JP5180013B2 - Authentication processing system, control method thereof, and program - Google Patents

Description

The present invention relates to an authentication processing system that performs authentication processing using authentication target information input by a user, a control method thereof, and a program.

  2. Description of the Related Art Conventionally, a so-called “pull print” printing system is known in which a print request is output from a printing device when a user makes a print request to the printing data temporarily stored on a server. (For example, refer to Patent Document 1 below). Thus, the user can output print data from a desired printing apparatus, instead of designating a specific printing apparatus and outputting print data when a printing instruction is issued from an application.

An example of a printing process procedure in such a printing system is as follows.
When the user holds the IC card over the IC card reader connected to the printing apparatus, the IC card reader detects the card ID (unique ID) of the IC card. Then, in order to determine whether or not the user is a usable user, the printing apparatus refers to an authentication table stored in the authentication server and in which authentication based on the card ID is set, and executes a user authentication process.
If the authentication is permitted as a result of the authentication process, the printing apparatus acquires the user's print data temporarily stored on the server and performs the print process.

  Here, when a user who starts using the printing apparatus or a user who stops using the printing apparatus occurs, the administrator who manages the authentication table (maintenance) authenticates the card ID of the corresponding user. The target information is registered or deleted as user information in the authentication table.

  However, in general, as the number of users who use the printing apparatus increases, the administrator needs to register or delete user information including information such as a card ID in the authentication table, which makes it difficult to operate the authentication table. There is a problem that the labor of the administrator increases.

Therefore, in an authentication processing system represented by the printing system described above, it is conceivable to automatically register a user by the following method.
For example, if authentication is not permitted as a result of the above-described authentication process, the registration process is performed at that time. More specifically, when authentication is not permitted, an authentication failure screen is displayed on the operation unit having the display screen of the printing apparatus, and if a user registration instruction is received from the user, the user name is input from the user. Accept input in the field and password entry field. Then, the input information is transmitted to a server different from the authentication server, for example, a directory server that manages employee information, etc., and the authentication process is executed there. Perform new registration processing in the authentication table.

In addition, regarding the processing in the case of a user who is no longer used due to retirement or the like, the user information can be automatically deleted by the following method.
For example, each time a printing device is used, the user and the date and time information are stored in the authentication server, and when a certain period, for example, one month has passed since the last use date, the user is determined to have retired. It is conceivable to automatically delete user information such as the card ID of the corresponding user from the authentication table.

  By the way, the reason why such an automatic registration process (including a deletion process) is necessary is that it is necessary to manage many users. In this case, if the authentication server goes down due to a failure or the like, it hinders business and becomes a problem. Therefore, it is required to make the system redundant.

  For example, when a plurality of authentication servers are provided for the purpose of redundancy, etc., it is required that the plurality of authentication tables have the same contents (that is, a complete synchronization process of the authentication tables is required). Will need to be done.

  Patent Document 2 listed below discloses a technology for synchronizing the setting information of the distributed server, by determining whether the own server is primary or secondary, and then synchronizing the secondary and setting information by communication under the primary initiative. ing.

JP 2006-99714 A JP 2006-209490 A

  However, in the technique disclosed in Patent Document 2, it is necessary to stop the service in the authentication processing system during the synchronization processing (complete synchronization processing) in order to maintain the consistency of information during the synchronization processing. is there.

  In this regard, in a printing system used by many users, authentication processing frequently occurs, and during that time, it is a problem from the viewpoint of business efficiency that the service must be stopped. On the other hand, in order to avoid this problem, for example, it is conceivable to reduce the frequency of performing the synchronization processing. However, in order to manage many users, user information such as a card ID is often registered or deleted from the authentication table, and the date and time of use each time an information processing device such as a printing device is used. Since there are many processes for storing information in the authentication server, if the frequency of simply performing the synchronization process is reduced, there will be a problem of lack of consistency.

The present invention has been made in view of such problems, and in the synchronization of authentication information stored in each authentication device that performs authentication processing, the service stop time related to authentication processing is shortened as much as possible, The purpose is to provide a mechanism to improve business efficiency.

An authentication processing system according to the present invention enables registration of an information processing apparatus that receives input of authentication target information from a user and authentication target information input from the information processing apparatus, and performs authentication processing using the authentication target information A first authentication device as a primary server that stores the first authentication information and authentication information different from the first authentication information is registered, and the authentication target information is obtained when authentication cannot be performed by the first authentication device. an authentication processing system comprising a second authentication device as the secondary server storing second authentication information for performing authentication process using the second authentication device, the first authentication device in but ready for an authentication process, from the first authentication device, a first receiving means for receiving the first authentication information, the second authentication information, to include the first authentication information , According to the authentication target information of the first authentication information received by the first receiving means, and a first simple synchronizing processing means for updating the second authentication information, the first authentication device , at a predetermined timing determined in advance, in a state in which the first authentication device and the second authentication device does not perform the authentication process, from the second authentication device, the receiving the second authentication information 2 receiving means, and according to the authentication object information of the second authentication information received by the second receiving means so that the first authentication information and the second authentication information become the same authentication information, Complete synchronization processing means for updating the first authentication information stored in the first authentication device .
According to another aspect of the authentication processing system of the present invention, an information processing apparatus that accepts input of authentication target information from a user, authentication target information input from the information processing apparatus can be registered, and authentication using the authentication target information is performed. A first authentication device as a primary server for storing first authentication information for processing, and authentication information different from the first authentication information is registered, and the first authentication device cannot authenticate An authentication processing system comprising: a second authentication device as a secondary server that stores second authentication information for performing authentication processing using authentication target information, wherein the first authentication device includes the information When there is an authentication request for the authentication target information from the processing device and the authentication target information cannot be authenticated, an authentication request for the authentication target information is sent to the second authentication device. Authentication request transmitting means, and authentication corresponding to the authentication object information obtained from the second authentication information when authentication is obtained by the second authentication device in accordance with the authentication request by the authentication request transmitting means. A receiving means for receiving information; a simple synchronization processing means for updating the first authentication information using the authentication information received by the receiving means; and the first authentication device at a predetermined timing. And a second receiving means for receiving the second authentication information from the second authentication device in a state where the second authentication device does not perform the authentication process, the first authentication information, and the second The first authentication information stored in the first authentication device according to the authentication object information of the second authentication information received by the second receiving means so that the authentication information of the second authentication means becomes the same authentication information. Full sync update And a physical means.

The method of the authentication processing system of the present invention, an information processing apparatus that receives an input of authentication object information from the user, to enable the registration authentication object information input from the information processing apparatus, the authentication processing using the authentication object information The first authentication device as a primary server for storing the first authentication information for performing authentication and authentication information different from the first authentication information is registered, and the authentication cannot be performed by the first authentication device. A control method of an authentication processing system comprising a second authentication device as a secondary server that stores second authentication information for performing authentication processing using target information, wherein the second authentication device includes: in a state where the first authentication apparatus perform the authentication process, from the first authentication device, a first receiving step of receiving the first authentication information, the second authentication information, wherein To include one of the authentication information, according to the authentication target information of the first authentication information received by the first receiving step, it performed the first simple synchronizing process updating the second authentication information, The first authentication device receives the second authentication device from the second authentication device in a state where the first authentication device and the second authentication device do not perform authentication processing at a predetermined timing . And the second authentication step received in the second reception step so that the first authentication information and the second authentication information are the same authentication information. In accordance with the authentication object information of the information, a complete synchronization processing step of updating the first authentication information stored in the first authentication device is performed .
According to another aspect of the control method of the authentication processing system of the present invention, an information processing apparatus that accepts input of authentication target information from a user, authentication target information input from the information processing apparatus can be registered, and the authentication target information is The first authentication device as the primary server for storing the first authentication information for performing the used authentication process and authentication information different from the first authentication information are registered, and the first authentication device cannot authenticate And a second authentication device as a secondary server for storing second authentication information for performing authentication processing using the authentication target information, wherein the first processing method is a control method for the authentication processing system. When there is an authentication request for the authentication target information from the information processing apparatus and the authentication target information cannot be authenticated, the authentication apparatus sends the authentication target information to the second authentication apparatus. An authentication request transmission step for transmitting an authentication request for information, and the authentication obtained from the second authentication information when authentication is obtained by the second authentication device in accordance with the authentication request by the authentication request transmission step. In a reception step of receiving authentication information corresponding to target information, a simple synchronization processing step of updating the first authentication information using the authentication information received in the reception step, and a predetermined timing, A second receiving step of receiving the second authentication information from the second authentication device in a state where the first authentication device and the second authentication device do not perform authentication processing; In accordance with the authentication object information of the second authentication information received in the second reception step, the first authentication device so that the authentication information and the second authentication information become the same authentication information. Performing a full synchronization process step of updating the first authentication information stored.

An information processing apparatus for accepting an input of authentication target information from a user and an authentication target information input from the information processing apparatus and registering the authentication target information using the authentication target information. The first authentication device as a primary server that stores one authentication information and authentication information different from the first authentication information is registered, and the authentication target information is used when the first authentication device cannot authenticate The first authentication device can perform the authentication process on the second authentication device in an authentication processing system including a second authentication device as a secondary server that stores second authentication information for performing authentication processing. state, from the first authentication device, a first receiving means for receiving the first authentication information, as said second authentication information, including the first authentication information, wherein According to the authentication target information of the first authentication information received by the first receiving means, said first simple synchronizing processing means and to thereby function of updating the second authentication information, the first authentication device, previously The second authentication information is received from the second authentication device in a state where the first authentication device and the second authentication device do not perform authentication processing at a predetermined timing . In accordance with the authentication object information of the second authentication information received by the second receiving means, the receiving means, and the first authentication information and the second authentication information become the same authentication information. This is intended to function as complete synchronization processing means for updating the first authentication information stored in one authentication apparatus .
According to another aspect of the program of the present invention, an information processing apparatus that accepts input of authentication target information from a user, authentication target information input from the information processing apparatus can be registered, and an authentication process using the authentication target information is performed. A first authentication device as a primary server that stores first authentication information to be performed, and authentication information different from the first authentication information is registered, and the authentication target is not authenticated by the first authentication device. The first authentication device in an authentication processing system comprising a second authentication device as a secondary server that stores second authentication information for performing authentication processing using information from the information processing device to the authentication When there is an authentication request for the target information and the authentication target information cannot be authenticated, an authentication request for transmitting the authentication request for the authentication target information to the second authentication device is sent. Authentication information corresponding to the authentication target information obtained from the second authentication information when authentication is obtained by the second authentication device in accordance with an authentication request from the request transmission means and the authentication request transmission means. A receiving means for receiving, a simple synchronization processing means for updating the first authentication information using the authentication information received by the receiving means, and the first authentication device and the at a predetermined timing Second receiving means for receiving the second authentication information from the second authentication device in a state in which the second authentication device does not perform authentication processing, the first authentication information, and the second authentication Update the first authentication information stored in the first authentication device according to the authentication object information of the second authentication information received by the second receiving means so that the information becomes the same authentication information. Complete synchronization processing means It is intended to function with.

ADVANTAGE OF THE INVENTION According to this invention, in the synchronization of the authentication information memorize | stored in each authentication apparatus which performs an authentication process, the stop time of the service which concerns on an authentication process can be shortened as much as possible, and the improvement of work efficiency can be implement | achieved.

  The best mode for carrying out the present invention will be described below in detail with reference to the accompanying drawings.

FIG. 1 is a schematic diagram illustrating an example of a schematic configuration of an authentication processing system according to an embodiment of the present invention.
As shown in FIG. 1, the authentication processing system 10 according to the present embodiment includes a multifunction peripheral 100, an IC card authentication server 200, a directory service server 300, a computer 400, a print data storage server 500, and a network 600. Configured.

