JP5158648B2 - Network interface apparatus, image forming apparatus, print control method, and print control program - Google Patents

Description

  The present invention relates to an information processing apparatus that generates print data, an image forming apparatus that is communicably connected to an authentication server that performs user authentication, and a network interface apparatus, method, and program provided in the image forming apparatus.

Conventionally, a so-called “pull print (accumulated printing)” printing system that enables print data to be output from a printing apparatus when a user makes a print request to the print data temporarily accumulated on the server from the printing apparatus. Has been proposed.

  As an example of a “pull print (accumulation print)” print system, Patent Document 1 is cited. Patent Document 1 discloses a print control system in which an authentication function is provided in a multifunction machine and security is taken into consideration.

  Patent Document 1 is as follows.

  As shown in FIG. 4 of Patent Document 1, first, the user logs in to a client PC (Personal Computer) 100 ((1) -1). Then, a print instruction is issued from the client PC 100 to the printer ((1) -2). Then, the client PC 100 transmits the generated print data to the print server 200 ((2) -1) and stores it in a predetermined storage location of the print server 200 ((2) -2). At this time, print data is not transmitted to the printing apparatus.

  Next, the client PC 100 generates bibliographic information data of the print data transmitted to the print server 200, transmits the generated bibliographic information data to the print management server 400, and stores it in a predetermined storage location of the print management server 400. ((3) -1). When the bibliographic information data file is stored from the client PC 100, the print management server 400 analyzes the bibliographic information data file and registers the bibliographic information in the bibliographic information DB ((3) -2). Next, when the multifunction device 300 detects the IC card 410 by the card reader, it reads the personal authentication information in the IC card 410 and transmits the read personal authentication information to the print management server 400 as an authentication request ((4 ) -1). When the print management server 400 receives the personal authentication information from the multi-function peripheral 300, the print management server 400 performs authentication processing of the personal authentication information based on the IC card authentication table stored on the external storage device of the print management server 400, and the authentication result. Is returned to the MFP 300 ((4) -2).

  Next, upon receiving an authentication result (login user ID of the client PC 100) indicating that the authentication has succeeded from the print management server 400, the multifunction device 300 transmits a print data list request to the print management server 400 ((5)). -1).

  Note that the print data list request includes the login user ID of the client PC 100. When the print management server 400 receives a print data list request from the multifunction device 300, the print management server 400 searches the bibliographic information DB with the login user ID included in the print data list request, and generates a print data list corresponding to the login user ID. Then, the response is sent back to the multifunction machine 300 ((5) -2). When the MFP 300 receives the print data list from the print management server 400, the MFP 300 displays the print data list on the UI of the operation unit 308. When the user selects print data and gives a print instruction, the multi-function device 300 transmits a print request (output instruction) for the selected print data to the print management server 400 (6).

  When the print management server 400 receives a print data print request (output instruction) from the MFP 300, the bibliographic information of the print data for which the output instruction has been issued, the login user name of the client PC 100, and the print data time stamp as keys. The print server 200 is searched from the bibliographic information DB, the print server 200 storing the corresponding print data is specified from the searched bibliographic information, and a print instruction for the corresponding print data is transmitted to the print server 200 (7). When the print server 200 receives a print instruction from the print management server 400, the print server 200 transmits print data to the multi-function apparatus 300 based on the print instruction and causes the multi-function apparatus 300 to print (8).

According to the above method, the printed matter is output when the user makes a print request from the printing apparatus to the server. Therefore, the printed matter can be prevented from being left for a long time, and the secure print can be performed. A system can be realized.
However, if the authentication server cannot communicate with the authentication server, such as when the authentication server is down, there is a problem that printing cannot be performed because the authentication cannot be performed, and work is delayed.

  In order to solve this problem, a technique disclosed in Patent Document 2 is disclosed.

  In Japanese Patent Laid-Open No. 2004-260688, there is no function for indicating to the user only the jobs that match the user information from the accumulated print data. However, from the printing apparatus by making a print request to the temporarily accumulated print data. 1 is an example of a pull print system that enables output of print data. In this method, when communication with the authentication server is not possible, whether or not the user who requests authentication is the owner of the document to be printed is used by using the authentication information of the printing apparatus itself registered in advance. Perform local authentication.

  As a result, printing can be performed even when communication with the authentication server is not possible.

JP 2006-99714 A JP 2005-173816 A

  However, in the above method, since the printing apparatus has an authentication function in addition to the conventional authentication server, user information is managed in various places. Therefore, when updating user information, it is necessary to update the authentication information of each printing device as well as the information of the authentication server, such as when a plurality of printing devices are installed in the office as in recent years, etc. There is a problem that the update work is very complicated. In addition, it is assumed that authentication is performed somewhere, and there is a problem that when all the authentication servers are down, the business is stagnated.

  SUMMARY OF THE INVENTION An object of the present invention is to provide a mechanism for preventing printing work from being delayed while maintaining high-security printing even when authentication cannot be performed due to, for example, an authentication server going down.

In order to achieve the above-described object, the first invention is a print data storage means for storing print data , an authentication server which is communicably connected to the image forming apparatus and performs user authentication, and performs printing with the image forming apparatus. A network interface device that communicates with an information processing apparatus that transmits print data via a network, the reading object identification information receiving means for receiving reading object identification information by reading the reading object, and the reading object identification A transmission unit that transmits an authentication request including information to the authentication server; a user that stores user information including user identification information obtained in response to the authentication request transmitted by the transmission unit and the reading object identification information in association with each other; and information storage means, a first print data receiving means for receiving print data transmitted from the information processing apparatus, the first First user identification information determination means for determining whether or not the user identification information included in the print data matches the user identification information in the user information storage means when the print data reception means accepts the print data. If, when it is determined that the user identification information matches with the first user identification information determination means an instruction to store the print data received by said first print data receiving means to the print data storage means When the print data storage instructing unit and the first user identification information determining unit determine that the user identification information does not match, the print data received by the first print data receiving unit is printed by the image forming apparatus. In order to do so, a network interface device comprising first output means for outputting.

  With the network interface device according to the first aspect of the present invention, even when authentication cannot be performed due to, for example, an authentication server going down, it is possible to maintain printing with high security and not delay printing operations.

  In the network interface device, the first user identification information determination unit determines whether or not the user identification information matches when communication with the authentication server is not possible.

  The network interface device has user identification information corresponding to the read object identification information in the user information storage means when communication with the authentication server is not possible when the transmission means transmits the read object identification information. If the second user identification information determination means and the second user identification information determination means determine that there is user identification information in the user information storage means, the print data storage means stores the user identification information. A second print data receiving unit that receives print data corresponding to the user identification information to be printed, and a second print data that is output by the image forming apparatus for printing the print data received by the second print data receiving unit. Output means.

  The second print data accepting unit of the network interface apparatus responds to the authentication request transmitted by the transmitting unit when the transmitting unit can communicate with the authentication server when transmitting the reading object identification information. Print data corresponding to the user identification information included in the user information obtained in this way is received from the print data storage means.

  When the network interface device cannot communicate with the authentication server, the first user identification information determination unit determines whether the user identification information matches, and the first print data reception unit accepts it. When the first mode for storing the print data and communication with the authentication server are possible, the first user identification information determination unit does not determine whether or not the user identification information matches. Mode setting means for setting a second mode for storing the print data received by the print data receiving means in the print data storage means.

  The network interface device includes communication determining means for determining whether or not communication with the authentication server is possible, and the mode setting means of the network interface device is configured to perform communication when the communication determination means cannot communicate with the authentication server. The first mode is set, and the second mode is set when the communication determination unit can communicate with the authentication server.

  The network interface device comprises communication confirmation means for confirming whether or not communication with the authentication server is possible at regular intervals, and when the communication confirmation means of the network interface device determines that communication with the authentication server is possible, The mode setting means changes the setting from the first mode to the second mode.

  The user information storage unit of the network interface device stores the user identification information and other user identification information in association with each other, and the second print data reception unit receives the user identification information from the print data storage unit. In addition, print data corresponding to other user identification information associated with the user identification information is received.

