JP4858945B2 - System access method and network system - Google Patents

Description

  The present invention relates to a method for accessing a system and a network system, and more particularly, to a method and a network system for accessing a system that simplifies the trouble of one user logging in using a plurality of terminal devices.

Patent Document 1 creates authentication data when a terminal device accesses one server device and receives authentication, and when the terminal device continues to access another system, the authentication data is used to access another system. Discloses a single sign-on authentication method for judging the legitimacy of login.
JP 2004-334395 A

  In a medical information system, a user may perform medical care while operating a plurality of client PCs. For example, it is a case where diagnosis is performed by referring to the image observation apparatus while operating the electronic medical record terminal. This is because the required specifications (color / monochrome, resolution) of each client PC are different. In this case, since the single sign-on authentication method of Patent Document 1 is based on the premise that one client accesses a plurality of information systems, when logging in using a plurality of clients, There was a problem that it could not be applied.

  The present invention has been made in view of such circumstances, and provides a method and a network system for accessing a system capable of simplifying the trouble when one user logs in using a plurality of terminal devices. The purpose is to provide.

  In order to achieve the above object, according to the present invention, when one user logs in to the network using a plurality of terminal devices connected to the network, the user identification information is input at the first terminal device. And a method for accessing a system that makes it unnecessary to input user identification information again by diverting authentication information performed in the first terminal in the second and subsequent terminal devices when authentication is performed based on the authentication It is.

  Specifically, the present invention is a method for accessing a system that performs control when a user logs in to the network system using a plurality of terminal devices connected to the network system. One of the terminal devices acquires a user identification information indicating the user, and the user logs in to the network system based on the acquired user identification information. Based on authentication information indicating the result of the authentication, performing authentication for permitting or requesting authentication for permitting the user to log in to the network, obtaining the authentication result, A step of logging into the network system from the one terminal device, the authentication information, and an terminal configured from the plurality of terminal devices; A step of associating and storing the group information indicating the device group in the storage means, and another terminal device constituting the terminal device group to which the one terminal device belongs indicates the terminal device group to which the other terminal device belongs. The method includes a step of acquiring authentication information associated with group information, and a step of logging in to the network system from the other terminal device based on the acquired authentication information.

  In addition, a network system according to the present invention includes a plurality of terminal devices operated by one user, at least one server connected to these terminal devices over a network, and predetermined terminal devices in the plurality of terminal devices. Means for authenticating the user and storing the authentication state, and when the state authenticated by the storage means is maintained, the user uses a terminal device different from the predetermined terminal device And means for authenticating using the maintained authentication information.

  The method for accessing the system is made possible by storing the following program according to the present invention in a terminal device, and loading the CPU on the terminal device as appropriate and executing it.

  Specifically, the program according to the present invention is a program for performing control when a user logs in to the network system using a plurality of terminal devices connected to the network system, and the plurality of terminals To perform processing between group information indicating a terminal device group composed of devices and authentication information indicating that the user is permitted to log in to the network system in association with each other. When the terminal device performs a login process to the network system, the storage unit obtains authentication information stored in association with group information indicating a group of terminal devices to which the terminal device belongs. And requesting the terminal based on the acquired authentication information when the authentication information is acquired in response to the request. Based on the step of executing login from the device to the network system, the step of acquiring user identification information indicating the user when the authentication information cannot be acquired in response to the request, and the user identification information Requesting authentication for permitting the user to log in to the network system, obtaining authentication information indicating a result of the authentication, and logging in to the network system based on the authentication information; And causing the computer to execute a request to store the authentication information in the storage means.

  According to the present invention, when one user logs in using a plurality of terminal devices, when authentication is performed in one terminal device, authentication information in the one terminal device is obtained when logging in from another terminal device. Can be used, so that it is possible to simplify the trouble of logging in.

  Hereinafter, a preferred embodiment of a method for accessing a system according to the present invention and a network system will be described in detail with reference to the accompanying drawings.

〔System configuration〕
In the medical information system 1 according to the present invention, a plurality of terminal devices 11A, 11B, and 11C operated by one doctor A, a Web server 20, an application server 30, and an authentication server 40 are connected via a hospital LAN 50. The authentication server 40 may be an authentication server 40 operated and managed by a third party connected via a wide area network (for example, the Internet or a dedicated line) connected to the hospital LAN 50, or directly connected to the hospital LAN 50. The authentication server 40 may be configured.

