JP5895285B2 - Information processing system and information processing method - Google Patents

Description

  The present invention relates to an information processing system and an information processing method.

  In recent years, with the spread of the Internet, not only computers but also various terminal devices such as mobile phones, portable information terminals, televisions, and game machines are connected to connect to the Internet. When using various contents on the Internet, a user sets security and the like according to a terminal device used by the user to prevent a failure caused by an unauthorized program. In addition, when receiving a recommendation service that provides content according to preferences based on a history of content used by a user, a user using a plurality of terminal devices receives the service for each terminal device. Have settings for.

JP 2006-040247 A

However, when using a plurality of terminal devices, the user installs software for detecting malicious programs such as computer viruses, software for receiving recommendation services, etc., and sets each software for each terminal device. The cumbersome work has become a burden on the user. Also, depending on the performance and configuration of the terminal device, the above-described software may not be installed, and sufficient convenience may not be obtained when using content on the network.
In addition, when the terminal device communicates using encryption technology such as SSL (Security Socket Layer) or HTTPS (HTTP over SSL), the content cannot be analyzed, so a service corresponding to the content is provided. In some cases, it is not possible to receive such information and sufficient convenience is not obtained when using content on the network.

  The present invention has been made to solve the above problems, and its purpose is to reduce the burden on the user when using services on the network, and to improve convenience without depending on the terminal device or communication protocol to be used. An object is to provide an information processing system and an information processing method that are improved.

  In order to solve the above problem, the present invention relays communication between a user terminal operated by a user, a service server that provides a service in response to a received request, and the user terminal and the service server. An information processing system comprising: a user agent unit that generates request information for requesting the service server to provide a service; and a destination address of the relay server for the request information. A communication unit that transmits request information encapsulated by adding header information to the relay server, wherein the relay server receives the encapsulated request information from the user terminal, and is encapsulated. Request information included in the requested information is transmitted to the service server, and content information indicating a service result corresponding to the request information is transmitted. A content communication unit that receives from the service server and transmits the received content information to the user terminal as a response to the encapsulated request information, and based on the request information or the content information, the user uses the usage information. And an additional service providing unit that provides an additional service when the service server is used via an operator terminal.

  In the invention described above, the additional service providing unit further stores in advance an instruction code string included in an unauthorized access procedure or an unauthorized program, and the access procedure or the instruction code string is It has a virus check part which determines whether it is contained in the said request information or the said content information, and transmits a determination result to the said user terminal as said additional service.

  In the invention described above, the additional service providing unit may further include information indicating the predetermined service server or a predetermined service among the services provided in the service server. Is included in the request information or the content information, and includes a content block unit that transmits a determination result to the user terminal as the additional service.

  Further, according to the present invention, in the invention described above, the additional service providing unit is further stored in a usage history storage unit that stores the request information and the content information for each user, and in the usage history storage unit. Based on the request information and the content information, the user detects the preference of the service used by the user based on the history of using the service server, and is similar to the detected preference of the service server. And a content recommendation unit that transmits information indicating a service server that provides the service to the user terminal.

  In order to solve the above problem, the present invention relays communication between a user terminal operated by a user, a service server that provides a service in response to a received request, and the user terminal and the service server. An information processing method in an information processing system comprising a relay server, wherein the user terminal generates request information for requesting the service server to provide a service, and the user terminal Transmitting request information encapsulated by adding header information destined for the relay server to the request information to the relay server; and the relay server transmits the request information encapsulated from the user terminal. The request information contained in the encapsulated request information is transmitted to the service server, and a service corresponding to the request information is transmitted. A content communication step of receiving content information indicating a result from the service server and transmitting the received content information to the user terminal as a response to the encapsulated request information; and the relay server, the request information or And an additional service providing step of providing an additional service when the user uses the service server via the user terminal based on the content information.

According to the present invention, the user terminal encapsulates request information for requesting content provision from the service server and transmits the encapsulated request information to the relay server, and the relay server receives the request information included in the encapsulated request information. Transmit to the service server and receive content from the service server. That is, the relay server can analyze information transmitted and received between the user terminal and the service server and record information history, etc. by communicating with the service server instead of the user terminal. Based on the above, it is possible to provide an additional service when a user uses the service server via the user terminal. Further, when the relay server communicates with the service server instead of the user terminal, the additional service can be provided without depending on the communication protocol used when receiving the provision of the content.
Thereby, even when a user uses a service server using a plurality of user terminals, it is possible to receive an additional service and to improve convenience. Further, even when the user uses a plurality of user terminals, it is not necessary to make settings for receiving additional services for each user terminal, so that the burden on the user can be reduced.

It is a schematic block diagram which shows the structure of the information processing system 1 in this embodiment. It is a schematic block diagram which shows the structure of the reverse proxy server 10 and the user terminal 40 in this embodiment. It is a figure which shows an example of the utilization domain information memorize | stored in the utilization domain memory | storage part 11 in this embodiment. It is a figure which shows an example of the user information memorize | stored in the user information storage part 12 in this embodiment. It is a figure which shows an example of the service authentication information memorize | stored in the service authentication information storage part 13 in this embodiment. It is a 1st sequence diagram which shows the process which accesses the service server 30 through the authentication in the reverse proxy server 10 of this embodiment. It is a 2nd sequence diagram which shows the process which accesses the service server 30 through the authentication in the reverse proxy server 10 of this embodiment. It is a 3rd sequence diagram which shows the process which accesses the service server 30 through the authentication in the reverse proxy server 10 of this embodiment. It is a 4th sequence diagram which shows the process which accesses the service server 30 through the authentication in the reverse proxy server 10 of this embodiment. It is a 5th sequence diagram which shows the process which accesses the service server 30 through the authentication in the reverse proxy server 10 of this embodiment. It is a 6th sequence diagram which shows the process which accesses the service server 30 through the authentication in the reverse proxy server 10 of this embodiment. It is a 7th sequence diagram which shows the process which accesses the service server 30 through the authentication in the reverse proxy server 10 of this embodiment. It is an 8th sequence diagram which shows the process which accesses the service server 30 through the authentication in the reverse proxy server 10 of this embodiment. It is a 9th sequence diagram which shows the process which accesses the service server 30 through the authentication in the reverse proxy server 10 of this embodiment. It is a 10th sequence diagram which shows the process which accesses the service server 30 through the authentication in the reverse proxy server 10 of this embodiment. It is a 1st sequence diagram which shows an example of the process which accesses the service server 30 after the authentication in this embodiment. It is a 2nd sequence diagram which shows an example of the process which accesses the service server 30 after the authentication in this embodiment. It is a 3rd sequence diagram which shows an example of the process which accesses the service server 30 after the authentication in this embodiment. FIG. 10 is a first sequence diagram illustrating an example of processing (disconnection processing) when ending use of the service server 30 via the reverse proxy server 10. It is a 2nd sequence diagram which shows an example of the process at the time of complete | finishing use of the service server 30 via the reverse proxy server 10 (disconnection process). It is a 3rd sequence diagram which shows an example of the process (disconnection process) at the time of complete | finishing use of the service server 30 via the reverse proxy server. FIG. 11 is a fourth sequence diagram illustrating an example of processing (disconnection processing) when ending use of the service server 30 via the reverse proxy server 10. FIG. 10 is a fifth sequence diagram illustrating an example of processing (disconnection processing) when ending use of the service server 30 via the reverse proxy server 10. The header field added to HTTP1.1 is shown. It is a figure which shows an example of the header information in the request data and response data which are used in the reverse proxy server 10 and the user terminal 40. It is a figure which shows the example of the header information of the connection request information of step S102. It is a figure which shows the example of the header information of the connection request information of step S103. It is a figure which shows the example of the header information of the authentication request information of step S104. It is a figure which shows the example of the header information of the authentication request information of step S105. It is a figure which shows the example of the header information of the information transmitted in step S107. It is a figure which shows the example of the header information of the information transmitted in step S108. It is a figure which shows the example of the header information of the authentication result information of step S110. It is a figure which shows the example of the header information of the authentication result information of step S111. It is a figure which shows the example of the header information of the access request information of step S124. It is a figure which shows the example of the header information of the access request information of step S142. It is a figure which shows the example of the header information of the authentication request information of step S148. It is a figure which shows the example of the header information of the authentication request information of step S164. It is a figure which shows the example of the header information of the authentication instruction information of step S169. It is a figure which shows the example of the header information of the authentication instruction information of step S174. It is a figure which shows the example of the header information of the authentication page information of step S180. It is a figure which shows the example of the header information of the authentication page information of step S184. It is a figure which shows the example of the header information of the authentication information of step S190. It is a figure which shows the example of the header information of the authentication information of step S195. It is a figure which shows the example of the header information of the authentication result of step S202. It is a figure which shows the example of the header information of the authentication result of step S206. It is a figure which shows the example of the header information of the transfer instruction information of step S211. It is a figure which shows the example of the header information of the transfer instruction information of step S222. It is a figure which shows the example of the header information of the initial content information of step S229. It is a figure which shows the example of the header information of the initial content information of step S245.

  Hereinafter, an information processing system and an information processing method according to an embodiment of the present invention will be described with reference to the drawings.

  FIG. 1 is a schematic block diagram showing a configuration of an information processing system 1 in the present embodiment. As shown in FIG. 1, the information processing system 1 is connected to the reverse proxy server 10, at least one service server 30 connected to the reverse proxy server 10 via the network 20, and the reverse proxy server 10. And a user terminal 40.

  The reverse proxy server 10 as a relay server receives an access request to the service server 30 from the user terminal 40 and accesses the service server 30 according to the received access request. The reverse proxy server 10 also provides services based on information transmitted to and received from the user terminal 40, such as virus check, content check, traceability based on usage history, and recommendation of content, etc. It is provided to users who use 40.

The network 20 is, for example, the Internet.
The service server 30 is a server operated by a network service provider or a content provider, and provides services such as cloud computing and Web content to the user. The user terminal 40 is a device operated by a user, and is, for example, an information terminal such as a desktop computer, a notebook computer, or a smartphone, a mobile phone having a communication function such as a web browser, a television, and a game machine. .

  FIG. 2 is a schematic block diagram showing configurations of the reverse proxy server 10 and the user terminal 40 in the present embodiment. As shown in the figure, the reverse proxy server 10 includes a usage domain storage unit 11, a user information storage unit 12, a service authentication information storage unit 13, a terminal cooperation unit 14, a content communication unit 15, and a cooperative authentication. Unit 16 and additional service providing unit 17. The user terminal 40 includes an input unit 41, an output unit 42, a user agent unit 43, a data conversion unit 44, and a communication unit 45.