According to a second aspect of the present invention, there is provided a print data storage unit that stores print data , an authentication server that is communicably connected to the image forming apparatus and that authenticates a user, and an information processing apparatus that transmits print data to be printed by the image forming apparatus And a network interface device print control method for communicating via a network with a reading object identification information receiving step for receiving reading object identification information by reading the reading object, and an authentication including the reading object identification information A transmission step of transmitting a request to the authentication server; a user instruction including user identification information obtained in response to the authentication request transmitted in the transmission step and the reading object identification information in association with each other; a user information storage instruction step of, first accepting the print data transmitted from the information processing apparatus When print data is received in the print data reception step and the first print data reception step, it is determined whether or not the user identification information included in the print data matches the user identification information in the user information storage unit a first user identification information determination step, when it is determined that the user identification information matches with the first user identification information determination step, the said print data received by said first print data receiving step printing of Accepted in the first print data accepting step when it is judged that the user identification information does not match in the print data storage instructing step for instructing to store in the data storage means and the first user identification information judging step A first output step for outputting the print data for printing by the image forming apparatus. It is a print control method to.

A third invention is a program for causing a network interface device to execute the method of the second invention.
The other invention is an image forming apparatus, a method thereof, and a program for executing the method.

  According to the present invention, it is possible to provide a mechanism for preventing printing work from being delayed while maintaining high-security printing even when authentication cannot be performed due to, for example, an authentication server being down.

The figure which shows an example of a structure of the conventional secure print system 1 is a diagram showing an example of the configuration of a secure print system 1 according to the present invention. The figure which shows the hardware constitutions of LDAP server 200 and client PC300 The figure which shows the hardware constitutions of the printing apparatus 1000 The figure which shows the hardware constitutions of NIC700 1 is a block diagram showing a configuration of a secure print system 1 according to the present invention. The flowchart which shows an example of the print job input processing procedure of the secure print system 1 The flowchart which shows an example of the print job output processing procedure of the secure print system 1 The flowchart which shows an example of the print job output processing procedure of the secure print system 1 The flowchart which shows an example of the print job output processing procedure of the secure print system 1 The flowchart which shows an example of the print job output processing procedure of the secure print system 1 The flowchart which shows an example of the print job output processing procedure of the secure print system 1 The flowchart which shows an example of the detailed procedure of the output process of the secure print system 1 The flowchart which shows an example of the LDAP server monitoring processing procedure of the secure print system 1 The flowchart which shows an example of the user notification processing procedure of the secure print system 1 The figure which shows an example of the setting information 802 The figure which shows the detail of the authentication cache 860 FIG. 10 is a diagram illustrating an example of a message displayed on the printing apparatus 1000. Diagram showing details of job 310 The figure which shows the detail of the printing information management header 311 The figure which shows the detail of the job information 820 The figure which shows the detail of the job list 805 The figure which shows the detail of the execution list 804 The figure which shows the detail of the file system 501 The figure which shows the detail of IC card 410 The figure which shows an example of the user information 210 Figure showing details of the LDAP directory The figure which shows the Example of the secure print system 1 The flowchart which shows an example of the standard print processing procedure of the secure print system 1 The figure which shows the detail of the printing mode 850

  Hereinafter, preferred embodiments of a secure print system according to the present invention will be described in detail with reference to the accompanying drawings.

  FIG. 1 is a diagram illustrating an example of a configuration of a conventional secure print system.

  As shown in FIG. 1, for example, one or a plurality of printing apparatuses 1000 installed at each floor, one or a plurality of client PCs 300 installed at one administrator, one at each user, and installed at each site One or more printer servers 101 and one or more authentication servers 102 installed at each site are connected via a LAN (Local Area Network) 150. Further, the card reader 400 is connected to the printing apparatus 1000 via the USB cable 160.

  The client PC 300 is a PC for setting the printing apparatus 1000. The client PC 300 is a PC equipped with a function capable of communicating with the printing apparatus 1000 via the LAN 150 using, for example, HTTP (Hyper Text Transfer Protocol), TCP / IP (Transmission Control Protocol / Internet Protocol), or the like.

  The client PC 300 is a PC for inputting a print job from the user. When a user generates a print job from an application running on the client PC 300 via a printer driver, the printer driver transmits the print job to the printing apparatus 1000 or the printer server 101 using a print protocol such as LPR (Line Printer Daemon protocol). can do.

  The printer server 101 receives a print job from the client PC 300, analyzes the print job, acquires job information, and accumulates the print job. Also, a print request is received from the printing apparatus 1000, a user job is searched from the stored jobs based on the user name included in the print request, and a print instruction is issued to the printing apparatus 1000 for the found user job. .

  The authentication server 102 is a server for the printing apparatus 1000 to perform user authentication. It has data such as user name, e-mail address, usage authority, etc. associated with the card ID 211. In response to an inquiry from the printing apparatus 1000, the authentication server 102 has a function of returning the presence / absence of a user and user information when there is a user.

  The card reader 400 is connected to the printing apparatus 1000 via the USB cable 160.

  When the IC card 410 (for example, FeliCa (registered trademark) of Sony (registered trademark)) is held over the card reader 400, the card reader 400 reads information in the card and notifies the printing apparatus 1000 via the USB cable 160. .

  In this embodiment, the authentication is performed by holding the IC card over a card reader. However, the authentication may be performed using fingerprints or information on the veins of hands and fingers (biological information). . In this case, it can be realized by replacing the card reader 400 with a reader (non-read object) that reads a read object such as a finger or a hand.

  Next, the secure print system 1 according to the present invention will be described with reference to FIG.

  FIG. 2 is a diagram showing an example of the configuration of the secure print system 1 according to the present invention.

  A secure print system 1 shown in FIG. 2 is connected to a client PC (information processing apparatus) 300, an LDAP (Lightweight Directory Access Protocol) server (authentication server) 200, and a NIC (network interface apparatus) 700 via a LAN 150. A NIC (network interface device) 700 is inserted into the printing apparatus 1000.

  The NIC 700 connects a mass storage (storage unit) 500 and a card reader 400 via a USB cable 160 and a USB hub 600.

  Although the mass storage 500 and the USB hub 600 are externally attached to the printing apparatus 1000 via the NIC 700, they may be built in the printing apparatus 1000. Further, when the NIC 700 has a plurality of USB ports, it is not necessary to go through the USB hub 600, and the card reader 400 and the mass storage 500 are directly connected to the NIC 700.

  The LDAP server 200 performs the role of the authentication server 102 in FIG. 1 and has a function of performing communication using the LDAP protocol. The LDAP server 200 can centrally manage user information in an internal directory. The LDAP server 200 may be composed of one server. Further, the LDAP server 200 may be composed of two servers, a primary server and a secondary server, as will be described later. Further, the LDAP server 200 may be configured by three or more servers. In any case, the fact that the LDAP server 200 is down means that all the servers constituting the LDAP server 200 are down.

  Although the LDAP server 200 is used in FIG. 2, the server is not limited to the LDAP server as long as it can perform authentication.

  The client PC 300 is an information processing apparatus that generates print data.

  The mass storage 500 is hardware having a large capacity file system such as an HDD (Hard Disk Drive) or a flash memory, and is connected to the USB hub 600 via the USB cable 160.

  The mass storage 500 can perform file system control such as file writing, reading, and deletion from the printing apparatus 1000.

  Next, the client PC 300, the LDAP server 200, the printing apparatus 1000, and the NIC 700 will be described with reference to FIGS.

  3 is a diagram illustrating the hardware configuration of the LDAP server 200 and the client PC 300, FIG. 4 is a diagram illustrating the hardware configuration of the printing apparatus 1000, and FIG. 5 is a diagram illustrating the hardware configuration of the NIC 700.

  As shown in FIG. 3, an LDAP server 200 and a client PC 300 are connected via a system bus 2004 to a CPU (Central Processing Unit) 2001, a RAM (Random Access Memory) 2002, a ROM (Read Only Memory) 2003, an input controller 2005, a video. A controller 2006, a memory controller 2007, and a communication I / F controller 2008 are connected.

  The CPU 2001 controls each device and controller connected to the system bus 2004 in an integrated manner.

  The ROM 2003 or the external memory 2011 holds a basic input / output system (BIOS) and an operating system (OS) that are control programs of the CPU 2001, various programs executed by each server or each PC, and the like.

  A RAM 2002 functions as a main memory, work area, and the like for the CPU 2001. The CPU 2001 implements various operations by loading a program necessary for execution of processing from the ROM 2003 or the external memory 2011 to the RAM 2002 and executing the loaded program.

  An input controller 2005 controls input from a pointing device such as a keyboard (KB) 2009 or a mouse (not shown).