  In the authentication processing system 10 of the present embodiment, one or a plurality of multifunction peripherals 100 are provided. This multi-function device 100 constitutes an information processing apparatus that accepts input of card ID information related to an IC card that is authentication target information from a user. Further, upon receiving the user's print request specified in the authentication process, the multifunction peripheral 100 acquires the user's print data stored in a predetermined storage location of the print data storage server 500 and executes the print process. Has the function of a printing device. The MFP 100 can use a scan function, a copy (copy) function, and the like in addition to the print function when IC card authentication is permitted.

  The IC card authentication server 200 constitutes a redundant authentication device including the primary server 210 and the secondary server 220. For example, in the present embodiment, one primary server 210 is provided and one or more secondary servers 220 are provided. Each of the primary server 210 and the secondary server 220 stores an authentication table for IC card authentication, and performs an authentication process using each authentication table in response to an authentication request by the IC card from the multifunction device 100. . Here, in the IC card authentication server 200, the primary server 210 normally performs authentication processing, but when the primary server 210 is in a function stop state due to a failure or the like, the secondary server 220 performs authentication processing. It is configured as. In the following description, when it is not necessary to distinguish between the process of the primary server 210 and the process of the secondary server 220, the process will be described simply as the IC card authentication server 200 for the sake of simplicity.

  The directory service server 300 centrally stores and manages various types of information such as various resources existing on the network 600, hardware resources such as clients and multifunction peripherals, attributes of users who use these, and access rights. Is. For example, as the directory service server 300, a server or the like equipped with an active directory function can be used. The user attributes include, for example, the login user name and password of the computer 400 (for example, the login user name and password of Microsoft Windows (registered trademark)).

  The computer 400 constitutes, for example, the client, and is provided with one or a plurality (for example, for each user). A printer driver is installed in the computer 400. The printer driver generates print data based on the data received from the application program, transmits the print data to the print data storage server 500, and stores the print data in a predetermined storage location (spool area) of the print data storage server 500. be able to.

  The print data storage server 500 performs control to transfer print data stored in a predetermined storage location to the multi-function peripheral 100 based on a command received from an external device.

  The network 600 connects the MFP 100, the IC card authentication server 200, the directory service server 300, the computer 400, and the print data storage server 500 in the authentication processing system 10 so that they can communicate with each other. It is composed of communication media.

  In the authentication processing system 10 shown in FIG. 1, an independent print data storage server 500 is provided. However, for example, the present invention can be applied to a configuration in which the function of the print data storage server 500 is configured in the MFP 100. Is possible.

Here, a simple processing flow in the authentication processing system 10 of FIG. 1 will be described.
When the MFP 100 acquires the card ID information of the IC card, the MFP 100 transmits the card ID information to the IC card authentication server 200.

  Then, the IC card authentication server 200 executes an authentication process based on the received card ID information, and transmits the authentication result to the multifunction device 100. At this time, if the authentication is not permitted, the IC card authentication server 200 inputs user information (for example, a user name and a password managed by the directory service server 300) together with the authentication result to the multifunction peripheral 100. Send a request.

  When the MFP 100 receives a user information input request from the IC card authentication server 200, the MFP 100 displays that fact on an operation unit having a display screen and accepts input of user information from the user. When the user information is input to the operation unit by the user, the multi-function device 100 transmits the input user information to the IC card authentication server 200.

  When the IC card authentication server 200 receives the user information from the multifunction device 100, the IC card authentication server 200 transmits the user information to the directory service server 300.

  When the directory service server 300 receives user information from the IC card authentication server 200, the directory service server 300 executes an authentication process based on the user information and transmits the authentication result to the IC card authentication server 200. At this time, if the directory service server 300 does not permit authentication, the IC card authentication server 200 discards the user information. On the other hand, when the directory service server 300 permits authentication, the IC card authentication server 200 performs processing for registering the information (for example, user name information) and card ID information as user specifying information in the authentication table.

  Next, the hardware of each device (the multifunction peripheral 100, the primary server 210 and the secondary server 220 of the IC card authentication server 200, the directory service server 300, the computer 400, and the print data storage server 500) in the authentication processing system 10 of FIG. The hardware configuration will be described.

  FIG. 2 is a schematic diagram illustrating an example of a hardware configuration of the primary server 210 and the secondary server 220, the directory service server 300, the computer 400, and the print data storage server 500 of the IC card authentication server 200 illustrated in FIG.

  As shown in FIG. 2, a primary server 210 and a secondary server 220 of the IC card authentication server 200, a directory service server 300, a computer 400, and a print data storage server 500 are respectively a CPU 201, a ROM 202, a RAM 203, and a system. The hardware configuration includes a bus 204, various controllers 205 (205a to 205d), a keyboard (KB) 206, a CRT display (CRT) 207, and an external memory 208. Specifically, as various controllers 205, an input controller 205a, a video controller 205b, a memory controller 205c, and a communication interface (communication I / F) controller 205d are configured.

  In FIG. 2, the CPU 201 comprehensively controls each device and controller connected to the system bus 204.

  In the ROM 202 or the external memory 208, a BIOS (Basic Input / Output System) or an operating system program (hereinafter referred to as an OS), which is a control program of the CPU 201, various programs necessary for realizing functions executed by the own device, Information, data, etc. are stored.

  The RAM 203 functions as a main memory, work area, and the like for the CPU 201. The CPU 201 implements various operations by loading a program or the like necessary for executing the processing into the RAM 203 and executing the program.

  The system bus 204 connects the CPU 201, ROM 202, RAM 203, input controller 205a, video controller 205b, memory controller 205c, and communication I / F controller 205d so that they can communicate with each other.

  The input controller 205a controls input from a pointing device such as a keyboard (KB) 206 or a mouse (not shown).

  The video controller 205 b controls display on a display device such as a CRT display (CRT) 207. In addition, as a display apparatus, not only CRT but a liquid crystal display may be used, for example. These are used by the administrator as needed.

  The memory controller 205c is stored in a hard disk (HD), floppy disk (registered trademark: FD) or PCMCIA card slot for storing a boot program, browser software, various applications, font data, user files, editing files, various data, and the like. Controls access to an external memory 208 such as a CompactFlash (registered trademark) memory connected via an adapter.

  The communication I / F controller 205d is connected to and communicates with an external device via the network 600, and executes communication control processing in the network 600. For example, the communication I / F controller 205d can perform Internet communication using TCP / IP.

  Note that the CPU 201 can perform display on a CRT display (CRT) 207 by executing, for example, outline font rasterization processing on a display information area in the RAM 203. Further, the CPU 201 can give a user instruction by a mouse cursor (not shown) on the CRT display (CRT) 207.

  In the present embodiment, various programs to be described later for realizing the present invention are stored, for example, in the external memory 208, and are executed by the CPU 201 by being loaded into the RAM 203 as necessary. Furthermore, a definition file and various information tables used when executing the program are also stored in the external memory 208.

  In the present embodiment, the primary server 210 and the secondary server 220 of the IC card authentication server 200 are each provided with the hardware configuration shown in FIG. Even if the hardware configuration shown in FIG. 1 is used and the functions of the primary server 210 and the secondary server 220 are executed by one CPU 201, the present invention can be applied.

FIG. 3 is a schematic diagram illustrating an example of a hardware configuration of the multifunction peripheral 100 illustrated in FIG.
As illustrated in FIG. 3, the multifunction peripheral 100 is configured to have a hardware configuration of a controller unit 110, an operation unit 120, an IC card reader 130, a printer 140 that is a printing device, and a scanner 150. .

  The controller unit 110 includes a CPU 101, a RAM 102, a ROM 103, a hard disk drive (HDD) 104, a network I / F (Network I / F) 105, a modem (MODEM) 106, and an operation unit I / F 107. , Image bus I / F (IMAGE BUS I / F) 108, external I / F 109, system bus 111, image bus 112, raster image processor (RIP) 113, printer I / F 114, scanner I / F F115 and the hardware configuration of the image processing unit 116 are configured.

  The controller unit 110 is connected to a scanner 150 that functions as an image input device and a printer 140 that functions as an image output device, while a LAN (for example, the network 600 shown in FIG. 1) or a public line (WAN) (for example, PSTN or By connecting to ISDN or the like, image data and device information are input / output.

  The CPU 101 is a processor that controls the entire system inside the multifunction peripheral 100. A RAM 102 is a system work memory for the CPU 101 to operate, and is also a program memory for recording a program and an image memory for temporarily recording image data.

  The ROM 103 stores a system boot program and various control programs in the multifunction peripheral 100. A hard disk drive (HDD) 104 constitutes an external storage device, and stores various programs, image data, and the like for controlling the system inside the multifunction peripheral 100.

  A network I / F (Network I / F) 105 is connected to a network (600) such as a LAN and inputs / outputs data. A modem (MODEM) 106 is connected to a public line and inputs / outputs data such as FAX transmission / reception.

  The operation unit I / F 107 is an interface with the operation unit 120 including a user interface (UI) and the like, and outputs image data to be displayed on the operation unit 120 and various kinds of information to the operation unit 120. Further, the operation unit I / F 107 serves to transmit the input information input by the user from the operation unit 120 to the CPU 101. Note that the operation unit 120 includes a display unit having a touch panel, and various instructions can be given by a user pressing (touching with a finger or the like) a button displayed on the display unit.

  An image bus I / F (IMAGE BUS I / F) 108 is a bus bridge that connects a system bus 111 and an image bus 112 that transfers image data at high speed and converts a data structure.

  The external I / F 109 is an interface that accepts external inputs such as USB, IEEE 1394, printer port, and RS-232C. In the present embodiment, an IC card reader 130 for reading IC card information that is authentication target information necessary for authentication is connected to the external I / F 109. Then, the CPU 101 controls reading of information on the IC card by the IC card reader 130 via the external I / F 109, and acquires information read from the IC card.

  The system bus 111 includes a CPU 101, a RAM 102, a ROM 103, a hard disk drive (HDD) 104, a network I / F 105, a modem (MODEM) 106, an operation unit I / F 107, an image bus I / F 108, and an external I / F 109. It connects so that it can communicate.

  The image bus 112 connects the image bus I / F 108, the raster image processor (RIP) 113, the printer I / F 114, the scanner I / F 115, and the image processing unit 116 so that they can communicate with each other. The image bus 112 is composed of, for example, a PCI bus or IEEE1394.

  A raster image processor (RIP) 113 expands vector data such as a PDL code into a bitmap image, for example. The printer I / F 114 connects the printer 140 and the controller unit 110, and performs synchronous / asynchronous conversion of image data.

  A scanner I / F 115 connects the scanner 150 and the controller unit 110, and performs synchronous / asynchronous conversion of image data. The image processing unit 116 performs image processing on image data read from the scanner 150, for example.

  Next, the software configuration of the MFP 100 and the primary server 210 and the secondary server 220 of the IC card authentication server 200 in the authentication processing system 10 of FIG. 1 will be described.

  FIG. 4 is a schematic diagram illustrating an example of a software configuration of the multifunction peripheral 100 illustrated in FIG. In FIG. 4, the same components as those shown in FIG. Specifically, FIG. 4 shows an example of a software configuration in the controller unit 110 inside the multifunction peripheral 100.

  As shown in FIG. 4 (and FIG. 3), an IC card reader 130 is communicably connected to the controller unit 110. Although not shown in FIG. 4, it is natural that the operation unit 120, the printer 140, and the scanner 150 are communicably connected to the controller unit 110 as shown in FIG. 3.

