JP5585009B2 - Authentication assistant device and authentication system - Google Patents

Description

  The present invention relates to an authentication assistant device, an authentication system, an authentication method, and a program for assisting an authentication procedure.

  When accessing a site on the Internet that requires authentication, the user is generally required to input a user ID and password. When accessing a plurality of sites requiring authentication, a user ID and a password must be entered on each login page. For this reason, there has been an increase in demand from users regarding whether authentication (login) can be performed easily. For example, the following inventions have been proposed as related techniques.

  For example, JP 2005-259106 A (Patent Document 1) describes an intermediary device. In this mediation device, a mediation server is arranged in the middle of the communication path between the processing server and the terminal device. Then, the mediation server transfers a request from the terminal device to an appropriate processing server so that the function provided by the processing server can be used by the terminal device.

  Japanese Unexamined Patent Application Publication No. 2004-157675 (Patent Document 2) describes an authentication system. In this authentication system, an image captured by a user himself / herself with a mobile communication terminal with a camera is used for personal authentication.

  Japanese Patent Laying-Open No. 2006-350767 (Patent Document 3) describes an input support method. In this input support method, a character string of personal information such as an ID (identifier) and a password is displayed in an input dialog box. The user can input a predetermined text box by clicking or dragging and dropping a necessary character string from the input dialog box.

  Japanese Patent Laying-Open No. 2005-321970 (Patent Document 4) describes a computer system. In this computer system, the window server accesses the client and the back-end server. For this reason, the client logs in to the window server.

  Japanese Patent Laying-Open No. 2005-011098 (Patent Document 5) describes a proxy authentication device. This proxy authentication device stores and manages the ID and password in this one place, and this authentication proxy device performs the client authentication procedure. Specifically, when the client designates a server to be connected to the proxy authentication device, the proxy authentication device performs an authentication procedure on the proxy server for the requested server. After this authentication is completed, the client and the server requested to connect are connected.

Japanese Patent Laying-Open No. 2005-259106 JP 2004-157675 A JP 2006-350767 A JP 2005-321970 A JP 2005-011098 A

  The purpose of the system described in Patent Document 1 is to operate stably even when the system configuration is changed by reducing the management burden of destination information. For this reason, although the system described in Patent Document 1 is described with respect to the mediation server controlling the transfer destination of the command from the terminal device, the description is also suggested with regard to simplifying the login. There is no. Therefore, the system described in Patent Document 1 is not a system that simplifies login.

  The authentication system described in Patent Document 2 is an authentication system that authenticates a user by selecting a registered image, and is not a system that simplifies login.

  In addition, the input support method described in Patent Document 3 requires an operation for the user to select an ID and a password for login, and thus is not necessarily a method that simplifies login.

  In the system described in Patent Document 4, since the client can connect to the back-end server without going through the window server, the system is not necessarily a system in which an automatic login function that simplifies authentication is executed. In addition, when automatically logging in to the back-end server, the client needs to log in to the window server, and it is not easy to log in.

  In the system described in Patent Document 4, a login page is transmitted to the client. However, when the client reads the login page, the login page is changed so that the login page is transmitted. For this reason, the user can only respond visually to the login page, and cannot input or update an ID or password. As a result, even when it is desired to log in with a different ID, the system described in Patent Document 4 cannot cope. Also, in the case of using a CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart, which is described later) and a one-time password, described in Patent Document 4 This system is not compatible.

  In the proxy authentication device described in Patent Document 5, this proxy authentication device manages IDs and passwords and performs all authentication procedures. For this reason, in the proxy authentication device described in Patent Document 5, the login page is not displayed on the client. Since the login page is not displayed to the user, when the input and selection by the user are indispensable, the proxy authentication device of Patent Document 5 cannot perform the authentication proxy.

  Specific examples that require user input include CAPTCHA and one-time passwords. CAPTCHA is an authentication method for discriminating between humans and machines depending on whether characters or numbers written on an image can be read. Therefore, the user is required to input a character string displayed on the image. The one-time password is an authentication method in which a device called a security token displays a one-time-use password and asks the user for input. Furthermore, a specific example in which a user input is indispensable is a case where the server authentication ID or password is updated for some reason. Since the proxy authentication device of Patent Document 5 stores the ID and password before update, it is necessary for the user to input the updated ID and password and perform an authentication procedure. For this reason, the proxy authentication device of Patent Document 5 cannot cope with the case where these user inputs are indispensable.

  An object of the present invention is to provide an authentication assistant device, an authentication system, an authentication method, and a program that can solve the above-described problem and can easily log in and can also input and update IDs and passwords. .

The present invention is for solving the above-mentioned problems, and the authentication assistant device of the present invention
A device that is installed in the middle of the communication path between the client and the server and relays communication between the two,
Analyzing means for analyzing whether or not there is an input location of login information related to the client on a login page transmitted from the server to the client;
When it is analyzed that the input location is present, the login information is rewritably embedded in a predetermined input location of the login page, and a new login page in which information regarding the operation of the login page is maintained is generated. Generating means;
Transmission means for transmitting the new login page to the client instead of the analyzed login page.