  The video controller 2006 controls display on a display device such as a CRT (Cathode Ray Tube) 2010. The display is not limited to the CRT, but may be another display such as a liquid crystal display. These are used by the administrator as needed.

  The memory controller 2007 is a hard disk (HD), flexible disk (FD), or PCMCIA (Personal Computer Memory Card International Association) that stores a boot program, various applications, font data, user files, editing files, various data, and the like. Controls access to an external memory 2011 such as a compact flash (registered trademark) memory connected to the card slot via an adapter.

  The communication I / F controller 2008 connects and communicates with an external device via a network such as the LAN 150, and executes communication control processing on the network. The communication I / F controller 2008 can perform communication using TCP / IP (Transmission Control Protocol / Internet Protocol), for example.

  The CPU 2001 can display on the CRT 2010 by executing outline font rasterization processing on a display information area in the RAM 2002, for example. Further, the CPU 2001 enables a user instruction using a mouse cursor (not shown) on the CRT 2010 or the like.

  Various programs operating on the hardware of the LDAP server 200 and the client PC 300 are recorded in the external memory 2011, loaded into the RAM 2002 as necessary, and executed by the CPU 2001. Definition files and various information tables used when executing the program are stored in the external memory 2011.

  Next, the hardware configuration of the printing apparatus 1000 will be described.

  As shown in FIG. 4, the printing apparatus 1000 includes an input unit 3000, a CPU 3001, an operation unit 3002, a print processing unit 3003, a storage unit 3004, an output unit 3005, a paper cassette 3006, and the like.

  The input unit 3000 connects the printing apparatus and the NIC 700, and controls data communication with the NIC 700.

  A CPU 3001 controls the overall operation of the printing apparatus 1000.

  The operation unit 3002 provides an interface for direct user operation to the printing apparatus 1000.

  A print processing unit 3003 analyzes a command received by the input unit 3000, analyzes print data (PDL), and the like.

  The storage unit 3004 includes a ROM (not shown) for operating the printing apparatus 1000, a RAM (not shown), a secondary storage device (not shown), and the like. The RAM is a data storage area that is not restricted in use, and is used for the reception buffer of the input unit 3000 or the data expansion in the print processing unit 3003.

  The output unit 3005 transfers the print data received by the input unit 3000 into image information that can be printed by the print processing unit 3003 onto paper.

  The paper cassette 3006 supplies appropriate paper in accordance with the processing of the output unit 3005.

  The NIC 700 is a network interface card. The NIC 700 receives data received from another device via the LAN 150 as a window, and passes the data to a program (not shown) in the NIC or the input unit 3000 of the printing apparatus 1000.

  Next, the hardware configuration of the NIC 700 will be described.

  As shown in FIG. 5, the NIC 700 includes a CPU 4001, a RAM 4002, a communication I / F controller 4003, a USB I / F controller 4004, an internal memory 4005, a memory controller 4006, a ROM 4007, a device I / F controller 4008, and the like.

  The CPU 4001 controls the NIC 700 and controls devices connected internally.

  A RAM 4002 functions as a main memory, work area, and the like for the CPU 4001. The CPU 4001 loads a program necessary for execution of processing from the ROM 4007 or the internal memory 4005 to the RAM 4002 and executes the loaded program.

  The communication I / F controller 4003 connects and communicates with an external device via a network such as the LAN 150, and executes communication control processing in the network. For example, communication using a communication protocol such as TCP / IP or UDP (User Datagram Protocol) is possible.

  The USB I / F controller 4004 connects and communicates with the NIC 700 and USB devices such as the card reader 400, the mass storage 500, and the USB hub 600, and executes USB communication control processing.

  The internal memory 4005 includes an OS that controls the NIC 700, and stores application programs that operate on the OS and setting information thereof.

  The memory controller 4006 controls access to the internal memory 4005 that stores various applications, various data, and the like.

  The ROM 4007 is a read-only semiconductor memory and stores a boot program because the contents are not lost even when the power is turned off.

  A device I / F controller 4008 connects and communicates with the NIC 700 and the printing apparatus 1000.

  Next, an overall processing flow of the secure print system 1 will be described with reference to FIGS. 6, 16, 17, 19, 20, 21, 22, 23, 24, 25, 26, 27, and 30.

  6 is a block diagram showing the configuration of the secure print system 1 according to the present invention, FIG. 16 is a diagram showing an example of the setting information 802, FIG. 17 is a diagram showing details of the authentication cache 860, and FIG. FIG. 20 is a diagram illustrating details of the print information management header 311. FIG. 21 is a diagram illustrating details of the job information 820. FIG. 22 is a diagram illustrating details of the job list 805. Is a diagram showing details of the execution list 804, FIG. 24 is a diagram showing details of the file system 501, FIG. 25 is a diagram showing details of the IC card 410, and FIG. 26 is a diagram showing an example of user information 210, FIG. 27 is a diagram showing details of the LDAP directory 201, and FIG. 30 is a diagram showing details of the print mode 850.

  In the secure print system 1, the NIC 700 connected to the LDAP server 200, the client PC 300, and the printing apparatus 1000 is connected via a LAN 150 capable of bidirectional communication. A mass storage 500, a USB hub 600, and a card reader 400 are connected to the NIC 700 via a USB cable 160 capable of USB communication.

  The LDAP server 200 includes an LDAP directory 201, an LDAP function unit 202, an I / F driver unit 190, and the like. The LDAP server 200 can have a redundant configuration, and a plurality of LDAP servers may be installed.

  Since the LDAP server 200 has a role of searching for user information in the system, the LDAP server 200 is not limited to the LDAP server as long as it has a function for storing and searching for user information.

  The LDAP directory 201 stores the data shown in FIG.

  In the LDAP directory 201, one or a plurality of identification codes are arranged under the highest unit Suffix for grouping data groups, and one or a plurality of user information 210 is stored under the identification codes.

Generally, the identification code is constructed by OU (Organization Unit). Active
In Directory (registered trademark), Suffix is a unit called a domain.

  As shown in FIG. 26, the user information 210 has a card ID 211, a user name 212, a password 213, a sub user 1 214, a sub user 2 215, a sub user 3 216, a sub user 4 217, a use restriction 218, and the like.

  As shown in FIG. 25, the card ID 211 registers the ID of the user's IC card 410, and is a unique value in the suffix.

  The user name 212 is the name of the user holding the IC card 410 that matches the card ID 211.

  The password 213 is stored for user identification when performing user authentication.

  The sub-users 1 to 4 214 to 217 have different names from the main user name 212 used by the user, and are user names used when the user acts as a proxy for another user.

  The usage restriction 218 stores restriction information for using the printing apparatus 1000.

  The LDAP function unit 202 performs communication connection, authentication, search, change, addition, deletion, disconnection, and the like according to the LDAP protocol.

  In connection, a logical communication path is secured for the client that issued the connection request.

  In the authentication, the user name that issued the authentication request is searched from the LDAP directory 201, the password is verified, and the authentication result is returned.

  In the search, based on the value received the search request, the corresponding user is searched from the LDAP directory 201 and the matched user information 210 is returned.

  The I / F driver unit 190 connects and communicates with an external device via a network such as the LAN 150, and controls communication according to a communication protocol such as TCP / IP or UDP.

  The client PC 300 includes an application unit 301, a printer driver unit 302, a transmission buffer 303, an I / F driver unit 190, and the like.

  The application unit 301 provides a graphic user interface to the user, and generates image data suitable for the user's purpose.

  The printer driver unit 302 converts the image data generated by the application unit 301 into page description language (PDL) data that can be printed by the printing apparatus 1000. Further, a print information management header 311 including job information such as a job owner 312 and a job name 313 is added to the PDL data, as shown in FIG. 20, and a job 310 shown in FIG. 19 is created.

  The transmission buffer 303 temporarily stores the job 310 created by the printer driver unit 302 and realizes spooling.

  The USB hub 600 includes a USB communication unit 195 and the like. The USB hub 600 relays the USB data, and transfers the USB data of the device connected to the USB hub 600 to other devices.

  The USB communication unit 195 performs data communication such as control transfer, interrupt transfer, bulk transfer, and isochronous transfer according to the USB specification. Data transfer is a necessary condition, and the transfer speed, USB version, etc. are not particularly limited.

  The mass storage 500 includes a file system 501, a file system management unit 502, a USB communication unit 195, and the like.

  As shown in FIG. 24, the file system 501 stores the job 310 in an internal storage device (not shown). Also, the job 310 is written, read and deleted.

