solutions, it is essential to build strong security. In particular, in business solutions built on a network, protection of user information and user data, and identification and authentication of identity are important issues. There is no exception in the service-oriented architecture based on Web services. Even if the same Web service is used, different authentication and authorization are required depending on various conditions such as the environment in which the Web service is used, security level, and system configuration. A flexible response such as providing processing is desired. For example, there are various authentication methods such as simple user authentication, PIN code authentication, IC card authentication, biometric authentication, etc., so it is important to take appropriate measures in consideration of various conditions. It is.

  On the other hand, in order to improve the convenience and simplicity of network solutions, demands such as single sign-on and federated identity (integrated authentication) are increasing. For example, when a plurality of Web services are integrated to construct and provide a new Web service, authentication and authorization processing executed for each Web service are integrated to provide an environment such as single sign-on. Is required. Therefore, there is a need for a solution that meets the contradicting demand to achieve strong security without compromising the efficiency and flexibility of the service-oriented architecture.

  In this background, in order to realize strong security with flexibility and usability using a service-oriented architecture (SOA) based on a web service, the applicant of the present application In the information processing apparatus to be provided, it is proposed to introduce a table (MAPPING TABLE) in which a correspondence between a Web service and a service that performs authentication and authority processing for the service is described.

  FIG. 10 is a model diagram of an information processing apparatus provided with the MAPPING TABLE proposed by the present applicant and capable of providing a Web service. The model will be briefly described below.

  As shown in the drawing, when the SOAP request for the Web service is received in the ENTRANCE 1001, the service name and authentication information of the request destination are notified to the ARBITRATOR 1002.

  The ARBITRATOR 1002 refers to the MAPPING TABLE 1005 and acquires information related to the authentication and authorization service associated with the requested Web service.

  The ARBITRATOR 1002 notifies the corresponding AUTHENTICATION / AUTHORIZATION SERVICE 1003 of the authentication information received from the ENTRANCE 1001 based on the acquired authentication and authorization information.

  The result of the authentication / authorization processing in the AUTHENTICATION / AUTHORIZATION SERVICE 1003 is returned to the ARBITRATOR 1002, and the ARBITRATOR 1002 transmits whether or not the Web service can be executed or access restriction information to the ENTRANANCE 1001 based on the processing result.

  The ENTRANCE 1001 calls the requested SERVICE 1004 based on the transmission contents from the ARBITRATOR 1002, or notifies the request issuer that the execution of the Web service has been rejected.

  According to such an information processing apparatus, when providing a Web service, a highly convenient and simple network solution can be realized at low cost while maintaining strong security.

  However, in the case of the information processing apparatus described above, the ARBITRATOR 1002 refers to the MAPPING TABLE 1005 to acquire information related to the authentication / authorization service for the requested Web service. On the other hand, there is a problem that the MAPPING TABLE 1005 must be updated sequentially.

  This can be dealt with by the administrator of the ARBITRATOR 1002 by manually updating the MAPPING TABLE 1005 sequentially, but the administrator must check the update information of the Web service and perform the update operation each time. In addition, since the operation is complicated, there is a problem that the management cost is high.

  Furthermore, since the update of the MAPPING TABLE 1005 by the administrator is performed at the convenience of the administrator, the reflection of the information on the new addition / deletion of the Web service is delayed, which hinders the introduction of the optimal security system at the optimal timing. As a result, it can cause damage from unauthorized use.

  The present invention has been made in view of the above-described problems. In an information processing apparatus that realizes flexible and strong security using a service-oriented architecture based on a Web service, the addition / deletion of the Web service is performed. The purpose is to speed up and simplify management work, including management costs, and to reduce management costs.

In order to achieve the above object, an information processing apparatus according to the present invention comprises the following arrangement. That is,
Storage means for storing predetermined information in which associations between a plurality of services and a plurality of authentication processing means for executing authentication processing of service requesters are described;
Service request accepting means for accepting a service request including identification information for identifying any of the plurality of services and attribute information indicating processing to be executed by the service from a service request source;
Selecting means for selecting an authentication processing means corresponding to a service identified by the identification information included in the service request based on predetermined information stored in the storage means;
An instruction means for instructing a service,
When the service request accepting unit accepts the service request, the service request accepting unit notifies the selection unit of the identification information included in the service request while holding the attribute information included in the service request. Requesting the service identified by the identification information included in the service request to execute the process indicated by the held attribute information when the service request source is authenticated by the authentication processing means selected by
The storage means, when an instruction about a service is given by the instruction means, the association between the service for which the instruction has been given and the authentication processing means corresponding to the service for which the instruction has been given. It is configured to update information.

  According to the present invention, in an information processing apparatus that realizes flexible and strong security using a service-oriented architecture based on a Web service, management operations including addition / deletion of the Web service are speeded up and simplified. And management costs can be reduced.

  Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings as necessary. The present invention can be implemented in various apparatuses that provide Web services via a network and can be applied to various systems. Hereinafter, the present invention is implemented in a network-compatible MFP (Multi Function Peripheral) and the MFP. The case of applying to an information processing system comprising

[First Embodiment]
<Overall configuration of information processing system>
FIG. 11 is a diagram showing an overall configuration of an information processing system including a network-compatible MFP (hereinafter simply referred to as “MFP”), which is an information processing apparatus according to an embodiment of the present invention. In FIG. 11, reference numeral 1100 denotes an MFP, which provides various Web services such as a print service, a scan service, a storage service, and a FAX service to a computer terminal 1121 that can be connected via a network 1110. A computer terminal 1121 can use various Web services provided by the MFP 1100 via the network 1110.