  The controller unit 110 includes software configurations of an IC card authentication application (program) 1101 and a card ID storage unit 1102. For example, the IC card authentication application 1101 includes a program stored in the CPU 101 and the hard disk drive (HDD) 104 or the ROM 103 shown in FIG. That is, the IC card authentication application 1101 is realized by the CPU 101 shown in FIG. 3 executing a program (including a program read into the RAM 102) stored in the hard disk drive (HDD) 104 or the ROM 103. Further, for example, the card ID storage unit 1102 is configured in the hard disk drive (HDD) 104 (or RAM 102) shown in FIG.

  The IC card authentication application 1101 (CPU 101) detects the IC card via the IC card reader 130, and acquires card ID information stored in the IC card. Then, the IC card authentication application 1101 (CPU 101) stores the acquired card ID information in the card ID storage unit 1102. Here, the card ID information is information that can specify a user such as a card ID (unique number) such as a manufacturing number of an IC card or personal identification information that identifies an individual.

  FIG. 5 is a schematic diagram showing an example of a software configuration in the primary server 210 and the secondary server 220 of the IC card authentication server 200 shown in FIG. Specifically, FIG. 5A shows an example of a software configuration in the primary server 210, and FIG. 5B shows an example of a software configuration in the secondary server 220.

  The primary server 210 includes an IC card authentication service unit 211, a security agent (Security Agent) service unit 212, an authentication table deletion service unit 213, an authentication table storage unit 214, a log storage unit 215, a setting file storage unit 216, and an authentication The software configuration of the table synchronization service unit 217 and the black list table storage unit (not shown) is configured.

  For example, the IC card authentication service unit 211, the security agent (Security Agent) service unit 212, the authentication table deletion service unit 213, and the authentication table synchronization service unit 217 include the CPU 201 of the primary server 210 and the external memory 208 ( Or it is comprised from the program memorize | stored in ROM202). That is, the IC card authentication service unit 211, the security agent (Security Agent) service unit 212, the authentication table deletion service unit 213, and the authentication table synchronization service unit 217 are configured so that the CPU 201 of the primary server 210 shown in FIG. Alternatively, it is realized by executing a program (including a program read into the RAM 102) stored in the ROM 202). When the IC card authentication server 200 has the hardware configuration shown in FIG. 2, the IC card authentication service unit 211, the security agent service unit 212, the authentication table deletion service unit 213, and The authentication table synchronization service unit 217 is realized by the CPU 201 of the IC card authentication server 200 executing a program (including a program read into the RAM 102) stored in the external memory 208 (or ROM 202).

  Further, for example, the authentication table storage unit 214, the log storage unit 215, the setting file storage unit 216, and the black list table storage unit (not shown) are stored in the external memory 208 (or RAM 203) of the primary server 210 shown in FIG. Composed. When the IC card authentication server 200 has the hardware configuration shown in FIG. 2, the authentication table storage unit 214, the log storage unit 215, the setting file storage unit 216, and the black list table storage unit (not shown) Is configured in the external memory 208 (or RAM 203) of the IC card authentication server 200. The authentication table storage unit 214 stores an authentication table 214a, the log storage unit 215 stores a log 215a, the setting file storage unit 216 stores a setting file 216a, and a black list table storage unit (not shown). ) Stores a black list table.

  The IC card authentication service unit 211 registers (stores), for example, the card ID, the user name, and the user information of the last login date in the authentication table 214a of the authentication table storage unit 214, or the card ID registered in the authentication table 214a. Search user information, user information of the last login date.

  Further, when there is a request for overwriting of card ID information, the IC card authentication service unit 211 uses the authentication table storage unit 214 to authenticate the card ID information for which the overwriting request has been made, the user name, and the last login date information. Register in the table 214a. In addition, when there is a request for adding card ID information, the IC card authentication service unit 211 performs authentication in the authentication table storage unit 214 with the card ID information for which the addition request has been made, the user name, and the last login date information. Register in the table 214a.

  A security agent (Security Agent) service unit 212 performs processing related to a security agent service. For example, the security agent service unit 212 performs processing related to user registration processing in the authentication table.

  The authentication table deletion service unit 213 deletes the corresponding card ID, user name, and last login date user information in the authentication table 214a based on the user information holding period of the setting file 216a stored in the setting file storage unit 216. .

  The authentication table synchronization service unit 217 controls the IC card authentication service unit 211, the security agent service unit 212, and the authentication table deletion service unit 213 as necessary, and synchronizes the authentication table 214a of the own server.

  Similar to the primary server 210, the secondary server 220 includes an IC card authentication service unit 221, a security agent (Security Agent) service unit 222, an authentication table deletion service unit 223, an authentication table storage unit 224, a log storage unit 225, a setting file The software configuration of the storage unit 226, the authentication table synchronization service unit 227, and the black list table storage unit (not shown) is configured.

  For example, the IC card authentication service unit 221, the security agent (Security Agent) service unit 222, the authentication table deletion service unit 223, and the authentication table synchronization service unit 227 are configured such that the CPU 201 of the secondary server 220 illustrated in FIG. Alternatively, it is realized by executing a program (including a program read into the RAM 102) stored in the ROM 202). When the IC card authentication server 200 has the hardware configuration shown in FIG. 2, the IC card authentication service unit 221, the security agent (Security Agent) service unit 222, the authentication table deletion service unit 223, and The authentication table synchronization service unit 227 is realized by the CPU 201 of the IC card authentication server 200 executing a program (including a program read into the RAM 102) stored in the external memory 208 (or ROM 202).

  For example, the authentication table storage unit 224, the log storage unit 225, the setting file storage unit 226, and the black list table storage unit (not shown) are stored in the external memory 208 (or RAM 203) of the secondary server 220 shown in FIG. Composed. When the IC card authentication server 200 has the hardware configuration shown in FIG. 2, the authentication table storage unit 224, the log storage unit 225, the setting file storage unit 226, and the black list table storage unit (not shown) Is configured in the external memory 208 (or RAM 203) of the IC card authentication server 200. The authentication table storage unit 224 stores an authentication table 224a, the log storage unit 225 stores a log 225a, the setting file storage unit 226 stores a setting file 226a, and a black list table storage unit (not shown). ) Stores a black list table.

  Further, the function of each software configuration of the secondary server 220 shown in FIG. 5B is the same as the function of each software configuration corresponding to the primary server 210 shown in FIG. Omitted.

Hereinafter, the flow of processing in the authentication processing system 10 of the present embodiment will be described.
FIG. 6 is a flowchart showing an example of the processing procedure of the synchronization processing in the authentication table of the authentication processing system according to the embodiment of the present invention. Specifically, the flowchart illustrated in FIG. 6 illustrates an example of a processing procedure when the secondary server 220 that has been down is started up while the primary server 210 is operating. In the following description, the processing of the authentication table synchronization service units 217 and 227 that performs the synchronization processing in the authentication tables of the primary server 210 and the secondary server 220 will be described with reference to the flowchart of FIG.

  Here, before explaining FIG. 6, each authentication table 214a and 224a of the primary server 210 and the secondary server 220 is demonstrated using FIG.

  FIG. 7 is a schematic diagram illustrating an example of the authentication table 214a of the primary server 210 and the authentication table 224a of the secondary server 220 illustrated in FIG. Specifically, FIG. 7A shows an example of the authentication table 214a (first authentication information) of the primary server 210, and FIG. 7B shows the authentication table 224a (second authentication information) of the secondary server 220. An example is shown. Further, as shown in FIG. 7, each authentication table 214a and 224a includes, for each user, user identification information of a card ID and a user name, and the user's login time (in this example, the date when authentication is permitted). User information including attribute information related to (last login date) is registered (stored). Here, in the example shown in FIG. 7, the information is the last login date. However, in the present embodiment, the information is not limited to this mode, and includes, for example, the time information in addition to the last login date. Even if it exists, it is applicable.

  In FIG. 7, the information with the card ID “12345678” is a state registered in both the primary server 210 and the secondary server 220, and each server is activated, and the user name is The case where the user of “ABC” performs authentication is shown. At this time, referring to the last login date, only the authentication table 214a of the primary server 210 is updated.

  In FIG. 7, the information with the card ID “12345679” is a state registered in both the primary server 210 and the secondary server 220 and only the secondary server 220 is activated, and the user name Shows a case where a user with “CBA” performs authentication. At this time, referring to the last login date, only the authentication table 224a of the secondary server 220 is updated, and the authentication table 214a of the primary server 210 is not updated.

  In FIG. 7, information with a card ID “234456789” is a state in which only the primary server 210 is activated, and a user with a user name “BCD” is registered. In FIG. 7, information with a card ID “345567890” is a state in which only the secondary server 220 is activated, and a user with a user name “CDE” is registered.

  In FIG. 7, information with a card ID “45678901” is a state in which only the primary server 210 is activated, and a user whose user name is “WXY” is registered. This is a case where only the server 220 is activated and a user whose user name is “XYZ” has registered using an IC card with the same card ID. In this case, in the server authentication table 214a and the authentication table 224a, the card IDs match but the user names are different.

  6 will be described in the registration state of the authentication table 214a and the authentication table 224a.

  First, in step S101 of FIG. 6, the secondary server 220 determines whether or not the authentication table synchronization service unit 227 of its own server has been activated. If the authentication table synchronization service unit 227 is not activated as a result of this determination, the process stands by in step S101.

  On the other hand, if the authentication table synchronization service unit 227 is activated as a result of the determination in step S101, the process proceeds to step S102.

  In step S102, the authentication table synchronization service unit 227 of the secondary server 220 reads the setting information of the setting file 226a stored in the setting file storage unit 226.

  FIG. 8 is a schematic diagram illustrating an example of setting information set as a setting file according to the embodiment of this invention.

  As shown in FIG. 8, the setting file (setting file 226a in the example shown in FIG. 8) includes setting information including information on a primary determination flag, a synchronization destination server IP, a complete synchronization processing time, and a user information holding period. Is set.

  The primary determination flag indicates whether the own server is a primary server or a secondary server. If it is 0, it indicates that it is the primary server 210, and if it is 1, it indicates that it is the secondary server 220. Therefore, the example illustrated in FIG. 8 indicates that the local server is the secondary server 220.

  The synchronization destination server IP is set with an IP address value indicating the server to be synchronized. In the case of this embodiment, the IP address value of the primary server 210 that is the synchronization target server is set. Yes.

  When the local server is the primary server 210, information indicating the time for performing the complete synchronization processing described later is set as the complete synchronization processing time. In the user information holding period, information indicating a period (for example, a day) for holding user information from the last login of the user until a deletion process described later is set in the authentication table of the own server.

Here, it returns to description of FIG. 6 again.
When the setting file is read in step S102, subsequently, in step S103, the secondary server 220 (including the primary server 210) executes a simple synchronization process of the authentication table when the authentication table synchronization service unit 227 is activated. . Details of the simple synchronization process in step S103 will be described later with reference to FIG. 9. In the above-described complete synchronization process (complete synchronization process in step S108 described later), the authentication table 214a of the primary server 210 and the secondary server 220 are described. In this simple synchronization process, some of the information in each of the authentication tables 214a and 224a is information having the same content. It is processing.

  Here, with reference to the flowchart of FIG. 9, the simple synchronization process of the authentication table at the time of starting the authentication table synchronization service unit 227 shown in step S103 will be described.

  FIG. 9 is a flowchart illustrating an example of a detailed processing procedure of the simple synchronization processing in step S103 illustrated in FIG. Here, in the flowchart shown in FIG. 9, the processes in the primary server 210 and the secondary server 220 shown in the upper part of FIG. Further, in this example, since the subject of the processing in step S103 of FIG. 6 is the secondary server 220, FIG. 9 illustrates the simple synchronization processing at the time of starting the authentication table synchronization service unit 227 of the secondary server 220. For example, when the primary server 210 is applied as the subject of the processing in step S103 in FIG. 6, the processing of each server indicated in the vertical division is reversed on the left and right.