Moreover, the authentication system of the present invention includes:
A server and a client connected to the network, and an authentication assistant device arranged in the middle of a communication path between the server and the client,
The authentication assistant device is used as the authentication assistant device.

The authentication method of the present invention includes:
A monitoring step for relaying and monitoring communication between the server and the client;
An analysis step of analyzing whether there is an input location of login information related to the client on a login page transmitted from the server to the client;
When it is analyzed that the input location is present in this analysis step, the login information is rewritably embedded in a predetermined input location of the login page, and a new login in which information regarding the operation of the login page is maintained A generation step to generate a page;
A transmission step of transmitting the new login page to the client instead of the analyzed login page.

The program of the present invention is
A monitoring function for relaying and monitoring communication between the server and the client;
An analysis function for analyzing whether or not there is an input location of login information related to the client in a login page transmitted from the server to the client;
When it is analyzed by the analysis function that the input location is present, the login information is rewritably embedded in a predetermined input location of the login page, and a new login in which information regarding the operation of the login page is maintained A generation function to generate a page;
A transmission function for transmitting the new login page to the client instead of the analyzed login page is realized in the computer.

  According to the present invention, since the login page in which the login information is embedded is generated and transmitted, the user of the client can log in by approving the generated login page. Thereby, the user of the client can easily log in without inputting login information. Moreover, since the login information is embedded in the login page so as to be rewritable, the login information can be input again, and according to the present invention, the input and update of the login information can be handled.

It is explanatory drawing which shows the outline of the authentication auxiliary | assistance apparatus of 1st Embodiment. It is explanatory drawing which shows the outline of the authentication system of 2nd Embodiment. It is explanatory drawing which shows the outline of the authentication system of 3rd Embodiment. It is a block diagram which shows the internal structure of an authentication auxiliary | assistance apparatus. It is explanatory drawing which shows login information. It is explanatory drawing shown about rewriting of the login page using login information. It is explanatory drawing which shows the operation | movement sequence with a client, an authentication auxiliary | assistance apparatus, and a server. It is a block diagram which shows the outline of the approval assistance apparatus in 4th Embodiment. It is explanatory drawing which shows the operation | movement sequence with the client of the authentication system of 4th Embodiment, an authentication auxiliary | assistance apparatus, and a server. It is explanatory drawing which shows the example of notification. It is explanatory drawing which shows the example of confirmation. It is explanatory drawing which shows the example of selection. It is explanatory drawing which shows the authentication method of 7th Embodiment.

  A first embodiment of the present invention will be described with reference to FIG.

  FIG. 1 is an explanatory diagram illustrating an outline of the authentication assistant device according to the first embodiment.

  The authentication assistant device 100 is installed in the middle of the networks 103 and 104 that constitute the communication path between the client 101 and the server 102, and relays communication between the two.

  The authentication assistant device 100 includes an analysis unit 106, a generation unit 107, and a transmission unit 108.

  The analysis unit 106 analyzes whether or not the login page transmitted from the server 102 to the client 101 has an input location of login information related to the client 101. The login page is an authentication page, and the login information is, for example, a user ID of a client or a password. Depending on the login page, the login information may be a login ID, a login password, a personal identification number, or the like.

  When it is analyzed that there is an input location, the generation unit 107 embeds the login information in a rewritable manner in a predetermined input location of the login page, for example, an HTML (Hyper Text Markup Language) form, and information on the operation of the login page Generate a new login page where is maintained. The operation of the login page is described in, for example, a script language such as JavaScript (registered trademark) or VBScript (registered trademark), and the description is not changed or added to this part. For this reason, this embodiment is different from the invention in which the login page is changed so that the login page is transmitted when the login page is read as in Patent Document 4.

  The transmission means 108 transmits this new login page to the client 101 instead of the login page before analysis.

  The operation of the authentication assistant device 100 configured as described above will be described.

  It is assumed that the user has already input login information at the first login of a specific server 102 using the client 101. Then, it is assumed that the login information input at this time is stored in the authentication assistant device 100.

  A user tries to log in to a specific server 102 using the client 101. For example, the URL is directly input to the browser software, or the shortcut to the stored URL is clicked with the mouse pointer. This requests the specific server to send a login page.

  The specific server 102 transmits a login page in response to the request. Since the authentication assistant device 100 includes the analysis unit 106, the authentication assistant device 100 analyzes whether or not there is an input location of login information related to the client 101 on the login page to be relayed. Since this login page is a page that requires input of login information, the analysis unit 106 analyzes that there is an input location of login information.

  When it is analyzed that there is an input location, the generation unit 107 generates a new login page that only embeds the login information in a rewritable manner in a predetermined input location of the login page, for example, an HTML form. For example, a user ID is embedded in the user ID form, and a password is embedded in the password form.

  Then, the transmission unit 108 transmits the newly generated login page to the client 101 instead of the analyzed login page.