  The card reader 400 includes a USB communication unit 195, a card reading unit 401, and the like.

  The card reading unit 401 is for reading the card ID 211 from the IC card 410. When the IC card 410 is held over the card reader 400, information such as the card ID 211 is read from the IC card 410, and the information is transmitted to other devices connected via the USB communication unit 195.

  The NIC 700 includes an application 800, a NIC OS 900, and the like.

  The application 800 is a program that operates on the NIC OS 900.

  The NIC OS 900 controls the NIC 700, and at the same time, manages the application 800 on the NIC 700 and performs various instructions to the printing apparatus 1000.

  An application 800 of the NIC 700 includes a setting information management unit 801, setting information 802, an LPR communication unit 803, an execution list 804, a job list 805, an LDAP communication unit 806, an LDAP server monitoring unit 807, a print information management protocol analysis unit 808, and a list management. A section 809, a user notification section 810, a card reader management section 811, a file management section 812, a print instruction section 813, a beep instruction section 814, a panel display instruction section 815, and the like.

  The setting information management unit 801 manages setting information 802 necessary for executing the application 800 shown in FIG. 16, and writes and reads the setting information 802.

  When the client PC 300 accesses the application 800 using a browser to set the setting information of the application 800, and the application 800 receives an instruction from the client PC 300, the setting information management unit 801 displays the set data as setting information 802. Hold as.

  The setting information 802 includes a Suffix 831, an identification code 832, a primary server 833, a primary port 834, a secondary server 835, a secondary port 836, a user 837, a password 838, and the like.

  The Suffix 831 and the identification code 832 are conditions for designating a search location when issuing a search request to the LDAP server 200.

  The primary server 833, the primary port 834, the secondary server 835, and the secondary port 836 are information for connecting to the LDAP server 200. Since the LDAP server 200 can have a redundant configuration, it is possible to set a plurality of units such as primary and secondary.

  The user 837 and the password 838 are information necessary for issuing an authentication request to the LDAP server 200.

  The LPR communication unit 803 analyzes the LPR printing protocol and performs communication. The LPR communication unit 803 analyzes and communicates the protocol when receiving the job 310 from the client PC 300.

  Here, LPR is described as an example, but the printing protocol is not limited to LPR.

  The execution list 804 is shown in FIG. 23 and is a subset of the job list 805 shown in FIG. When printing is performed, a print instruction is issued based on the job information 820 stored in the execution list 804.

  The job list 805 includes job information 820 shown in FIG. The job information 820 is information obtained by extracting information necessary for managing the job 310, and includes a user name 821, a file name 822, a job name 823, a time stamp 824, and the like. The job list 805 holds all information on the job 310 stored in the file system 501.

  The LDAP communication unit 806 communicates with the LDAP server 200 according to the LDAP protocol, and connects to the LDAP server 200 specified by the primary server and the primary port of the setting information 802.

  The LDAP communication unit 806 performs authentication using the user 837 and the password 838 of the setting information 802. Further, the LDAP communication unit 806 searches the user information 210 (FIG. 26) associated with the card ID 211 using the suffix 831 and the identification code 832 of the setting information 802 as search locations. If neither the primary nor the secondary can be accessed, the print mode 850 shown in FIG. 30 is set to “do not store”. Note that the print mode 850 is information that the application 800 stores and manages in the RAM 4002 like the setting information 802. When the primary or secondary can be accessed, the print mode 850 shown in FIG. 30 is set to “accumulate”. The default setting for the print mode 850 is “store”. 30 can be configured to be managed by the mass storage 500 or the internal memory 4005 in addition to the RAM 4002.

  Further, if the user information 210 is found as a result of the search performed by the LDAP communication unit 806, the user information 210 is acquired, and the received card ID is stored in the authentication cache 860 shown in FIG. It is registered in association with the user information 210. This is because the user name can be specified and authenticated from the card ID 211 even when the authentication server is stopped. Note that the authentication cache 860 is information that the application 800 stores and manages in the RAM 4002 like the setting information 802. Note that the information shown in FIG. 17 can be configured to be managed by the mass storage 500 or the internal memory 4005 in addition to the RAM 4002.

  The LDAP server monitoring unit 807 periodically monitors whether the LDAP server 200 and the NIC 700 can communicate with each other. Actual connection processing and the like are performed through the LDAP communication unit 806. If it is determined that the LDAP server 200 and the NIC 700 can communicate during the monitoring process, and the print mode 850 is set to “do not store”, the print mode 850 is changed to “store”. This realizes the return of print switching when the server is down.

  The print information management protocol analysis unit 808 analyzes the print information management header 311 included in the job 310. The print information management header 311 is binary data added to the head of PDL data, and includes various job information.

  When the job owner 312 and the job name 313 included in the print information management header 311 are acquired and the job information 820 is created, the value analyzed by the print information management protocol analysis unit 808 is used.

  A list management unit 809 manages the execution list 804 and the job list 805. When the job 310 is written in the file system 501, the job information 820 is received from the file management unit 812, and added to the job list 805 for management. In addition, job information 820 that matches the user name passed from the LDAP communication unit 806 is extracted from the job list 805 to create an execution list 804. The list management unit 809 receives a notification from the file management unit 812 when printing is completed, and deletes the corresponding job information 820 from the job list 805.

  The user notification unit 810 notifies the user who is using the printing apparatus 1000 of an error or the like. The user notification unit 810 issues a beep instruction to the NIC OS 900, sounds a beep from the printing apparatus 1000 to appeal to the user's hearing, and instructs the panel display to display arbitrary characters on the panel of the printing apparatus 1000. , Has a function to appeal to the user's vision.

  The card reader management unit 811 is for controlling the card reader 400 connected to the NIC 700 via the USB cable 160. When the IC card 410 is held over the card reader 400, the card reader management unit 811 acquires the card ID 211.

  The file management unit 812 manages the job 310 within the application 800. The file management unit 812 encrypts the job 310 and stores it in the file system 501, decrypts the job 310, sends the job 310 to the print instruction unit 813, or finishes submitting the job to the print instruction unit 813 At the timing, the corresponding job 310 is deleted from the file system 501.

  The print instruction unit 813 instructs the NIC OS 900 to print the decrypted job 310 sent from the file management unit 812 using the print information management protocol.

  The beep instruction unit 814 receives the beep command from the user notification unit 810 and notifies the NIC OS 900 of it. Regarding the beep sound, it is possible to use a print information management protocol, JL, UDP, or the like, or to realize a beep sound by various methods. Which function is supported differs depending on the printing apparatus 1000. The beep instruction unit 814 absorbs the difference depending on the type of the printing apparatus 1000 and performs an appropriate beep instruction.

  The panel display instruction unit 815 displays an arbitrary message on a panel (not shown) of the printing apparatus 1000 using MIB (Management Information Base). In the case of a printing apparatus 1000 of a model that cannot be displayed for a certain period of time, the display is reset after being displayed for a few seconds.

  Next, details of the NIC OS 900 will be described.

  The NIC OS 900 includes an I / F driver unit 190, a USB communication unit 195, an encryption / decryption unit 905, a print information management protocol analysis / communication unit 904, a JL communication unit 903, a UDP communication unit 902, an MIB communication unit 901, a communication control. Part 906.

  The encryption / decryption unit 905 is for performing encryption and decryption of data. The format is not fixed, and block encryption such as DES (Data Encryption Standard), triple DES, AES (Advanced Encryption Standard), and stream encryption such as RC4 can be performed.

  The print information management protocol analysis / communication unit 904 is for performing data communication according to the print information management protocol. The print information management protocol is a communication protocol for controlling the printing apparatus 1000, and can perform a print instruction, a beep sound, and the like.

  The JL communication unit 903 is for performing JL communication. JL is a job control language, and can issue an information acquisition command for the printing apparatus 1000, a PDL data reception command, a beep command to the printing apparatus 1000, and the like.

  The UDP communication unit 902 performs UDP communication. Using this UDP communication, a DNS (Domain Name System) query, a beep command, and the like can be performed.

  The MIB communication unit 901 is for performing MIB communication. The MIB is a protocol for managing communication devices, and performs panel display of the printing apparatus 1000 and the like.

  The communication control unit 906 notifies the application 800 of data received from the I / F driver unit 190 or passes it to the printing apparatus 1000.

  Next, the printing apparatus 1000 will be described.