  The MFP 1100 includes a communication device 1101, a CPU (central processing unit) 1102, a memory 1103, an HDD (hard disk drive) 1104, hardware such as an image processing device 1107, a printer 1105, and a scanner 1106, and is a structured language. It has a function of performing security processing such as authentication and authorization using XML (extensible Markup Language).

  The communication device 1101 performs communication via the network 1110. The CPU 1102 is a computer that executes programs for realizing various functions in the image processing apparatus 1107. Specifically, the CPU 1102 reads programs (application programs and the like) for realizing various functions from the HDD 1104, and executes the read programs using the memory 1103 as a work area.

<Functional Configuration of MFP 1100>
Next, a functional configuration of the MFP 1100 according to the present embodiment will be described with reference to FIG. FIG. 1 is a block diagram showing a functional configuration of the MFP 1100 according to the present embodiment.

  As shown in the figure, the MFP 1100 includes a TCP / IP / UDP protocol stack processing unit 101 that stacks TCP / IP / UDP protocols as a communication function, a SOAP processing unit 102 as an upper layer, and a higher layer. Mediation service 103, XML script processing unit 104, authentication / authorization service A (107), authentication service B (108), authority service B (109), print service 110, scan service 111, storage service 112, FAX service 113, A service management service (instruction means) 114 is provided, and these Web services (110 to 113) are provided to the computer terminal 1121 via the network 1110.

  For the MFP 1100, the system administrator performs the function stop of the Web service, the deletion of the Web service, the reinstallation of the Web service, and the installation of a new Web service via the computer terminal 1121 via the service management service 114 described later. Is possible. Note that the new Web service here includes, for example, a case where a plurality of already installed Web services are combined to provide a new function.

  The SOAP processing unit 102 analyzes the received SOAP request, transmits the description content of the SOAP header part to the arbitration service 103, generates a SOAP response based on the processing result returned from the arbitration service 103, and issues a SOAP request The description contents of the SOAP body are transmitted to the corresponding Web service based on the function for returning to the computer terminal 1121 and the processing result returned from the arbitration service 103, and the SOAP based on the processing result notified from the corresponding Web service. It has a function of generating a response and returning it to the computer terminal 1121 that issued the SOAP request.

  The arbitration service 103 analyzes the description content of the SOAP header part transmitted from the SOAP processing unit 102, acquires information about the Web service requested to be executed, and the memory device control unit via the XML script processing unit 104. 105 has a function of acquiring information related to the authentication / authorization service associated with the Web service requested to be executed from the XML script 106 registered on the memory (HDD 1104) managed by the computer 105.

  Further, the arbitration service 103 transmits the authentication information described in the SOAP header part to the authentication / authorization service (any one of 107 to 109) acquired from the XML script 106 based on the acquired information about the authentication / authorization service. And a function of generating a SOAP response based on the processing result notified from the authentication / authorization service (any one of 107 to 109) and notifying the SOAP processing unit 102.

  The MFP 1100 according to the present embodiment is configured to incorporate the authentication / authorization service A (107), the authentication service B (108), and the authority service B (109) as services for realizing the authentication / authorization function. The invention is not limited to this, and as shown in FIG. 1, the authentication / authorization service C (115) may be arranged outside the MFP 1100 so that it can be used via the network 1110.

  Each authentication / authorization service (107 to 109) has a function of processing the authentication information transmitted from the arbitration service 103 and returning the processing result to the arbitration service 103.

  The service management service 114 is a dedicated service for managing a web service, and has a function of controlling addition (installation) of a new web service, deletion (uninstallation) of an existing web service, stoppage, restart, and the like. In the present embodiment, the service management service 114 is depicted in FIG. 1 as being inherent in the MFP 1100, but is present in the computer terminal 1121 connected to the outside of the MFP 1100 via the network 1110. May be. Note that the service management service 114 is configured as a Web service compatible with XML-SOAP as with other services.

  Further, the MFP 1100 has a print service 110, a scan service 111, a storage service 112, and a FAX service 113. These are Web services compatible with XML-SOAP, and the Web services can be stopped, restarted, deleted, and reinstalled via the service management service 114. New Web services can be added, started, stopped, and deleted.

  The XML script processing unit 104, which is a lower layer of the arbitration service 103, has a function of accessing the memory (HDD 1104) via the memory device control unit 105. The memory device control unit 105 writes data to the memory (HDD 1104) storing the Web service, information related to the authentication / authorization service for the Web service, and the XML script 106 describing the processing procedure, and the memory (HDD 1104). Controls reading of data from.

  The XML script 106 is automatically registered together with the web service implementation module when the administrator installs the web service using the service management service 114. The XML script 106 describes Web service management information (stopped, running, etc.), and is checked when the user uses the Web service. When the administrator deletes the Web service using the service management service 114, the XML script 106 is automatically deleted.

  Note that the administrator can associate the same Web service with another authentication / authorization service by rewriting the description content of the XML script 106. In addition, it is possible to flexibly cope with security requirements such as newly associating an authentication / authorization service with a new Web service that functions by combining a plurality of Web services.