  In the use domain storage unit 11 in the reverse proxy server 10, the user who operates the user terminal 40, the domain name of the service server 30 that the user accesses via the own device (reverse proxy server 10), and the access The usage domain information associated with the session ID for identifying is stored.

  The user information storage unit 12 stores user information used when performing authentication, which is a determination as to whether or not the user terminal 40 has the right to access the network 20 via its own device. The user information is stored in advance in association with a user ID for identifying a user who operates the user terminal 40, an authentication type used for determination on the user, and information corresponding to the authentication type. Here, the type of authentication includes, for example, information indicating any of form authentication, SAML authentication, OpenID authentication, and the like.

  Service authentication information is stored in the service authentication information storage unit 13 in advance. The service authentication information is information in which at least one Internet service authentication information is associated with each user ID. The Internet service authentication information is information that associates, for each service server 30, a combination of the authentication type in the service server 30, the domain name of the service server 30, and the ID and PW (password) in the service server 30.

  An example of usage domain information stored in the usage domain storage unit 11, user information stored in the user information storage unit 12, and service authentication information stored in the service authentication information storage unit 13 is shown below. .

  FIG. 3 is a diagram illustrating an example of usage domain information stored in the usage domain storage unit 11 according to the present embodiment. As shown in the figure, the user information is information in which a session ID and a domain name are associated with each user ID. For example, a user with a user ID “A” has a session ID “10.0.0.1_a_20110701235547” and a domain name “www.ntt.co.jp”, a session ID “10.0.0.1_a_20110701235612”, and a domain name “www.some. com ".

  FIG. 4 is a diagram illustrating an example of user information stored in the user information storage unit 12 according to the present embodiment. As shown in the figure, the user information is information in which an authentication type is associated with information corresponding to the authentication type for each user ID. For example, the user with the user ID “A” is associated with the authentication type “802.1X” and the information “/etc/tunnel/xxx/xxx.pem” used for authentication. Here, the information corresponding to the type of authentication is a password used for authentication, a file of an electronic certificate, or the like.

  FIG. 5 is a diagram illustrating an example of service authentication information stored in the service authentication information storage unit 13 in the present embodiment. As shown in the figure, the service authentication information includes, for each user ID, the type of authentication, the domain name of the service server 30, the ID in the service server 30, and information used for authentication in the service server 30 (for example, a password). Etc.) is associated with Internet service authentication information. For example, the authentication type “OpenID” and the domain name “www.any.com” are associated with the user “B”.

Returning to FIG. 2, the description of the configurations of the reverse proxy server 10 and the user terminal 40 will be continued.
The terminal cooperation unit 14 includes an encapsulated data transfer unit 141 and a usage domain management unit 142. The encapsulated data transfer unit 141 transfers the encapsulated data transmitted / received between the user terminal 40 and the content communication unit 15. The encapsulated data transfer unit 141 outputs the encapsulated data to the additional service providing unit 17.
For each user who operates the user terminal 40, the usage domain management unit 142 obtains the domain name of the service server 30 that the user terminal 40 accesses via its own device, and the session ID as an identifier for identifying the access. The user ID of the user and the detected domain name and session ID are associated with each other and stored in the use domain storage unit 11. Further, the usage domain management unit 142 determines whether the information received from the user terminal 40 is information due to unauthorized access based on the usage domain information stored in the usage domain storage unit 11.

The content communication unit 15 includes a user authentication unit 151, an encapsulated data processing unit 152, a connection destination address conversion unit 153, and an external communication unit 154. Based on the user information stored in the user information storage unit 12, the user authentication unit 151 determines whether or not the user terminal 40 has the right to access the network 20 via its own device. . In addition, when the user terminal 40 has the right to access the network 20 via its own device, the user authentication unit 151 sends the session ID and session key used for communication with the own device to the user terminal 40. assign.
The encapsulated data processing unit 152 unencapsulates the encapsulated information by deleting the header information added to the encapsulated information input from the terminal cooperation unit 14. Also, the encapsulated data processing unit 152 encapsulates the received data by adding header information to the data received from the service server 30 via the network 20.

  The connection destination address conversion unit 153 searches for an IP address corresponding to the domain name included in the access request received from the user terminal 40. The IP address search by the connection destination address conversion unit 153 may search for an IP address corresponding to the domain name by inquiring a DNS (Domain Name System) server using a known technique, for example. The external communication unit 154 processes communication via the network 20 in the reverse proxy server 10 and outputs data received via the network 20 to the encapsulated data processing unit 152.

  For the access request to the service server 30 received from the user terminal 40, the cooperative authentication unit 16 provides services such as the user terminal 40 accessing the service server 30 to browse the cloud computing and Web content. At the time of receiving, authentication processing for determining whether or not there is a right to receive service is performed on behalf of the user terminal 40.

  The additional service providing unit 17 includes a line authentication unit 171, a virus check unit 172, a content block unit 173, a usage history storage unit 174, and a content recommendation unit 175. The line authentication unit 171 performs authentication for a line connecting the user terminal 40. As specific authentication, for example, it is determined whether or not an identifier assigned to a line with the user terminal 40 matches a predetermined line identifier. The virus check unit 172 determines whether or not an illegal program such as a computer virus is included in information transmitted to and received from the user terminal 40. For example, the virus check unit 172 stores in advance an unauthorized access procedure, an instruction code string included in an unauthorized program, or both, and information transmitted and received between the user terminal 40 and the reverse proxy server 10 includes: It is determined whether or not an unauthorized access procedure or an instruction code sequence possessed by an unauthorized program is included. Further, the virus check unit 172 may delete the computer virus when the computer virus is included in the information. If the virus checking unit 172 determines that an unauthorized program is included, the virus checking unit 172 may transmit that the unauthorized program is included to the user terminal 40.

The content block unit 173 performs a content check to determine whether information transmitted to and received from the user terminal 40 includes predetermined content, for example, information such as a domain name, an image, and a program code. Do. When the content block unit 173 detects predetermined content, the content block unit 173 replaces or deletes the content with predetermined information. Further, when the content block unit 173 detects a predetermined content, the content block unit 173 may transmit the fact that the content has been detected, or that the content block unit 173 has been replaced or deleted to the user terminal 40.
Here, the predetermined content is, for example, a harmful site, a domain name such as a phishing site, or content provided on such a site.

The usage history storage unit 174 stores information to be transmitted to and received from the user terminal 40 for each user. That is, the usage history storage unit 174 stores the usage history of the own device and the service server 30 for each user.
The content recommendation unit 175 detects each user's preference based on the usage history of each user stored in the usage history storage unit 174, and obtains information on the service server 30 that provides a service according to the detected preference. Provide to users. For example, the content recommendation unit 175 identifies the preference of each user using data mining or statistical analysis on the usage history, and detects the service server 30 that provides a service similar to the identified preference. The content recommendation unit 175 transmits information indicating the detected service server 30 to the user terminal 40.

Next, each functional unit provided in the user terminal 40 will be described.
Instruction information corresponding to a user operation is input to the input unit 41. The input unit 41 is, for example, a keyboard or a pointing device such as a mouse. The output unit 42 outputs a result obtained in accordance with a user operation. The output unit 42 is, for example, a display or a speaker.

  The user agent unit 43 has a function of receiving services such as cloud computing and web content provided in the service server 30. The user agent unit 43 also represents data indicating a connection request to the service server 30, a request for a service, a disconnection request to the service server 30, and the like based on instruction information input to the input unit 41 in response to a user operation. And the generated data is output to the data conversion unit 44. Further, the user agent unit 43 outputs data input from the data conversion unit 44, for example, data corresponding to the requested service result to the output unit 42. The user agent unit 43 is, for example, a web browser.

  The data conversion unit 44 encapsulates the data input from the user agent unit 43 by adding header information, and outputs the encapsulated data to the communication unit 45. In addition, the data conversion unit 44 unencapsulates the header information added to the data input from the communication unit 45 and outputs the unencapsulated data to the user agent unit 43. Here, the header information is the state of authentication between the reverse proxy server 10 and the own device, information about the user who uses the own device, information destined for the reverse proxy server 10, and communication used for communication with the service server 30. Including protocols.

  The communication unit 45 includes a tunnel connection unit 451 and a tunnel communication unit 452. When the connection request to the service server 30 generated by the user agent unit 43 is input, the tunnel connection unit 451 requests a connection for communication with the reverse proxy server 10 and performs an authentication process. When the connection is permitted as a result of the authentication processing, the tunnel communication unit 452 transmits the data encapsulated in the data conversion unit 44 to the reverse proxy server 10, and the data received from the reverse proxy server 10 as the data conversion unit 44. Output to.

  Next, processing (connection processing) for accessing the service server 30 through authentication in the reverse proxy server 10, processing for accessing the service server 30 after performing authentication, and processing for ending use of the service server 30 (Cut process) will be described with an example. Hereinafter, a case where the authentication type in the service server 30 is “SP-initiated” of SAML authentication will be described.

6 to 15 are sequence diagrams illustrating processing for accessing the service server 30 through authentication in the reverse proxy server 10 of this embodiment.
As shown in FIG. 6, in the user terminal 40, when an application that uses the service of the service server 30 is activated in the user agent unit 43 in response to a user operation (step S101), the user agent unit 43 generates connection request information indicating a connection request to the reverse proxy server 10 and outputs the connection request information to the data conversion unit 44. The data conversion unit 44 adds header information including the content communication unit 15 as a destination to the input connection request information, encapsulates the information, and reverses the encapsulated connection request information via the tunnel connection unit 451. It transmits to the proxy server 10 (step S102).

In the reverse proxy server 10, the encapsulated data transfer unit 141 transfers the information encapsulated in the connection request to the own device received from the user terminal 40 to the content communication unit 15 (step S103).
In the content communication unit 15, when the connection request information encapsulating the connection request to the own device is input, the user authentication unit 151 sends a user ID to the user terminal 40 that has transmitted the connection request information. Authentication request information indicating that information used for authentication is requested is output to the encapsulated data transfer unit 141 (step S104). The encapsulated data transfer unit 141 transfers the input authentication request information to the user terminal 40 (step S105).

The tunnel connection unit 451 outputs the authentication request information received from the reverse proxy server 10 to the user agent unit 43 via the data conversion unit 44. When the authentication request information is input, the user agent unit 43 outputs information indicating that a user ID and information used for authentication are requested from the reverse proxy server 10 to the output unit 42. In addition, the user agent unit 43 sends the content communication unit 15 to the user ID specified by the instruction information input to the input unit 41 according to the user's operation and information (password or electronic certificate) used for authentication. Is added to encapsulate the information (step S106).
The user agent unit 43 transmits the encapsulated information to the reverse proxy server 10 via the tunnel connection unit 451 (step S107).