  The printing apparatus 1000 includes an I / F driver unit 190, a reception buffer 1001, a transmission buffer 1002, an MIB communication unit 901, a UDP communication unit 902, a JL communication unit 903, a print information management protocol analysis / communication unit 904, an LPR communication unit 803, A panel display unit 1008, a beep sound unit 1009, a PDL translator unit 1011, a device DB unit 1010, a drawing buffer 1012, a drawing unit 1013, and a printer engine unit 1014 are provided.

  The reception buffer 1001 temporarily secures all data received by the I / F driver unit 190 and serves as a buffer for processing delay.

  The transmission buffer 1002 temporarily secures all data before transmission to the I / F driver unit 190 and serves as a buffer for processing delay.

  The panel display unit 1008 displays the designated message on the panel of the printing apparatus 1000.

  The beep sounding unit 1009 activates a sounding device (not shown) built in the printing apparatus 1000 to make a sound.

  The device DB unit 1010 stores information on the printing apparatus 1000 set by JL and provides the information to the PDL translator unit 1011. The environmental information here is, for example, the number of printed sheets.

  The PDL translator unit 1011 performs a translation process on the PDL data and converts it into intermediate data that is a drawing object suitable for drawing.

  The drawing buffer 1012 temporarily stores intermediate data of the drawing object generated by the PDL translator unit 1011 until actual printing is performed.

  The drawing unit 1013 actually draws the drawing object temporarily stored in the drawing buffer 1012 to generate image data that is a bitmap image.

  The printer engine unit 1014 receives the bitmap image generated by the drawing unit 1013 and prints it on a medium such as paper using a known printing technique.

  Next, detailed processing of the secure print system 1 according to the present invention will be described with reference to FIGS. 7, 8, 9, 10, 11, 12, 13, 14, 15, 18, and 28.

  7 is a flowchart showing an example of a print job input processing procedure of the secure print system 1, FIG. 8 is a flowchart showing an example of a print job output processing procedure of the secure print system 1, and FIG. FIG. 10 is a flowchart showing an example of a print job output processing procedure of the secure print system 1, FIG. 11 is a flowchart showing an example of a print job output processing procedure of the secure print system 1, 12 is a flowchart showing an example of a print job output process procedure of the secure print system 1, FIG. 13 is a flowchart showing an example of a detailed procedure of an output process of the secure print system 1, and FIG. Server monitoring processing 15 is a flowchart showing an example of a user notification processing procedure of the secure print system 1, FIG. 18 is a diagram showing an example of a message displayed on the printing apparatus 1000, and FIG. 28 is a secure print system. 6 is a flowchart illustrating an example of a detailed procedure of one standard printing process.

  In the following, processing performed by the NIC 700 is described by distinguishing the function of the application 800 and the function of the NIC OS 900. Therefore, for the sake of convenience, the subject of processing is assumed to be the application 800 and the NIC OS 900. However, in practice, the NIC 700 is the subject that performs the processing. The NIC 700 that is hardware executes processing described later in cooperation with the application 800 or NIC OS 900 that is software.

  In FIG. 7, the NIC 700 receives print data from the client PC 300. The NIC 700 stores the received print data in the mass storage 500. The NIC 700 transmits print data to the printing apparatus 1000.

  As shown in FIG. 7, in the job submission process to the secure print system 1, the application of the client PC 300 generates a job 310 via the printer driver (step S001).

  When the client PC 300 transmits the generated job 310 to the NIC OS 900 (step S002), the NIC OS 900 receives the data transmitted from the client PC 300 and sequentially transfers the received data to the application 800 (step S003).

  In this embodiment, the NIC 700 receives the job 310 from the client PC 300. However, the NIC 700 transmits the job 310 from the client PC 300 to a print server (not shown), and the NIC 700 receives the job 310 via the print server. It is also possible.

  The application 800 analyzes the print information management header 311 of the job 310 received (received) from the NIC OS 900, acquires the job owner and job name (step S004), and the application 800 creates job information 820 (step S005). ).

  Specifically, the acquired job owner 312 is stored as a user name 821 (user identification information), and the acquired job name 313 is stored as a job name 823. Also, a character string that is unique within the application is generated and used as the file name 822. The time stamp 824 is stored after writing the file.

  The application 800 acquires the setting of the print mode 850, and performs branch processing according to the acquired setting (step S006).

  In the present embodiment, when printing from the client PC 300, the user does not need to be aware of whether the printing method uses the mass storage 500 or the printing method that directly outputs from the printing apparatus 1000 without being able to communicate with the LDAP server 200. . In other words, when printing, the print mode can be automatically changed depending on whether or not communication with the LDAP server 200 is possible. Therefore, when the communication with the LDAP server 200 is possible, the job 310 is acquired from the mass storage 500. When printing cannot be performed and communication with the LDAP server 200 is not possible, printing can be performed without accumulating in the mass storage, and a printing system that achieves both a high security printing system and a high usability printing system can be realized.

  In addition, by checking an authentication cache, which will be described later, jobs can be accumulated in the mass storage 500, and when the user is authenticated, the job 310 can be acquired and printed, thus realizing a printing system with further increased security. can do.

  If it is determined in step S006 that the print mode is a mode for accumulating print data, if the print mode 850 is set to “do not accumulate”, the application 800 performs a branch process depending on the state of the authentication cache 860. (Step S007). In other words, in the “not store” mode, it is a case where communication with the LDAP server 200 could not be made, and therefore the process proceeds to a process of checking the authentication cache.

  In step S007, it is determined whether or not the user information 212 stored in the authentication cache 860 includes the same user name 212 (user identification information) as the user who has submitted the job 310 (there is a matching user name) (first). User identification information determination). Note that the user who submitted the job 310 is a user corresponding to the user name 821 of the job information 820 created in step S005.

  When the connection with the LDAP server 200 is not possible, the input job 310 is output without being accumulated, thereby realizing a system that does not stop the business. However, outputting the input job 310 as it is without accumulating it does not stop the work, but causes a decrease in security. Therefore, in the present embodiment, a system is realized in which the authentication cache 860 is confirmed when a job is submitted and the user information 210 is stored, so that the job 310 is stored, thereby preventing a decrease in security and stopping business.

  As will be described in detail later, if the user name of the user who submitted the job 310 is included in the authentication cache 860, authentication can be performed even when communication with the LDAP server 200 is not possible, and the job is stored when the job is submitted. To do. If the user information 210 stored in the authentication cache 860 does not include the user name of the user who submitted the job 310, the job 310 is output without being stored.

  If the user name is not found in the authentication cache 860, the application 800 requests the NIC OS 900 to perform the standard printing process shown in FIG. The standard printing process is a printing method in which the job 310 input from the client PC 300 is output as it is without being stored in the mass storage 500.

  As a result of determining whether or not the print mode is a mode for accumulating print data in step S006, if the print mode 850 is set to “accumulate” or the print mode 850 is set to “not accumulate”. However, if the user name is found in the authentication cache 860, the application 800 passes the job 310 data to the NIC OS 900 to encrypt the job 310, and specifies an encryption key, an encryption algorithm, and the like (step S012). ).

  The NIC OS 900 encrypts the passed job data using the designated parameter (step S013).

  In order to write the job encrypted by the NIC OS 900 in step S014 to the file system 501, the application 800 issues a write (store) instruction to the NIC OS 900 (print data storage instruction).

  Writing the job 310 to the file system 501 eliminates the need to write the job 310 to the printer server 101 as in the prior art. As a result, the printer server 101 is not required, and a secure print system with higher security is realized. Further, since the printer server 101 is unnecessary, it is possible to save the cost of installing the server and the trouble of setting the server installation in the secure print system introduction. Furthermore, even if the mass storage 500 is removed from the printing apparatus 1000, the job 310 is written in an encrypted manner, so there is no concern that the PDL data in the job 310 can be read, and higher security is realized. Yes.

  When the NIC OS 900 receives a write instruction for the job 310, the NIC OS 900 acquires the job 310 and transmits it to the mass storage 500 (step S015). The mass storage 500 writes the encrypted job 310 into the file system 501 (step S016).

  When the NIC OS 900 transmits the write processing of the encrypted job 310 to the file system 501 to the application 800 (step S017), the application 800 obtains a time stamp when the writing of the job 310 to the file system 501 is completed, Stored in the time stamp 824 of the job information 820 (step S018).

  The application 800 stores the created job information 820 in the job list 805 (step S019).

  Next, job output processing of the secure print system 1 will be described with reference to FIGS.