  However, in the MFP 1100 according to the present embodiment, if the XML script 106 does not exist on the memory (HDD 1104), none of the Web services running on the MFP 1100 can be executed.

  The system administrator can also install the Web service via the network 1110. In this case, the system administrator executes Web service installation processing on the computer terminal 1121 on which the above-described service management service 114 operates. The service management service 114 performs Web service installation processing and XML script 106 registration processing according to a service management processing flow described later. As a result, the XML script 106 is stored in the memory (HDD 1104) controlled by the memory device control unit 105.

  The MFP 1100 according to the present embodiment includes the following XML-SOAP RPC (Remote Procedure Call) in order to register, delete, validate, and invalidate the XML script 106. As a result, the XML script processing unit 104 can register and delete the XML script 106, and enable and disable the XML script 106. Specifically, when sending and registering the XML script 106 to the MFP 1100, UploadScript (scriptName, account, password) that is a SOAP function is used.

  Here, since the MFP 1100 has a configuration in which a plurality of XML scripts 106 can be registered, the scriptName is used as identification information thereof. In the present embodiment, an ASCII character string of up to 32 characters can be used. However, an ASCII character string of up to 32 characters is used for both account and password. It is assumed that such identification information is registered in advance in the MFP 1100, and the information is recorded on a memory (HDD 1104) managed by the memory device control unit 105, and is configured so that only the system administrator can know it. It shall be. An XML script 106 that is XML data is transmitted to the MFP 1100 in the form of an attached file of a SOAP request describing the SOAP function.

  Further, when deleting the XML script 106 registered in the MFP 1100, DeleteScript (scriptName, account, password) which is a SOAP function is used. In this case as well, only the system administrator who can know the account and password information can delete the XML script 106 registered in the memory (HDD 1104) of the MFP 1100. In the MFP 1100, since a plurality of XML scripts 106 can be registered, the XML script 106 to be deleted is designated by scriptName.

  In order to validate the XML script 106 specified by scriptName for a plurality of XML scripts 106 registered in the MFP 1100, EnableScript (scriptName, account, password) which is a SOAP function is used. Also here, only the system administrator who can know the account and password information can designate and validate the XML script 106 registered in the memory (HDD 1104) of the MFP 1100.

  Further, DisableScript (scriptName, account, password), which is a SOAP function, is used to invalidate the XML script 106 specified by scriptName for a plurality of XML scripts 106 registered in the MFP 1100. Also here, only the system administrator who can know the account and password information can designate and invalidate the XML script 106 registered in the memory (HDD 1104) of the MFP 1100.

<Registration, deletion, validation, and invalidation processing of XML script>
Next, the flow of registration, deletion, validation, and invalidation processing of the XML script 106 will be described with reference to FIG. FIG. 2 is a flowchart showing the flow of registration, deletion, validation, and invalidation processing of the XML script 106 in the MFP 1100 according to the present embodiment.

  2 is assumed to be transmitted to the MFP 1100 by the computer terminal 1121 which is an external device (that is, the service management service 114 is in the computer terminal 1121 here). As described).

  As shown in FIG. 2, first, the XML script processing unit 104 configuring the arbitration service 103 determines whether or not an UploadScript that is a SOAP request has been received via the SOAP processing unit 102 (step S <b> 201). If it is determined that UploadScript as a SOAP request has been received, the XML script processing unit 104 uses the memory (HDD 1404) via the memory device control unit 105 to check the contents of the arguments account and password. It is determined whether or not it matches the information recorded above (hereinafter referred to as account information) (step S202).

  If it is determined that the account information does not match (in the case of “no” in Step S202), the XML script processing unit 104 returns an error response message to the computer terminal 1121 via the SOAP processing unit 102 (Step S202). S203). On the other hand, when it is determined that the account information matches (in the case of “yes” in step S202), the XML script processing unit 104 determines whether or not the XML script 106 having the same scriptName has already been registered. (Step S204).

  If it is determined that it has already been registered (in the case of “yes” in step S204), the XML script processing unit 104 returns an error response message to the computer terminal 1121 via the SOAP processing unit 102 (step S204). S203), the process returns to step S201 in FIG. In this case, the system administrator cannot register an XML script having the same scriptName unless the already registered XML script is deleted using DeleteScript.

  When it is determined that there is no registered XML script (in the case of “no” in step S204), the XML script processing unit 104 transmits the XML script transmitted in the form of the attached file of the SOAP request. Recording is performed on the memory (HDD 1104) via the memory device control unit 105 (step S205).

  If it is determined in step S201 that UploadScript, which is a SOAP request, has not been received (in the case of “no” in step S201), the XML script processing unit 104 sends a SOAP request via the SOAP processing unit 102. It is determined whether or not DeleteScript is received (step S206). Here, when it is determined that DeleteScript which is a SOAP request has been received (in the case of “yes” in step S206), the XML script processing unit 104 checks the contents of the account and password as arguments. It is determined whether or not it matches the account information recorded on the memory (HDD 1104) via the memory device control unit 105 (step S207).

  If it is determined in step S207 that the account information does not match, the XML script processing unit 104 returns an error response message to the computer terminal 1121 via the SOAP processing unit 102 (step S208). If it is determined that the account information matches (if “yes” in step S207), the XML script processing unit 104 determines whether an XML script having the same scriptName has already been registered (step S209). ).