  When the simple synchronization process in step S103 in FIG. 6 is started, first, in step S201 in FIG. 9, the authentication table synchronization service unit 227 of the secondary server 220 stops the IC card authentication service unit 221 of its own server and sends it to its own server. Stop the authentication process. This process is to prevent the authentication table 224a from being updated at an unexpected timing, and the authentication table consistency is ensured by not accepting the authentication request during the simple synchronization process described later. To keep. In this case, the IC card authentication service unit 211 of the primary server 210 is in an activated state.

  Subsequently, in step S <b> 202, the secondary server 220 (for example, the authentication table synchronization service unit 227) sends a transmission request for information in the authentication table 214 a of the primary server 210 to the primary server 210.

  When the information transmission request of the authentication table 214a is received from the secondary server 220, the primary server 210 (for example, the authentication table synchronization service unit 217) subsequently receives the authentication table 214a (authentication table (P)) of its own server in step S203. ) Is transmitted to the secondary server 220.

  Subsequently, in step S204, the secondary server 220 (for example, the authentication table synchronization service unit 227) receives the information of the authentication table 214a (authentication table (P)) from the primary server 210.

  Subsequently, in step S205, the authentication table synchronization service unit 227 of the secondary server 220 reads one record from the information in the authentication table 214a (authentication table (P)) received in step S204. That is, in this step S205, for example, a record related to information of one card ID, user name, and last login date shown in FIG. 7A is read.

  Subsequently, in step S206, the authentication table synchronization service unit 227 of the secondary server 220 has the same card ID as the card ID related to the information of one record of the authentication table 214a (authentication table (P)) read in step S205. It is determined whether it is in the authentication table 224a (authentication table (S)).

  As a result of the determination in step S206, the same card ID as the card ID related to the information of one record in the authentication table 214a (authentication table (P)) read in step S205 is stored in the authentication table 224a (authentication table (S)) of the own server. If there is, the process proceeds to step S207.

  In step S207, the authentication table synchronization service unit 227 of the secondary server 220 determines that the last login date related to the information of one record in the authentication table 214a (authentication table (P)) read in step S205 is the card ID in step S206. Are the same as the last login date related to the record information of the authentication table 224a (authentication table (S)) determined to be the same.

  As a result of the determination in step S207, if the last login date is the same, the process proceeds to step S208. In step S208, the authentication table synchronization service unit 227 of the secondary server 220 uses the information of one record in the authentication table 214a (authentication table (P)) read in step S205, and the card ID is the same in step S206. Control is performed to overwrite information of the record of the determined authentication table 224a (authentication table (S)). The overwriting process in step S208 is, for example, a form in which the authentication table synchronization service unit 227 controls the IC card authentication service unit 221 and the IC card authentication service unit 221 performs the overwriting process. The synchronization service unit 227 itself may perform the overwriting process. By overwriting the record information, for example, correct user information can be managed even when the user name is changed.

  On the other hand, if the result of determination in step S207 is that the last login date is not the same (different), the process proceeds to step S209. In step S209, the authentication table synchronization service unit 227 of the secondary server 220 performs control to overwrite the authentication table 224a (authentication table (S)) with the newer date record. The overwriting process in step S209 may be performed by, for example, the authentication table synchronization service unit 227 controlling the IC card authentication service unit 221 and performing the overwriting process by the IC card authentication service unit 221. The synchronization service unit 227 itself may perform the overwriting process.

  In addition, as a result of the determination in step S206, the same card ID as the card ID related to the information of one record in the authentication table 214a (authentication table (P)) read in step S205 is the authentication table 224a (authentication table (S)) of the own server. If not, the process proceeds to step S210.

  In step S210, the authentication table synchronization service unit 227 of the secondary server 220 uses the information of one record in the authentication table 214a (authentication table (P)) read in step S205 as the authentication table 224a (authentication table (S)). Controls additional processing to be added to. The additional processing in step S210 may be performed by, for example, the authentication table synchronization service unit 227 controlling the IC card authentication service unit 221 and performing the additional processing by the IC card authentication service unit 221. The synchronization service unit 227 itself may perform the addition process.

  When the process of step S208, step S209, or step S210 ends, the process proceeds to step S211.

  When the processing proceeds to step S211, the authentication table synchronization service unit 227 of the secondary server 220 determines whether or not the processing of all the records of the information in the authentication table 214a (authentication table (P)) received in step S204 has been completed. Judging. As a result of this determination, if the processing of all the information of the authentication table 214a (authentication table (P)) has not been completed yet (there is a record that has not been processed yet), the process returns to step S205. A record that has not yet been processed is read, and the processes in and after step S206 are performed.

  On the other hand, as a result of the determination in step S211, when the processing is completed for the information of all records in the authentication table 214a (authentication table (P)), the process proceeds to step S212. In step S212, the authentication table synchronization service unit 227 of the secondary server 220 starts activation of the IC card authentication service unit 221 and starts authentication processing addressed to the own server. Thereafter, the process of the flowchart shown in FIG. 9 ends.

  As described above, by performing the processing in steps S201 to S212 shown in FIG. 9, the simple synchronization processing at the time of activation of the authentication table synchronization service unit 227 in step S103 shown in FIG. 6 is performed.

  FIG. 10 is a schematic diagram showing an example of the authentication table 214a of the primary server 210 and the authentication table 224a of the secondary server 220 after the simple synchronization processing in step S103 shown in FIG.

  Taking the case where the authentication table synchronization service unit 227 of the secondary server 220 is activated by the simple synchronization process of step S103 shown in FIG. 6 as an example, the authentication table 214a of the primary server 210 and the authentication table 224a of the secondary server 220 are as shown in FIG. From what is shown in FIG.

  In the simple synchronization process of step S103, there is no change in the authentication table 214a of the primary server 210, but the difference from the authentication table 214a of the primary server 210 is reflected in the authentication table 224a of the secondary server 220. Note that, as described above, even during the simple synchronization process of step S103, in the primary server 210, the IC card authentication service unit 211 is in an activated state, and the process by the IC card authentication service unit 211 is continued. The authentication process can be performed at any time.

Here, it returns to description of FIG. 6 again.
When the simple synchronization process at the time of activation of the authentication table synchronization service unit in step S103 is performed, subsequently, in step S104, the secondary server 220 determines whether there is a registration request (authentication request) from the authentication request source. To do.

  As a result of the determination in step S104, if there is a registration request (authentication request), the process proceeds to step S105. In step S105, the multifunction peripheral 100, the primary server 210, and the secondary server 220 execute a simple synchronization process of an authentication table at the time of an authentication / registration request.

  Here, with reference to the flowchart of FIG. 11, the simple synchronization process of the authentication table at the time of the authentication / registration request shown in step S105 will be described.

  FIG. 11 is a flowchart illustrating an example of a detailed processing procedure of the simple synchronization processing in step S105 illustrated in FIG. Here, in the flowchart shown in FIG. 11, the processes in the multi-function device 100, the primary server 210, and the secondary server 220 shown in the upper part of FIG. 11 are shown in a vertically divided manner. Each process in the case of “ABC”, “CDE”, and “XXX” is vertically divided.

  In the description of FIG. 11 shown below, the date at the time of the authentication / registration request is assumed to be October 2, 2007 (20071002). The user “ABC” is assumed to be a user (card ID: 12345678, user name: ABC) registered in the authentication table 214a of the primary server 210 shown in FIG. Further, the user “CDE” is not registered in the authentication table 214a of the primary server 210 shown in FIG. 10A, but is registered in the authentication table 224a of the secondary server 220 shown in FIG. Card ID: 34567890, user name: CDE). Further, the user “XXX” is a user who is not registered in the authentication table 214a of the primary server 210 shown in FIG. 10A or the authentication table 224a of the secondary server 220 shown in FIG. ID: 56789012, user ID not registered).

  First, the simple synchronization process in the authentication table at the time of authentication / registration request for the user “ABC” will be described.

  First, in step S301, the multi-function device 100 (for example, the IC card authentication application 1101) acquires card ID information (card ID: 12345678) related to the user “ABC” and stores it in the IC card authentication server 200 (specifically, Sends an authentication request to the primary server 210).

  Subsequently, in step S302, the primary server 210 of the IC card authentication server 200 receives the authentication request for the card ID information (card ID: 12345678) transmitted from the authentication request source in step S301.

  Subsequently, in step S303, the primary server 210 (for example, the authentication table synchronization service unit 217) determines whether or not the card ID information (card ID: 12345678) has been registered in the authentication table 214a of the own server. If it is registered, authentication is permitted. If it is not registered, authentication is not permitted.

  Here, as shown in FIG. 10A, the card ID information (card ID: 12345678) relating to the user “ABC” has already been registered in the authentication table 214a. (S303 / YES).

  Subsequently, in step S304, the primary server 210 (for example, the authentication table synchronization service unit 217) performs control to update the attribute information related to the user “ABC” in the information of the authentication table 214a of the own server. The update process in step S304 may be performed by, for example, the authentication table synchronization service unit 217 controlling the IC card authentication service unit 211 and performing the update process by the IC card authentication service unit 211. The synchronization service unit 217 itself may perform the update process.

  FIG. 12 is a schematic diagram illustrating an example of updating attribute information relating to the user “ABC” in the authentication table in the simple synchronization process of step S105 illustrated in FIG. Here, FIG. 12 shows the state of each authentication table after the update processing of the attribute information related to the user “ABC” from the state of each authentication table shown in FIG.

  Specifically, in step S304, in the authentication table 214a of the primary server 210 shown in FIG. 12A, the last login date that is attribute information related to the user “ABC” is updated from 20071001 (FIG. 10A) to 20071002. Has been. At this time, in this embodiment, information is not transmitted to the secondary server 220 or the like for the purpose of reducing communication traffic, and therefore, the authentication table 224a of the secondary server 220 is not updated and the authentication table of the primary server 210 is not updated. A difference occurs in the attribute information of the user “ABC” between the authentication table 224a of the secondary server 220 and the authentication table 214a. Since this difference is not an important difference in the system, the synchronization is deferred until the complete synchronization process.

  After performing the update process of the attribute information of the user “ABC”, in step S305, the primary server 210 subsequently performs the card ID information (card ID: 12345678) relating to the user “ABC” requested for authentication in step S301. Authentication OK information indicating that the authentication is permitted is transmitted to the MFP 100 that is the authentication request source.

  Subsequently, in step S306, the multifunction peripheral 100 receives the authentication OK information for the card ID information (card ID: 12345678) transmitted from the primary server 210.

  Subsequently, in step S307, the multi-function device 100 (for example, the IC card authentication application 1101) executes an authentication process to give a print permission to the user “ABC” or provide various services. .

  Through the processes in steps S301 to S307 described above, the simple synchronization process in the authentication table at the time of authentication / registration request of the user “ABC” is performed.

  Next, the simple synchronization process in the authentication table at the time of authentication / registration request for the user “CDE” will be described.

  First, in step S301, the multi-function device 100 (for example, the IC card authentication application 1101) acquires card ID information (card ID: 34567890) related to the user “CDE”, and stores it in the IC card authentication server 200 (specifically, Sends an authentication request to the primary server 210).

  Subsequently, in step S302, the primary server 210 of the IC card authentication server 200 receives the authentication request for the card ID information (card ID: 34567890) transmitted from the authentication request source in step S301.

  Subsequently, in step S303, the primary server 210 (for example, the authentication table synchronization service unit 217) determines whether or not the card ID information (card ID: 34567890) has been registered in the authentication table 214a of the own server.

  Here, as shown in FIG. 10A, since the card ID information (card ID: 34567890) relating to the user “CDE” is not registered in the authentication table 214a, it is determined in step S303 that it has not been registered. (S303 / NO).