  The doctor A logs in to the medical information system 1 from the three terminal devices 11A, 11B, and 11C using the same user ID. These three terminal devices 11A, 11B, and 11C are arranged in a range that can be operated by the doctor A at the same time, usually on the desk of the doctor A or around the desk.

  The terminal device 11A includes an operation system program (hereinafter referred to as “OS”) 12A, a terminal agent program (hereinafter referred to as “terminal agent”) 13, and various application programs (hereinafter referred to as “applications”) such as a Web browser and an image display program. 14A. The terminal devices 11B and 11C are the same as the terminal device 11A. The processing contents of the terminal agent 13 will be described later. Since it is desirable that the terminal device for displaying medical images has higher resolution and faster processing speed than other terminal devices, the hardware performance of each terminal device is the purpose of use of the terminal device. May be different.

  The Web server 20 transmits / receives requests and responses to the web application server received from the server OS 21, the access authority management module 22 that manages access authority to the Web server 20, and the terminal devices 11A to 11C, and displays web pages. A Web module 23 that performs transmission and reception is provided.

  The application server 30 is a medical image server, an electronic medical record server, and a pathological examination server, and includes a server OS 31, an access authority management module 32 that manages access authority to the application server 30, a medical image server, an electronic medical record server, and a pathological examination server. A server application 33 for realizing the functions is provided.

  The authentication server 40 includes a server OS 41, an authentication module 42 for performing authentication based on the user ID from the terminal devices 11A to 11C, and a plurality of terminal devices 11A to 11C used simultaneously by one user (for example, a doctor A). The repository 60 storing the user ID for identifying the doctor A, the result of the authentication module 42 authenticating based on the user ID, and the terminal agent 13 are interactively processed to update the repository 60 and the terminal agent 13. And a server agent 61 that transmits response information to the request. As described above, the repository 60 in the present specification and drawings means data stored in association with a terminal device, a user ID for identifying the user, and user authentication information. The structure is not limited to the table structure described below.

  The terminal devices 11A to 11C, the Web server 20, the application server 30, and the authentication server 40 are not shown, but a control unit (CPU) of these computer devices, a memory and magnetic disk as a data storage unit, and an input / output device. A keyboard, a mouse, a monitor, a network adapter for connecting to the in-hospital LAN 50, and a common bus for connecting these components are provided.

  FIG. 2 shows the structure of the repository. FIG. 2A shows a group of a plurality of terminal device groups used by one user, a group ID indicating the group, and a terminal for identifying the terminal device 1, the terminal device 2, and the terminal device 3 belonging to the group. It is a table that associates identification information. The terminal identification information may be any information that can identify which terminal device is connected to the medical information system 1, such as the MAC address, IP address, and name of each terminal device. Each record of the terminal devices 1, 2, and 3 includes a flag record “L / I” indicating that the terminal device is logged in. When the flag record “L / I” is “1”, this indicates that the terminal device is logged in to the medical information system 1. If the flag record is blank, it indicates that the terminal device is not logged in.

  FIG. 2B shows the group ID of FIG. 2A, the user ID indicating the user who uses the terminal device associated with the group ID, and the user is permitted to log in. This is a table that associates authentication information (for example, “TGT1”) indicating this. FIGS. 2A and 2B use a group ID as a primary key and use two normalized tables together to associate and manage a user and a plurality of terminal devices operated by the user. However, the table structure of the repository is not limited to FIGS. 2 (a) and 2 (b). For example, instead of using the group ID, as shown in FIG. 2C, the user ID may be associated with the terminal identification information of the terminal device used by the user indicated by the user ID. In FIG. 2C, the group ID is not explicitly used, but the user ID, the terminal identification information of the terminal devices 1 to 3 and the authentication result are input in one line, and the terminal input in the same line The terminal devices indicating the identification information indicate that they are the same group.