In the reverse proxy server 10, the encapsulated data transfer unit 141 transfers the information encapsulated with the user ID and information received from the user terminal 40 to the user authentication unit 151 (step S108).
The user authentication unit 151 includes a user ID included in the encapsulated information and information used for authentication, and a user ID included in the user information stored in the user information storage unit 12 and information used for authentication. Are authenticated using a method corresponding to the type of authentication corresponding to the user ID in the user information (step S109).
That is, the user authentication unit 151 determines whether or not the user terminal 40 has the right to access the network 20 via its own device. If the user authentication unit 151 determines that the user ID has the right to access the network 20 through the user apparatus, the user information storage unit 151 stores that the user with the user ID is logged in. Store in the unit 12.

The user authentication unit 151 outputs the authentication result information to the encapsulated data transfer unit 141 (step S110). The authentication result information includes a session ID and a session key assigned to the user ID in addition to the authentication result information when it is determined that there is a right to access the network 20 via the own device.
The encapsulated data transfer unit 141 transfers the input authentication request to the user terminal 40 (step S111).

  The user terminal authentication phase in which the processes from step S101 to step S111 described above determine whether or not the user terminal 40 has the right to access the service server 30 on the network 20 via the reverse proxy server 10. It is. As a result of the authentication, if the user terminal 40 indicates that the user terminal 40 has the right to access the network 20 via the reverse proxy server 10, the processing described below is performed.

  When the user terminal 40 has the right to access the network 20 via the reverse proxy server 10, the authentication result information includes a session ID and a session key. The session ID and the session key are used when the user terminal 40 accesses the service server 30 via the reverse proxy server 10, and the user authentication unit 151 for the connection with the authenticated user terminal 40. Issued until the connection with the user terminal 40 is cut off.

  On the other hand, when there is no right to access the user terminal 40, the user agent unit 43 in the user terminal 40 again generates connection request information indicating a connection request to the reverse proxy server 10 and outputs it to the data conversion unit 44. Then, the processing after step S102 is repeated. Alternatively, the user agent unit 43 ends the process of the user terminal authentication phase.

  As shown in FIG. 7, when the authentication result information indicating that the user agent unit 43 has the right to access is input, the user agent unit 43 inputs the URL of the service server 30 that provides the service desired to be provided. The requested information is output to the output unit 42. When information such as the URL of the service server 30 is input to the input unit 41 in response to a user operation (step S121), the user agent unit 43 accesses the service server 30 based on the input information. Is generated and output to the data converter 44 (step S122). The access request information includes the domain name of the service server 30 and information for receiving service provision (such as a command).

The data conversion unit 44 adds header information to the input access request information to encapsulate the information (step S123), and transmits the encapsulated access request information to the reverse proxy server 10 via the tunnel communication unit 452. (Step S124).
Here, the header information added to the access request information in step S123 includes information destined for the content communication unit 15, the user ID of the user input in step S106, and the service server 30 included in the access request information. Domain name, session ID and session key included in the authentication result information, and line information specifying the line connecting the user terminal 40 and the reverse proxy server 10 are included. The line information is, for example, an identification number assigned in advance when the user terminal 40 is connected to the reverse proxy server 10 or an identification number assigned to the user terminal 40. When the user terminal 40 is a mobile phone, the telephone number is an identification number.

In the reverse proxy server 10, the encapsulated data transfer unit 141 receives the access request information encapsulated from the user terminal 40 (hereinafter referred to as encapsulated data), and uses the header information added to the access request information. The data is output to the line authentication unit 171 of the additional service providing unit 17 (step S125).
The line authentication unit 171 authenticates the line connecting the user terminal 40 and the own apparatus based on the line information included in the input header information (step S126), and is included in the header information. The user ID and the authentication result are output to the usage history storage unit 174 (step S127).
The usage history storage unit 174 stores the input user ID and the authentication result in association with each other (step S128), and outputs information indicating that the storage is completed to the line authentication unit 171 (step S129). When the authentication result is stored, the line authentication unit 171 outputs information indicating that the authentication is completed to the encapsulated data transfer unit 141 (step S130).

When the line with the user terminal 40 is authenticated, the encapsulated data transfer unit 141 outputs the encapsulated data received from the user terminal 40 to the usage history storage unit 174 (step S131). When the line is not authenticated, the encapsulated data transfer unit 141 transmits information indicating that the line has not been authenticated to the user terminal 40, and ends the process.
The usage history storage unit 174 stores the encapsulated data in association with the user ID included in the header information of the input encapsulated data (step S132), and indicates information indicating that the encapsulated data has been stored. The data is output to the encapsulated data transfer unit 141 (step S133).

  As shown in FIG. 8, in the terminal cooperation unit 14, when the encapsulated data is stored, the encapsulated data transfer unit 141 outputs the encapsulated data to the content block unit 173 (step S134). The content block unit 173 performs a content check on the domain name of the service server 30 and the requested content included in the access request information and header information of the encapsulated data (steps S135 and S136), and the content check And the user ID of the header information are output to the usage history storage unit 174 (step S137).

  The usage history storage unit 174 stores the input content check result in association with the user ID (step S138), and outputs information indicating that the storage of the content check result is completed to the content block unit 173 (step S138). S139). When the content check result is stored, the content block unit 173 outputs information indicating that the content check is completed to the encapsulated data transfer unit 141 (step S140).

When the content check is completed, the encapsulated data transfer unit 141 outputs the header information of the encapsulated data to the usage domain management unit 142. The usage domain management unit 142 stores the user ID, the session ID, and the domain name of the service server 30 included in the header information in the usage domain storage unit 11 in association with each other (step S141).
Further, the encapsulated data transfer unit 141 transfers the encapsulated access request information to the content communication unit 15 (step S142).

In the content communication unit 15, the encapsulated data processing unit 152 decapsulates the encapsulated data (step S143), and outputs the URL of the service server 30 included in the access request information to the connection destination address converting unit 153. The connection destination address conversion unit 153 searches for the IP address corresponding to the input URL, and outputs the search result to the encapsulated data processing unit 152 (step S144).
The encapsulated data processing unit 152 combines the unencapsulated access request information, header information, and the IP address input from the connection destination address conversion unit 153, and outputs the combined information to the external communication unit 154. The external communication unit 154 transmits access request information addressed to the input IP address using the communication protocol specified in the header information (step S145).

When the service server 30 receives the access request information from the reverse proxy server 10, the ID and password are used to perform an authentication process for determining whether the reverse proxy server 10 has a right to receive a service provided by the service server 30. The authentication request information requesting the request is returned (step S146).
In the reverse proxy server 10, the external communication unit 154 receives authentication request information from the service server 30 and outputs the received authentication request information to the encapsulated data processing unit 152. The encapsulated data processing unit 152 adds the header information to the authentication request information to encapsulate it (step S147), and outputs the encapsulated authentication request information to the encapsulated data transfer unit 141 of the terminal cooperation unit 14 (step S148). . The header information added to the authentication request information in step S147 includes information indicating the user terminal 40 and the user who transmitted the access request information corresponding to the authentication request information.

  As illustrated in FIG. 9, when the encapsulated authentication request information is input from the content communication unit 15, the encapsulated data transfer unit 141 of the terminal cooperation unit 14 uses the encapsulated authentication request information as a usage history storage unit. It outputs to 174 (step S149). The usage history storage unit 174 stores the authentication request information in association with the user ID included in the header information (step S150), and outputs information indicating that the storage of the authentication request information is completed to the encapsulated data transfer unit 141. (Step S151).

When the storage of the authentication request information is completed, the encapsulated data transfer unit 141 outputs the encapsulated authentication request information to the virus check unit 172 (Step S152). The virus check unit 172 performs a virus check on the input authentication request information (step S153), and outputs the virus check result and the user ID of the header information to the usage history storage unit 174 (step S154).
The usage history storage unit 174 stores the input virus check result in association with the user ID (step S155), and outputs information indicating that the storage of the virus check result is completed to the virus check unit 172 ( Step S156). When the virus check result is stored, the virus check unit 172 outputs information indicating that the virus check is completed to the encapsulated data transfer unit 141 (step S157).

When the virus check is completed, the encapsulated data transfer unit 141 outputs the encapsulated authentication request information to the content block unit 173 (step S158). The content block unit 173 performs a content check on the information included in the encapsulated authentication request information (step S159), and uses the information indicating the result of the content check and the user ID of the header information as the usage history storage unit 174. (Step S160).
The usage history storage unit 174 stores the input content check result in association with the user ID (step S161), and outputs information indicating that the storage of the content check result is completed to the content block unit 173 (step S161). S162). When the content check result is stored, the content block unit 173 outputs information indicating that the content check has been completed to the encapsulated data transfer unit 141 (step S163).

As shown in FIG. 10, when the content check is completed, the encapsulated data transfer unit 141 of the terminal cooperation unit 14 transmits the encapsulated authentication request information to the user terminal 40 (step S164).
In the user terminal 40, the tunnel communication unit 452 outputs the encapsulated authentication request information received from the reverse proxy server 10 to the data conversion unit 44. The data conversion unit 44 unencapsulates the header information of the encapsulated authentication request information (step S165), and outputs the authentication request information to the user agent unit 43. The user agent unit 43 outputs the input authentication request information to the output unit 42 (step S166).

The user agent unit 43 generates authentication instruction information based on the instruction information input to the input unit 41 in accordance with a user operation (step S167). The data conversion unit 44 adds header information to the authentication instruction information generated by the user agent unit 43 to encapsulate the authentication instruction information (step S168), and transmits the encapsulated authentication instruction information to the reverse proxy server 10 (step S168). S169).
Here, the header information in step S168 includes information destined for the content communication unit 15, the user ID of the user input in step S106, the domain name of the service server 30, and the session ID included in the authentication result information. And a session key. Further, the authentication instruction information includes information indicating that the service server 30 is authenticated through the cooperative authentication unit 16.

  In the reverse proxy server 10, the encapsulated data transfer unit 141 receives the authentication instruction information encapsulated from the user terminal 40 and outputs the header information added to the authentication instruction information to the usage domain management unit 142. The usage domain management unit 142 determines whether the combination of the user ID, the session ID, and the domain name of the service server 30 included in the input header information is stored in the usage domain storage unit 11, The result is output to the encapsulated data transfer unit 141 (step S170).