  The user using the client 101 receives this login page and displays it on the display unit, and confirms that the login information is embedded in advance. Then, in order to log in, the user presses a button for logging in. Accordingly, a login page in which login information is embedded in advance can be transmitted to the specific server 102 via the authentication assistant device 100 and logged in.

  Further, when the login page is displayed on the display unit and it is confirmed that the login information is embedded in advance, the user may want to log in with login information different from the login information. In this case, the user can log in with different login information by inputting different login information.

  Thus, according to this embodiment, since the login page in which the login information is embedded is generated by the generation unit 107 of the authentication assistant device 100 and transmitted from the transmission unit 108, the client user generates the login page. Login is possible by approving the login page. Thereby, the user of the client can easily log in without inputting login information. Moreover, since the login information can be rewritten, the login information can be re-entered. According to this embodiment, the input and update of the login information can be handled.

  Further, according to this embodiment, the authentication assistant device manages login information such as IDs and passwords and does not need to be stored in the client, so that information leakage can be suppressed as much as possible.

  Next, a second embodiment of the present invention will be described with reference to FIG.

  FIG. 2 is an explanatory diagram showing an outline of the authentication system of the second embodiment.

  The authentication system 200 includes servers 102 and 112 and a client 101, and an authentication assistant device 100 arranged in the middle of a communication path between the servers 102 and 112 and the client 101. The networks 103 and 104 constituting the communication path may be two networks as shown in the figure, but may be one network.

  Moreover, this 2nd Embodiment attaches | subjects the same code | symbol about the structure same as 1st Embodiment.

  As described in the first embodiment, the authentication assistant device 100 includes the analysis unit 106, the generation unit 107, and the transmission unit 108.

  Further, the user of the client 101 can request to log in not only to the server 102 but also to the server 112.

  According to the second embodiment, as in the first embodiment, the user can easily log in without inputting login information. In addition, since the login information can be rewritten, the login information can be re-entered. According to the second embodiment, the input and update of the login information can be handled.

  Next, a third embodiment of the present invention will be described with reference to FIGS.

  FIG. 3 is an explanatory diagram showing an outline of the authentication system according to the third embodiment. FIG. 4 is a block diagram showing an internal configuration of the authentication assistant device. FIG. 5 is an explanatory diagram showing login information. FIG. 6 is an explanatory diagram showing rewriting of a login page using login information. FIG. 7 is an explanatory diagram showing an operation sequence of the client, the authentication assistant device, and the server.

  As illustrated in FIG. 3, the authentication system 300 according to the third embodiment includes a client 301, an authentication assistant device 303, and a server 302. The client 301 and the authentication assistant device 303 are connected via a network 304 that forms a communication path, and the authentication assistant device 303 and the server 302 are connected via a network 305.

  The client 301 is a communication device that requests data from the server 302, and is a communication device on which a Web browser (browsing software) operates. As this communication device, for example, a personal computer or a portable communication terminal can be used.

  The server 302 is a Web server that returns a Web page such as a login page or image data to the client 301 in response to a request. Although servers other than the server 302 are connected to the network 305, they are not shown. The authentication assistant device 303 is a communication device that receives an HTTP (hyper text transfer protocol) request message from the client 301 and transfers the request message to the server 302. Further, the authentication assistant device 303 is a communication device that returns an HTTP response (such as a web page or image data) received from the server 302 to the client 301.

  As illustrated in FIG. 4, the authentication assistant device 303 includes a communication unit 311, a session management unit 312, an analysis unit 313, a search unit 314, a storage unit 315, a rewrite unit 316, and a communication unit 317. .

  The communication unit 311 has a function of transmitting / receiving a message to / from the client 301 via the network 304.

  The session management unit 312 has a function of managing a communication session relayed by the authentication assistant device 303. Specifically, an HTTP message is received from the communication unit 311 or the communication unit 317, an HTTP header is analyzed, and a request URI (Uniform Resource Identifier), an HTTP header, and a message body included in the HTTP header are passed to the analysis unit 313. In addition, the message received from the rewriting unit 316 is passed to the communication unit 311 or the communication unit 317. Furthermore, the session management unit 312 includes storage means (not shown), and stores a message request URI in association with the session.

  At this time, instead of the request URI, the URI of the action attribute can be associated with the session and stored. At this time, the session management unit 312, the analysis unit 313, the search unit 314, and the rewrite unit 314 handle the action attribute URI as in the case where the request URI is associated with the session. Further, at this time, the login information stored in the storage unit 315 needs to be associated with the URI of the action attribute, and the search unit 314 performs a search from the storage unit 315 using the URI of the action attribute as a key.

  The analysis unit 313 has a function of analyzing a document included in the message body of the HTTP message, specifically, a document such as HTML or XHTML (extensible hypertext markup language). For this reason, the analysis unit 313 corresponds to an analysis unit. Further, the analysis unit 313 includes storage means (not shown).

  The search unit 314 has a function of performing a search from the storage unit 315 using the request URI as a key and acquiring related login information. At this time, the login information is, for example, the name and value of the input field.