  In FIG. 8, the NIC 700 transmits an authentication request including user information 210 to the LDAP server 200. Further, the NIC 700 determines whether or not communication with the LDAP server 200 is possible. If communication with the LDAP server 200 is not possible, the NIC 700 cancels the setting for storing the print data in the mass storage 500. In addition, when the setting to enable communication with the authentication server and the storage of the print data in the mass storage 500 is cancelled, the NIC 700 resets the setting.

  As shown in FIG. 8, the card reader 400 detects the IC card 410, reads the card ID 211 recorded therein (step S100), and the NIC OS 900 transmits the read information to the application 800 (step S101). ).

When the application 800 receives the card ID 211 (reading object identification information) from the NIC OS 900 (reading object identification information reception), the application 800 confirms the print mode 850 (step S102).
When the print mode 850 is confirmed and the print mode 850 is set to “accumulate”, the application 800 attempts to connect to the LDAP server 200 based on the setting information 802 (step S103). If the print mode 850 is set to “do not store”, the process proceeds to step S107.

  As will be described later in step S <b> 106, “No accumulation” in the print mode 850 indicates a state in which communication with the LDAP server 200 is not possible. When communication with the LDAP server 200 is impossible, the authentication cache (user information storage) is confirmed.

  For connection to the LDAP server 200, the application 800 refers to the setting information 802, connects to the primary port of the primary LDAP server 200a, and if the connection cannot be established, the secondary of the secondary LDAP server 200b. Connect to the port.

  Even if the print mode 850 is set to “do not store” in step S102, if communication can be established by communicating with the LDAP server 200, the print mode 850 is changed to “store” (mode setting). The process is configured to transition to the process of step S109.

  The NIC OS 900 tries to connect to the LDAP server 200 based on the connection request (step S104), and the application 800 performs branch processing depending on whether or not the connection attempt is successful (step S105). In other words, it is determined whether or not communication with the LDAP server 200 is possible (communication determination).

  More specifically, if it is not possible to connect to both the primary LDAP server 200a and the secondary LDAP server 200b, it is regarded as a connection failure.

  In step S106, the application 800 changes the print mode 850 to “do not store” (mode setting), and checks the authentication cache (step S107).

  If the connection to the LDAP server 200 is not possible, the print mode 850 is changed to “do not store”, so that the job 310 is not saved in the mass storage 500 from the next printing, and printing is performed directly from the printing apparatus 1000. . Accordingly, it is possible to output a printed matter even when communication with the LDAP server 200 is not possible.

  The application 800 checks the authentication cache 860 (step S107). More specifically, it is confirmed whether or not the card ID 211 acquired in the previous step S100 matches one of the one or more card IDs 211 registered in the authentication cache 860 (second user identification information determination).

  If there is a card ID 211 that matches the authentication cache 860 as a result of step S107, the application 800 acquires user information 210 associated with the card ID 211 (step S108-1).

  On the other hand, if the card ID 211 matching the authentication cache 860 is not found as a result of step S107, the application 800 selects “AP server error” of message 2 from the message shown in FIG. 18 and performs user notification processing ( Step S108-2).

  By checking the authentication cache 860, authentication can be performed even when connection to the LDAP server 200 is not possible, and a system that does not stop business is realized. If the user information 210 corresponding to the card ID is not found in the authentication cache 860, an error message is notified (step S108-2), but the user does not actually hold the IC card 410 in this situation. As described above (step S007), the presence or absence of the authentication cache 860 is confirmed when the job is input. If there is no user in the authentication cache 860, the input job 310 is output as it is without being accumulated. . Therefore, even if there is no user in the authentication cache 860, a system that does not stop the business is realized.

  Next, as shown in FIG. 9, when the connection can be made to either the primary LDAP server 200a or the secondary LDAP server 200b, the application 800 performs LDAP authentication (step S109).

  The user 837 and password 838 of the setting information 802 are transmitted to the LDAP server 200 and an authentication request is issued. This authentication process is a process in the case where strong security is applied such that the search is not performed unless the LDAP server 200 authenticates. As another embodiment, when a setting that does not require authentication when performing a search (non-authentication setting) has been made, the processing from S109 to S114 accompanying authentication may be omitted.

  The NIC OS 900 transmits the data transmitted from the application 800 to the LDAP server 200 (step S110).

  The LDAP server 200 searches the LDAP directory 201 with the user name of the data transmitted by the LDAP server 200. When the user is found, the transmitted data is compared with the password 213 included in the user information 210 of the corresponding user, and the authentication result is returned (step S111).

  When the NIC OS 900 transmits the data received from the LDAP server 200 to the application 800 (step S112), the application 800 receives the LDAP authentication result (step S113).

  The application 800 performs a branch process depending on whether or not the authentication result in the previous stage S113 is acceptable (step S114). If the authentication fails, the application 800 selects “AP server error” in the message 2 from the message shown in FIG. This is performed (step S115).

  When the authentication is successful, the application 800 transmits a search for the card ID 211 based on the setting information 802 (authentication request including the reading object identification information) to the LDAP server 200. (Step S116).

  The application 800 designates a search position using the Suffix 831 and the identification code 832 of the setting information 802.

  The NIC OS 900 transmits the data transmitted from the application 800 to the LDAP server 200 (step S117).

  The LDAP server 200 searches the LDAP directory 201 based on the data transmitted from the application 800, and returns the search result (step S118).

  The specified card ID 211 is searched from the data under the specified Suffix 831 and the identification code 832, and the found user information 210 is transmitted. The Suffix 831 and the identification code 832 are information that is specified to specify the position of the user in the LDAP directory 201, and are generally values that are specified as SearchBases during the LDAP search.

  When the NIC OS 900 transmits the data received from the LDAP server 200 to the application 800 (step S119), the application 800 acquires a search result from the LDAP server 200 (step S120).

  Next, as illustrated in FIG. 10, the application 800 performs branch processing depending on whether the user information 210 has been acquired by looking at the search result from the LDAP server 200, that is, whether or not the user exists (step S <b> 121). .

  When the user information 210 cannot be acquired, the application 800 selects “AP user password” of message 3 from the message shown in FIG. 18, and performs user notification processing (step S122).

  When the user information can be acquired, the application 800 performs a branching process based on whether or not the user has a usage right based on the usage restriction of the user information 210 (step S123).

  Various setting methods can be considered for the usage restriction. For example, the usage authority is expressed by a 4-digit number, the first digit is the printer usage authority, the second digit is the copy usage authority, and the third digit is a scan. Use authority The fourth digit is the use authority for fax. The value “0” is “unusable”, “1” is “monochrome only usable”, and “2” is “both color monochrome usable”. Then, referring to the usage authority in the user information 210, a method of considering “no authority” if the printer item is “0”, and “authorizing” if “1” or “2” is considered.

  If there is no usage right, the application 800 selects “AP user error” in message 4 from the message shown in FIG. 18 and performs user notification processing (step S124).

  If it is determined in step S123 that the user has authority, the application 800 caches the user information 210 (step S124-1).

  Specifically, the card ID 211 acquired in step S100 is set as the card ID 211 serving as the primary key of the authentication cache 860. In addition, the user information 210 acquired in step S111 is set in the authentication cache 860 as the user information 210 associated with the card ID 211. In other words, reading object identification information and user information including user identification information are stored in association with each other.

  If the same card ID 211 has already been registered in the authentication cache 860, this setting is overwritten. This is to prevent the data in the authentication cache 860 from remaining old when the data on the LDAP server 200 is updated.

  If the acquired user information 210 is the user information 210 acquired from the authentication cache 860 as in step S108-1, the authentication cache 860 is not overwritten. Since it is clear that this is the same data, it is for avoiding extra processing and causing performance degradation.

  In FIG. 11, when the NIC 700 can communicate with the LDAP server 200, the NIC 700 acquires print data corresponding to the user information 210 from the mass storage 500.

  As shown in FIG. 11, when there is a use authority, the application 800 extracts job information 820 having the same user name from the job list 805 using the user name in the acquired user information 210 as a key (step S125). .

  The application 800 creates the execution list 804 using the extracted job information 820 as a list (step S126).

  The application 800 acquires a sub user from the acquired user information 210 (step S127).