The encapsulated data transfer unit 141 stores the combination of the user ID, the session ID, and the domain name included in the header information in the use domain storage unit 11 as the determination result input from the use domain management unit 142 Is output to the usage history storage unit 174 (step S171).
When the input determination result indicates that the combination of the user ID, the session ID, and the domain name is not stored in the usage domain storage unit 11, the encapsulated data transfer unit 141 encapsulated authentication instruction information Is regarded as an unauthorized access request and discarded without forwarding.

The usage history storage unit 174 stores the input encapsulated authentication instruction information in association with the user ID included in the header information (step S172), and the storage of the encapsulated authentication instruction information is completed. Is output to the encapsulated data transfer unit 141 (step S173).
When the encapsulated authentication instruction information is stored, the encapsulated data transfer unit 141 outputs the encapsulated authentication instruction information to the content communication unit 15 (step S174).

  In the content communication unit 15, the encapsulated data processing unit 152 uncapsulates the encapsulated authentication instruction information input from the terminal cooperation unit 14 (step S 175), and the cooperation authentication unit 16 included in the authentication instruction information. The URL is output to the connection destination address conversion unit 153. The connection destination address conversion unit 153 searches for the IP address corresponding to the input URL, and outputs the search result to the encapsulated data processing unit 152 (step S176).

  The encapsulated data processing unit 152 outputs the authentication instruction information to the cooperative authentication unit 16 (step S177). When the authentication instruction information is input, the cooperation authentication unit 16 performs an authentication process for determining whether or not the user identified by the user ID has the right to use the cooperation authentication for the service server 30. Then, authentication page information indicating an authentication page requesting a password or the like is output to the encapsulated data processing unit 152 (step S178).

  As shown in FIG. 11, the encapsulated data processing unit 152 of the content communication unit 15 adds the header information to the authentication page information to encapsulate it (step S179), and the encapsulated authentication page information is converted into the terminal cooperation unit. 14 to the encapsulated data transfer unit 141 (step S180). The header information added to the authentication page information in step S179 includes information indicating the user terminal 40 and the user who transmitted the authentication instruction information corresponding to the authentication page information.

The encapsulated data transfer unit 141 outputs the encapsulated authentication page information to the usage history storage unit 174 (step S181). The usage history storage unit 174 stores the authentication page information in association with the user ID included in the header information (step S182), and outputs information indicating that the storage of the authentication page information is completed to the encapsulated data transfer unit 141. (Step S183).
When the storage of the authentication page information is completed, the encapsulated data transfer unit 141 transmits the encapsulated authentication page information to the user terminal 40 (Step S184).

  In the user terminal 40, the tunnel communication unit 452 outputs the encapsulated authentication page information received from the reverse proxy server 10 to the header conversion unit 44. The header conversion unit 44 unencapsulates the header information of the encapsulated authentication page information (step S185), and outputs the authentication page information to the user agent unit 43. The user agent unit 43 outputs the input authentication page information to the output unit 42 (step S186).

The user agent unit 43 generates authentication information based on the instruction information input to the input unit 41 according to the user's operation (Steps S187 and S188). The data conversion unit 44 adds header information to the authentication information generated by the user agent unit 43 to encapsulate the authentication information (step S189), and the authentication information encapsulated in the reverse proxy server 10 via the tunnel communication unit 452. Is transmitted (step S190).
Here, the header information in step S189 includes information destined for the content communication unit 15, the user ID of the user input in step S106, the domain name of the service server 30, and the session ID included in the authentication result information. And a session key. The authentication information includes the domain name of the cooperative authentication unit 16 and the user ID and PW (password, etc.) used for authentication processing in the cooperative authentication unit 16.

  In the reverse proxy server 10, the encapsulated data transfer unit 141 receives the authentication information encapsulated from the user terminal 40, and outputs the header information added to the authentication information to the usage domain management unit 142. The usage domain management unit 142 determines whether the combination of the user ID, the session ID, and the domain name of the service server 30 included in the input header information is stored in the usage domain storage unit 11, The result is output to the encapsulated data transfer unit 141 (step S191).

As illustrated in FIG. 12, the encapsulated data transfer unit 141 of the terminal cooperation unit 14 includes a user ID, a session ID, and a domain in which the determination result input from the usage domain management unit 142 is included in the header information. When it indicates that the combination of names is stored in the usage domain storage unit 11, the encapsulated authentication information is output to the usage history storage unit 174 (step S192).
When the input determination result indicates that the combination of the user ID, the session ID, and the domain name is not stored in the usage domain storage unit 11, the encapsulated data transfer unit 141 displays the encapsulated authentication information. It is regarded as an unauthorized access request and discarded without forwarding.

The usage history storage unit 174 stores the input encapsulated authentication information in association with the user ID included in the header information (step S193), and indicates that the storage of the encapsulated authentication information has been completed. Information is output to the encapsulated data transfer unit 141 (step S194).
When the encapsulated authentication information is stored, the encapsulated data transfer unit 141 outputs the encapsulated authentication information to the content communication unit 15 (step S195).

  In the content communication unit 15, the encapsulated data processing unit 152 uncapsulates the encapsulated authentication information input from the terminal cooperation unit 14 (step S 196), and sets the URL of the cooperation authentication unit 16 included in the authentication information. The data is output to the connection destination address conversion unit 153. The connection destination address conversion unit 153 searches for the IP address corresponding to the input URL, and outputs the search result to the encapsulated data processing unit 152 (step S197).

The encapsulated data processing unit 152 outputs the authentication information to the cooperative authentication unit 16 (step S198). The cooperative authentication unit 16 performs an authentication process for the user based on the input authentication information and the service authentication information stored in the service authentication information storage unit 13 (step S199), and converts the authentication result into an encapsulated data process. The data is output to the unit 152 (step S200).
The encapsulated data processing unit 152 adds header information to the input authentication result to encapsulate it (step S201), and outputs the encapsulated authentication result to the encapsulated data transfer unit 141 (step S202). Here, the header information in step S201 includes information indicating the user terminal 40 and the user who transmitted the authentication information corresponding to the authentication result.

The encapsulated data transfer unit 141 outputs the encapsulated authentication result to the usage history storage unit 174 (step S203). The usage history storage unit 174 stores the authentication result in association with the user ID included in the header information (step S204), and outputs information indicating that the storage of the authentication result is completed to the encapsulated data transfer unit 141 ( Step S205).
When the storage of the authentication result is completed, the encapsulated data transfer unit 141 transmits the encapsulated authentication result to the user terminal 40 (Step S206).

  As illustrated in FIG. 13, in the user terminal 40, the tunnel communication unit 452 outputs the encapsulated authentication result received from the reverse proxy server 10 to the header conversion unit 44. The header conversion unit 44 unencapsulates the header information of the encapsulated authentication result (step S207), and outputs the authentication result to the user agent unit 43. The user agent unit 43 outputs the input authentication result to the output unit 42 (step S208).

The user agent unit 43 generates transfer instruction information indicating that the authentication result is transferred to the service server 30 based on the instruction information input to the input unit 41 in accordance with a user operation (step S209). The data conversion unit adds the header information to the transfer instruction information generated by the user agent unit 43 to encapsulate the transfer instruction information (step S210), and the transfer encapsulated in the reverse proxy server 10 via the tunnel communication unit 452. Instruction information is transmitted (step S211).
Here, the header information in step S210 includes information destined for the content communication unit 15, the user ID of the user input in step S106, the domain name of the service server 30, and the session ID included in the authentication result information. And a session key. The transfer instruction information also includes the received authentication result.

  In the reverse proxy server 10, the encapsulated data transfer unit 141 receives the transfer instruction information encapsulated from the user terminal 40, and outputs the header information added to the transfer instruction information to the use domain management unit 142. The usage domain management unit 142 determines whether the combination of the user ID, the session ID, and the domain name of the service server 30 included in the input header information is stored in the usage domain storage unit 11, The result is output to the encapsulated data transfer unit 141 (step S212).

The encapsulated data transfer unit 141 stores the combination of the user ID, the session ID, and the domain name included in the header information in the use domain storage unit 11 as the determination result input from the use domain management unit 142 Is output to the usage history storage unit 174 (step S213).
When the input determination result indicates that the combination of the user ID, the session ID, and the domain name is not stored in the use domain storage unit 11, the encapsulated data transfer unit 141 encapsulated transfer instruction information Is discarded without being transferred.

The usage history storage unit 174 stores the input encapsulated transfer instruction information in association with the user ID included in the header information (step S214), and the storage of the encapsulated transfer instruction information has been completed. Is output to the encapsulated data transfer unit 141 (step S215).
When the encapsulated transfer instruction information is stored, the encapsulated data transfer unit 141 outputs the encapsulated transfer instruction information to the content block unit 173 (step S216). The content block unit 173 performs a content check on the domain name of the service server 30 included in the header information of the encapsulated transfer instruction information (step S217), information indicating the result of the content check, and header information The user ID is output to the usage history storage unit 174 (step S218).

  The usage history storage unit 174 stores the input content check result in association with the user ID (step S219), and outputs information indicating that the storage of the content check result is completed to the content block unit 173 (step S219). S220). When the content check result is stored, the content block unit 173 outputs information indicating that the content check is completed to the encapsulated data transfer unit 141 (step S221).

As shown in FIG. 14, in the terminal cooperation unit 14, when the content check is completed, the encapsulated data transfer unit 141 outputs the encapsulated transfer instruction information to the content communication unit 15 (step S222).
In the content communication unit 15, the encapsulated data processing unit 152 uncapsulates the encapsulated transfer instruction information (step S 223), and outputs the URL of the service server 30 included in the transfer instruction information to the connection destination address conversion unit 153. To do. The connection destination address conversion unit 153 searches for the IP address corresponding to the input URL, and outputs the search result to the encapsulated data processing unit 152 (step S224).

The encapsulated data processing unit 152 combines the unencapsulated transfer instruction information, the header information, and the IP address input from the connection destination address conversion unit 153, and outputs the combined information to the external communication unit 154. The external communication unit 154 transmits the transfer instruction information to the input IP address using the communication protocol specified in the header information (step S225).
When the service server 30 receives the transfer instruction information from the reverse proxy server 10, the service server 30 confirms the authentication result included in the received transfer instruction information and performs authentication for determining whether the reverse proxy server 10 has the right to receive the service. If the reverse proxy server 10 is authenticated (step S226), initial content information indicating the content to be provided first is transmitted to the reverse proxy server 10 (step S227).

In the reverse proxy server 10, the external communication unit 154 receives initial content information from the service server 30 and outputs the received initial content information to the encapsulated data processing unit 152. The encapsulated data processing unit 152 adds header information to the initial content information to encapsulate it (step S228), and outputs the encapsulated initial content information to the encapsulated data transfer unit 141 of the terminal cooperation unit 14 (step S229). ).
When the encapsulated initial content information is input from the content communication unit 15, the encapsulated data transfer unit 141 outputs the encapsulated initial content information to the usage history storage unit 174 (step S230).