  Subsequently, in step S308, the primary server 210 requests the secondary server 220 to check whether or not the card ID information (card ID: 34567890) is registered in the authentication table 224a of the secondary server 220. Send.

  Subsequently, in step S309, the secondary server 220 receives a registration confirmation request for the card ID information (card ID: 34567890) transmitted from the primary server 210 in step S308.

  Subsequently, in step S310, the secondary server 220 (for example, the authentication table synchronization service unit 227) determines whether or not the card ID information (card ID: 34567890) has been registered in the authentication table 224a of the own server.

  Here, as shown in FIG. 10B, since the card ID information (card ID: 34567890) related to the user “CDE” has already been registered in the authentication table 224a, it is determined in step S310 that the card has been registered. (S310 / YES).

  Subsequently, in step S311, the secondary server 220 (for example, the authentication table synchronization service unit 227) performs control to update the attribute information related to the user “CDE” in the information of the authentication table 224a of the own server. The update process in step S311 may be performed by, for example, the authentication table synchronization service unit 227 controlling the IC card authentication service unit 221 and performing the update process by the IC card authentication service unit 221. The synchronization service unit 227 itself may perform the update process.

  FIG. 13 is a schematic diagram illustrating an example of updating attribute information related to the user “CDE” in the authentication table in the simple synchronization process of step S105 illustrated in FIG. Here, FIG. 13 shows the state of each authentication table after the update process of the attribute information related to the user “CDE” from the state of each authentication table shown in FIG. 10.

  Specifically, in step S311, the last login date that is attribute information related to the user “CDE” is updated from 20071001 (FIG. 10A) to 20071002 in the authentication table 224a of the secondary server 220 illustrated in FIG. Has been.

  Subsequently, in step S312, the secondary server 220 confirms that the card ID information (card ID: 34567890) related to the registration confirmation request in step S308 is registered, and authentication OK information indicating that authentication is OK. Transmit to the primary server 210.

  Subsequently, in step S313, the primary server 210 receives the authentication OK information for the card ID information (card ID: 34567890) transmitted from the secondary server 220.

  Subsequently, in step S314, the primary server 210 (for example, the authentication table synchronization service unit 217) performs control to register user information related to the user “CDE” in the authentication table 214a of the own server. In the registration process in step S314, for example, the authentication table synchronization service unit 217 controls the IC card authentication service unit 211 (or the security agent service unit 212 or the like) and the IC card authentication service unit 211 (or the security agent service). Or the authentication table synchronization service unit 217 itself may perform the registration process.

  Specifically, in step S314, in the authentication table 214a of the primary server 210 shown in FIG. 13A, card ID: 34567890, user name: CDE, and last login date: 20071002 which are user information related to the user “CDE”. Registration processing for adding the information is performed.

  Subsequently, in step S315, the primary server 210 transmits authentication OK information for the card ID information (card ID: 34567890) relating to the user “CDE” requested for authentication in step S301 to the MFP 100 that is the authentication request source. To do.

  Subsequently, in step S316, the multifunction peripheral 100 receives the authentication OK information for the card ID information (card ID: 34567890) transmitted from the primary server 210.

  Subsequently, in step S317, the multi-function device 100 (for example, the IC card authentication application 1101) executes an authentication process to give the user “CDE” permission to print or provide various services. .

  Through the processes of steps S301 to S303 and steps S308 to S317, the simple synchronization process in the authentication table at the time of authentication / registration request for the user “CDE” is performed. Even if the user information related to the user (“CDE”) does not exist in the authentication table 214a of the primary server 210 by the processing of steps S301 to S303 and steps S308 to S317, the user (“CDE”) performs the registration work. The authentication table 224a of the secondary server 220 is authenticated and various services are received, and the authentication table 214a of the primary server 210 and the authentication table 224a of the secondary server 220 are associated with the user ("CDE"). Is in a synchronized state.

  Next, the simple synchronization processing in the authentication table when the user “XXX” is requested for authentication / registration will be described.

  First, in step S301, the multi-function device 100 (for example, the IC card authentication application 1101) obtains card ID information (card ID: 5789902) related to the user “XXX” and stores it in the IC card authentication server 200 (specifically, Sends an authentication request to the primary server 210).

  Subsequently, in step S302, the primary server 210 of the IC card authentication server 200 receives the authentication request for the card ID information (card ID: 56789012) transmitted from the authentication request source in step S301.

  Subsequently, in step S303, the primary server 210 (for example, the authentication table synchronization service unit 217) determines whether or not the card ID information card ID information (card ID: 56789012) has been registered in the authentication table 214a of the own server. To do.

  Here, in the authentication table 214a, as shown in FIG. 10A, the card ID information (card ID: 56789012) relating to the user “XXX” is unregistered, so in step S303, it is determined that it has not been registered. (S303 / NO).

  Subsequently, in step S308, the primary server 210 requests the secondary server 220 to confirm whether or not the card ID information (card ID: 56789021) is registered in the authentication table 224a of the secondary server 220. Send.

  Subsequently, in step S309, the secondary server 220 receives the registration confirmation request for the card ID information (card ID: 5678902) transmitted from the primary server 210 in step S308.

  Subsequently, in step S310, the secondary server 220 (for example, the authentication table synchronization service unit 227) determines whether or not the card ID information (card ID: 56789012) relating to the user “XXX” has been registered in the authentication table 224a of the own server. Determine whether.

  Here, as shown in FIG. 10B, the card ID information (card ID: 5789902) related to the user “XXX” is not registered in the authentication table 224a, and therefore it is determined in step S310 that the card is not registered. (S310 / NO).

  Subsequently, in step S318, the secondary server 220 confirms that the card ID information (card ID: 56789012) related to the registration confirmation request in step S308 is unregistered, and authentication NG indicating that the authentication is not permitted. Information is transmitted to the primary server 210.

  Subsequently, in step S319, the primary server 210 receives the authentication NG information for the card ID information (card ID: 56789012) transmitted from the secondary server 220.

  Subsequently, in step S320, the primary server 210 transmits authentication NG information for the card ID information (card ID: 5678902) related to the user “XXX” requested for authentication in step S301 to the MFP 100 that is the authentication request source. To do.

  Subsequently, in step S321, the multi-function device 100 receives the authentication NG information for the card ID information (card ID: 567889012) transmitted from the primary server 210.

  Subsequently, in step S322, the multi-function device 100 transmits the card ID information (card ID: 567890212) related to the user “XXX” to the IC card authentication server 200 (specifically, the primary server 210), and the user “XXX”. Request registration of user information relating to “XXX”. At this time, the multifunction device 100 also transmits user name information (user name: XXX) and password information input by the user (“XXX”) to the IC card authentication server 200 (specifically, the primary server 210).

  Subsequently, in step S323, the primary server 210 of the IC card authentication server 200 receives the card ID information (card ID: 5789902), user name information (user name: XXX), and password information transmitted from the multi-function device 100 in step S322. Receive a registration request containing.

  Subsequently, in step S324, the primary server 210 (for example, the authentication table synchronization service unit 217) stores the user information (card ID: 56789012, user name: XXX, last) in the authentication table 214a of the own server. Control to register login date: 20071002) is performed. The registration process in step S314 may be performed by, for example, the authentication table synchronization service unit 217 controlling the security agent service unit 212 and performing the registration process by the security agent service unit 212. The synchronization service unit 217 itself may perform the registration process.

  Here, the registration process to the authentication table shown in step S324 will be described with reference to the flowchart of FIG.

  FIG. 14 is a flowchart illustrating an example of a detailed processing procedure of the registration process to the authentication table in step S324 illustrated in FIG.

  When the registration process to the authentication table in step S324 in FIG. 11 is started, first, in step S401 in FIG. 14, the authentication table synchronization service unit 217 (or the security agent service unit 212) of the primary server 210 User name and password information is received from the IC card authentication application 1101. Note that the user name and password information received in step S401 is the information received in step S323 of FIG.

  Subsequently, in step S402, the authentication table synchronization service unit 217 (or security agent service unit 212) of the primary server 210 transmits the user name and password information received in step S401 to the directory service server 300 for authentication. Query the result.

  Thereafter, when the authentication result in step S402 is received from the directory service server 300, in step S403, the authentication table synchronization service unit 217 (or the security agent service unit 212) of the primary server 210 indicates that the received authentication result is It is determined whether or not the authentication is OK.

  If the result of determination in step S403 is authentication OK, the process proceeds to step S404. In step S404, the authentication table synchronization service unit 217 (or the security agent service unit 212) of the primary server 210 transmits an authentication result indicating that the authentication is OK to the IC card authentication application 1101 of the multifunction peripheral 100. Thereafter, the process of the flowchart shown in FIG. 14 ends.

  On the other hand, if the result of determination in step S403 is that authentication is not OK (that is, authentication is NG), the process proceeds to step S405. In step S405, the authentication table synchronization service unit 217 (or the security agent service unit 212) of the primary server 210 transmits an authentication result indicating that the authentication is NG to the IC card authentication application 1101 of the multifunction peripheral 100. Thereafter, the process of the flowchart shown in FIG. 14 ends.

  FIG. 15 is a schematic diagram illustrating an example of a registration process of user information related to the user “XXX” in the authentication table in the simple synchronization process of step S105 illustrated in FIG. Here, FIG. 15 shows the state of each authentication table after the registration process of the user information related to the user “XXX” from the state of each authentication table shown in FIG.

  Specifically, in step S324, in the authentication table 214a of the primary server 210 shown in FIG. 15A, the card ID: 56789012, the user name: XXX, and the last login date: 20071002 which are user information related to the user “XXX”. Registration processing for adding the information is performed.

Here, it returns to description of FIG. 11 again.
When the registration process to the authentication table in step S324 is performed, subsequently, in step S325, the primary server 210 transmits the card ID information (card ID: 56789012) relating to the user “XXX” to the secondary server 220, Make a registration request. At this time, the primary server 210 also transmits user name information (user name: XXX) and the like to the secondary server 220.

  Subsequently, in step S326, the secondary server 220 receives a registration request including the card ID information (card ID: 56789012) and the user name information (user name: XXX) transmitted from the primary server 210 in step S325.

  Subsequently, in step S327, the secondary server 220 (for example, the authentication table synchronization service unit 227) performs control to register user information related to the user “XXX” in the authentication table 224a of the own server. In the registration process in step S327, for example, the authentication table synchronization service unit 227 controls the IC card authentication service unit 221 (or the security agent service unit 222 or the like) and the IC card authentication service unit 221 (or the security agent service). For example, the authentication table synchronization service unit 227 itself may perform the registration process.

  Specifically, in step S327, in the authentication table 224a of the secondary server 220 shown in FIG. 15B, the card ID: 56789012, the user name: XXX, and the last login date: 20071002 which are user information related to the user “XXX”. Registration processing for adding the information is performed.

  Subsequently, in step S328, the secondary server 220 transmits registration OK information to the effect that the registration process related to the registration request in step S325 is OK to the primary server 210.

  Subsequently, in step S <b> 329, the primary server 210 receives registration OK information indicating that the user information registration process related to the user “XXX” transmitted from the secondary server 220 is OK.

  Subsequently, in step S330, the primary server 210 transmits registration OK information for the user information related to the user “XXX” requested for registration in step S322 to the multifunction peripheral 100 that is the registration request source.

  Subsequently, in step S <b> 331, the multifunction peripheral 100 receives registration OK information from the primary server 210 and detects that registration of the user information related to the user “XXX” in the authentication table is completed.

  Through the processes in steps S301 to S303, steps S308 to S310, and steps S318 to S331, the simple synchronization process in the authentication table at the time of authentication / registration request for the user “XXX” is performed.