  In step S209, if the XML script having the specified scriptName is not recorded on the memory (HDD 1104) (if not registered) (in the case of “no” in step S209), the XML script processing unit 104. Returns an error response message to the computer terminal 1121 via the SOAP processing unit 102 (step S208). If an XML script having the designated scriptName is recorded on the memory (HDD 1104) (if registered) (if “yes” in step S209), the XML script processing unit 104 Then, the XML script recorded on the memory (HDD 1104) is deleted via the memory device control unit 105 (step S210).

  If it is determined in step S206 that DeleteScript that is a SOAP request has not been received, the XML script processing unit 104 determines whether or not EnableScript that is a SOAP request has been received via the SOAP processing unit 102. (Step S211). Here, when it is determined that EnableScript, which is a SOAP request, has been received (in the case of “yes” in step S211), the XML script processing unit 104 checks the contents of the accounts and passwords as arguments. It is determined whether or not it matches the account information recorded on the memory (HDD 1104) via the memory device control unit 105 (step S212).

  If it is determined in step S212 that the account information does not match, the XML script processing unit 104 returns an error response message to the computer terminal 1121 via the SOAP processing unit 102 (step S213). If it is determined that the account information matches (if “yes” in step S212), the XML script processing unit 104 determines whether or not an XML script having the designated scriptName has been registered (step S212). S214).

  In step S214, if an XML script having the specified scriptName is not recorded on the memory (HDD 1104) (if not registered) (in the case of “no” in step S214), the XML script processing unit 104. Returns an error response message to the computer terminal 1121 via the SOAP processing unit 102 (step S213). If an XML script having the specified scriptName is recorded on the memory (HDD 1104) (if registered) (if “yes” in step S214), the XML script processing unit 104 Then, the XML script having the designated scriptName is validated (step S215), and the arbitration service 103 refers to the XML script thereafter.

  On the other hand, if it is determined in step S211 that EnableScript that is a SOAP request has not been received, the XML script processing unit 104 determines whether or not DisableScript that is a SOAP request has been received via the SOAP processing unit 102. (Step S216).

  If it is determined that DisableScript, which is a SOAP request, has been received, the XML script processing unit 104 checks the contents of arguments, account and password, on the memory (HDD 1104) via the memory device control unit 105. It is determined whether or not it matches the account information recorded in (step S217).

  If it is determined in step S217 that the account information does not match, the XML script processing unit 104 returns an error response message via the SOAP processing unit 102 (step S220). If it is determined that the account information matches, the XML script processing unit 104 determines whether or not an XML script having the designated scriptName has been registered (step S218).

  In step S218, when the XML script having the specified scriptName is not recorded on the memory (HDD 1104) (not registered), the XML script processing unit 104 sends an error response message via the SOAP processing unit 102. Is returned (step S220).

  If an XML script having the designated scriptName is recorded on the memory (HDD 1104) (if registered), the XML script processing unit 104 invalidates the XML script having the designated scriptName. (Step S219), the arbitration service 103 refers to the XML script thereafter.

  The above processing is processing when an XML script management command is issued from the service management service 114 in response to an instruction related to the Web service to the MFP 1100.

<Flow of processing in service management service 114>
Next, a service management processing flow by the system administrator will be described with reference to FIG. In the present embodiment, it is assumed that the service management service 114 is implemented as a Web service management screen in the system management screen in the computer terminal 1121. The system administrator executes the service management service 114 from the Web service management screen of the MFP 1100 and performs a series of management operations such as registration (installation), deletion (uninstallation), validation, and invalidation of the web service.

  Incidentally, Web service management operations are configured in a SOAP envelope format. In the SOAP command, a type of operation action and a security token related to the authentication authority of the command issuer are stored in the SOAP header part. In addition, when adding a Web service, an XML script describing the location information of the authentication service required by the Web service is attached to the SOAP body part.

  FIG. 12 starts when the system administrator appropriately performs user authentication on the Web service management screen described above, is given authority as an administrator, and designates a management operation for the Web service. In step S1201, it is determined whether or not the operator has the right management authority as a result of the user authentication performed before performing the management operation of the designated Web service. This determination is made using the security token in the SOAP header.

  If it is determined in step S1201 that the user does not have an appropriate management authority, an authentication error response is returned, and the screen again transitions to a screen requesting user authentication (step S1202). On the other hand, when it is determined that the user has an appropriate operation authority, a management operation for the Web service is accepted.

  Next, it is determined whether the type of management operation and the XML script are correctly included as information necessary for the SOAP command form (step S1203). If the SOAP command does not form an appropriate form, such as when the SOAP command is an addition of a Web service but the XML script is not included, a command error response is generated as a SOAP response (step S1204). .

  If the SOAP command is correctly configured, it is determined in step S1205 whether the action type of the SOAP command is addition of a web service. In the case of adding a Web service, it is determined in step S1206 whether an XML script is attached to the SOPA envelope. The XML script is a MAPPING TABLE that associates the location of the Web service to be added and the authentication / authorization service required by the Web service. If this MAPPING TABLE does not exist in the process of adding the Web service, the Web service is added. However, this cannot be used. Therefore, the presence or absence of the XML script is determined in step S1206.