The usage history storage unit 174 stores the initial content information in association with the user ID included in the header information of the encapsulated initial content information (step S231), and indicates information indicating that the storage of the initial content information is completed. The data is output to the encapsulated data transfer unit 141 (step S232).
When the storage of the initial content information is completed, the encapsulated data transfer unit 141 outputs the encapsulated initial content information to the virus check unit 172 (Step S233). The virus check unit 172 performs a virus check on the input initial content information (step S234), and outputs the virus check result and the user ID of the header information to the usage history storage unit 174 (step S235).

  As shown in FIG. 15, the usage history storage unit 174 stores the input virus check result in association with the user ID (step S236), indicating that the storage of the virus check result has been completed. The information is output to the virus check unit 172 (step S237). When the virus check result is stored, the virus check unit 172 outputs information indicating that the virus check is completed to the encapsulated data transfer unit 141 (step S238).

  When the virus check is completed, the encapsulated data transfer unit 141 outputs the encapsulated initial content information to the content block unit 173 (step S239). The content block unit 173 performs a content check on the information included in the encapsulated initial content information (step S240), and uses the information indicating the result of the content check and the user ID of the header information as the usage history storage unit 174. (Step S241).

The usage history storage unit 174 stores the input content check result in association with the user ID (step S242), and outputs information indicating that the storage of the content check result is completed to the content block unit 173 (step S242). S243). When the content check result is stored, the content block unit 173 outputs information indicating that the content check is completed to the encapsulated data transfer unit 141 (step S244).
When the content check is completed, the encapsulated data transfer unit 141 transmits the encapsulated initial content information to the user terminal 40 (step S245).

  In the user terminal 40, the tunnel communication unit 452 outputs the encapsulated initial content information received from the reverse proxy server 10 to the data conversion unit 44. The data conversion unit 44 unencapsulates the header information of the encapsulated initial content information (step S246), and outputs the initial content information to the user agent unit 43. The user agent unit 43 outputs the initial content input from the data conversion unit 43 to the output unit 42 (step S247).

As described above, tunnel connection is established between the user terminal 40 and the reverse proxy server 10 by encapsulating and transmitting the domain name of the service server 30. Thereby, the user terminal 40 can access the service server 30 via the reverse proxy server 10 without using the internal domain name corresponding to the domain name (external domain name) of the service server 30.
Further, since the reverse proxy server 10 is configured such that the external communication unit 154 transmits and receives information to and from the service server 30 instead of the user terminal 40, even when using encryption technology or the like, Analysis of information transmitted to and received from the service server 30 and storage of information history can be performed, and additional services according to use of the service server 30 can be provided to the user.

  As a result, when the user receives a service from the service server 30 using the user terminal 40, the user accesses the service server 30 via the reverse proxy server 10 to perform additional services such as virus check and content check. When used, it is not necessary to make settings for each user terminal 40 to be used, and the burden on the user can be reduced. In addition, providing the additional service by the reverse proxy server 10 allows the user to receive the additional service without depending on the performance and configuration of the user terminal 40, thereby improving convenience.

  Moreover, since the information history is stored for each user, an additional service according to the user's usage history can be provided. For example, the content recommendation unit 175 can provide information indicating the service server 30 that provides a service similar to the service of the service server 30 used by the user in the past from the plurality of service servers 30.

Next, a process for accessing the service server 30 after performing authentication will be described.
16 to 18 are sequence diagrams illustrating an example of processing for accessing the service server 30 after authentication according to the present embodiment.
As shown in FIG. 16, in the user terminal 40, when the user agent unit 43 receives the instruction information indicating that the use of the service server 30 is requested to the input unit 41 (step S301), Access request information corresponding to the instruction information is generated (step S302).

  The data conversion unit 44 adds header information to the access request information generated by the user agent unit 43 and encapsulates it (step S303), and transmits it to the reverse proxy server 10 via the tunnel communication unit 452 (step S304). The header information added to the access request information in step S303 includes information destined for the content communication unit 15, the user ID authenticated in the user terminal authentication phase, and the domain of the service server 30 included in the access request information. The name and the session ID and session key included in the authentication result information are included.

  In the reverse proxy server 10, the encapsulated data transfer unit 141 receives the access request information (encapsulated data) encapsulated from the user terminal 40, and uses the header information of the encapsulated access request information in the use domain management. Output to the unit 142. The usage domain management unit 142 determines whether or not the combination of the user ID, the session ID, and the domain name of the service server 30 included in the input header information is stored in the usage domain storage unit 11, and the determination result is determined. The data is output to the encapsulated data transfer unit 141 (step S305).

The encapsulated data transfer unit 141 stores the combination of the user ID, the session ID, and the domain name included in the header information in the use domain storage unit 11 as the determination result input from the use domain management unit 142 Is output, the encapsulated data is output to the usage history storage unit 174 (step S306).
If the input determination result indicates that the combination of the user ID, the session ID, and the domain name is not stored in the usage domain storage unit 11, the encapsulated data transfer unit 141 accesses the encapsulated data for unauthorized access. Consider it a request and discard it without forwarding.

The usage history storage unit 174 stores the input encapsulated data in association with the user ID included in the header information (step S307), and transfers the encapsulated data information indicating that the storage of the encapsulated data is completed. The data is output to the unit 141 (step S308).
When the encapsulated data is stored, the encapsulated data transfer unit 141 outputs the encapsulated data to the content block unit 173 (step S309). The content block unit 173 performs a content check on the domain name of the service server 30 and the requested content included in the header information of the encapsulated data (steps S310 and S311), and the result of the content check is obtained. The information shown and the user ID of the header information are output to the usage history storage unit 174 (step S312).

  The usage history storage unit 174 stores the input content check result in association with the user ID (step S313), and outputs information indicating that the storage of the content check result is completed to the content block unit 173 (step S313). S314). When the content check result is stored, the content block unit 173 outputs information indicating that the content check is completed to the encapsulated data transfer unit 141 (step S315).

As illustrated in FIG. 17, in the terminal cooperation unit 14, when the content check is completed, the encapsulated data transfer unit 141 outputs the encapsulated data to the content communication unit 15 (step S316).
In the content communication unit 15, the encapsulated data processing unit 152 unencapsulates the encapsulated data (step S 317), and outputs the URL of the service server 30 included in the access request information to the connection destination address converting unit 153. The connection destination address conversion unit 153 searches for the IP address corresponding to the input URL, and outputs the search result to the encapsulated data processing unit 152 (step S318).

The encapsulated data processing unit 152 combines the unencapsulated access request information, header information, and the IP address input from the connection destination address conversion unit 153, and outputs the combined information to the external communication unit 154. The external communication unit 154 transmits access request information addressed to the input IP address using the communication protocol specified in the header information (step S319).
Upon receiving the access request information from the reverse proxy server 10, the service server 30 transmits content information indicating content corresponding to the received access request information to the reverse proxy server 10 (step S320).

In the reverse proxy server 10, the external communication unit 154 receives content information from the service server 30 and outputs the received content information to the encapsulated data processing unit 152. The encapsulated data processing unit 152 adds the header information to the content information to encapsulate it (step S321), and outputs the encapsulated content information to the encapsulated data transfer unit 141 of the terminal cooperation unit 14 (step S322).
When the encapsulated content information is input from the content communication unit 15, the encapsulated data transfer unit 141 outputs the encapsulated content information to the usage history storage unit 174 (step S323).

The usage history storage unit 174 stores the content information in association with the user ID included in the header information of the encapsulated content information (step S324) and stores information indicating that the storage of the content information is completed as the encapsulated data. The data is output to the transfer unit 141 (step S325).
When the storage of the content information is completed, the encapsulated data transfer unit 141 outputs the encapsulated content information to the virus check unit 172 (Step S326). The virus check unit 172 performs virus check on the input content information (step S327), and outputs the virus check result and the user ID of the header information to the usage history storage unit 174 (step S328).

  As shown in FIG. 18, the usage history storage unit 174 stores the input virus check result in association with the user ID (step S329), and indicates that the virus check result storage is completed. Information is output to the virus check unit 172 (step S330). When the virus check result is stored, the virus check unit 172 outputs information indicating that the virus check is completed to the encapsulated data transfer unit 141 (step S331).

  When the virus check is completed, the encapsulated data transfer unit 141 outputs the encapsulated content information to the content block unit 173 (step S332). The content block unit 173 performs a content check on the information included in the encapsulated content information (step S333), and stores the information indicating the result of the content check and the user ID of the header information in the usage history storage unit 174. Output (step S334).

  The usage history storage unit 174 stores the input content check result in association with the user ID (step S335), and outputs information indicating that the storage of the content check result is completed to the content block unit 173 (step S335). S336). When the content check result is stored, the content block unit 173 outputs information indicating that the content check is completed to the encapsulated data transfer unit 141 (step S337).

When the content check is completed, the encapsulated data transfer unit 141 transmits the encapsulated content information to the user terminal 40 (Step S338).
In the user terminal 40, the tunnel communication unit 452 outputs the encapsulated content information received from the reverse proxy server 10 to the data conversion unit 44. The data conversion unit 44 deletes the header information of the encapsulated content information, unencapsulates it (step S339), and outputs the content information to the user agent unit 43. The user agent unit 43 outputs the content input from the data conversion unit 43 to the output unit 42 (step S340).

Next, a process (disconnection process) when the use of the service server 30 is terminated will be described.
FIG. 19 to FIG. 23 are sequence diagrams illustrating an example of processing (disconnection processing) when the use of the service server 30 via the reverse proxy server 10 is terminated.
As shown in FIG. 19, in the user terminal 40, the user agent unit 43 receives instruction information indicating that the connection with the service server 30 via the reverse proxy server 10 is disconnected in the input unit. (Step S401), logout request information for requesting logout from the service server 30 is generated (Step S402). The logout request information includes, for example, the user ID in the service server 30, a command indicating logout, the URL of the service server 30, and the like.

The data conversion unit 44 encapsulates the logout request information generated by the user agent unit 43 by adding header information (step S403), and converts the encapsulated logout request information via the tunnel communication unit 452 into the reverse proxy server 10. (Step S404).
Here, the header information added to the logout request information in step S403 includes information destined for the content communication unit 15, the user ID authenticated in the user terminal authentication phase, and the service server included in the logout request information. 30 domain names and the session ID and session key included in the authentication result information are included.