  The login information will be specifically described based on FIG. In the login information, the name and value of the input field are recorded in association with the URI of the login page. If the URI used as a search key by the search unit 314 is “http: //address.of.server1/login.html”, the login information to be acquired is “user ID: 111” and “password: 222”. is there.

  The search unit 314 further passes the analysis result of the message (login page) and the acquired login information to the rewrite unit 316. If no corresponding search result is found at this time, the search unit 314 passes the message analysis result and information indicating that there is no login information to the rewrite unit 316.

  The storage unit 315 has a function of storing the name and value of the input field in association with the URI of the login page. For this reason, it corresponds to a storage means. Specifically, the storage unit 315 stores login information as shown in FIG.

At this time, the login information stored in association with “http: //address.of.server1/login.html”, which is the URI of the login page, is “user ID: 111” and “password: 222”.
The rewriting unit 316 rewrites the message according to the login information, and generates a new message (login page) in which “user ID” and “password” are simply embedded so as to be rewritable. Note that the display may be changed in generating this message (login page). For example, in the message (login page), a notification message “Login information is embedded because authentication assistant is currently running!” Or a mark indicating “authentication assistant is running” is additionally displayed. You can do it. This change has no effect on the behavior of the login page.

  Furthermore, the rewriting unit 316 passes the rewritten message to the session management unit 312.

  Based on FIG. 6, the message rewriting will be specifically described. The rewriting unit 316 searches for the name of the input field described in the login information from the message. Here, the names of the input fields are “user ID” and “password”. Further, the rewriting unit 316 adds the value of the input field to the found input field as a value attribute. In this example, value = "111" is added to name = "user ID", and value = "222" is added to name = "password". On the other hand, when there is no login information, the rewriting unit 316 passes the received message to the session management unit 312 as it is.

  The communication unit 317 has a function of transmitting and receiving messages with the server 302 via the network 305.

  Next, an operation sequence will be described with reference to FIG. FIG. 7 shows the process until the client 301 transmits an HTTP request, the server 302 transmits an HTTP response requesting authentication to the client 301, and further the client 301 transmits an HTTP request responding to the authentication request.

  The client 301 transmits an HTTP request to the server 302 by the operation of the user (step 101, hereinafter, “step” will be referred to as “S”). The communication unit 311 receives a message from the client 301 and passes it to the session management unit 312 (S102).

  The session management unit 312 analyzes the HTTP header of the received message, extracts the request URI, stores it in association with the session. Then, the session management unit 312 passes this message and this request URI to the analysis unit 313 (S103). The analysis unit 313 analyzes the received message (S104).

  As a result of the analysis, the analysis unit 313 determines that the message is an HTTP request and the message does not include HTML, and returns the message to the session management unit 312 (S105). The session management unit 312 passes the message to the communication unit 317 (S106). The communication unit 317 transmits a message to the server 302 (S107).

  When the server 302 receives the message, it returns an HTTP response (login page) (S108). Upon receiving a message (login page) from the server 302, the communication unit 317 passes the message to the session management unit 312 (S109). The session management unit 312 passes the message (login page) and the request URI stored in association with the session to the analysis unit 313 (S110). The analysis unit 313 analyzes the received message (login page) (S111). The analysis unit 313 determines that the message (login page) includes HTML, passes the analysis result and the request URI to the search unit 314, and requests the search for login information (S112).

  The search unit 314 searches for login information using the request URI passed from the analysis unit 313 as a key (S113). The storage unit 315 returns the corresponding login information to the search unit 314. If there is no relevant login information, information indicating that there is no login information is passed to the search unit 314 (S114). The search unit 314 passes the analysis result of the message (login page) and the login information to the rewriting unit 316 and requests rewriting of the message (login page) (S115). When there is login information, the rewriting unit 316 performs the following operation. The rewriting unit 316 refers to the login information and rewrites the message (login page). On the other hand, when there is no login information, the rewriting unit 316 does not rewrite the received message (login page) (S116). When there is login information, the rewriting unit 316 passes a newly generated message (login page) to the session management unit 312. On the other hand, if there is no login information, the message (login page) itself received from the search unit 314 is passed to the session management unit 312 (S117).

  Next, the session management unit 312 passes a message (login page) to the communication unit 311 (S118). The communication unit 311 transmits a message (login page) to the client 301 (S119). The communication unit 311 transmits a rewritten message, that is, a login page in which login information is rewritably embedded, and thus corresponds to a transmission unit.

  The client 301 displays the received message (login page) on the screen. When the message (login page) has been rewritten by the rewriting unit 316, the ID and password input form of the login page displayed on the screen is displayed with the ID and password already input (S120). .

  Furthermore, the client 301 receives a login instruction from the user (S121). At this time, the user adds or rewrites as necessary. For example, a character string displayed on the CAPTCHA image can be input, or a one-time password can be input. Furthermore, when an ID or password is updated, it can be rewritten by automatically overwriting the ID or password already entered in the form.