  If there is an XML script, in step S1207, the SOAP envelope is parsed to extract the XML script in the SOAP body part. Next, in step S1208, an UploadScript command is issued to the XML script processing unit 104. Note that the SOAP envelope parsing and the form confirmation sequence are performed in the SOAP processing unit 102 of FIG. On the other hand, if there is no XML script, an error response is made (step S1209).

  If it is determined in step S1205 that the action field of the SOAP command is not addition of a web service, it is determined in the determination sequence in step S1210 whether the web service is to be resumed. If the Web service is to be resumed, the process proceeds to step S1211, and an EnableScript command is issued to the XML script processing unit 4.

  If it is determined in step S1210 that the action field of the SOAP command is not resuming the web service, it is determined in the determination sequence in step S1212 whether the web service is to be stopped (invalidated). If the Web service is stopped, the process proceeds to step S1213, and a DisableScript command is issued to the XML script processing unit 104.

  If the action field of the SOAP command is not stop (invalidation) of the Web service in step S1214, it is determined in the determination sequence of step S1212 whether the Web service is to be deleted (uninstalled). If the Web service is to be deleted, the process proceeds to step S1215, and a DeleteScript command is issued to the XML script processing unit 104.

  If the action field of the SOAP command is not Web service deletion in step S1214, a command error is returned because the action is not a scheduled management operation but an unscheduled action (step S1204).

  The commands issued in FIG. 12, that is, UploadScript, EnableScript, DisableScript, DeleteScript, are issued by the SOAP processing unit 102, processed by the XML script processing unit 104, and registered, deleted, and updated according to the type of action. The

<Processing of each unit when a SOAP request for a Web service is received>
Next, processing of each unit when the MFP 1100 according to the present embodiment receives a SOAP request for a Web service from the computer terminal 1121 will be described. First, an outline of the process will be described. FIG. 10 is a conceptual diagram illustrating a processing flow in the MFP 1100 when a SOAP request for a Web service is received.

  As shown in the figure, when the ENTRANCE 1001 receives a SOAP request for a Web service from the computer terminal 1121, the service name and authentication information of the request destination are notified to the ARBITRATOR 1002. The ENTRANCE 1001 corresponds to the SOAP processing unit 102 in FIG. 1, and FIG. 3A is a flowchart showing the control flow. Also, the ARBITRATOR 1002 corresponds to the arbitration service 103 in FIG. 1, and FIG. 3B is a flowchart showing the control flow.

  The ARBITRATOR 1002 refers to the MAPPING TABLE 1005 and acquires information related to the authentication and authorization service associated with the requested Web service. Note that the MAPPING TABLE 1005 corresponds to the XML script 106 in FIG.

  The ARBITRATOR 1002 notifies the corresponding AUTHENTICATION / AUTHORIZATION SERVICE 1003 of the authentication information received from the ENTRANCE 1001 based on the acquired authentication and authorization information. The AUTHENTICATION / AUTHORIZATION SERVICE 1003 corresponds to the authentication / authorization service 107, 108, 109, 115 in FIG. 1, and FIG. 3C is a flowchart showing the control flow.

  The result of the authentication / authorization processing in the AUTHENTICATION / AUTHORIZATION SERVICE 1003 is returned to the ARBITRATOR 1002, and the ARBITRATOR 1002 transmits whether or not the Web service can be executed or access restriction information to the ENTRANANCE 1001 based on the processing result.

  On the basis of the transmission content from the ARBITRATOR 1002, the ENTRANCE 1001 calls the requested SERVICE 1004 or notifies the computer terminal 1121 that is the request issuer that the execution of the Web service has been rejected. Note that the SERVICE 1004 corresponds to each of the Web services in FIG. 1, ie, the print service 110, the scan service 111, the storage service 112, and the FAX service 113, and FIG. 3D is a flowchart showing the control flow. Hereinafter, the flow of control of each unit will be described in detail according to these flowcharts.

  As shown in FIG. 3A, while the MFP 1100 is operating, the SOAP processing unit 102 constantly monitors the reception of the SOAP request for the Web service transmitted from the external computer terminal 1121 via the TCP / IP / UDP protocol stack 101 (step When the reception of the SOAP request for the Web service is confirmed (in the case of “yes” in step S301A), the header part of the received SOAP request is transmitted to the arbitration service 103 (step S302A).

  As shown in FIG. 3B, the arbitration service 103 constantly monitors the reception of the header part of the SOAP request (step S301B), and receives the SOAP request header part from the SOAP processing unit 102 (“yes” in step S301B). ), The arbitration service 103 parses the description content of the header part of the SOAP request (step S302B).

  Here, FIG. 4 shows an example of description contents of the header part of the SOAP request. As shown in the figure, the header portion of the SOAP request is based on a WSAddressing specification that is jointly developed by Microsoft, BEA, IBM, etc. (for example, http://schemas.xmlsoap.org/ws/2003/03/ address / reference), and the service name of the Web service to be requested is described as the content of the <ACTION> tag. Also, authentication information is described as the content of the <UsernameToken> tag based on the WS-Security UsernameToken Profile 1.0 specification formulated by the standardization organization OASIS.

  The arbitration service 103 parses the header part of the SOAP request, and first checks the presence / absence of the <ACTION> tag and its contents (step S303B). If the <ACTION> tag is not described, or if the <ACTION> tag exists but the content does not exist, that is, if it is an empty tag (in the case of “no” in step S303B), it is an illegal request. The arbitration service 103 notifies the SOAP processing unit 102 of an error (step S304B).