In the reverse proxy server 10, the encapsulated data transfer unit 141 receives the logout request information encapsulated from the user terminal 40, and outputs the received logout request information to the usage history storage unit 174 (step S405).
The usage history storage unit 174 stores the input encapsulated logout request information in association with the user ID included in the header information (step S406), and the storage of the encapsulated logout request information has been completed. Is output to the encapsulated data transfer unit 141 (step S407).

  When the encapsulated logout request information is stored, the encapsulated data transfer unit 141 outputs the header information to the usage domain management unit 142. The usage domain management unit 142 determines whether or not the combination of the user ID, the session ID, and the domain name of the service server 30 included in the input header information is stored in the usage domain storage unit 11, and the determination result is determined. The data is output to the encapsulated data transfer unit 141 (step S408).

The encapsulated data transfer unit 141 stores the combination of the user ID, the session ID, and the domain name included in the header information in the use domain storage unit 11 as the determination result input from the use domain management unit 142 Is output to the content block unit 173 (step S409).
If the input determination result indicates that the combination of the user ID, the session ID, and the domain name is not stored in the use domain storage unit 11, the encapsulated data transfer unit 141 encapsulates the logout request information. Is regarded as an unauthorized access request and discarded without forwarding.

The content block unit 173 performs a content check on the domain name of the service server 30 included in the header information of the encapsulated logout request information and the requested content (step S410), and displays the result of the content check. The information shown and the user ID of the header information are output to the usage history storage unit 174 (step S411).
The usage history storage unit 174 stores the input content check result in association with the user ID (step S412), and outputs information indicating that the storage of the content check result is completed to the content block unit 173 (step S412). S413). When the content check result is stored, the content block unit 173 outputs information indicating that the content check is completed to the encapsulated data transfer unit 141 (step S414).

As shown in FIG. 20, in the terminal cooperation unit 14, when the content check is completed, the encapsulated data transfer unit 141 outputs the encapsulated logout request information to the content communication unit 15 (step S415).
In the content communication unit 15, the encapsulated data processing unit 152 uncapsulates the encapsulated logout request information (step S 416), and outputs the URL of the service server 30 included in the logout request information to the connection destination address conversion unit 153. To do. The connection destination address conversion unit 153 searches for the IP address corresponding to the input URL, and outputs the search result to the encapsulated data processing unit 152 (step S417).

The encapsulated data processing unit 152 combines the unencapsulated logout request information, the header information, and the IP address input from the connection destination address conversion unit 153, and outputs the combined information to the external communication unit 154. The external communication unit 154 transmits logout request information to the input IP address using the communication protocol specified in the header information (step S418).
Upon receiving the logout request information from the reverse proxy server 10, the service server 30 transmits logout information indicating a logout page corresponding to the received logout request information to the reverse proxy server 10 (step S419).

In the reverse proxy server 10, the external communication unit 154 receives logout information from the service server 30 and outputs the received logout information to the encapsulated data processing unit 152. The encapsulated data processing unit 152 adds header information to the logout information for encapsulation (step S420), and outputs the encapsulated logout information to the encapsulated data transfer unit 141 of the terminal cooperation unit 14 (step S421).
When the encapsulated logout information is input from the content communication unit 15, the encapsulated data transfer unit 141 outputs the encapsulated logout information to the usage history storage unit 174 (step S422).

The usage history storage unit 174 stores logout information in association with the user ID included in the header information of the encapsulated logout information (step S423), and stores information indicating that the logout information has been stored as the encapsulated data. The data is output to the transfer unit 141 (step S424).
When the logout information is stored, the encapsulated data transfer unit 141 outputs the encapsulated logout information to the virus check unit 172 (step S425). The virus check unit 172 performs virus check on the input logout information (step S426), and outputs the virus check result and the user ID of the header information to the usage history storage unit 174 (step S427).

  The usage history storage unit 174 stores the input virus check result in association with the user ID (step S428), and outputs information indicating that the storage of the virus check result is completed to the virus check unit 172 ( Step S429). When the virus check result is stored, the virus check unit 172 outputs information indicating that the virus check is completed to the encapsulated data transfer unit 141 (step S430).

As shown in FIG. 21, in the terminal cooperation unit 14, when the virus check is completed, the encapsulated data transfer unit 141 outputs the encapsulated logout information to the content block unit 173 (step S431). The content block unit 173 performs a content check on the information included in the encapsulated logout information (step S432), and stores the information indicating the result of the content check and the user ID of the header information in the usage history storage unit 174. Output (step S433).
The usage history storage unit 174 stores the input content check result in association with the user ID (step S434), and outputs information indicating that the storage of the content check result is completed to the content block unit 173 (step S434). S435). When the content check result is stored, the content block unit 173 outputs information indicating that the content check is completed to the encapsulated data transfer unit 141 (step S436).

When the content check is completed, the encapsulated data transfer unit 141 transmits the encapsulated logout information to the user terminal 40 (Step S437).
In the user terminal 40, the tunnel communication unit 452 outputs the encapsulated logout information received from the reverse proxy server 10 to the data conversion unit 44. The data conversion unit 44 deletes the header information of the encapsulated logout information to perform unencapsulation (step S438), and outputs the logout information to the user agent unit 43. The user agent unit 43 outputs the logout information input from the data conversion unit 43 to the output unit 42 (step S439).

  The user agent unit 43 transfers the logout information to the cooperative authentication unit 16, and generates logout transfer information for requesting logout in the cooperative authentication unit 16 (step S440). The data conversion unit adds the header information to the logout transfer information generated by the user agent unit 43 to encapsulate the logout transfer information (step S441), and logs out to the reverse proxy server 10 via the tunnel communication unit 452. The transfer information is transmitted (step S442).

  In the reverse proxy server 10, the encapsulated data transfer unit 141 receives the logout transfer information encapsulated from the user terminal 40 and outputs the header information added to the logout transfer information to the use domain management unit 142. The usage domain management unit 142 determines whether the combination of the user ID, the session ID, and the domain name of the service server 30 included in the input header information is stored in the usage domain storage unit 11, The result is output to the encapsulated data transfer unit 141 (step S443).

As illustrated in FIG. 22, in the terminal cooperation unit 14, the encapsulated data transfer unit 141 indicates that the determination result input from the usage domain management unit 142 includes the user ID, the session ID, and the header information included in the header information. When it indicates that the combination of domain names is stored in the usage domain storage unit 11, the encapsulated logout transfer information is output to the usage history storage unit 174 (step S444).
When the input determination result indicates that the combination of the user ID, the session ID, and the domain name is not stored in the usage domain storage unit 11, the encapsulated data transfer unit 141 encapsulates the logout transfer information encapsulated. Is discarded without being transferred.

The usage history storage unit 174 stores the input encapsulated logout transfer information in association with the user ID included in the header information (step S445), and the storage of the encapsulated logout transfer information has been completed. Is output to the encapsulated data transfer unit 141 (step S446).
When the encapsulated logout transfer information is stored, the encapsulated data transfer unit 141 outputs the encapsulated logout transfer information to the content communication unit 15 (step S447).

In the content communication unit 15, the encapsulated data processing unit 152 uncapsulates the encapsulated logout transfer information input from the terminal cooperation unit 14 (step S 448), and the cooperation authentication unit 16 included in the logout transfer information. The URL is output to the connection destination address conversion unit 153. The connection destination address conversion unit 153 searches for the IP address corresponding to the input URL, and outputs the search result to the encapsulated data processing unit 152 (step S449).
The encapsulated data processing unit 152 outputs logout transfer information to the cooperative authentication unit 16 (step S450). The cooperative authentication unit 16 performs logout processing for the user based on the input logout transfer information and the service authentication information stored in the service authentication information storage unit 13 (step S451), and the logout result is encapsulated data. The data is output to the processing unit 152 (step S452).

  The encapsulated data processing unit 152 adds header information to the input logout result to encapsulate it (step S453), and outputs the encapsulated logout result to the encapsulated data transfer unit 141 (step S454). Here, the header information in step S453 includes information indicating the user terminal 40 and the user who transmitted the logout transfer information corresponding to the logout result.

The encapsulated data transfer unit 141 outputs the encapsulated logout result to the usage history storage unit 174 (step S455). The usage history storage unit 174 stores the logout result in association with the user ID included in the header information (step S456), and outputs information indicating that the logout result has been stored to the encapsulated data transfer unit 141 ( Step S457).
When the logout result storage is completed, the encapsulated data transfer unit 141 transmits the encapsulated logout result to the user terminal 40 (step S458).

  As shown in FIG. 23, in the user terminal 40, the tunnel communication unit 452 outputs the encapsulated logout result received from the reverse proxy server 10 to the header conversion unit 44. The header conversion unit 44 deletes the encapsulated logout result header information to perform unencapsulation (step S459), and outputs the logout result to the user agent unit 43. The user agent unit 43 outputs the input logout result to the output unit 42 and displays a logout screen (step S460).

After outputting the logout result to the output unit 42, the user agent unit 43 stops the application that receives the service from the service server 30 (step S461), generates a session disconnection request for requesting session disconnection, and the tunnel communication unit 452 A session disconnection request is transmitted to the reverse proxy server 10 via (step S462).
Here, the session disconnection request includes information destined for the content communication unit 15, the user ID of the user input in step S106, the domain name of the service server 30, and the session ID and session included in the authentication result information. And key.

  In the reverse proxy server 10, the encapsulated data transfer unit 141 of the terminal cooperation unit 14 outputs the received session disconnection request to the usage domain storage unit 11. The usage domain storage unit 11 determines whether the combination of the user ID and the session ID included in the input session disconnection request is stored in the usage domain storage unit 11, and transfers the determination result to the encapsulated data transfer To the unit 141 (step S463).

When the encapsulated data transfer unit 141 indicates that the determination result input from the usage domain management unit 142 indicates that the combination of the user ID and the session ID included in the header information is stored in the usage domain storage unit 11 Then, the session disconnection request is output to the content communication unit 15 (step S464).
In addition, when the input determination result indicates that the combination of the user ID and the session ID is not stored in the usage domain storage unit 11, the encapsulated data transfer unit 141 determines that the session disconnection request is an illegal request. Deemed and discarded without forwarding.

In the content communication unit 15, the user authentication unit 151 performs session disconnection processing for invalidating the session ID included in the session disconnection request input from the terminal cooperation unit 14 (step S465). A session disconnection result indicating that the session is invalidated is output to the terminal cooperation unit 14 (step S466).
In the terminal cooperation unit 14, the usage domain management unit 142 deletes the combination with the user ID including the session ID included in the input session disconnection result from the usage domain storage unit 11. The encapsulated data transfer unit 141 transmits the input session disconnection result to the user terminal 40 (step S467).