  The login instruction from the user is performed by pressing a login button displayed on the screen or clicking a submit button. This allows the client 301 to execute transmission of a login request message.

  Upon receiving a login message transmission request from the user, the client 301 generates an HTTP request and transmits it to the server 302 (S122). As a result, the authentication with the server 302 is successful, and the target login page and the server 302 can be accessed.

  The authentication assistant device 303 enables login without requiring the user to directly input an ID or password even in a login procedure that requires input of an ID or password. Thereby, according to this embodiment, login can be simplified.

  Furthermore, the user of the client 301 can confirm the login page. As a result, the convenience of the user can be improved as compared with the technique in which the user cannot confirm the login page, and the sense of security of the user who uses this authentication system can be enhanced. Moreover, since the login information can be rewritten, the user of the client 301 can input the login information again. For this reason, according to this embodiment, it is possible to cope with input and update of login information, and CAPTCHA and one-time passwords.

  In this embodiment, for convenience of explanation, the networks 304 and 305 are described as different networks and are described. However, the networks 304 and 305 can be implemented as the same network.

  Next, 4th Embodiment of this invention is described based on FIG. 8, FIG.

  FIG. 8 is a block diagram showing an outline of the approval assisting device in the fourth embodiment. FIG. 9 is an explanatory diagram illustrating an operation sequence of the client, the authentication assistant device, and the server in the authentication system according to the fourth embodiment. FIG. 10 is an explanatory diagram illustrating a notification example. FIG. 11 is an explanatory diagram showing a confirmation example. FIG. 12 is an explanatory diagram showing a selection example.

  The fourth embodiment is an authentication system in which a UI 318 is added to the authentication assistant device in addition to the authentication system of the third embodiment. For this reason, a different part from 3rd Embodiment is demonstrated.

  The authentication assistant device 303A according to the fourth embodiment includes a UI 318.

  The UI 318 has a function of notifying or requesting the user of the relay device 303A. Specifically, the UI 318 includes a notification function that notifies that authentication assistance is performed at the timing when the login information is acquired. In addition, the UI 318 includes a function for inquiring whether or not authentication assistance is permitted, that is, a confirmation function that prompts the user to input permission. Further, the UI 318 includes a selection function for requesting selection of login information to be input when a plurality of types of login information are acquired. For this reason, the UI 318 corresponds to a notification unit, also corresponds to a confirmation unit, and further corresponds to a selection unit.

  Next, an operation sequence will be described with reference to FIG. FIG. 9 shows the process until the client 301 transmits an HTTP request, the server 302 transmits an HTTP response requesting authentication to the client 301, and the client 301 transmits an HTTP request responding to the authentication request. Here, the operation A in FIG. 9 is the same operation A as S101 to S113 in FIG.

  In S214, the search unit 314 notifies the UI 318 when the login information is acquired. At this time, as shown in FIG. 10, the acquisition of the login information may be notified at this timing, or the acquired login information itself may be notified. When the user of the relay device 303A confirms the notification and clicks the OK button 411 on the notification screen 410 in FIG. 10 with the mouse pointer 412, the notification screen 410 disappears. When the UI 318 receives a notification from the search unit 314, the UI 318 notifies the user of the relay device 303A of some information. Specifically, for the user of the relay device 303A, the login information has been acquired (see FIG. 10), a request for determining whether to display the login information and permit authentication assistance (see FIG. 11), Alternatively, a notification such as requesting selection when there are a plurality of pieces of login information (see FIG. 12) is made (S215). In step S215, when notifying that the login information has been acquired, the process proceeds to step S218. In step S215, if it is requested whether or not authentication assistance is permitted or if there is a plurality of pieces of login information and selection is requested, the process proceeds to step S216.

  The user of the relay device 303A sees the login information and permits or rejects authentication assistance. For example, when the user of the relay apparatus 303A confirms the notification screen 420 in FIG. 11 and permits authentication assistance, the OK button 421 is clicked with the mouse pointer 423, and when authentication assistance is not permitted, the cancel button 422 is mouse pointer. Click at 423.

  When there is a plurality of login information and selection is requested, the user of the relay device 303A selects permitted login information or rejects authentication assistance (step S216). For example, the user of the relay apparatus 303A confirms the selection screen 430 in FIG. 12, clicks one of the selection buttons 431 and 432 with the mouse pointer 433, and clicks the OK button 434 with the mouse pointer 433. Thereby, login information can be selected. The selected login information is input to the input locations 437 and 438 of the login page 436. The input locations 437 and 438 are sometimes called input forms.

  When the user of the relay device 303A rejects authentication assistance, the user of the relay device 303A clicks the cancel button 435 on the selection screen 430 with the mouse pointer 433 and closes the selection screen 430. Then, the user of the relay device 303 </ b> A inputs a key in the input locations 437 and 438 and clicks the OK button 439 with the mouse pointer 433. Thereby, a login page in which the user ID and password are embedded so as to be rewritable is generated.