  On the other hand, when the content of the <ACTION> tag exists (in the case of “yes” in step S303B), the arbitration service 103 reads the XML script 106 previously enabled by EnableScript via the memory device control unit 105, and It is searched whether or not the Web service described as the content of the <ACTION> tag is described in the XML script 106 (step S305B). If no registration corresponding to the Web service described in the <ACTION> tag is found as a result of the search (in the case of “no” in step S306B), the SOAP processing unit 102 determines that the request is invalid and notifies an error. (Step S307B).

  On the other hand, as a result of the search, if registration corresponding to the Web service described in the <ACTION> tag is found (in the case of “yes” in step S306B), the registration is continued to be associated with the specified Web service. The presence / absence of information related to the authentication and authorization service is searched (step S308B). As a result of the search, if information related to the authentication and authorization service associated with the Web service specified in the XML script is not found (in the case of “no” in step S308B), authentication processing and authorization processing for the Web service Is determined to be unnecessary, and the arbitration service 103 notifies execution permission (step S309B).

  On the other hand, as a result of the search, if information related to the authentication and authorization service associated with the Web service specified in the XML script is found (in the case of “yes” in step S308B), it is described in the XML script 106. The credential information, in this case UsernameToken information, is notified to the URL that has been sent (step S310B). As a communication protocol with the authentication and authorization service (107 to 109), in this embodiment, SAML (Security Assession Markup Language) 1.1 formulated by the standardization organization OASIS is used.

  As shown in FIG. 3C, in step S301C, the authentication / authorization service (any one of 107 to 109) that has received the credential information from the arbitration service 103 parses the description content of the SOAP request (step S302C), and UsernameToken information. , And performs authentication and authorization processing based on the information (step S303C), generates a SOAP request in accordance with SAML (Security Assession Markup Language) 1.1 based on the processing result, and arbitration service 103 Is replied to (step S304C). After completion of the reply process, the authentication / authorization service (107 to 109) shifts to waiting for reception of credential information from the arbitration service 103 (step S301C).

  Returning to FIG. 3B again. In step S311B, waiting for reception of the authentication result from the authentication / authorization service, the arbitration service 103 that has received the authentication result checks whether or not the XML script 106 continues to describe the calling procedure of the authentication / authorization service. (Step S312B) If there is a description, the processes from Step S310B to Step S312B are repeated.

  On the other hand, when the description of the XML script 106 has been completed (in the case of “no” in step S312B), the arbitration service 103 returns the authentication result to the SOAP processing unit 102 (step S313B). After the reply process is completed, the arbitration service 103 shifts to a state waiting for reception of a SOAP header from the SOAP processing unit 102 (step S301B).

  In this way, the arbitration service 103 executes a call to the authentication / authorization service (any one of 107 to 109) associated with the Web service designated to be executed from the computer terminal 1121 in accordance with the description of the XML script 106. Different authentication and authorization services can be implemented depending on the description content of the XML script 106. Therefore, the description content of the XML script 106 will be briefly described here.

  In the XML script 106, a file name for identifying the XML script is described in the attribute name of the <xmlscript> tag. The file name is set by the scriptName specified by the UploadScript function described above. As a child tag of the <mapping> tag, information related to the target Web service is described in the URL format. <Service> tag, and information related to the authentication and authorization service associated with the Web service is described in the URL format < An AuthService> tag is defined.

  FIG. 5 shows a specific example of the XML script. In the case of the XML script shown in the figure, the file name is “Sample1”, the authentication / authority service A (107) for the print service 110, and the authentication service B (108) for the scan service 111. , The authority service B (109) is described in association with the storage service 112, and the authentication / authorization service C (115) is described in association with the FAX service 113, whereby the arbitration service 103 is associated with each Web service. In contrast, different authentication and authorization services will be implemented. As a result, different authentication and authorization processing can be performed, for example, password authentication for the print service 110, PIN code authentication for the scan service 111, and IC card authentication for the FAX service 113.

  Further, according to the XML script as shown in FIG. 6, it is possible to execute different authentication and authorization processing for the same print service 110. The ad hoc print service (501) defined here is a Web service that provides a simple print function to the computer terminal 1121 connected to the network 1110, and is authenticated by the authentication / authority service A (107) installed in the MFP 1100. Execute the authorization process. In addition, the Web service defined as the charging print service (502) is subjected to authentication and authorization processing by the authentication / authorization service C (115) operating outside the MFP 1100 via the network 1110. .

  By describing in this way, for example, the authentication / authorization service A (107) is a simple authentication and authorization service using a department code, and the authentication / authorization service C (114) is a credit card number, a password, and a runtime. If it is an authentication / authorization service with a high secure level using a password, both can be used properly.

  Further, when the scan service 111 and the storage service 112 that function independently are combined to provide a scan-storage service that is a new Web service, as shown in FIG. 112 is associated with authentication / authorization service A (107) and authentication service B (108), respectively, and scan / storage service, which is a new Web service, is associated with authentication / authorization service C (115). be able to.

  The XML script shown in FIG. 8 is associated with the authentication / authorization service A (107) for both the print service 110 and the scan service 111, and both Web services are based on a database managed by the authentication / authorization service C (115). Therefore, the user who uses both Web services is authenticated and authorized based on the same credential information (that is, single sign-on is executed for the print service 110 and the scan service 111). Be possible).