Here, it returns to description of FIG. 6 again.
If the simple synchronization process of the authentication table at the time of the authentication / registration request in step S105 is completed, or if it is determined in step S104 that there is no registration request (authentication request), the process proceeds to step S106. In step S106, the secondary server 220 determines whether or not the server itself is the primary setting based on the information of the setting file (FIG. 8) read in step S102. Here, in this example, since the subject of the processing of FIG. 6 is the secondary server 220, it is determined that the primary setting is not made in step S106. For example, when the subject of the processing of FIG. In step S106, it is determined that the primer is set.

  If the result of determination in step S106 is primary setting, the process proceeds to step S107. In step S107, in this case, the primary server 210 determines whether or not the current time is the complete synchronization processing time set in the setting file (FIG. 8).

  If the result of determination in step S107 is that the current time is the complete synchronization processing time set in the setting file, the process proceeds to step S108. In step S108, the primary server 210 (including the secondary server 220) executes a complete synchronization process of the authentication table 214a and the authentication table 224a.

  Here, the complete synchronization process of the authentication table shown in step S108 will be described with reference to the flowcharts of FIGS.

  FIGS. 16A and 16B are flowcharts illustrating an example of a detailed processing procedure of the complete synchronization processing in step S108 illustrated in FIG. Here, in the flowcharts shown in FIGS. 16A and 16B, the processes in the primary server 210 and the secondary server 220 shown in the upper part of FIGS. 16A and 16B are vertically divided. .

  When the complete synchronization process in step S108 in FIG. 6 starts, first, in step S501 in FIG. 16A, the authentication table synchronization service unit 217 of the primary server 210 transmits an authentication process stop command to the secondary server 220.

  Subsequently, in step S502, the secondary server 220 receives the authentication processing stop command transmitted from the primary server 210.

  Subsequently, in step S503, the authentication table synchronization service unit 227 of the secondary server 220 stops the IC card authentication service unit 221 of the own server, and stops the authentication process addressed to the own server.

  Subsequently, in step S <b> 504, the secondary server 220 transmits an authentication process stop completion report to the primary server 210.

  Subsequently, in step S <b> 505, the primary server 210 receives the authentication processing stop completion report transmitted from the secondary server 220.

  Subsequently, in step S506, the authentication table synchronization service unit 217 of the primary server 210 stops the IC card authentication service unit 211 of the own server, and stops the authentication process addressed to the own server.

  Subsequently, in step S <b> 507, the primary server 210 (for example, the authentication table synchronization service unit 217) sends a transmission request for information in the authentication table 224 a of the secondary server 220 to the secondary server 220.

  When the information transmission request for the authentication table 224a is received from the primary server 210, the secondary server 220 (for example, the authentication table synchronization service unit 227) subsequently receives the authentication table 224a (authentication table (S)) of its own server in step S508. ) Is transmitted to the primary server 210.

  Subsequently, in step S509, the primary server 210 (for example, the authentication table synchronization service unit 217) receives information of the authentication table 224a (authentication table (S)) from the secondary server 220.

  Subsequently, in step S510, the authentication table synchronization service unit 217 of the primary server 210 reads one record from the information in the authentication table 224a (authentication table (S)) received in step S509. That is, in this step S510, for example, a record relating to the user information of one card ID, user name, and last login date shown in FIG. 7B is read.

  Subsequently, in step S511, the authentication table synchronization service unit 217 of the primary server 210 has the same card ID as the card ID related to the information of one record of the authentication table 224a (authentication table (S)) read in step S510. It is determined whether it is in the authentication table 214a (authentication table (P)).

  As a result of the determination in step S511, the same card ID as the card ID related to the information of one record in the authentication table 224a (authentication table (S)) read in step S510 is stored in the authentication table 214a (authentication table (P)) of the own server. If there is, the process proceeds to step S512.

  In step S512, the authentication table synchronization service unit 217 of the primary server 210 determines that the last login date related to the information of one record in the authentication table 224a (authentication table (S)) read in step S510 is the card ID in step S511. Are determined to be the same as the last login date related to the record information of the authentication table 214a (authentication table (P)) determined to be the same.

  If the result of the determination in step S512 is that the last login date is not the same (different), the process proceeds to step S513. In step S513, the authentication table synchronization service unit 217 of the primary server 210 performs control to overwrite the authentication table 214a (authentication table (P)) with the newer date record. The overwriting process in step S512 may be performed by, for example, the authentication table synchronization service unit 217 controlling the IC card authentication service unit 211 and performing the overwriting process by the IC card authentication service unit 211. The synchronization service unit 217 itself may perform the overwriting process.

  As a result of the determination in step S511, the same card ID as the card ID related to the information of one record in the authentication table 224a (authentication table (S)) read in step S510 is the authentication table 214a (authentication table (P)) of the own server. If not, the process proceeds to step S514.

  In step S514, the authentication table synchronization service unit 217 of the primary server 210 converts the information of one record of the authentication table 224a (authentication table (S)) read in step S510 into the authentication table 214a (authentication table (P)). Controls additional processing to be added to. The addition process in step S514 may be performed by, for example, the authentication table synchronization service unit 217 controlling the IC card authentication service unit 211 and performing the addition process by the IC card authentication service unit 211. The synchronization service unit 217 itself may perform the addition process.

  When it is determined in step S512 that the last login date is the same, when the process of step S513 is completed, or when the process of step S514 is completed, the process proceeds to step S515.

  When the processing proceeds to step S515, the authentication table synchronization service unit 217 of the primary server 210 determines whether or not the processing of all the records of the information in the authentication table 224a (authentication table (S)) received in step S509 has been completed. Judging. As a result of this determination, if the processing of all the information of the authentication table 224a (authentication table (S)) has not been completed yet (there is a record that has not been processed yet), the process returns to step S510, A record that has not yet been processed is read, and the processes in and after step S511 are performed.

  On the other hand, as a result of the determination in step S515, if the processing is completed for all record information in the authentication table 224a (authentication table (S)), the process proceeds to step S516 in FIG.

  When the process proceeds to step S516 in FIG. 16B, the primary server 210 (for example, the authentication table synchronization service unit 217) performs the synchronization process with the authentication table 224a (authentication table (S)) and the authentication table 214a (authentication table). (P)) information is transmitted to the secondary server 220.

  Subsequently, in step S517, the secondary server 220 (for example, the authentication table synchronization service unit 227) receives the information of the authentication table 214a (authentication table (P)) from the primary server 210.

  Subsequently, in step S518, the authentication table synchronization service unit 227 of the secondary server 220 uses the information in the authentication table 214a (authentication table (P)) after the synchronization processing received in step S517 as the authentication table 224a (authentication) of the own server. Control to overwrite the table (S)) is performed. The overwriting process in step S518 may be performed by, for example, the authentication table synchronization service unit 227 controlling the IC card authentication service unit 221 and performing the overwriting process by the IC card authentication service unit 221. The synchronization service unit 227 itself may perform the overwriting process.

  Subsequently, in step S519, the secondary server 220 sends a post-synchronization authentication table overwrite completion report to the primary server 210 indicating that the overwrite process of the post-synchronization authentication table 214a (authentication table (P)) has been completed. Send.

  Subsequently, in step S520, the primary server 210 receives the post-synchronization authentication table overwrite completion report transmitted from the secondary server 220.

  Subsequently, in step S521, the authentication table synchronization service unit 217 of the primary server 210 starts activation of the IC card authentication service unit 211 of the own server and starts authentication processing addressed to the own server.

  Subsequently, in step S522, the authentication table synchronization service unit 217 of the primary server 210 transmits an authentication process start command to the secondary server 220.

  Subsequently, in step S523, the secondary server 220 receives the authentication process start command transmitted from the primary server 210.

  Subsequently, in step S524, the authentication table synchronization service unit 227 of the secondary server 220 starts activation of the IC card authentication service unit 221 of the own server and starts authentication processing addressed to the own server.

  Subsequently, in step S525, the secondary server 220 transmits an authentication process start completion report to the primary server 210.

  Subsequently, in step S526, the primary server 210 receives the authentication process start completion report transmitted from the secondary server 220.

  As described above, by performing the processing in steps S501 to S526 shown in FIGS. 16A and 16B, the complete synchronization processing in step S108 shown in FIG. 6 is performed.

  FIG. 17 is a schematic diagram showing an example of the authentication table 214a of the primary server 210 and the authentication table 224a of the secondary server 220 after the complete synchronization processing in step S108 shown in FIG.

  As a result of the complete synchronization processing in step S108 shown in FIG. 6, the authentication table 214a of the primary server 210 and the authentication table 224a of the secondary server 220 have exactly the same information shown in FIG.

  In the example shown in FIG. 6, when it is determined in step S107 that the current time is the complete synchronization processing time set in the setting file, the complete synchronization processing shown in step S108 is performed. Although an example assuming that complete synchronization processing is performed at a predetermined time every day has been described, the present embodiment is not limited to this. For example, the frequency of performing complete synchronization processing is set weekly or monthly. It may be a form.

Here, it returns to description of FIG. 6 again.
If it is determined in step S106 that it is not the primary setting, if it is determined in step S107 that the current time is not the complete synchronization processing time set in the setting file (FIG. 8), or the processing in step S108 is completed. In the case, the process proceeds to step S109.

  Subsequently, in step S109, the secondary server 220 determines whether or not there is an instruction to end the process by the authentication table synchronization service unit 227. As a result of this determination, if there is no instruction to end the process by the authentication table synchronization service unit 227, the process returns to step S104, and the processes after step S104 are performed again.

  On the other hand, as a result of the determination in step S109, if there is an instruction to end the process by the authentication table synchronization service unit 227, the process in the flowchart shown in FIG.

Next, a process for deleting user information from each authentication table will be described with reference to FIG.
FIG. 18 is a flowchart illustrating an example of a processing procedure of user information deletion processing in the authentication table of the authentication processing system according to the embodiment of the present invention. Here, in the flowchart shown in FIG. 18, the processes in the primary server 210 and the secondary server 220 shown in the upper part of FIG.

  When the deletion process is started, first, in step S601 of FIG. 18, the authentication table deletion service unit 213 of the primary server 210 sets the user information holding period information (shown in FIG. 8) set in the setting file shown in FIG. In the example, “7 (day)”) is read.

  Subsequently, in step S602, the authentication table deletion service unit 213 of the primary server 210 reads one record (one line) from the authentication table 214a (authentication table (P)) of the own server.

  Subsequently, in step S603, the authentication table deletion service unit 213 of the primary server 210 determines whether one record (one line) read in step S602 is an EOF (End Of File). If the result of this determination is that one record (one line) read in step S602 is EOF, the processing of the flowchart shown in FIG. 18 is terminated.

  On the other hand, if the result of determination in step S603 is that one record (one line) read in step S602 is not EOF, the process proceeds to step S604.

  In step S604, the authentication table deletion service unit 213 of the primary server 210 records one record (one user information (card ID, user name) of the user information holding period read in step S601 and the authentication table 214a read in step S602. , Last login date)), whether or not “today (current) date−last login date ≧ user information holding period” is satisfied, that is, whether the user information holding period end condition is satisfied. to decide.

  As a result of the determination in step S604, if the condition for ending the retention period of the user information is not satisfied, the process returns to step S602, and the next record of the authentication table 214a (authentication table (P)) is read, and step S603 is performed. Perform the following processing.

  On the other hand, as a result of the determination in step S604, if the user information retention period end condition is satisfied, the process proceeds to step S605.

  In step S605, the authentication table deletion service unit 213 of the primary server 210 performs processing for deleting one record (one line) read in step S602 from the authentication table 214a (authentication table (P)).