  The UI 318 notifies the search unit 314 of login information for which authentication assistance is permitted by the user of the relay device 303A. When authentication assistance is rejected by the user of the relay device 303A, the UI 318 informs the search unit 314 that there is no login information permitted by the user of the relay device 303A (step S217). The search unit 314 passes the analysis result of the message and the login information specified in the UI 318 to the rewriting unit 316. If there is no login information designated from the UI 318, a message analysis result and the absence of login information are passed (S218).

  The subsequent operation B in FIG. 9 is the same as the operation B in S116 to S122 in FIG.

  According to this embodiment, as in other embodiments, the user of the client 301 can easily log in without inputting login information. In addition, according to this embodiment, since the login information can be re-entered into the login page in which the login information is embedded, the input and update of the login information, CAPTCHA, and the one-time password can be handled. Can do.

  Further, according to this embodiment, since the user of the relay device 303A is notified that the authentication assistance is executed, the user of the relay device 303A can surely recognize that the authentication assistance is being executed. it can. Further, according to this embodiment, it is possible to determine whether or not the user of the relay device 303A receives authentication assistance from the authentication assistance device 303. For this reason, it is possible to reduce the risk of logging in to a login page when the user does not intend. Furthermore, according to this embodiment, when there is a plurality of login information for logging in to a certain login page, the login information desired by the user of the relay device 303A can be selected.

  In this embodiment, for example, it is assumed that the client 301 is a game machine and the relay device 303A is a mobile communication terminal. In this case, it is conceivable that the user of the client 301 and the user of the relay device 303A are the same person or a close relationship person. Under such an assumption, the user of the relay device 303A receives a notification informing that authentication assistance is to be performed, answers an inquiry as to whether authentication assistance is permitted, or selects from a plurality of types of login information. It is. For this reason, the user of the relay device 303A is less likely to deal with the user of the client 301 in a disadvantageous manner.

  Next, a fifth embodiment of the present invention will be described.

  In the authentication system of the fifth embodiment, a discrimination means (not shown) is added to the authentication assistant device 303 in the authentication system 300 of the third embodiment. For this reason, the configuration other than this is the same as that of the authentication system 300.

  In this authentication system, when the rewriting unit 316 rewrites a message based on login information, the authentication system includes a determination unit that determines whether to add a password to the message. Specifically, if the type attribute is type = "password", it is determined that addition is possible, and the password is added to the input field. If the type attribute is other than type = "password", for example, if type = "text", it is determined that the addition is not possible, and the password is not added to the input field.

  This type attribute difference appears when displayed on the client 301. When the type attribute is “password”, the entered password is masked or displayed as “*”. For this reason, even if the display screen of the client 301 is viewed, the user of the client 301 cannot determine the password. If the type attribute is other than “password”, the entered password is displayed as it is. Therefore, when viewing the display screen of the client 301, the user of the client 301 can determine the password.

  That is, since the rewriting unit 316 determines whether or not to input the password by looking at the type attribute of the input field, the password is prevented from being displayed on the screen of the client 301 as it is.

  According to such an authentication system, it is possible to prevent a person from knowing the password from others through the display screen of the client 301.

  Next, a sixth embodiment of the present invention will be described.

  In the authentication system of the sixth embodiment, a specific function is added to the authentication system 300 of the third embodiment. For this reason, the configuration other than this is the same as that of the authentication system 300. The specific function is a function for storing the request URI and the form URI in association with each other. Further, the specific function is a function of storing in association with a set of values (a set of login information) associated with the user name of the client. Thereby, when the combination of the request URI and the form URI is specific, login information input by the user of the client can be appropriately obtained and stored.

The analysis unit 313 extracts the form response URI from the HTML analysis result included in the HTTP response. The form response URI is a destination URI of the form value, and can be acquired from the action attribute of the HTML form. Taking the message shown in FIG. 6 as an example, the aforementioned action attribute is:
It will be “http: //address.of.server1/cgi-bin/login.cgi”. When the value of the action attribute is a relative URI, the analysis unit 313 obtains an absolute URI from the request URI of the current session.

  Then, the analysis unit 313 stores the form response URI in association with the session request URI.

  Further, the analysis unit 313 searches for the URI of the HTTP request message received from the session management unit 312 from the stored form response URI, and obtains the request URI associated therewith.

  Separately from this, the analysis unit 313 has a function of analyzing the message body included in the HTTP request message and extracting the name and value of the input field. Specifically, for example, when the message body is “user ID = 333 & passwd = 777”, the names “user ID” and “passwd” of the input field are extracted from this, and “333” and “777” are extracted as the corresponding values.

  Next, the operation of this authentication system will be described.

  When the client user accesses the login page by HTTP, the authentication assistant device 303 relays the HTTP request / response message by the same operation as the authentication assistant device 303 of the third embodiment. At this time, the analysis unit 313 extracts the request URI of the login page and the form response URI obtained from the action attribute of the form included in the login page, and stores them in association with each other.

  For example, the URI of the login page is “http://example.com/login.html”, and the form response URI obtained from the action attribute of the form included therein is “http://example.com/cgi”. -bin / login.cgi ".