  The XML script shown in FIG. 9 describes the authentication service B (108) and the authority service B (109) for the print service 110 and associates them. In this case, the arbitration service 103 is included in the XML script. Call each authentication and authorization service in the order described. Therefore, authentication processing is performed by the authentication service B (108), and the authority information is given by notifying the assertion given by the authentication service (108) to the authority service B (109) as the next processing. It becomes possible to receive. In other words, when it is necessary to execute authentication processing in multiple ways, or when it is necessary to separate authentication processing and authority processing and change the combination depending on the use case, an XML script as shown in FIG. Will be described and registered.

  In this embodiment, it is possible to register a plurality of XML scripts shown in the above example, and the association process between the Web service and the authentication / authorization service is performed in accordance with the description of the XML script specified by EnableScript. The Therefore, it is possible to change or update the authentication / authorization process to be executed according to the use case only by changing the description of the XML script.

  Returning to FIG. 3A again. As shown in the figure, the SOAP processing unit 102 that has received the processing result from the arbitration service 103 (step S303A) analyzes the processing result (step S304A), and if the authentication result is NG (in step S304A). In the case of “no”, a SOAP Fault is returned as an unauthorized request to the computer terminal 1121 (step S305A).

  On the other hand, if the authentication result is OK (in the case of “yes” in step S304A), the service attribute information described in the SOAP body part is parsed (step S306A), and the corresponding Web service (any of 110 to 113) is parsed. ), And notifies the Web service of the attribute information and requests execution of the Web service (step S307A).

  As shown in FIG. 3D, the web service (any one of 110 to 113) that has received the web service execution request from the SOAP processing unit 102 executes the web service process based on the notified attribute information (step S302D). The processing result is returned to the SOAP processing unit 102 (step S303D). After returning the processing result, the Web service shifts to waiting for reception of a Web service execution request from the SOAP processing unit 102 (step S301D).

  Returning to FIG. 3A again. The SOAP processing unit 102 that has received the processing result from the Web service (step S308A) generates a SOAP response based on the processing result (step S309A). At this time, if additional information such as assertion information has been received via the arbitration service 103 to be sent back to the computer terminal 1121 from the authentication / authorization service, the information is described in the SOAP header. When the generation of the SOAP response is completed, the SOAP processing unit 102 returns a SOAP response to the computer terminal 1121 (step S310A). After returning the SOAP response, the SOAP processing unit 102 shifts to waiting for reception of a SOAP request from the computer terminal 1121 (step S301A).

  By repeating the above series of processes, it is possible to perform authentication and authorization processing for the requested Web service.

  As is clear from the above description, according to the information processing apparatus based on the Web service according to the present embodiment, when installing the Web service, the service management service 114 installs the Web service mounting module in the information processing apparatus. At the same time, the XML script (MAPPING TABLE) describing the location information corresponding to the authentication service is notified to the XML script processing unit 104, and the XML script processing unit 104 receives the XML script and automatically updates the XML script. Therefore, the system administrator does not need to explicitly manually associate the authentication service corresponding to the installation operation of the Web service, so that the management cost can be kept low.

  In addition to installing a web service, a series of management operations such as deleting, stopping, and restarting a web service can be easily and centrally realized in the remote environment by the service management service 114. There is an effect that the management cost can be reduced.

  In addition, since the MAPPING TABLE is automatically updated by the system administrator as services are added / deleted, reflection of new service addition / deletion information is not delayed, and the optimal security system is set at the optimal timing. This can also be used to prevent damage caused by unauthorized use.

[Other Embodiments]
Note that the present invention can be applied to a system including a plurality of devices (for example, a host computer, an interface device, a reader, and a printer), and a device (for example, a copying machine and a facsimile device) including a single device. You may apply to.

  Another object of the present invention is to supply a storage medium storing software program codes for implementing the functions of the above-described embodiments to a system or apparatus, and the computer (or CPU or MPU) of the system or apparatus stores the storage medium. Needless to say, this can also be achieved by reading and executing the program code stored in the.

  In this case, the program code itself read from the storage medium realizes the functions of the above-described embodiments, and the storage medium storing the program code constitutes the present invention.

  As a storage medium for supplying the program code, for example, a floppy (registered trademark) disk, hard disk, optical disk, magneto-optical disk, CD-ROM, CD-R, magnetic tape, nonvolatile memory card, ROM, or the like is used. be able to.

  Further, by executing the program code read by the computer, not only the functions of the above-described embodiments are realized, but also an OS (operating system) operating on the computer based on the instruction of the program code. It goes without saying that a case where the function of the above-described embodiment is realized by performing part or all of the actual processing and the processing is included.

  Further, after the program code read from the storage medium is written into a memory provided in a function expansion board inserted into the computer or a function expansion unit connected to the computer, the function expansion is performed based on the instruction of the program code. It goes without saying that the CPU or the like provided in the board or the function expansion unit performs part or all of the actual processing, and the functions of the above-described embodiments are realized by the processing.