Hereinafter, an implementation example of header information used in communication between the reverse proxy server 10 and the user terminal 40 will be shown. The example of the header field shown here is assumed to be added to HTTP (Hyper Text Transfer Protocol) 1.1 defined in RFC (Request For Proposal) 2616.
FIG. 24 shows header fields to be added to HTTP 1.1.
“CTOSNTT_USERID” indicates a user ID and takes a value such as “abc”, for example. “CTOSNTT_STARTTIME” indicates the date and time when the communication unit 45 establishes a connection (tunnel connection) with the terminal cooperation unit 14 and the content communication unit 15, and takes a value such as “20110701 23: 55: 47GMT”.

“CTOSNTT_SESSIONID” indicates a session ID assigned when the tunnel connection is established, and takes a value such as “10.0.0.1_abc_2011071235547”, for example. “CTOSNTT_SESSIONKEY” indicates a key assigned when the tunnel connection is established, and takes a value such as “Sie82, x {] as-09so”.
“CTOSNTT_LASTCONNECTTIME” indicates the date and time when the communication unit 45 and the content communication unit 15 last communicated, and takes a value such as “20110701 23: 56: 02GMT”, for example. “CTOSNTT_DIRECTION” indicates a communication direction and takes a value of “up” or “down”. As for the communication direction, the direction toward the reverse proxy server 10 is the up direction “up”, and the direction toward the user terminal 40 is the down direction “down”.

“CTOSNTT_SEQUENSE” indicates a sequence number at the time of communication between the reverse proxy server 10 and the user terminal 40, and takes a value such as “102”, for example. “CTOSNTT_SOURCEADDRESS” indicates the IP address of the transmission source, and takes a value such as “10.0.0.1”, for example. “CTOSNTT_DESTADDRESS” indicates an IP address of a transmission destination (destination), and takes a value such as “10.0.0.2”, for example.

  “CTOSNTT_TTYPE” indicates the type of communication, and takes one of the values “preauth”, “auth”, “authorize”, and “connected”. “Preauth” indicates that authentication is not performed in the reverse proxy server 10, “auth” indicates that authentication processing is being performed, “authorize” indicates that authentication has been performed, and “connected” indicates that authentication has been performed. Indicates transmission / reception.

  “CTOSNTT_TPROTOCOL” indicates a communication protocol, and takes values such as “http” and “https”, for example. “CTOSNTT_TPORT” indicates a communication port number, and takes a value such as “443”, for example. “CTOSNTT_TURI” indicates a communication destination that is the service server 30 that provides a service that the user wants to use, and takes a value such as a domain name or URL such as “www.nttwest.co.jp”. “CTOSNTT_ENCODING” indicates encoding of encapsulated information or data, and takes a value such as “chunk”, for example.

  FIG. 25 is a diagram illustrating an example of header information in request data and response data used in the reverse proxy server 10 and the user terminal 40. FIG. 25 (a) shows an example of frequently used Method GET and POST. FIG. 25B shows an example of response data as a reply. Here, among the fields shown in FIG. 24, the fields “CTOSNTT_STARTTIME”, “CTOSNTT_DIRECTION”, “CTOSNTT_SOURCEADDRESS”, and “CTOSNTT_DSTADDRESS” are used.

  Hereinafter, in the process of accessing the service server 30 through authentication in the reverse proxy server 10 shown in FIGS. 6 to 15, between the user terminal 40 and the terminal cooperation unit 14, and between the terminal cooperation unit 14 and the content communication unit 15 shows an example of header information used for transmission / reception to / from 15. Here, an IP address “10.0.0.2” is assigned to the terminal cooperation unit 14 in the reverse proxy server 10, an IP address “10.0.0.3” is assigned to the content communication unit 15, and an IP address is assigned to the user terminal 40. A case where the address “10.0.0.1” is assigned will be described.

  FIG. 26 is a diagram illustrating an example of header information of the connection request information in step S102. As shown in the figure, the values of the fields “CTOSNTT_SOURCEADDRESS” and “CTOSNTT_DESTADDRESS” indicate transmission from the user terminal 40 to the terminal cooperation unit 14. In addition, the field value of “CTOSNTT_TTYPE” is “preauth”, indicating that it is before authentication.

FIG. 27 is a diagram illustrating an example of header information of the connection request information in step S103. As shown in the figure, the values of the fields “CTOSNTT_SOURCEADDRESS” and “CTOSNTT_DESTADDRESS” indicate transmission from the terminal cooperation unit 14 to the content communication unit 15. In addition, “CTOSNTT_SEQUENSE” indicating the sequence number of communication between the reverse proxy server 10 and the user terminal 40 is increased to “2”.
FIG. 28 is a diagram illustrating an example of header information of authentication request information in step S104. As shown in the figure, the values of the fields “CTOSNTT_SOURCEADDRESS” and “CTOSNTT_DESTADDRESS” indicate transmission from the content communication unit 15 to the terminal cooperation unit 14. In addition, the field value of “CTOSNTT_DIRECTION” is “down”, indicating that the transmission is to the user terminal 40.
FIG. 29 is a diagram illustrating an example of header information of the authentication request information in step S105. As shown in the figure, the values of the fields “CTOSNTT_SOURCEADDRESS” and “CTOSNTT_DESTADDRESS” indicate transmission from the terminal cooperation unit 14 to the user terminal 40.

FIG. 30 is a diagram illustrating an example of header information of information to be transmitted in step S107. As shown in the figure, the values of the fields “CTOSNTT_SOURCEADDRESS” and “CTOSNTT_DESTADDRESS” indicate transmission from the user terminal 40 to the terminal cooperation unit 14. Also, “CTOSNTT_TTYPE” is “auth” indicating that authentication is in progress. Moreover, the value of the field “CTOSNTT_DIRECTION” is “up”, indicating that the transmission is directed to the reverse proxy server 10.
FIG. 31 is a diagram illustrating an example of header information of information to be transmitted in step S108. As shown in the figure, the values of the fields “CTOSNTT_SOURCEADDRESS” and “CTOSNTT_DESTADDRESS” indicate transmission from the terminal cooperation unit 14 to the content communication unit 15.

FIG. 32 is a diagram illustrating an example of header information of the authentication result information in step S110. As shown in the figure, the values of the fields “CTOSNTT_SOURCEADDRESS” and “CTOSNTT_DESTADDRESS” indicate transmission from the content communication unit 15 to the terminal cooperation unit 14. In addition, the value of the field “CTOSNTT_TTYPE” is “authorize” indicating that the field is authenticated. In addition, the field value of “CTOSNTT_DIRECTION” is “down”, indicating that the transmission is to the user terminal 40.
FIG. 33 is a diagram illustrating an example of header information of authentication result information in step S111. As shown in the figure, the values of the fields “CTOSNTT_SOURCEADDRESS” and “CTOSNTT_DESTADDRESS” indicate transmission from the terminal cooperation unit 14 to the user terminal 40.

FIG. 34 is a diagram illustrating an example of the header information of the access request information in step S124. As shown in the figure, the values of the fields “CTOSNTT_SOURCEADDRESS” and “CTOSNTT_DESTADDRESS” indicate transmission from the user terminal 40 to the terminal cooperation unit 14. In addition, the field value of “CTOSNTT_TTYPE” is “connected” indicating that transmission / reception is performed after authentication. Further, the values of the fields “CTOSNTT_SESSIONID” and “CTOSNTT_SESSIONKEY” include the session ID “10.0.0.1_abc_201107010001030001” assigned in the user terminal authentication phase (step S101 to step S111) and the session key “Sie82, x {] as− 09so ". Further, “CTOSNTT_TURI” is “www.nttwest.co.jp” indicating the service server 30 as an access destination.
FIG. 35 is a diagram illustrating an example of the header information of the access request information in step S142. As shown in the figure, the values of the fields “CTOSNTT_SOURCEADDRESS” and “CTOSNTT_DESTADDRESS” indicate transmission from the terminal cooperation unit 14 to the content communication unit 15.

FIG. 36 is a diagram illustrating an example of header information of authentication request information in step S148. As shown in the figure, the values of the fields “CTOSNTT_SOURCEADDRESS” and “CTOSNTT_DESTADDRESS” indicate transmission from the content communication unit 15 to the terminal cooperation unit 14. In addition, the field value of “CTOSNTT_DIRECTION” is “down”, indicating that the transmission is to the user terminal 40. Further, “copuseldata” includes authentication request information from the service server 30.
FIG. 37 is a diagram illustrating an example of header information of the authentication request information in step S164. As shown in the figure, the values of the fields “CTOSNTT_SOURCEADDRESS” and “CTOSNTT_DESTADDRESS” indicate transmission from the terminal cooperation unit 14 to the user terminal 40. Similarly to the header information shown in FIG. 36, “copuseldata” includes authentication request information from the service server 30.

FIG. 38 is a diagram illustrating an example of header information of the authentication instruction information in step S169. As shown in the figure, the values of the fields “CTOSNTT_SOURCEADDRESS” and “CTOSNTT_DESTADDRESS” indicate transmission from the user terminal 40 to the terminal cooperation unit 14. Further, the values of the fields “CTOSNTT_SESSIONID” and “CTOSNTT_SESSIONKEY” include the session ID “10.0.0.1_abc_201107010001030001” assigned in the user terminal authentication phase (step S101 to step S111) and the session key “Sie82, x {] as− 09so ". Further, “CTOSNTT_TURI” is “www.nttwest-idp.co.jp” indicating the cooperation authentication unit 16 as an access destination. Also, since it is information related to authentication, “CTOSNTT_TPROTOCOL” is “https”.
FIG. 39 is a diagram illustrating an example of header information of the authentication instruction information in step S174. As shown in the figure, the values of the fields “CTOSNTT_SOURCEADDRESS” and “CTOSNTT_DESTADDRESS” indicate transmission from the terminal cooperation unit 14 to the content communication unit 15.

FIG. 40 is a diagram illustrating an example of header information of the authentication page information in step S180. As shown in the figure, the values of the fields “CTOSNTT_SOURCEADDRESS” and “CTOSNTT_DESTADDRESS” indicate transmission from the content communication unit 15 to the terminal cooperation unit 14. In addition, the field value of “CTOSNTT_DIRECTION” is “down”, indicating that the transmission is to the user terminal 40. Further, “copuseldata” includes the authentication page information from the cooperative authentication unit 16.
FIG. 41 is a diagram illustrating an example of header information of authentication page information in step S184. As shown in the figure, the values of the fields “CTOSNTT_SOURCEADDRESS” and “CTOSNTT_DESTADDRESS” indicate transmission from the terminal cooperation unit 14 to the user terminal 40. Similarly to the header information shown in FIG. 40, “copuseldata” includes authentication request information from the service server 30.