  The “authentication result” records in FIGS. 2B and 2C are authenticated that the user indicated by the user ID is valid to log in to the medical information system 1, and log in to the medical information system 1. In the case of authentication, authentication information (for example, “TGT1”) that is an authentication result of the authentication server 40 is input. After logging in at any of the terminal devices 1 to 3, the authentication information is deleted when all terminal devices in the group to which the terminal device belongs log out. In the present embodiment, description will be made using the repository 60 having the table structure of FIGS.

  Next, a flow of processing for logging in to the medical information system 1 according to the present embodiment will be described based on FIG.

  In S1, the doctor A activates the OS of the terminal device 11A (S1). In S2, the doctor A activates the application of the terminal device 11A (S2).

  In S3, it is determined whether there is authentication information in the group to which the terminal device 11A belongs (S3). The terminal agent 13 transmits terminal identification information for identifying the terminal device 11 </ b> A to the server agent 61 of the authentication server 40. The server agent 61 refers to the repository 60 and searches the group ID associated with the terminal identification information from FIG. 2A based on the received terminal identification information of the terminal device 11A. In FIG. Then, it is referred to whether authentication information is stored in association with the group ID. If the authentication information is stored, the server agent 61 transmits it to the terminal agent 13 and proceeds to S6. If the authentication information is not stored, a reference result indicating that is transmitted to the terminal agent 13, and the process proceeds to S4.

  The case of “NO” is a state where the doctor A is not using any of the terminal devices 11A to 11C and is not logged in to the medical information system 1. In this case, the repository 60 is in a state where the “authentication information” record is “null” like the user ID “hitachi-jirou” in FIG. Therefore, in S4, the terminal agent 13 displays an input screen for inputting a user ID (for example, “hitachi-jirou”) for identifying the user. In the present embodiment, a user ID input field is displayed on the initial screen when the application is activated in S2. The doctor A inputs a user ID for indicating the doctor A.

  In S <b> 5, the terminal agent 13 transmits the input user ID (for example, “hitachi-jiro”) to the authentication server 40. Based on the received user ID, the authentication server 40 authenticates whether or not the user indicated by the user ID is permitted to log in to the medical information system 1. The terminal agent 13 receives the authentication result of the authentication server 40. The received authentication result is transmitted from the terminal agent 13 to the server agent 61, and is written in the authentication information record of the repository 60 by the server agent 61.

  S6 is a case where “YES” is determined in S3, and the doctor A logs in the medical information system 1 using at least one terminal device (for example, the terminal device 11B) of the terminal devices 11A to 11C. State. In this case, in the repository 60, authentication information “TGT1” is input to the “authentication information” record like the user ID “hitachi-tarou” in FIG. Therefore, in S6, the terminal agent 13 sends terminal identification information indicating the terminal device 11A to the server agent 61, and the server agent 61 acquires the group ID to which the terminal device 11A belongs from the table of FIG. . Subsequently, the server agent 61 transmits the authentication information “TGT1” input to the authentication information record associated with the group ID from the table of FIG. The terminal agent 13 logs into the medical information system 1 using the received authentication information “TGT1”. When logging in, the terminal agent 13 transmits information indicating that the user has logged in to the server agent 61. The server agent 61 inputs a flag “1” in the L / I field of the logged-in terminal device.

  When logging in at the third terminal device, S1, S2, and S6 are sequentially executed as in the case of logging in at the second terminal device.

  When logout processing is executed in each of the terminal devices 11A to 11C logged in the medical information system 1, logout information is transmitted from the terminal agent 13 provided in the terminal device that logs out to the server agent 61. The server agent 61 deletes the flag “1” in the L / I field of the repository 60 based on the received logout information, and updates the repository 60. When all the terminal devices 11A to 11C constituting one group log out, the server agent 61 deletes the authentication information associated with the group ID to which the terminal devices 11A to 11C belong, and the repository 60 is updated.

  Accordingly, when the doctor A logs in to the medical information system 1 using the plurality of terminal devices 11A to 11C, if the user ID is input and authenticated only when logging in to the first terminal device, the second and subsequent devices When logging in with a terminal device, there is no need to perform login work (input of a user ID or authentication processing).