2 is a block diagram illustrating a functional configuration of the MFP according to the embodiment of the present invention. FIG. 6 is a flowchart showing a flow of XML script registration, deletion, and validation processing in the MFP according to the embodiment of the present invention. It is a figure which shows the control flow of a SOAP process part. It is a figure which shows the control flow of mediation service. It is a figure which shows the control flow of an authentication and authorization service. It is a figure which shows the control flow of Web service. It is a figure which shows an example of the description content of the header part of a SOAP request. It is a figure which shows the example of a description of an XML script. It is a figure which shows the example of a description of an XML script. It is a figure which shows the example of a description of an XML script. It is a figure which shows the example of a description of an XML script. It is a figure which shows the example of a description of an XML script. FIG. 6 is a conceptual diagram illustrating a processing flow in an MFP when a SOAP request for a Web service is received. 1 is a diagram illustrating an overall configuration of an information processing system including an MFP according to an embodiment of the present invention. It is a figure explaining the service management flow by a system administrator.

Explanation of symbols

101 TCP / IP / UDP protocol stack processing unit 102 SOAP processing unit 103 Arbitration service 104 XML script processing unit 105 Memory device control unit 106 XML script 107 Authentication / authority service A
108 Authentication service B
109 Authority service B
110 Print Service 111 Scan Service 112 Storage Service 113 FAX Service 114 Service Management Service 115 Authentication / Authorization Service C
1101 Communication device 1102 CPU
1103 Memory 1104 HDD
1105 Printer 1106 Scanner 1107 Image Processing Device 1100 MFP
1110 Network 1121 Computer terminal

Claims (9)

Storage means for storing predetermined information in which associations between a plurality of services and a plurality of authentication processing means for executing authentication processing of service requesters are described;
Service request accepting means for accepting a service request including identification information for identifying any of the plurality of services and attribute information indicating processing to be executed by the service from a service request source;
Selecting means for selecting an authentication processing means corresponding to a service identified by the identification information included in the service request based on predetermined information stored in the storage means;
An instruction means for instructing a service,
When the service request accepting unit accepts the service request, the service request accepting unit notifies the selection unit of the identification information included in the service request while holding the attribute information included in the service request. Requesting the service identified by the identification information included in the service request to execute the process indicated by the held attribute information when the service request source is authenticated by the authentication processing means selected by
The storage means, when an instruction about a service is given by the instruction means, the association between the service for which the instruction has been given and the authentication processing means corresponding to the service for which the instruction has been given. An information processing apparatus configured to update information.   When a new service is added based on an instruction given by the instruction unit, the storage unit associates the added service with an authentication processing unit corresponding to the added service. The information processing apparatus according to claim 1, wherein the information processing apparatus is newly added to the predetermined information.   When the service is deleted based on an instruction made by the instruction unit, the storage unit associates the service to be deleted with an authentication processing unit corresponding to the service to be deleted. The information processing apparatus according to claim 1, wherein the information processing apparatus is deleted from predetermined information.   When the process indicated by the attribute information by the service can be executed based on the instruction given by the instruction means, the storage means rewrites the predetermined information about the service that can be executed. The information processing apparatus according to claim 1.   If the execution of the process indicated by the attribute information by the service becomes impossible based on the instruction given by the instruction means, the storage means stores the predetermined information about the service that cannot be executed. The information processing apparatus according to claim 1, wherein the information processing apparatus is rewritten. An information processing system comprising a first information processing device and a second information processing device connected to be communicable with the first information processing device,
The first information processing apparatus includes:
Storage means for storing predetermined information in which associations between a plurality of services and a plurality of authentication processing means for executing authentication processing of service requesters are described;
Service request accepting means for accepting a service request including identification information for identifying any of the plurality of services and attribute information indicating processing to be executed by the service from a service request source;
Selecting means for selecting an authentication processing means corresponding to a service identified by the identification information included in the service request based on predetermined information stored in the storage means;
When the service request accepting unit accepts the service request, the service request accepting unit notifies the selection unit of the identification information included in the service request while holding the attribute information included in the service request. Requesting the service identified by the identification information included in the service request to execute the process indicated by the held attribute information when the service request source is authenticated by the authentication processing means selected by
The second information processing apparatus
An instruction means for instructing services is provided.
The storage means, when an instruction about a service is given by the instruction means, the association between the service for which the instruction has been given and the authentication processing means corresponding to the service for which the instruction has been given. An information processing system configured to update information. An information processing method in an information processing apparatus,
A storage step of storing, in the storage unit, predetermined information in which associations between a plurality of services and a plurality of authentication processing units that perform authentication processing of a service request source are described;
A service request accepting step of accepting, via a service request accepting unit, a service request including identification information for identifying any of the plurality of services and attribute information indicating processing to be executed by the service from a service request source;
A selection step in which a selection unit selects an authentication processing unit corresponding to a service identified by the identification information included in the service request based on predetermined information stored in the storage unit;
An instructing step for instructing a service,
In the service request receiving step, when the service request is received, the selection information is notified to the selection unit while holding the attribute information included in the service request, and the selection unit Requesting the service identified by the identification information included in the service request to execute the process indicated by the held attribute information when the service request source is authenticated by the authentication processing means selected by
In the storage step, when an instruction regarding a service is given in the instruction step, the predetermined processing is performed for associating the service for which the instruction has been given with the authentication processing unit corresponding to the service for which the instruction has been given. An information processing method characterized by updating information.   A storage medium storing a control program for causing a computer to execute the information processing method according to claim 7.   A control program for causing a computer to execute the information processing method according to claim 7.

Images