FIG. 42 is a diagram illustrating an example of the header information of the authentication information in step S190. As shown in the figure, the values of the fields “CTOSNTT_SOURCEADDRESS” and “CTOSNTT_DESTADDRESS” indicate transmission from the user terminal 40 to the terminal cooperation unit 14. The values of the fields “CTOSNTT_SESSIONID” and “CTOSNTT_SESSIONKEY” are “10.0.0.1_abc_201107010001030001” and “Sie82, x {] as-09so”. Also, since it is information related to authentication, “CTOSNTT_TPROTOCOL” is “https”.
FIG. 43 is a diagram illustrating an example of header information of authentication information in step S195. As shown in the figure, the values of the fields “CTOSNTT_SOURCEADDRESS” and “CTOSNTT_DESTADDRESS” indicate transmission from the terminal cooperation unit 14 to the content communication unit 15.

FIG. 44 is a diagram illustrating an example of header information of the authentication result in step S202. As shown in the figure, the values of the fields “CTOSNTT_SOURCEADDRESS” and “CTOSNTT_DESTADDRESS” indicate transmission from the content communication unit 15 to the terminal cooperation unit 14. In addition, the field value of “CTOSNTT_DIRECTION” is “down”, indicating that the transmission is to the user terminal 40. Further, “copuseldata” includes the authentication result from the cooperative authentication unit 16.
FIG. 45 is a diagram illustrating an example of header information of the authentication result in step S206. As shown in the figure, the values of the fields “CTOSNTT_SOURCEADDRESS” and “CTOSNTT_DESTADDRESS” indicate transmission from the terminal cooperation unit 14 to the user terminal 40. Similarly to the header information shown in FIG. 44, “copuseldata” includes authentication request information from the service server 30.

FIG. 46 is a diagram illustrating an example of the header information of the transfer instruction information in step S211. As shown in the figure, the values of the fields “CTOSNTT_SOURCEADDRESS” and “CTOSNTT_DESTADDRESS” indicate transmission from the user terminal 40 to the terminal cooperation unit 14. The values of the fields “CTOSNTT_SESSIONID” and “CTOSNTT_SESSIONKEY” are “10.0.0.1_abc_201107010001030001” and “Sie82, x {] as-09so”. Further, “CTOSNTT_TURI” is “www.nttwest.co.jp” indicating the service server 30 as an access destination. Also, since it is information related to authentication, “CTOSNTT_TPROTOCOL” is “https”.
FIG. 47 is a diagram illustrating an example of header information of the transfer instruction information in step S222. As shown in the figure, the values of the fields “CTOSNTT_SOURCEADDRESS” and “CTOSNTT_DESTADDRESS” indicate transmission from the terminal cooperation unit 14 to the content communication unit 15.

FIG. 48 is a diagram illustrating an example of header information of the initial content information in step S229. As shown in the figure, the values of the fields “CTOSNTT_SOURCEADDRESS” and “CTOSNTT_DESTADDRESS” indicate transmission from the content communication unit 15 to the terminal cooperation unit 14. In addition, the field value of “CTOSNTT_DIRECTION” is “down”, indicating that the transmission is to the user terminal 40. Further, “copuseldata” includes initial content information from the service server 30.
FIG. 49 is a diagram illustrating an example of header information of the initial content information in step S245. As shown in the figure, the values of the fields “CTOSNTT_SOURCEADDRESS” and “CTOSNTT_DESTADDRESS” indicate transmission from the terminal cooperation unit 14 to the user terminal 40. Similarly to the header information shown in FIG. 48, “copuseldata” includes the initial content information from the service server 30.

Using the header information as described above, information indicating a request for using the service server 30 in the user terminal 40 is encapsulated and transmitted to the reverse proxy server 10 to establish a tunnel connection, and the domain of the service server 30 The user terminal 40 can access the service server 30 via the reverse proxy server 10 without using the internal domain name corresponding to the name (external domain name).
Further, information transmitted and received between the user terminal 40 and the service server 30 is encapsulated using header information, and the external communication unit 154 of the reverse proxy server 10 transmits and receives with the service server 30 instead of the user terminal 40. To do. Thus, analysis of information transmitted and received between the user terminal 40 and the service server 30 and storage of history can be performed for each user, and additional services corresponding to the use of the service server 30 can be provided for each user. Can be provided.

In the above-described embodiment, an example in which the reverse proxy server 10 and the user terminal 40 are directly connected has been described as an example. However, the present invention is not limited thereto, and the reverse proxy server 10 and the user terminal 40 are The network 20 may be connected via another network.
In the above-described embodiment, the reverse proxy server 10 has been described as one device including the terminal cooperation unit 14, the content communication unit 15, the cooperation authentication unit 16, and the additional service providing unit 17. However, without being limited to this configuration, the terminal cooperation unit 14, the content communication unit 15, the cooperation authentication unit 16, and the additional service providing unit 17 are provided as independent devices, and each device performs a reverse operation by performing communication. The proxy server 10 may be operated.

  Moreover, in the above-mentioned embodiment, the reverse proxy server 10 demonstrated the structure provided with the utilization domain memory | storage part 11, the user information storage part 12, and the service authentication information storage part 13. FIG. However, the present invention is not limited to this, and a database server including the use domain storage unit 11, the user information storage unit 12, and the service authentication information storage unit 13 may be provided separately from the reverse proxy server 10.

  A program for realizing the functions of the reverse proxy server (relay server) 10 and the user terminal 40 in the present invention is recorded on a computer-readable recording medium, and the program recorded on the recording medium is stored in a computer system. Are read and executed, the use domain storage unit 11, the user information storage unit 12, the service authentication information storage unit 13, the terminal cooperation unit 14, the content communication unit 15, the cooperation authentication unit 16, the additional service providing unit 17, the user The agent unit 43 and the data conversion unit communication unit 45 may be performed. Here, the “computer system” includes an OS and hardware such as peripheral devices. The “computer system” includes a WWW system having a homepage providing environment (or display environment). The “computer-readable recording medium” refers to a storage device such as a flexible medium, a magneto-optical disk, a portable medium such as a ROM and a CD-ROM, and a hard disk incorporated in a computer system. Further, the “computer-readable recording medium” refers to a volatile memory (RAM) in a computer system that becomes a server or a client when a program is transmitted via a network such as the Internet or a communication line such as a telephone line. In addition, those holding programs for a certain period of time are also included.

  The program may be transmitted from a computer system storing the program in a storage device or the like to another computer system via a transmission medium or by a transmission wave in the transmission medium. Here, the “transmission medium” for transmitting the program refers to a medium having a function of transmitting information, such as a network (communication network) such as the Internet or a communication line (communication line) such as a telephone line. The program may be for realizing a part of the functions described above. Furthermore, what can implement | achieve the function mentioned above in combination with the program already recorded on the computer system, and what is called a difference file (difference program) may be sufficient.

1 ... Information processing system 10 ... Reverse proxy server (relay server)
DESCRIPTION OF SYMBOLS 11 ... Usage domain memory | storage part 12 ... User information memory | storage part 13 ... Service authentication information memory | storage part 14 ... Terminal cooperation part 15 ... Content communication part 16 ... Cooperation authentication part 17 ... Additional service provision part 20 ... Network 30 ... Service server 40 ... User terminal 141 ... Encapsulated data transfer unit 142 ... Use domain management unit 151 ... User authentication unit 152 ... Encapsulated data processing unit 153 ... Connection destination address conversion unit 154 ... External communication unit 171 ... Line authentication unit 172 ... Virus check Unit 173 ... content block unit 174 ... usage history storage unit 175 ... content recommendation unit 451 ... tunnel connection unit 452 ... tunnel communication unit

Claims (5)

An information processing system comprising: a user terminal operated by a user; a service server that provides a service in response to a received request; and a relay server that relays communication between the user terminal and the service server. And
The user terminal is
A user agent unit that generates request information for requesting the service server to provide a service;
A communication unit for transmitting request information encapsulated by adding header information destined for the relay server to the request information to the relay server;
With
The relay server is
A terminal cooperation unit that performs transmission and reception with the user terminal;
Receives encapsulated request information from the user terminal via the terminal cooperation unit, transmits the request information included in the encapsulated request information to the service server, and services according to the request information A content communication unit that receives content information indicating a result from the service server, and transmits the received content information to the user terminal as a response to the encapsulated request information;
Based on the header information added to the request information, authenticate the line with the user terminal of the transmission source, and based on the request information or the content information, the user passes the user terminal through the user terminal. An additional service providing unit that provides an additional service when using the service server ,
The terminal cooperation unit transmits the content information to the user terminal when the line is authenticated, and does not transmit the content information to the user terminal when the line is not authenticated.
An information processing system characterized by this. The information processing system according to claim 1,
The additional service providing unit further includes:
An instruction code string included in an unauthorized access procedure or an unauthorized program is stored in advance, it is determined whether the access procedure or the instruction code string is included in the request information or the content information, and the determination result is An information processing system comprising: a virus checker that transmits to the user terminal as an additional service. The information processing system according to claim 1,
The additional service providing unit further includes:
Determining whether information indicating the predetermined service server or information indicating a predetermined service among the services provided in the service server is included in the request information or the content information. An information processing system comprising: a content block unit that transmits a determination result to the user terminal as the additional service. The information processing system according to claim 1,
The additional service providing unit further includes:
A usage history storage unit that stores the request information and the content information for each user;
Based on the request information and the content information stored in the usage history storage unit, the service server detects preference of the service used by the user based on a history of use of the service server by the user. A content recommendation unit that transmits information indicating a service server that provides a service similar to the detected preference to a user terminal. Information in an information processing system comprising a user terminal operated by a user, a service server that provides a service in response to a received request, and a relay server that relays communication between the user terminal and the service server A processing method,
The user terminal generating request information for requesting the service server to provide a service; and
A transmission step in which the user terminal transmits request information encapsulated by adding header information destined for the relay server to the request information to the relay server;
The relay server receives the request information encapsulated from the user terminal, transmits the request information included in the encapsulated request information to the service server, and obtains a service result corresponding to the request information. A content communication step of receiving content information indicating from the service server and transmitting the received content information to the user terminal as a response to the encapsulated request information;
The relay server, based on the request information or the content information, possess the additional service providing step of the user to provide additional services when using the service server through the user terminal,
In the content communication step,
Based on the header information added to the request information, authenticates the line with the user terminal of the transmission source, and when the line is authenticated, transmits the content information to the user terminal, Is not authenticated, the content information is not transmitted to the user terminal.
An information processing method characterized by the above.

Images