  In the above embodiment, the application is started in S2, and this application is started and the user ID of the doctor A is input on the initial screen of the application. However, in the initial screen when the OS is started in S1 You may comprise so that a user ID may be input. In this case, following S1, the processes of S3 to S6 are performed, and the application software is activated after logging in to the medical information system 1 (corresponding to S2). On the initial screen of this application, since the login to the medical information system 1 has already been completed, it is not necessary to input a user ID for logging in to the medical information system 1.

  In the above embodiment, the authentication server 40 includes the server agent 61 and the repository 60. However, as illustrated in FIG. 4, the repository 60 includes all of the terminal devices 11A to 11C, the Web server 20, and the application server 30. Alternatively, it may be implemented in any combination, and the respective repositories 60 may be synchronized. When each of the terminal devices 11A to 11C includes the repository 60, the terminal agent 13 of each of the terminal devices 11A to 11C performs the synchronization process of the repository 60. When the Web server 20, the application server 30, and the authentication server 40 include the repository 60, each server includes a server agent 61, and the server agent 61 performs the synchronization process of the repository 60. The synchronization process may be performed when the repository 60 is updated or every predetermined time. Further, when the OS or application of the terminal device 11A is activated, the terminal agent 13 of the terminal device 11A performs a synchronization process with the repository 60 of the other terminal devices 11B and C or each of the server devices 20, 30, and 40, and the terminal device After referring to the repository 60 of 11A, it is determined whether or not to display the user ID input screen (OS or application initial screen). As shown in FIG. 4, the fault tolerance can be improved by holding the repository 60 in a distributed manner.

  In the above embodiment, the present invention is applied to the medical information system 1. However, the present invention can be applied to the case where one user logs in to one network using a plurality of terminal devices. It can be applied regardless of the type of system such as a control system. For example, one user logs into a dealing system for financial products such as stocks and currencies using a plurality of terminal devices, one terminal device displays real-time price information of financial products, and the other terminal device The present invention can also be applied to a case where real-time price information of a financial product different from that displayed on the terminal device is displayed or a transaction screen of the financial product is displayed.

The conceptual diagram which shows the structure of the medical information system to which this invention is applied Schematic diagram showing repository structure The flowchart which shows the flow of the process of this invention The conceptual diagram which shows the structure of the medical information system which concerns on other embodiment to which this invention is applied.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 ... Medical information system, 11A, 11B, 11C ... Terminal device, 13 ... Terminal agent, 20 ... Web server, 30 ... Application server, 40 ... Authentication server, 50 ... Hospital LAN, 60 ... Repository, 61 ... Server agent

Claims (4)

Authenticating a user logging in to the network;
A plurality of terminal device groups arranged in a range where one of the users can be operated simultaneously, and connected to the network, user identification information for uniquely identifying the user, and the authentication Storing the management data registered in association with the authentication result obtained in the step of storing in each of at least two or more devices connected to the network;
The one user uses the one terminal device belonging to the plurality of terminal device groups, and after obtaining the authentication result indicating the login permission in the authenticating step, the user identification information of the one user When the other terminal device belonging to the plurality of terminal device groups associated with is operated, the management data is referred to, and the authentication result for the one terminal device is used to log in to the network from the other terminal device. Allowing the one terminal device and the other terminal device to log in to the network together,
A method of accessing a system comprising: An authentication means for authenticating a user who logs in to the network;
A plurality of terminal device groups arranged in a range where one of the users can be operated simultaneously, and connected to the network, user identification information for uniquely identifying the user, and the authentication Storage means for storing the management data registered in association with the authentication result by the means,
After the one user uses the one terminal device belonging to the plurality of terminal device groups and obtains the authentication result indicating the login permission from the authentication unit , the user identification information of the one user and When another terminal device belonging to the plurality of associated terminal device groups is operated, the management data is referred to, and an authentication result for the one terminal device is used to log in to the network from the other terminal device. And means for allowing
The storage means is provided in each of at least two or more devices connected to the network,
Both the one terminal device and the other terminal device log in to the network;
A network system characterized by this. The network system is a medical information system that stores and displays at least one of medical images, electronic medical record information, and examination result information.
The network system according to claim 2, wherein the system is a network system. When all terminal devices belonging to the plurality of terminal device groups log out, the management data further comprises means for deleting the authentication result associated with the plurality of terminal device groups.
The network system according to claim 2 or 3, wherein

Images