  If sub user 1 has been acquired immediately before, the next sub user 2 is acquired. A series of processes from S127 to S130 related to the sub-user is a process performed to output a printed matter of a plurality of users by one user. For example, in the past, only one user could be registered per IC card, so it was necessary for the secretary to borrow an IC card if he wanted to output the supervisor's printed material. In addition, a user who uses two PCs alone needs to carry two IC cards. By performing processing related to this series of sub-users, it is possible to solve the above problems and to output printed materials of a plurality of users with a single IC card.

  The application 800 checks the acquired sub-user (step S128), and if all the sub-users up to the sub-user 4 have been acquired, or if the sub-user has not been acquired or has not been registered, the process proceeds to S131. move on.

  If the sub user can be acquired, the application 800 extracts job information 820 that matches the sub user from the job list 805 (step S129), and adds the extracted job information 820 to the execution list 804 (step S130).

  When all the sub users are acquired, the application 800 sorts the created execution list 804 (step S131).

  The job information 820 is sorted by the time stamp 824, then sorted by the user name 821, and rearranged in chronological order by the user name 821. By this sort, when it is desired to output a printed matter of a plurality of users, a collective output matter is obtained for each user, and the labor of sorting can be saved. In addition, since the printed matter of each user is arranged in the order of timeout, the order is in accordance with the instruction of the user who executed printing, and the output order is easy to understand for the user. Further, the sorting method is not limited to this method, and sorting may be performed by user name and then by time stamp.

  Next, as shown in FIG. 12, the application 800 checks the number of job information 820 in the execution list 804 (step S132), and in the case of 0, the message “AP job not” from message 5 shown in FIG. And a user notification process is performed (step S133).

  When the number of job information 820 in the execution list 804 is one or more, the application 800 performs a loop process with the number of job information 820 in the execution list 804 (step S134). When all the job information 820 is referenced, the loop process is terminated. This loop processing is processing for performing steps S135 to S137 for all job information 820 in the execution list. In step S134, that is, it is determined whether all the job information 820 in the execution list has been processed. If it is determined that the process has been completed, the process proceeds to step S138.

  The application 800 determines whether or not a job can be submitted (step S135). Usually, since a printing device has a limited RAM, a print job that can be submitted at one time is limited. The reason for determining whether or not to submit a job is to prevent a job from being submitted even though the submission limit has been exceeded and printing from failing.

  Next, the application 800 performs a weight process (step S136). This wait processing prevents the phenomenon of occupying the CPU by continuing the loop (step S135 to step S137) when the job cannot be submitted beyond the submission limit.

  The application 800 performs the detailed output process shown in FIG. 13 (step S137), and clears all the job information 820 in the execution list 804 (step S138).

  Next, job output processing of the secure print system 1 will be described with reference to FIG.

  In FIG. 13, the NIC 700 transmits print data to the printing apparatus 1000.

  As shown in FIG. 13, the application 800 issues an acquisition instruction to acquire the job 310 from the file system 501 based on the job information 820 passed from the upper level (step S201). The application 800 requests the mass storage 500 to acquire a file in the file system 501 that matches the file name 822 stored in the job information 820.

  When the NIC OS 900 transmits a command from the application 800 to the mass storage 500 (step S202), the mass storage 500 reads a specified file from the file system 501 and returns it to the application 800 (step S203). The command from 500 is transmitted to the application 800 (step S204).

  The application 800 acquires the job 310 (second print data reception). The NIC OS 900 is requested to decrypt the acquired job 310, and at the same time, a decryption key, a decryption algorithm, and the like are designated (step S205).

  The NIC OS 900 performs data decryption processing (step S206), and the application 800 issues a print instruction for the decrypted job 310 and outputs it (step S207).

  The NIC OS 900 receives the job 310 and the print instruction output from the application 800, and sends the print instruction of the job 310 to the printing apparatus 1000 using the print information management protocol communication (step S208).

  The printing apparatus 1000 receives the job 310, stores it in the reception buffer, and performs spool processing (step S209). When the storage in the reception buffer ends, the printing apparatus 1000 returns control to the NIC OS 900 without waiting for the end of printing.

  The printing apparatus 1000 analyzes the print information management header 311 of the spooled job 310 data (step S210). The analyzed data is used for internal log data (not shown).

  The printing apparatus 1000 analyzes the PDL data in the job 310 to generate intermediate data of the drawing object, generates a bitmap image based on the intermediate data (step S211), and the generated bitmap image is known. Printing is performed on a medium such as paper using a printing technique (step S212).

  When the NIC OS 900 transmits a command from the printing apparatus 1000 to the application 800 (step S213), the application 800 requests the mass storage 500 to delete the corresponding job 310 from the file system 501 (step S214).

  When the NIC OS 900 transmits the command of the application 800 to the mass storage 500 (step S215), the mass storage 500 deletes the designated job 310 from the file system 501 (step S216).

  The NIC OS 900 transmits a command from the mass storage 500 to the application 800 (step S217).

  Next, the LDAP server monitoring process of the secure print system 1 will be described with reference to FIG.

  In FIG. 14, the NIC 700 confirms whether or not communication with the LDAP server 200 is possible at regular intervals. In addition, when the NIC 700 can communicate with the LDAP server 200 and the setting for storing the print data in the mass storage 500 has been canceled, the NIC 700 resets the setting.

  As shown in FIG. 14, when the application 800 registers the LDAP server monitoring process as a thread in the NIC OS 900 and starts the process (step S301), the NIC OS 900 checks whether the application 800 has ended (step S302). .

  If the application 800 has not ended, the application 800 requests the NIC OS 900 to connect to the ports of the primary LDAP server 200a and the secondary LDAP server 200b set in the setting information 802 (step S303), and the NIC OS 900 Connects to the two specified LDAP servers 200 (step S304).

  The application 800 checks whether it can connect to either the primary LDAP server 200a or the secondary LDAP server 200b (step S305), and if it can connect, it checks the print mode 850 (step S306).

  If the print mode 850 is set to “do not store”, the application 800 sets the print mode 850 to “store” (step S307).

  The application 800 performs a wait process and avoids the possibility of occupying the CPU due to a loop (step S308).

  Next, the user notification process of the secure print system 1 will be described with reference to FIG.

  As shown in FIG. 15, the application 800 acquires a message character string transmitted from the host (step S501), and requests the NIC OS 900 to sound a beep and display a specified message (step S502).

  The NIC OS 900 determines the type of the printing apparatus 1000 and instructs a beep sound using an appropriate method (step S503). For example, because UDP, print information management protocol, and JL are used depending on the model, the NIC OS 900 absorbs the information and issues a beep sound instruction by a method suitable for the model of the printing apparatus 1000. For panel display, a display instruction is sent to the printing apparatus 1000 using the MIB.

  The printing apparatus 1000 receives the command, makes a beep sound (step S504), and displays a specified message on the panel (step S505).

  Next, standard print processing of the secure print system 1 will be described with reference to FIG.

  In FIG. 29, the NIC 700 transfers print data to the printing apparatus 1000, and the printing apparatus 1000 analyzes the print data and outputs a printed matter.

  As shown in FIG. 29, the NIC OS 900 transfers (outputs) the job 310 received from the host to the printing apparatus 1000 (step S401), and the printing apparatus 1000 accepts the transferred job 310, stores it in the reception buffer 1001, Spool processing is performed (step S402).

  The printing apparatus 1000 analyzes the print information management header 311 of the spooled job 310 (step S403). The analyzed data is used for internal log data (not shown).

  The printing apparatus 1000 analyzes the PDL data in the job 310, creates intermediate data of the drawing object, and further creates a bitmap image based on the intermediate data (step S404).

  The printing apparatus 1000 prints the created bitmap image on a medium such as paper via the printer engine unit 1014 (step S405).

  Next, an overall processing outline of the secure print system 1 according to the present invention will be described with reference to FIG.

  FIG. 28 is a diagram showing an overall processing overview of the secure print system 1.

  The user logs in to the client PC 300 (step 1-1) and issues a data print instruction (step 1-2).

  The printer driver generates a job from the data and transmits it to the printing apparatus 1000 (step 2-1). Here, if the print mode 850 is set not to store the job and there is no user who has submitted the job to the authentication cache 860, the job is output as it is from the printing apparatus 1000 (step 2-2A). On the other hand, if the print mode 850 is set to store the job, it is stored in the mass storage 500 (step 2-2B).

  The user who gives the print instruction holds the IC card 410 over the card reader 400 (step 3-1). The card reader 400 reads the card ID 211 from the IC card 410 and notifies the printing apparatus 1000 (step 3-2).