Next, when the user of the client performs login processing, an HTTP request is transmitted to “http://example.com/cgi-bin/login.cgi” which is a form response URI. When the analysis unit 313 receives this, the URI is extracted from the HTTP request. From the information stored earlier, it can be seen that this request is a login response to “http://example.com/login.html”.

  The analysis unit 313 analyzes the message body included in the HTTP request, and extracts the name / value pair of the input field from the message body. The group is stored in the storage unit 315 using “http://example.com/login.html”, which is the URI of the login page, as a key.

  At this time, if a value is already stored for the same URI, it is overwritten. At this time, it can be stored separately from the stored value without being overwritten.

  The authentication system can also be provided with a second selection means for allowing the client user to select whether to overwrite or store the value separately from the stored value. In this case, when a value for the same URI is already stored in the storage unit 315, the client user can select whether to overwrite or store it separately. The confirmation of the selection of the client by the user is performed, for example, in the same display as in FIG. In this case, for example, the UI 318 displays a selection screen (not shown) on the display unit of the client. Therefore, the authentication system can use the UI 318 to confirm whether the value is overwritten or stored separately for the client user.

  Furthermore, this authentication system can also be provided with a confirmation function (a function for inquiring whether or not authentication assistance is permitted) that prompts input of permission or rejection as described in the fourth embodiment. In this case, as in the fourth embodiment, it is possible to prompt the client user to input permission / prohibition for inquiring whether or not authentication assistance is permitted.

  According to such an embodiment, even if the ID and password required for login are not stored in the storage unit 315 of the authentication assistant device 303, the ID and password are automatically recorded and automatically transmitted in subsequent communications. You can enter (embed in the login page). This is because the authentication system reads and saves the ID and password input / transmitted by the user of the client during communication, and these values can be used at the next login.

  Further, according to this embodiment, when the ID or password stored in the authentication assistant device is wrong or old, it can be corrected. This is because, in the authentication system of this embodiment, the ID and password can be updated by the authentication assistant device automatically reading and overwriting and saving the ID and password input by the client user.

  Further, since the login information is associated with the set of values associated with the client user name and the request URI, the login information of the client user can be appropriately obtained, stored, and used.

  The login information can also be used in association with the action attribute. In this case, login information associated with the action attribute URI is stored in the storage unit 315.

  Next, a seventh embodiment of the present invention will be described with reference to FIG.

  FIG. 7 is an explanatory diagram illustrating an authentication method according to the seventh embodiment.

  The authentication method 500 of the seventh embodiment includes a monitoring step 501, an analysis step 502, a generation step 503, and a transmission step 504.

  The monitoring step 501 is a step for relaying and monitoring the communication between the server and the client.

  The analysis step 502 is a step of analyzing whether or not there is an input location of login information related to the client on the login page transmitted from the server to the client in the monitoring step 501.

  In the generation step 503, when it is analyzed that the input portion is present in the analysis step, the login information is rewritably embedded in a predetermined input portion of the login page, and information regarding the operation of the login page is maintained. This is a generation step for generating a new login page.

  The transmission step 504 is a step of transmitting this new login page to the client instead of the analyzed login page.

  According to such an authentication method 500, the authentication assistant device and the authentication system operate as already described in the first embodiment and the second embodiment.

  For this reason, according to this embodiment, the user of the client can easily log in without inputting login information. Moreover, since the login information can be rewritten, the client user can also re-enter the login information. According to this embodiment, the login information can be input and updated, and CAPTCHA and one-time password can be handled. Can do.

  The following steps may be added to the authentication method 500.

  For example, the authentication method 500 may further include a notification step of notifying the client that the generated new login page is transmitted to the client instead of the analyzed login page.

  In addition, the authentication method 500 may further include a confirmation step that prompts the user to input permission / prohibition for the notification.

  In addition, when there are a plurality of the above-described login information, the authentication method 500 can further include a selection step in which the user of the relay device can select the login information to be embedded from the plurality of login information.

  Next, an eighth embodiment of the present invention will be described.

  The program according to the eighth embodiment is a program for causing a computer to realize a monitoring function, an analysis function, a generation function, and a transmission function.

  The monitoring function is a function for relaying and monitoring communication between the server and the client.

  The analysis function is a function of analyzing whether or not a login page transmitted from the server to the client has an input location of login information related to the client.

  When the generation function is analyzed that there is an input location by the analysis function, the login information is rewritably embedded in a predetermined input location of the login page, and information related to the operation of the login page is maintained. It is a generation function that generates a simple login page.

  The transmission function is a function of transmitting the generated new login page to the client instead of the analyzed login page.

  Such a program is stored in, for example, the storage medium 600 illustrated in FIG. 2 and stored in the storage unit of the authentication assistant device 100 via an input / output device such as the drive 601. Control means (not shown) of the authentication assistant device 100 and the authentication system 200 operate according to this program. Thereby, the authentication assistant device 100 and the authentication system 200 operate as already described in the first embodiment and the second embodiment.