  Subsequently, in step S606, the primary server 210 (for example, the authentication table deletion service unit 213) transmits a record deletion request corresponding to one record (one row) deleted in step S605 to the secondary server 220. . Thereafter, the processing of the primary server 210 returns to step S602, the next one record of the authentication table 214a (authentication table (P)) is read, and the processing after step S603 is performed.

  Further, the secondary server 220 receives the deletion request transmitted from the primary server 210 in step S607.

  Subsequently, in step S608, the authentication table deletion service unit 223 of the secondary server 220 deletes one record (one row) corresponding to the deletion request received in step S607 from the authentication table 224a (authentication table (S)). I do.

  Then, every time a deletion request is transmitted from the primary server 210, the secondary server 220 repeatedly performs a series of processes in steps S607 and S608.

  In the example illustrated in FIG. 18, the deletion request to the secondary server 220 in step S606 has been described for each record (one line). For example, after the process in step S605, the information is stored in the RAM 203 or the like. It may be recorded, and after confirming the EOF in the determination in step S603, records to be deleted based on the information recorded in the RAM 203 or the like may be collectively transmitted to the secondary server 220 as a deletion request.

  As described above, the user of the user who has not logged in to the MFP 100 within the user information holding period (“7” days in the example shown in FIG. 8) set in the setting file by the processing in steps S601 to S608 in FIG. Information (card ID, user name, last login date) is deleted from the authentication tables 214a and 224a by the authentication table deletion service units 213 and 223, respectively. Therefore, it is not necessary to delete the user information manually by the administrator, and the administrator's trouble can be reduced. The activation of the authentication table deletion service units 213 and 223 may be configured to be automatically performed at a predetermined date and time (for example, at night) (night batch). By performing the processing of steps S601 to S608 in FIG. 18, user information including card ID information for which a predetermined period has elapsed since the last login can be deleted from the authentication table.

As described above, the authentication processing system 10 according to the embodiment of the present invention includes the MFP 100 (information processing apparatus) that receives input of card ID information (authentication target information) of the IC card from the user, and the card ID information. The primary server 210 that stores the authentication table 214a (first authentication information) for performing the used authentication process and the authentication table 224a (second authentication information) for performing the authentication process using the card ID information are stored. An IC card authentication server 200 (authentication device) including a secondary server 220 is provided.
Then, in the IC card authentication server 200 (authentication apparatus), in the state where the primary server 210 can perform the authentication process, the secondary server 220 stores part of the authentication table 214a (first authentication information) in the authentication table 224a (second authentication information). (S103 of FIG. 6: first simple synchronization processing step), and then, at a predetermined timing, the first simple synchronization processing (S103 of FIG. 6). ), The process of completely synchronizing all the information in the authentication table 224a (second authentication information) and the authentication table 214a (first authentication information) (S108 in FIG. 6: complete) Synchronous processing step).
According to such a configuration, since the synchronization processing is simply performed on a part of the information in the authentication table 214a and the authentication table 224a in a state where the primary server 210 can perform the authentication processing, the processing time in the subsequent complete synchronization processing is shortened. be able to. As a result, when the process of synchronizing the authentication table (authentication information) stored in each server that performs the authentication process is performed, the service stop time related to the authentication process is shortened as much as possible to improve the business efficiency. be able to.

  Further, in the IC card authentication server 200 (authentication apparatus), when there is an authentication request for card ID information (authentication target information) from the multi-function device 100, it is processed in the first simple synchronization process (S103 in FIG. 6). A process of synchronizing part of the information between the authentication table 224a and the authentication table 214a is further performed (S105 in FIG. 6: second simple synchronization process step). Then, in the subsequent complete synchronization process (S108 in FIG. 6), the first simple synchronization process (S103 in FIG. 6) and the second simple synchronization process (S105 in FIG. 6) were processed. A process of completely synchronizing all information in the authentication table 214a and the authentication table 224a is performed.

Further, in the authentication table 214a and the authentication table 224a, for each user, user identification information (for example, FIG. 7) including information (for example, information on the card ID in FIG. 7) corresponding to the card ID information that is authentication target information. 7) and user information including attribute information (for example, information on the last login date in FIG. 7) related to the login of the user.
Then, in the IC card authentication server 200 (authentication apparatus), the user specifying information (FIG. 7) included in the user information defined in the authentication table 224a during the first simple synchronization process (S103 in FIG. 6) described above. If the user identification information included in the user information defined in the authentication table 214a does not exist in the card ID information) (S206 / NO in FIG. 9), the user information defined in the authentication table 214a is authenticated. Processing to be added to the table 224a is performed (S210 in FIG. 9). Further, in the IC card authentication server 200 (authentication apparatus), the user specifying information (FIG. 7) included in the user information defined in the authentication table 224a during the first simple synchronization process (S103 in FIG. 6) described above. The user ID information included in the user information defined in the authentication table 214a (S206 / YES in FIG. 9), and the user defined in the authentication table 224a. If the attribute information included in the information (last login date information in FIG. 7) and the attribute information included in the user information defined in the authentication table 214a are different (S207 / NO in FIG. 9), the login time is The subsequent user information is stored in the authentication table 224a (S209 in FIG. 9).

  Further, in the IC card authentication server 200 (authentication apparatus), a part of the authentication table 214a is stopped in the state where the authentication process of the secondary server 220 is stopped during the first simple synchronization process (S103 in FIG. 6). Is held in synchronization with the authentication table 224a (S201 in FIG. 9).

  Further, in the IC card authentication server 200 (authentication apparatus), when an authentication request for card ID information (authentication target information) is made from the multifunction device 100 in the second simple synchronization process (S105 in FIG. 6), If the user identification information (card ID information in FIG. 7) included in the user information defined in the authentication table 214a includes information corresponding to the authentication target information, the user information defined in the authentication table 214a The attribute information (the information of the last login date in FIG. 7) is updated, and at the same time, the MFP 100 is notified of authentication permission for permitting use of the MFP 100 (FIG. 11). User: ABC processing).

  Further, in the IC card authentication server 200 (authentication apparatus), when an authentication request for card ID information (authentication target information) is made from the multifunction device 100 in the second simple synchronization process (S105 in FIG. 6), This is a case where there is no information corresponding to the authentication target information in the user identification information (card ID information in FIG. 7) included in the user information defined in the authentication table 214a, and is defined in the authentication table 224a. When information corresponding to the authentication target information exists in the user identification information included in the user information, the attribute information (information on the last login date in FIG. 7) of the user information defined in the authentication table 224a is updated. At the same time, the user information including the updated attribute information is registered in the authentication table 214a, and the MFP 1 is notified to the MFP 100. So that a notification of the authentication permission to allow the use of 0 (User Figure 11: CDE process).

  Further, in the IC card authentication server 200 (authentication apparatus), when an authentication request for card ID information (authentication target information) is made from the multifunction device 100 in the second simple synchronization process (S105 in FIG. 6), When there is no user specifying information corresponding to the authentication target information in any user information of the authentication table 214a and the authentication table 224a, the user specifying information corresponding to the authentication target information is stored in the authentication table 214a and the authentication table 224a. User information including it is registered (user in FIG. 11: XXX process).

  Further, the IC card authentication server 200 (authentication apparatus) authenticates with the authentication table 214a in a state where the authentication processing of the primary server 210 and the secondary server 220 is stopped during the above-described complete synchronization processing (S108 in FIG. 6). Processing to completely synchronize all information with the table 224a is performed (S503 and S506 in FIG. 16A).

  Further, in the IC card authentication server 200 (authentication apparatus), user information that satisfies the end condition of the user information holding period based on a predetermined user information holding period (user information holding period of the setting file shown in FIG. 8). Is deleted from the authentication table 214a and the authentication table 224a (FIG. 18: user information deletion step).

(Other embodiments of the present invention)
Each means of each apparatus constituting the authentication processing system 10 according to the embodiment of the present invention described above, and shown in FIGS. 6, 9, 11, 14, 16-1, 16-2, and 18 Each step can be realized by a computer CPU executing a program stored in a RAM, a ROM, or the like. This program and a computer-readable recording medium recording the program are included in the present invention.

  In addition, the present invention can be implemented as, for example, a system, apparatus, method, program, storage medium, or the like. Specifically, the present invention may be applied to a system including a plurality of devices. You may apply to the apparatus which consists of one apparatus.

  Note that the present invention is a software program that implements the functions of the above-described embodiments (in the embodiment, the flowcharts shown in FIGS. 6, 9, 11, 14, 16-1, 16-2, and 18. Corresponding program) to the system or apparatus directly or remotely. The present invention also includes a case where the system or the computer of the apparatus is achieved by reading and executing the supplied program code.

  Accordingly, since the functions of the present invention are implemented by computer, the program code installed in the computer also implements the present invention. In other words, the present invention includes a computer program itself for realizing the functional processing of the present invention.

  In that case, as long as it has the function of a program, it may be in the form of object code, a program executed by an interpreter, script data supplied to the OS, and the like.

  Examples of the recording medium for supplying the program include a floppy (registered trademark) disk, hard disk, optical disk, magneto-optical disk, MO, CD-ROM, CD-R, and CD-RW. In addition, there are magnetic tape, nonvolatile memory card, ROM, DVD (DVD-ROM, DVD-R), and the like.

  As another program supply method, a browser on a client computer is used to connect to an Internet home page. The computer program itself of the present invention or a compressed file including an automatic installation function can be downloaded from the homepage by downloading it to a recording medium such as a hard disk.

  It can also be realized by dividing the program code constituting the program of the present invention into a plurality of files and downloading each file from a different homepage. That is, a WWW server that allows a plurality of users to download a program file for realizing the functional processing of the present invention on a computer is also included in the present invention.

  In addition, the program of the present invention is encrypted, stored in a storage medium such as a CD-ROM, distributed to users, and key information for decryption is downloaded from a homepage via the Internet to users who have cleared predetermined conditions. Let It is also possible to execute the encrypted program by using the downloaded key information and install the program on a computer.

  Further, the functions of the above-described embodiments are realized by the computer executing the read program. In addition, based on the instructions of the program, an OS or the like running on the computer performs part or all of the actual processing, and the functions of the above-described embodiments can also be realized by the processing.

  Further, the program read from the recording medium is written in a memory provided in a function expansion board inserted into the computer or a function expansion unit connected to the computer. Thereafter, the CPU of the function expansion board or function expansion unit performs part or all of the actual processing based on the instructions of the program, and the functions of the above-described embodiments are realized by the processing.

  The above-described embodiments are merely examples of implementation in carrying out the present invention, and the technical scope of the present invention should not be construed as being limited thereto. That is, the present invention can be implemented in various forms without departing from the technical idea or the main features thereof.