  The printing apparatus 1000 inquires of the LDAP server 200 about the user name that matches the received card ID 211 (step 4-1). The LDAP server 200 searches the LDAP directory 201 and transmits the searched user name to the printing apparatus 1000 (step 4-2). At the same time, the user information 210 including the card ID 211 and the user name is stored in the authentication cache 860.

  At this time, if the printing apparatus 1000 cannot communicate with the LDAP server 200, the user name is acquired from the user information 210 of the authentication cache 860.

  The printing apparatus 1000 acquires a job that matches the user name from the mass storage 500 (step 5-1), and passes the corresponding job to the printing apparatus 1000 (step 5-2).

  The printing apparatus 1000 outputs the received job (step 6-1).

  As described above, according to the embodiment of the present invention, it is possible to provide a mechanism for preventing printing work from being delayed even when authentication cannot be performed due to, for example, an authentication server going down.

  The secure print system 1 according to the present invention can perform printing even when the authentication server does not operate for some reason, and thus becomes a highly available system that does not stop the user's work.

  Further, since the secure print system 1 according to the present invention does not use a printer server, the problem that print data is accumulated in the printer server and becomes a security hole is solved, and the system becomes more confidential. In addition, since a printer server is not used, the environment construction cost for secure printing can be reduced, resulting in a cheaper system.

  Further, in the secure print system 1 according to the present invention, by not using a printer server, the client is different even in the case of accumulated printing for performing secure printing or in the case of not performing accumulated printing when the authentication server is stopped. This makes it possible to submit a print job with exactly the same operation without being conscious of the fact that the system is more convenient for the user.

  In addition, the secure print system 1 according to the present invention does not use a printer server and does not require a printer driver setting change, so that the installation and installation can be easily performed and the system is less time-consuming.

  The preferred embodiments of the secure print system and the network interface device according to the present invention have been described above with reference to the accompanying drawings, but are not limited to the above-described embodiments. It is obvious for those skilled in the art that various modifications or modifications can be conceived within the scope of the technical idea described in the claims, and these are naturally within the technical scope of the present invention. It is understood that it belongs.

101 Printer server 102 Authentication server 150 LAN
160 USB cable 200 LDAP server 300 Client PC
400 Card reader 500 Mass storage 600 USB hub 700 NIC
800 application 900 NIC OS
1000 printing device

Claims (13)

A print data storage means for storing print data , an authentication server that is communicably connected to the image forming apparatus, and communicates via a network with an authentication server that authenticates a user and an information processing apparatus that transmits print data to be printed by the image forming apparatus. A network interface device,
Reading object identification information receiving means for receiving reading object identification information by reading the reading object;
Transmitting means for transmitting an authentication request including the reading object identification information to the authentication server;
User information storage means for storing user information including user identification information obtained in response to the authentication request transmitted by the transmission means and the reading object identification information in association with each other;
A first print data receiving means for receiving print data transmitted from the information processing apparatus,
First user identification for determining whether or not user identification information included in the print data matches the user identification information in the user information storage means when the print data is received by the first print data reception means Information determination means;
If it is determined that the user identification information matches with the first user identification information determining means, print data instructing to store the print data received by said first print data receiving means to the print data storage means Memory instruction means;
When the first user identification information determination unit determines that the user identification information does not match, the print data received by the first print data reception unit is output for printing by the image forming apparatus. And a network interface device.   The network interface device according to claim 1, wherein the first user identification information determination unit determines whether or not the user identification information matches when communication with the authentication server is not possible. When communication with the authentication server is not possible when transmitting the reading object identification information by the transmission means, it is determined whether or not user identification information corresponding to the reading object identification information exists in the user information storage means. Second user identification information determination means;
When the second user identification information determination unit determines that the user information storage unit has the user identification information, a second process of receiving print data corresponding to the user identification information stored in the print data storage unit Print data receiving means;
3. The network interface device according to claim 1, further comprising: a second output unit that outputs the print data received by the second print data receiving unit in order to print the print data by the image forming apparatus. . The second print data receiving means is user information obtained in response to the authentication request transmitted by the transmitting means when the transmitting means can communicate with the authentication server when transmitting the reading object identification information. The network interface device according to claim 3, wherein print data corresponding to user identification information included in the print data is received from the print data storage unit. When communication with the authentication server is not possible, the first user identification information determination unit determines whether the user identification information matches, and stores the print data received by the first print data reception unit. When communication with the first mode and the authentication server is possible, the first print data receiving unit does not determine whether or not the user identification information matches with the first user identification information determination unit. 5. The network interface device according to claim 1, further comprising: a mode setting unit that sets a second mode for storing the received print data in the print data storage unit. 6. Communication determination means for determining whether communication with the authentication server is possible,
The mode setting means sets the first mode when the communication determining means cannot communicate with the authentication server, and sets the second mode when the communication determining means can communicate with the authentication server. The network interface device according to claim 5, wherein: Communication confirmation means for confirming whether or not communication with the authentication server is possible at regular intervals,
The mode setting unit changes the setting from the first mode to the second mode when the communication confirmation unit determines that communication with the authentication server is possible. The network interface device described. The user information storage means stores the user identification information and other user identification information in association with each other,
5. The second print data receiving unit receives print data corresponding to the user identification information and other user identification information associated with the user identification information from the print data storage unit. The network interface device described in 1. A print data storage means for storing print data , an authentication server that is communicably connected to the image forming apparatus, and communicates via a network with an authentication server that authenticates a user and an information processing apparatus that transmits print data to be printed by the image forming apparatus. A printing control method for a network interface device,
A reading object identification information receiving step for receiving reading object identification information by reading the reading object;
A transmitting step of transmitting an authentication request including the reading object identification information to the authentication server;
A user information storage instruction step in which user information including user identification information obtained in response to the authentication request transmitted in the transmission step and the reading object identification information are associated with each other and stored in a user information storage unit;
A first print data receiving step for receiving print data transmitted from the information processing apparatus;
First user identification for determining whether or not the user identification information included in the print data matches the user identification information in the user information storage means when print data is received in the first print data reception step An information determination step;
If it is determined that the user identification information matches with the first user identification information determination step, the print instructing to store the print data received by said first print data receiving step to the print data storage means A data storage instruction step;
When it is determined in the first user identification information determination step that the user identification information does not match, the print data received in the first print data reception step is output for printing by the image forming apparatus. And a printing control method.   The program which performs the method of Claim 9 in a network interface apparatus. An image forming apparatus comprising: an information processing apparatus that transmits print data; and a print data storage unit that stores print data that communicates with an authentication server that authenticates a user via a network .
Reading object identification information receiving means for receiving reading object identification information by reading the reading object;
Transmitting means for transmitting an authentication request including the reading object identification information to the authentication server;
User information storage means for storing user information including user identification information obtained in response to the authentication request transmitted by the transmission means and the reading object identification information in association with each other;
A first print data receiving means for receiving print data transmitted from the information processing apparatus,
First user identification for determining whether or not user identification information included in the print data matches the user identification information in the user information storage means when the print data is received by the first print data reception means Information determination means;
If it is determined that the user identification information matches with the first user identification information determining means, print data instructing to store the print data received by said first print data receiving means to the print data storage means Memory instruction means;
If the user identification information is determined not to match the first user identification information determining means, the print data received by said first print data receiving unit for printing in the image forming apparatus, the outputs And an output unit. A print control method for an image forming apparatus, comprising: an information processing apparatus that transmits print data; and a print data storage unit that stores print data that is communicated via a network with an authentication server that authenticates a user.
A reading object identification information receiving step for receiving reading object identification information by reading the reading object;
A transmitting step of transmitting an authentication request including the reading object identification information to the authentication server;
A user information storage instruction step in which user information including user identification information obtained in response to the authentication request transmitted in the transmission step and the reading object identification information are associated with each other and stored in a user information storage unit;
A first print data receiving step for receiving print data transmitted from the information processing apparatus;
First user identification for determining whether or not the user identification information included in the print data matches the user identification information in the user information storage means when print data is received in the first print data reception step An information determination step;
Print data instructing to store the print data received in the first print data reception step in the print data storage means when it is determined in the first user identification information determination step that the user identification information matches. A memory instruction step;
When it is determined that the user identification information does not match in the first user identification information determination step, the print data received in the first print data reception step is output for printing on the image forming apparatus. 1 output step and
A printing control method comprising: A program for executing the method according to claim 12 in an image forming apparatus.

Images