  For this reason, according to this embodiment, the user of the client can easily log in without inputting login information. Moreover, since the login information can be rewritten, the client user can also re-enter the login information. According to this embodiment, the login information can be input and updated, and CAPTCHA and one-time password can be handled. Can do.

  A function to be realized by a computer can be added to the program.

  For example, a notification function for notifying the user of the relay device that the generated new login page is transmitted to the client instead of the analyzed login page can be added to the program.

  In addition, a confirmation function that prompts the user to input permission or rejection can be added to the program.

  When there are a plurality of login information, a selection function that allows the user of the relay device to select login information to be embedded from the plurality of login information can be added to this program.

  Although the present invention has been described with reference to the embodiments, the present invention is not limited to the above embodiments. Various changes that can be understood by those skilled in the art can be made to the configuration and details of the present invention within the scope of the present invention.

  The present invention can be applied to an authentication assistant device or an authentication system in which the authentication assistant device is installed in the middle of a communication path between a client and a server. Thus, the present invention can provide a function that assists the authentication procedure between the client and the server. This authentication assistant device can be applied to proxy servers, access points, wireless base stations, routers, gateways, and the like.

DESCRIPTION OF SYMBOLS 100 Authentication assistance apparatus 101 Client 102 Server 103 Network 104 Network 106 Analysis means 107 Generation means 108 Transmission means 112 Server 200 Authentication system 300 Authentication system 301 Client 302 Server 303 Authentication assistance apparatus 303A Authentication assistance apparatus 304 Network 305 Network 311 Communication part 312 Session Management unit 313 Analysis unit 314 Search unit 315 Storage unit 316 Rewrite unit 317 Communication unit 318 UI
410 Notification screen 411 OK button 412 Mouse pointer 420 Notification screen 421 OK button 422 Cancel button 423 Mouse pointer 430 Selection screen 431 Selection button 432 Selection button 433 Mouse pointer 434 OK button 435 Cancel button 436 Login page 437 Input location 438 Input location 439 OK Button 500 Authentication method 501 Monitoring step 502 Analysis step 503 Generation step 504 Transmission step 600 Storage medium 601 Drive A operation B operation

Claims (11)

An authentication assistant device that is installed in the middle of the communication path between the client and the server and relays communication between the two,
Analyzing means for analyzing whether or not there is an input location of login information related to the client and requested for login in the login page transmitted from the server to the client;
When it is analyzed that the input location is present, the login information obtained from the authentication assistant device is rewritably embedded in a predetermined input location of the login page, and the client user is notified of the execution of authentication assistance. Processing means for processing the login page to add a display, and generating means for generating a new login page in which information on the operation of the login page is maintained;
A transmission means for transmitting the new login page to the client instead of the analyzed login page;
Further comprising storage means for storing login information input to the login page;
The login information embedded so as to be rewritable is determined from the storage means using a URI as a key,
The analysis unit analyzes a message body included in the HTTP request, extracts a pair of a name and a value of an input field, stores it in the storage unit in association with the URI of the HTTP request including a form response URI,
The analysis unit extracts a URI of a login page from an HTTP request received from the client, and extracts a form response URI from an HTML analysis result of the login page included in an HTTP response of the server in response to an HTTP request received from the client. Second storage means for storing the login page URI and the form response URI in association with each other;
The analysis unit obtains login information from an HTTP request received from a client, and further searches the form response URI stored in the second storage unit and the URI of the login page using the form response URI as a key, and the login information And the retrieved form response URI and the URI of the login page are stored in the storage means in association with each other. The authentication assistant device according to claim 1, further comprising notification means for notifying a user of the authentication assistant device of execution of authentication assistance. The authentication assistant device according to claim 2, further comprising a confirmation unit that prompts an input of permission or non-acceptance of authentication assistance for the notification. 4. The apparatus according to claim 1, further comprising a selection unit that allows a user of the authentication assistant device to select login information to be embedded from the plurality of login information when there are a plurality of the login information. 5. Authentication assistant device. When login information is input from the client user to the predetermined input location and a value is already stored in the storage means for the same URI, the client user overwrites this value. The authentication assistant device according to claim 1, further comprising: a second selection unit that can select whether the data is stored separately without being overwritten. 6. The authentication assistant device according to claim 1, wherein the login information is information associated with a set of values associated with a user name of the client and a URI. The authentication assistance apparatus according to claim 6, wherein the URI is a request URI or a form response URI in an HTTP session. 8. The authentication assistance according to claim 1, wherein the login information is obtained by analyzing a message body included in an HTTP request and extracting a pair of a name and a value of an input field. apparatus.   9. The authentication assistant device according to claim 1, wherein the login information is a login ID and a password. The authentication assistant device according to claim 9 , further comprising a determination unit that determines whether to embed the password based on an HTML type attribute related to an input location of a login page. A server and a client connected to the network, and an authentication assistant device arranged in the middle of a communication path between the server and the client,
11. An authentication system using the authentication assistant device according to claim 1 as the authentication assistant device.

Images