It is a schematic diagram which shows an example of schematic structure of the authentication processing system which concerns on embodiment of this invention. FIG. 2 is a schematic diagram illustrating an example of a hardware configuration of a primary server and a secondary server, a directory service server, a computer, and a print data storage server of the IC card authentication server illustrated in FIG. 1. FIG. 2 is a schematic diagram illustrating an example of a hardware configuration of the multifunction machine illustrated in FIG. 1. FIG. 2 is a schematic diagram illustrating an example of a software configuration of the multifunction peripheral illustrated in FIG. 1. It is a schematic diagram which shows an example of the software structure in the primary server and secondary server of an IC card authentication server shown in FIG. It is a flowchart which shows an example of the process sequence of the synchronous process in the authentication table of the authentication processing system which concerns on embodiment of this invention. It is a schematic diagram which shows an example of the authentication table of the primary server shown in FIG. 5, and the authentication table of a secondary server. It is a schematic diagram which shows embodiment of this invention and shows an example of the setting information set as a setting file. It is a flowchart which shows an example of the detailed process sequence of the simple synchronous process of step S103 shown in FIG. It is a schematic diagram which shows an example of the authentication table of the primary server after the simple synchronous process of step S103 shown in FIG. 6, and the authentication table of a secondary server. It is a flowchart which shows an example of the detailed process sequence of the simple synchronous process of step S105 shown in FIG. FIG. 7 is a schematic diagram illustrating an example of updating attribute information relating to a user “ABC” in an authentication table in the simple synchronization process of step S105 illustrated in FIG. 6. FIG. 7 is a schematic diagram illustrating an example of updating attribute information related to a user “CDE” in an authentication table in the simple synchronization process of step S105 illustrated in FIG. 6. 12 is a flowchart illustrating an example of a detailed processing procedure of registration processing in the authentication table in step S324 illustrated in FIG. 11. FIG. 7 is a schematic diagram illustrating an example of a registration process of user information relating to a user “XXX” in an authentication table in the simple synchronization process of step S105 illustrated in FIG. 6. It is a flowchart which shows an example of the detailed process sequence of the complete synchronization process of step S108 shown in FIG. 17 is a flowchart illustrating an example of a detailed processing procedure of the complete synchronization processing in step S108 illustrated in FIG. 6 following FIG. It is a schematic diagram which shows an example of the authentication table of a primary server and the authentication table of a secondary server after the complete synchronous process of step S108 shown in FIG. It is a flowchart which shows an example of the process sequence of the deletion process of the user information in the authentication table of the authentication processing system which concerns on embodiment of this invention.

Explanation of symbols

10 Authentication processing system 100 MFP 200 IC card authentication server 210 Primary server 220 Secondary server 300 Directory service server 400 Computer 500 Print data storage server 600 Network

Claims (14)

An information processing device that accepts input of authentication target information from a user, and authentication target information input from the information processing device can be registered, and first authentication information for performing authentication processing using the authentication target information is stored For performing authentication processing using the authentication target information when authentication information different from the first authentication information is registered as the primary server and the first authentication device is not able to authenticate with the first authentication device an authentication processing system comprising a second authentication device as the secondary server storing second authentication information,
The second authentication device includes:
First receiving means for receiving the first authentication information from the first authentication device in a state in which the first authentication device can perform an authentication process ;
Updating the second authentication information according to the authentication object information of the first authentication information received by the first receiving means so that the second authentication information includes the first authentication information ; 1 simple synchronization processing means and
Have
The first authentication device includes:
A second receiving of the second authentication information from the second authentication device in a state where the first authentication device and the second authentication device do not perform authentication processing at a predetermined timing . Means for receiving
The first authentication device according to the authentication object information of the second authentication information received by the second receiving means so that the first authentication information and the second authentication information become the same authentication information. And a complete synchronization processing means for updating the first authentication information stored in the authentication processing system . The first authentication device includes:
Authentication request there of the authenticated information from the information processing apparatus is, if it can not authenticate the authentication object information, the authentication request transmission unit that transmits the authentication request of the authenticated information to the second authentication device When,
And receiving authentication information corresponding to the authentication object information obtained from the second authentication information when authentication is obtained by the second authentication device in accordance with the authentication request by the authentication request transmitting means. Receiving means;
Using the authentication information received by the third receiving means further includes a second simple synchronizing processing means for updating the first authentication information,
The second authentication device includes:
Authentication request receiving means for receiving an authentication request for the authentication target information from the second authentication device;
Authenticating means for authenticating the authentication object information in accordance with the authentication request;
Authentication information transmitting means for transmitting authentication information corresponding to authentication target information authenticated by the authentication means to the second authentication device;
The authentication processing system according to claim 1, further comprising: The first authentication information and the second authentication information, the user information including for each User chromatography THE, and Yoo chromatography The specific information corresponding to the authentication object information, and attribute information according to the time of login by the user identification information Is established,
The first simple synchronization processing means includes:
Authentication If the user information corresponding to the target information does not exist in the second authentication information, the first of the hot water over The information given in the authentication information second authentication information of the first authentication information Add to
In a case where the user information corresponding to the authentication target information of the first authentication information exists in the second authentication information, and attribute information included in the user information of the second authentication information, the first If the attribute information included in the user information of the authentication information is different, the attribute information based on the latest user information, according to claim 1 or 2, characterized in that updating the second authentication information Authentication processing system . The first simple synchronizing processing means, in a state where the authentication process is stopped at the second authentication device, any one of claims 1 to 3, wherein updating the second authentication information 1 The authentication processing system according to item . When the authentication request for the authentication target information is made from the information processing apparatus, the second simple synchronization processing means includes user information corresponding to the authentication target information included in the authentication request in the first authentication information. If present, the attribute information included in the user information of the first authentication information is updated, and at the same time, the information processing apparatus is notified of authentication permission for permitting use of the information processing apparatus. The authentication processing system according to claim 2 . When the authentication request for the authentication target information is made from the information processing apparatus, the second simple synchronization processing means includes user information corresponding to the authentication target information included in the authentication request in the first authentication information. a does not exist, if the user information corresponding to the authenticated information to the second authentication information exists, and registers the user chromatography the information in the first authentication information, to the information processing apparatus 6. The authentication processing system according to claim 2 or 5 , wherein an authentication permission notification for permitting use of the information processing apparatus is performed. When the authentication request for the authentication target information is made from the information processing apparatus, the second simple synchronization processing unit applies the user information to either the first authentication information or the second authentication information. If the user information corresponding to the authentication object information does not exist, the claims in the first authentication information and the second authentication information, and registers the user chromatography the information corresponding to the authenticated information The authentication processing system according to 2, 5, or 6 . The first authentication information and the second authentication information, the user information including for each User chromatography THE, and Yoo chromatography The specific information corresponding to the authentication object information, and attribute information according to the time of login by the user identification information Is established,
The first authentication device or the second authentication device is:
User information deletion that deletes, from the first authentication information or the second authentication information, the user information that satisfies the end condition of the user information holding period based on a predetermined user information holding period and the attribute information authentication processing system according to any one of claims 1 to 7, further comprising a means. Wherein the information processing apparatus, the authentication processing system according to any one of claims 1 to 8, characterized in that it has the function of the printing apparatus. An information processing device that accepts input of authentication target information from a user, and authentication target information input from the information processing device can be registered, and first authentication information for performing authentication processing using the authentication target information is stored For performing authentication processing using the authentication target information when authentication information different from the first authentication information is registered as the primary server and the first authentication device is not able to authenticate with the first authentication device An authentication processing system comprising a second authentication device as a secondary server that stores second authentication information,
The first authentication device includes:
An authentication request transmitting means for transmitting an authentication request for the authentication target information to the second authentication device when there is an authentication request for the authentication target information from the information processing apparatus and the authentication target information cannot be authenticated; ,
Receiving means for receiving authentication information corresponding to the authentication object information obtained from the second authentication information when authentication is obtained by the second authentication device in accordance with an authentication request by the authentication request sending means; ,
Simple synchronization processing means for updating the first authentication information using the authentication information received by the receiving means;
A second receiving of the second authentication information from the second authentication device in a state where the first authentication device and the second authentication device do not perform authentication processing at a predetermined timing. Means for receiving
The first authentication device according to the authentication object information of the second authentication information received by the second receiving means so that the first authentication information and the second authentication information become the same authentication information. Complete synchronization processing means for updating the first authentication information stored in
An authentication processing system comprising: An information processing device that accepts input of authentication target information from a user, and authentication target information input from the information processing device can be registered, and first authentication information for performing authentication processing using the authentication target information is stored For performing authentication processing using the authentication target information when authentication information different from the first authentication information is registered as the primary server and the first authentication device is not able to authenticate with the first authentication device A control method for an authentication processing system comprising a second authentication device as a secondary server for storing second authentication information,
The second authentication device includes:
In a state where the first authentication apparatus perform the authentication process, from the first authentication device, a first receiving step of receiving the first authentication information,
Updating the second authentication information according to the authentication object information of the first authentication information received in the first reception step so that the second authentication information includes the first authentication information ; 1 simple synchronization processing step and
And
The first authentication device includes:
A second receiving of the second authentication information from the second authentication device in a state where the first authentication device and the second authentication device do not perform authentication processing at a predetermined timing . Receiving step,
The first authentication device according to the authentication object information of the second authentication information received in the second reception step so that the first authentication information and the second authentication information are the same authentication information. the method of the authentication processing system and performing a full synchronization process step of updating the first authentication information stored in the. An information processing device that accepts input of authentication target information from a user, and authentication target information input from the information processing device can be registered, and first authentication information for performing authentication processing using the authentication target information is stored For performing authentication processing using the authentication target information when authentication information different from the first authentication information is registered as the primary server and the first authentication device is not able to authenticate with the first authentication device the second authentication apparatus in the second authentication processing system comprising an authentication apparatus as a secondary server for storing the second authentication information,
First receiving means for receiving the first authentication information from the first authentication device in a state in which the first authentication device can perform an authentication process ;
Updating the second authentication information according to the authentication object information of the first authentication information received by the first receiving means so that the second authentication information includes the first authentication information ; to function as a first simple synchronizing processing means,
The first authentication device;
A second receiving of the second authentication information from the second authentication device in a state where the first authentication device and the second authentication device do not perform authentication processing at a predetermined timing . Means for receiving
The first authentication device according to the authentication object information of the second authentication information received by the second receiving means so that the first authentication information and the second authentication information become the same authentication information. A program for functioning as complete synchronization processing means for updating the first authentication information stored in . An information processing device that accepts input of authentication target information from a user, and authentication target information input from the information processing device can be registered, and first authentication information for performing authentication processing using the authentication target information is stored For performing authentication processing using the authentication target information when authentication information different from the first authentication information is registered as the primary server and the first authentication device is not able to authenticate with the first authentication device A control method for an authentication processing system comprising a second authentication device as a secondary server for storing second authentication information,
The first authentication device includes:
An authentication request transmission step of transmitting an authentication request for the authentication target information to the second authentication device when there is an authentication request for the authentication target information from the information processing apparatus and the authentication target information cannot be authenticated; ,
A receiving step of receiving authentication information corresponding to the authentication target information obtained from the second authentication information when authentication is obtained by the second authentication device in accordance with an authentication request in the authentication request sending step; ,
A simple synchronization processing step of updating the first authentication information using the authentication information received in the receiving step;
A second receiving of the second authentication information from the second authentication device in a state where the first authentication device and the second authentication device do not perform authentication processing at a predetermined timing. Receiving step,
The first authentication device according to the authentication object information of the second authentication information received in the second reception step so that the first authentication information and the second authentication information are the same authentication information. A complete synchronization processing step for updating the first authentication information stored in
And a method for controlling the authentication processing system. An information processing device that accepts input of authentication target information from a user, and authentication target information input from the information processing device can be registered, and first authentication information for performing authentication processing using the authentication target information is stored For performing authentication processing using the authentication target information when authentication information different from the first authentication information is registered as the primary server and the first authentication device is not able to authenticate with the first authentication device The first authentication device in an authentication processing system comprising a second authentication device as a secondary server for storing second authentication information;
An authentication request transmitting means for transmitting an authentication request for the authentication target information to the second authentication device when there is an authentication request for the authentication target information from the information processing apparatus and the authentication target information cannot be authenticated; ,
Receiving means for receiving authentication information corresponding to the authentication object information obtained from the second authentication information when authentication is obtained by the second authentication device in accordance with an authentication request by the authentication request sending means; ,
Simple synchronization processing means for updating the first authentication information using the authentication information received by the receiving means;
A second receiving the second authentication information from the second authentication device in a state where the first authentication device and the second authentication device do not perform the authentication process at a predetermined timing; Means for receiving
The first authentication device according to the authentication object information of the second authentication information received by the second receiving means so that the first authentication information and the second authentication information become the same authentication information. A program for functioning as complete synchronization processing means for updating the first authentication information stored in.

Images