WO2015115183A1 - Access control device, communication system, program, and access control method (アクセス制御装置、通信システム、プログラム、及びアクセス制御方法) - Google Patents
- Publication number: WO2015115183A1 (application PCT/JP2015/050829)
- Authority: WIPO (PCT)
- Prior art keywords: application, authentication, access, terminal, communication terminal
Classifications (CPC)

G—PHYSICS › G06—COMPUTING; CALCULATING OR COUNTING › G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  - G06F21/10 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM] › G06F21/12 Protecting executable software
  - G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals › G06F21/31 User authentication
- G06F1/00 Details not covered by groups G06F3/00 - G06F13/00 and G06F21/00 › G06F1/16 Constructional details or arrangements
  - G06F1/1613 Constructional details or arrangements for portable computers › G06F1/1633 Constructional details or arrangements of portable computers not specific to the type of enclosures covered by groups G06F1/1615 - G06F1/1626 › G06F1/1684 Constructional details or arrangements related to integrated I/O peripherals not covered by groups G06F1/1635 - G06F1/1675 › G06F1/1686 the I/O peripheral being an integrated camera
  - G06F1/18 Packaging or power distribution › G06F1/181 Enclosures › G06F1/182 Enclosures with special features, e.g. for use in industrial environments; grounding or shielding against radio frequency interference [RFI] or electromagnetical interference [EMI]

G—PHYSICS › G09—EDUCATION; CRYPTOGRAPHY; DISPLAY; ADVERTISING; SEALS › G09C—CIPHERING OR DECIPHERING APPARATUS FOR CRYPTOGRAPHIC OR OTHER PURPOSES INVOLVING THE NEED FOR SECRECY
- G09C1/00 Apparatus or methods whereby a given sequence of signs, e.g. an intelligible text, is transformed into an unintelligible sequence of signs by transposing the signs or groups of signs or by replacing them by others according to a predetermined system

H—ELECTRICITY › H04—ELECTRIC COMMUNICATION TECHNIQUE › H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00 Network architectures or network communication protocols for network security
  - H04L63/08 for authentication of entities › H04L63/0823 using certificates; H04L63/083 using passwords
  - H04L63/10 for controlling access to devices or network resources › H04L63/102 Entity profiles
- H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
  - H04L9/14 using a plurality of keys or algorithms
  - H04L9/32 including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials › H04L9/3226 using a predetermined code, e.g. password, passphrase or PIN; H04L9/3263 involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements

H—ELECTRICITY › H04—ELECTRIC COMMUNICATION TECHNIQUE › H04N—PICTORIAL COMMUNICATION, e.g. TELEVISION › H04N7/00 Television systems › H04N7/14 Systems for two-way working
- H04N7/141 Systems for two-way working between two video terminals, e.g. videophone › H04N7/147 Communication arrangements, e.g. identifying the communication as a video-communication, intermediate storage of the signals
- H04N7/15 Conference systems

H—ELECTRICITY › H04—ELECTRIC COMMUNICATION TECHNIQUE › H04W—WIRELESS COMMUNICATION NETWORKS › H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06 Authentication › H04W12/068 Authentication using credential vaults, e.g. password manager applications or one time password [OTP] applications; H04W12/069 Authentication using certificates or pre-shared keys
- H04W12/08 Access security
- H04W12/60 Context-dependent security › H04W12/66 Trust-dependent, e.g. using trust scores or trust relationships; H04W12/67 Risk-dependent, e.g. selecting a security level depending on risk profiles

H—ELECTRICITY › H04—ELECTRIC COMMUNICATION TECHNIQUE › H04M—TELEPHONIC COMMUNICATION › H04M1/00 Substation equipment, e.g. for use by subscribers
- H04M1/253 Telephone sets using digital voice transmission › H04M1/2535 Telephone sets using digital voice transmission adapted for voice communication over an Internet Protocol [IP] network
Definitions
- The present invention relates to controlling access from a communication terminal to an application.
- A video conference can be realized by transmitting and receiving image data and sound data between a plurality of communication terminals (see Patent Document 1).
- The authentication methods available to each communication terminal may differ. When access to an application is permitted on the strength of whatever authentication method a given terminal happens to use, the reliability of the authentication differs from method to method, and it becomes difficult to guarantee the level of security that the application side expects.
- An access control apparatus controls access from a communication terminal to an application. It comprises: authentication method management means that associates with each application, and manages, authentication information indicating the authentication methods that are valid for authenticating a source requesting access to that application; authentication means that, on a request from the communication terminal, authenticates the request source by an authentication method available on that terminal; access request accepting means that accepts from the communication terminal a request entailing access to a desired application; and an access control unit that prevents the communication terminal from accessing the desired application when the authentication method management means does not manage, in association with that application, authentication information indicating the authentication method that was used, and that controls (permits) the access when it does.
- The access control apparatus thus manages, for each application, authentication information indicating which authentication methods are accepted for authenticating a source requesting access to that application.
- Brief description of the drawings: FIG. 1 is a schematic view of a communication system according to an embodiment of the present invention. The remaining figures show: a flow diagram of an authentication/authorization method; an example external view of a communication terminal; hardware block diagrams of a communication terminal (two variants); a hardware block diagram of the communication management system and the relay apparatus; a software block diagram of a communication terminal; functional block diagrams of a communication terminal, the communication management system, and the application server; conceptual diagrams of the terminal authentication management table, the application utilization management table, the application URL management table, and the application authorization management table; a sequence diagram of the process of requesting activation of an application; an example application list screen; a flow diagram of the process of determining whether an application can be started; a functional block diagram of a communication management system; and a flow diagram of the process of creating the list of applications.
- FIG. 1 is a schematic view of a communication system according to a first embodiment of the present invention.
- The communication system 1 includes a plurality of communication terminals (10aa, 10ab, ...), a display (120aa, 120ab, ...) for each communication terminal, a plurality of relay apparatuses (30a, 30b, 30c, 30d), the communication management system 50, the application server 80, the program providing system 90, and the maintenance system 100.
- Any one of the terminals (10aa, 10ab, ...) is referred to as "terminal 10"; any one of the displays (120aa, 120ab, ...) as "display 120"; any relay device as "relay device 30"; and any one of the routers (70a, 70b, 70c, 70d, 70ab, 70cd) as "router 70". Communication between terminals can consist of sound, video (images), or both.
- The routers (70a, 70b, 70c, 70d, 70ab, 70cd) select an optimal route for the communication data.
- The application server 80 manages the various applications (online applications) that run on each terminal 10; each terminal 10 downloads applications from the application server 80 and uses them.
- The terminals (10aa, 10ab, 10ac, ...), the relay device 30a, and the router 70a are communicably connected by LAN 2a.
- The communication terminals (10ba, 10bb, 10bc, ...), the relay device 30b, and the router 70b are communicably connected by LAN 2b.
- LAN 2a and LAN 2b are communicably connected by a dedicated line 2ab that includes a router 70ab.
- LAN 2a, LAN 2b, and the dedicated line 2ab are built within company X, taken as an example of a company: LAN 2a at company X's office A, and LAN 2b at its office B.
- Some of the terminals 10 owned by company X are general-purpose terminals that can be used not only for video conferencing but also for applications unrelated to video conferencing; the remaining terminals 10 owned by company X are dedicated terminals usable for video conference applications. The dedicated terminals and the general-purpose terminals run on different platforms.
- The communication terminals (10ca, 10cb, 10cc, ...), the relay device 30c, and the router 70c are communicably connected by LAN 2c.
- The communication terminals (10da, 10db, 10dc, ...), the relay device 30d, and the router 70d are communicably connected by LAN 2d.
- LAN 2c and LAN 2d are communicably connected by a dedicated line 2cd that includes a router 70cd.
- LAN 2c, LAN 2d, and the dedicated line 2cd are built within company Y, taken as an example of a predetermined company: LAN 2c at company Y's office C, and LAN 2d at its office D.
- Companies X and Y are communicably connected to each other from their routers (70ab, 70cd) via the Internet 2i.
- The terminals (10cc, 10dc) are general-purpose terminals that can be used not only for video conference applications but also for applications unrelated to video conferencing; the remaining terminals 10 owned by company Y are dedicated terminals usable for video conference applications. The dedicated terminals and the general-purpose terminals run on different platforms.
- The management system 50, the application server 80, the program providing system 90, and the maintenance system 100 are connected to the Internet 2i. Their installation locations are not limited: they may be installed in the same area or country, or in different areas or countries.
- The communication network 2 of this embodiment is thus made up of LAN 2a, LAN 2b, the dedicated line 2ab, the Internet 2i, the dedicated line 2cd, LAN 2c, and LAN 2d. Besides wired links, the communication network 2 may include sections that use wireless communication such as WiFi (Wireless Fidelity) or Bluetooth (registered trademark).
- Each terminal 10, each relay device 30, the management system 50, each router 70, the program providing system 90, and the maintenance system 100 have IP addresses as in a general IPv4 network, shown in simplified form; for example, the IP address of terminal 10aa is "1.2.1.3". IPv6 may be used instead of IPv4, but IPv4 is used here to simplify the description.
- Each terminal 10 may be used not only for communication between different business establishments or between different rooms within one establishment, but also for communication within the same room, between outdoors and indoors, or between two outdoor locations. When a terminal 10 is used outdoors, it communicates wirelessly, for example over a cellular telephone network.
- Each terminal 10 shown in FIG. 1 realizes communication between users by transmitting and receiving communication data, and is, for example, a video conference terminal. The terminal 10 transmits and receives communication data using a predetermined communication method, that is, a call control method for connecting to or disconnecting from a communication partner and an encoding method for converting communication data into IP packets.
- Call control methods include: (1) SIP (Session Initiation Protocol); (2) H.323; (3) a protocol that extends SIP; (4) an instant messenger protocol, for example (4-1) XMPP (Extensible Messaging and Presence Protocol), or (4-2) the protocols used by ICQ, AIM, Skype, and the like (registered trademarks); (5) a protocol using the SIP MESSAGE method; (6) IRC (Internet Relay Chat); and (7) a protocol that extends an instant messenger protocol, for example Jingle.
- Based on the user's operation, the terminal 10 downloads a video conference application or other applications from the application server 80 and uses them.
- The applications include communication and messaging applications; besides the video conference application, examples are Skype, Google Talk, LINE, FaceTime, KakaoTalk, and Tango (registered or unregistered trademarks).
- The management system 50 manages the information necessary for authentication and authorization of the terminal 10, and functions as an access authorization system that authenticates the terminal 10 and authorizes its access to applications.
- The application server 80 hosts the applications themselves, each identified by a URI (Uniform Resource Identifier).
- The terminal 10 can use various applications via the communication network 2: it obtains the URI of the application on the application server 80 that hosts it and accesses that URI.
- When using these applications, an authentication/authorization scheme such as the one shown in FIG. 2 can be used. FIG. 2 is a flow diagram of the authentication and authorization method.
- In step S101 it is checked whether authentication succeeded; if NO, the flow ends.
- In step S102 authorization information is created.
- In step S103 the authorization information is transmitted.
- In step S104 the application is activated, and the flow ends.
- Concretely, the terminal 10 sends an authentication request to the management system 50. If authentication succeeds, the management system 50 creates authorization information, such as an access token indicating that access to the application is authorized, and transmits it to the terminal 10. The terminal 10 then accesses the application and presents the authorization information to the application server 80 to activate the application.
- The management system 50 receives authentication requests from terminals 10 of various platforms, such as dedicated terminals and general-purpose terminals, and authenticates them centrally on behalf of the application side, so each application is spared the cost of implementing its own authentication.
- However, the authentication methods available to each terminal 10 differ. Even when a terminal 10 is authorized to access an application under a properly authenticated account, the level of assurance the application expects may not be met, depending on which authentication method was used. In the communication system 1 of this embodiment, therefore, the account (terminal 10), the authentication method of the account, and the application's authorization information are managed in association with one another, and when use of an application is authorized, the authentication methods accepted for that application are restricted, thereby securing the expected level of security.
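The following Python model is an added illustration of the scheme described above and in the FIG. 2 flow; it is not code from the patent or from any product it describes. The management system keeps an application authorization management table mapping each application to the authentication methods it accepts; a terminal authenticates with a method it supports (S101); a signed authorization token is issued only if that method is on the requested application's list (S102, S103); the application server verifies the token before activation (S104); and the application list offered to a terminal is filtered by the method it used. The application and terminal identifiers, the method names ("certificate", "password", "otp"), the credentials, and the HMAC token format are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# ---- Management system 50 (access authorization system) ----------------------

# Application authorization management table (constructed sample data):
# application -> authentication methods accepted for it. Names are hypothetical.
APP_AUTH_METHODS = {
    "videoconf":   {"certificate"},                # dedicated terminals only
    "chat":        {"certificate", "password"},
    "maintenance": {"certificate", "otp"},
}


def _pwd_hash(salt: bytes, password: str) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


_SALT = b"constructed-salt-10cc"
# Terminal authentication management table (constructed): the credential each
# terminal (account) can present and the material needed to verify it.
TERMINALS = {
    "10aa": {"certificate": "sha256:" + "ab" * 32},                    # dedicated terminal
    "10cc": {"password": (_SALT, _pwd_hash(_SALT, "correct horse"))},  # general-purpose PC
}

SIGNING_KEY = secrets.token_bytes(32)  # shared by management system and application server
TOKEN_TTL = 300                        # seconds


def authenticate(terminal_id: str, method: str, credential: str) -> bool:
    """S101: authenticate the request source with a method the terminal supports."""
    record = TERMINALS.get(terminal_id)
    if record is None or method not in record:
        return False
    if method == "certificate":
        # Stand-in for a real client-certificate check: compare fingerprints.
        return hmac.compare_digest(record["certificate"], credential)
    if method == "password":
        salt, stored = record["password"]
        return hmac.compare_digest(stored, _pwd_hash(salt, credential))
    return False


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body: str) -> str:
    return _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())


def issue_authorization(terminal_id, method, credential, app_id, now=None):
    """S101-S103: authenticate, then grant only if the method used is one the
    requested application accepts. Returns (granted, token_or_reason)."""
    now = time.time() if now is None else now
    if not authenticate(terminal_id, method, credential):
        return False, "authentication failed"
    if method not in APP_AUTH_METHODS.get(app_id, set()):
        return False, f"method {method!r} is not accepted for {app_id!r}"
    # The token records which method authenticated the subject (amr) and is
    # bound to one application (aud), so it cannot be replayed against another.
    payload = {"sub": terminal_id, "aud": app_id, "amr": method, "exp": int(now) + TOKEN_TTL}
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    return True, f"{body}.{_sign(body)}"


def available_applications(method: str) -> list:
    """Application list offered to a terminal: only applications that accept
    the authentication method the terminal actually used."""
    return sorted(app for app, methods in APP_AUTH_METHODS.items() if method in methods)


# ---- Application server 80 ---------------------------------------------------

def verify_authorization(token: str, app_id: str, now=None):
    """S104: before activating the application, check signature, audience,
    expiry, and that the recorded method is still accepted for this app.
    Returns the token payload, or None if access must be refused."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        return None
    body, sig = parts
    if not hmac.compare_digest(sig, _sign(body)):
        return None
    payload = json.loads(_unb64(body))
    if payload.get("aud") != app_id or payload.get("exp", 0) <= now:
        return None
    if payload.get("amr") not in APP_AUTH_METHODS.get(app_id, set()):
        return None  # re-check on the app side: policy may have tightened since issuance
    return payload


if __name__ == "__main__":
    granted, token = issue_authorization("10cc", "password", "correct horse", "chat")
    print(granted, verify_authorization(token, "chat"))
    print(issue_authorization("10cc", "password", "correct horse", "videoconf"))
```

The point the model makes concrete is that a successful login is not by itself an authorization decision: the password-only general-purpose terminal 10cc is correctly authenticated yet refused the certificate-only video conference application, while the same account is admitted to an application whose policy accepts passwords. Recording the method in the token lets the application server re-apply the policy independently of the management system.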
- The terminals 10 include dedicated video conference terminals (dedicated terminals) that realize a video conference between terminals 10 using a call application, and PCs (personal computers; general-purpose terminals) that can use the call application and can also be used for applications unrelated to video conferencing.
- FIG. 3 is an external view of the terminal 10 according to this embodiment. The terminal 10 includes a housing 1100, an arm 1200, and a camera housing 1300.
- The front wall surface 1110 of the housing 1100 has an intake surface (not shown) formed by a plurality of intake holes, and the rear wall surface 1120 has an exhaust surface 1121 formed by a plurality of exhaust holes.
- A sound collection hole 1131 is formed in the right side wall surface 1130 of the housing 1100, so that sound such as voice, object sounds, and noise can be picked up by the built-in microphone 114 described later.
- An operation panel 1150 is formed on the right wall surface 1130 side of the housing 1100. The operation panel 1150 carries a plurality of operation buttons (108a to 108e), the power switch 109, and the alarm lamp 119, all described later, together with a sound output surface 1151 formed by a plurality of sound output holes through which sound from the built-in speaker 115 described later passes. A housing portion 1160, a recess for accommodating the arm 1200 and the camera housing 1300, is also formed in the housing 1100.
- The right wall surface 1130 of the housing 1100 has a plurality of connection ports (1132a to 1132c) for electrically connecting cables to the external device connection I/F 118 described later; the left wall surface 1140 has a connection port (not shown) for electrically connecting the cable 120c for the display 120 to the display I/F 117 described later.
- In the following, "operation button 108" denotes any one of the operation buttons (108a to 108e), and "connection port 1132" denotes any one of the connection ports (1132a to 1132c).
- FIG. 3 shows the state in which the tilt angle θ1 is 90 degrees.
- The camera housing 1300 has the built-in camera 112 described later, which can image the user, documents, the room, and so on. The camera housing 1300 is attached to the arm 1200 via a torque hinge 1310, and can be rotated vertically and horizontally relative to the position shown in FIG. 3 within a pan angle θ2 of ±180 degrees and a tilt angle θ3 of ±45 degrees.
- The external view in FIG. 3 is only an example; the present invention is not limited to this appearance. The terminal 10 may be, for example, a general-purpose PC, a smartphone, a tablet terminal, an electronic whiteboard, a projection device such as a projector, a car navigation terminal mounted in a vehicle, an image forming device such as a multifunction peripheral or a printer, or a wearable terminal. The camera and the microphone need not be built in and may be external.
- The general-purpose terminals among the terminals 10, the management system 50, the program providing system 90, and the maintenance system 100 have the appearance of an ordinary server computer, so their appearance is not described.
- FIG. 4 is a hardware configuration diagram of the terminal 10 according to the present embodiment.
- the terminal 10 of the present embodiment includes a program used to drive the CPU 101 such as a central processing unit (CPU) 101 that controls the overall operation of the terminal 10 and an initial program loader (IPL).
- CPU central processing unit
- IPL initial program loader
- SSD solid state drive
- the operation button 108 operated by the user, the power switch 109 for switching ON / OFF the power of the terminal 10, and the network I / F (Interface) 111 for performing data transmission using the communication network 2 are provided. .
- the terminal 10 also has a built-in camera 112 that captures an object and obtains image data according to control of the CPU 101, an imaging device I / F 113 that controls driving of the camera 112, a built-in microphone 114 that inputs sound, and sound A built-in speaker 115 for outputting the sound, an audio input / output I / F 116 for processing input / output of an audio signal between the microphone 114 and the speaker 115 under the control of the CPU 101, and image data to the external display 120 under the control of the CPU 101
- the display I / F 117 for transmission, the external device connection I / F 118 for connecting various external devices, the alarm lamp 119 for notifying abnormality of various functions of the terminal 10, and the above respective components are shown.
- Bus lines 110 such as an address bus and a data bus for electrically connecting Eteiru.
- the display 120 is a display unit configured by liquid crystal or organic electroluminescence (EL) that displays an image of a subject, an operation, and the like.
- the display 120 is also connected to the display I / F 117 by a cable 120c.
- the cable 120c may be a cable for analog RGB (VGA) signals or a cable for component video, or may be a high-definition multimedia interface (HDMI (registered trademark)) or digital video (DVI) (Interactive) signal cable may be used.
- the camera 112 includes a lens and a solid-state imaging device that converts light into electric charge to digitize an image (video) of a subject; a complementary metal oxide semiconductor (CMOS), a charge coupled device (CCD), or the like is used as the solid-state imaging device.
- external devices such as an external camera, an external microphone, and an external speaker can be electrically connected to the external device connection I / F 118 by a USB (Universal Serial Bus) cable or the like inserted into the connection port 1132 of the housing 1100 shown in FIG.
- when an external camera is connected, it is driven in preference to the built-in camera 112 according to the control of the CPU 101; likewise, an external microphone or an external speaker is driven in preference to the built-in microphone 114 or the built-in speaker 115 according to the control of the CPU 101.
- the recording medium 106 is configured to be removable from the terminal 10. Further, any nonvolatile memory that reads and writes data according to the control of the CPU 101 may be used in place of the flash memory 104, such as an EEPROM (Electrically Erasable and Programmable ROM).
- FIG. 5 is a hardware configuration diagram of the terminal 10 according to the present embodiment.
- the camera 112, the microphone 114, and the speaker 115 are external devices attached externally, and are connected to the external device connection I / F 118 by cables (112c, 114c, 115c), respectively.
- the general-purpose terminal is not provided with the operation button 108, and instead, a keyboard 120 and a mouse 121 are provided as means for receiving an input such as a character or a selection result from the user.
- the alarm lamp 119 is not provided in the general-purpose terminal, and the abnormality of the terminal 10 is notified by the speaker 115 or the display 120.
- FIG. 6 is a hardware configuration diagram of a management system 50 according to the present embodiment of the present invention.
- the management system 50 includes a CPU 201 that controls the overall operation of the management system 50, a ROM 202 that stores programs used to drive the CPU 201 such as an IPL, a RAM 203 that is used as a work area of the CPU 201, an HD 204 that stores various data such as programs for the management system 50, an HDD (Hard Disk Drive) 205 that controls reading and writing of various data to the HD 204 according to control of the CPU 201, a media drive 207 that controls reading and writing (storage) of data to a recording medium 206 such as flash memory, a display 208 that displays various information such as a cursor, a menu, a window, characters, or an image, a network I / F 209 for performing data communication using the communication network 2, a keyboard 211 having a plurality of keys for inputting characters, numerical values, various instructions, etc., a mouse 212 for selecting and executing various instructions, selecting an object to be processed, moving a cursor, etc., a CD-ROM drive 214 that controls reading and writing of various data to a CD-ROM (Compact Disc Read Only Memory) 213 as an example of a removable recording medium, and a bus line 210 such as an address bus or a data bus for electrically connecting the above-described components as shown in FIG. 6.
- since the relay device 30, the application server 80, the program providing system 90, and the maintenance system 100 have the same hardware configuration as the management system 50, their description is omitted.
- FIG. 7 is a software configuration diagram of the terminal 10.
- the OS 1020, the call application 1031, the balance inquiry application 1032, and the telemedicine application 1033 operate on the work area 1010 of the RAM 103.
- the OS 1020 is installed on the terminal 10 before shipment from the factory, although not particularly limited.
- the call application 1031, balance inquiry application 1032, and telemedicine application 1033 may be acquired from the application server 80 and installed after factory shipment.
- the OS 1020 is basic software that provides basic functions and manages the entire terminal 10.
- the browser 1021 is software that operates on the OS 1020 and is used to display and view information in accordance with a certain purpose.
- the call application 1031, balance inquiry application 1032, and telemedicine application 1033 are software operating on the browser 1021 and are used for the purpose of communication with another terminal 10, inquiry of communication fee, and the like. Note that, according to an embodiment of the present invention, each of the call application 1031, the balance inquiry application 1032, and the telemedicine application 1033 may correspond to different communication protocols.
- the call application 1031, the balance inquiry application 1032, and the telemedicine application 1033 are an example, and other applications may be installed, but three types of applications have been described for the sake of simplification of the description.
- call applications of different protocols may be installed as described in (1) to (7) above.
- FIG. 8 is a functional block diagram of the terminal 10, the management system 50, and the application server 80 which constitute a part of the communication system 1 of the present embodiment.
- the terminal 10 and the management system 50 are connected to be able to perform data communication via the communication network 2.
- the terminal 10 includes a device control unit 1050 and a communication control unit 1060.
- the device control unit 1050 is realized by activating the OS 1020 and the browser 1021 shown in FIG. 7.
- the communication control unit 1060 is realized by activating any of the call application 1031, the balance inquiry application 1032, and the telemedicine application 1033 shown in FIG.
- the device control unit 1050 further includes a transmission / reception unit 11, an operation input reception unit 12, a display control unit 13, a start request unit 14, and a storage / readout unit 19. These units are functions realized by any of the components shown in FIG. 4 or FIG. 5 being operated by an instruction from the CPU 101 according to a program loaded on the RAM 103 from the flash memory 104.
- the communication control unit 1060 has a transmission / reception unit 21, an activation unit 22, a display control unit 24, a function execution unit 25, and a storage / readout unit 29. These units are functions realized by any one of the components shown in FIG. 4 or 5 being operated by an instruction from the CPU 101 according to a call application (program) loaded on the RAM 103 from the flash memory 104.
- the terminal 10 further includes a storage unit 1000 constructed by the ROM 102, the RAM 103, and the flash memory 104 shown in FIG. 4 or 5.
- the storage unit 1000 of the terminal 10 stores authentication data 1001 as authentication information used to authenticate a login request source when the terminal 10 makes a login request to the management system 50.
- certificate information is stored in the dedicated terminal, and further, a password is optionally stored.
- client certificate authentication can be used on the dedicated terminal, and password authentication can optionally be used.
- a password is stored in the general-purpose terminal.
- password authentication can be used in the general-purpose terminal.
- each functional configuration of the device control unit 1050 in the terminal 10 will be described in detail using FIG. In the following description, the relationship between each functional configuration of the device control unit 1050 and the main components of FIG. 4 or FIG. 5 that realize it will also be described.
- the transmission / reception unit 11 of the terminal 10 shown in FIG. 8 is realized by an instruction from the CPU 101 and the network I / F 111 shown in FIG. 4 or FIG., and transmits and receives various data (or information) to and from each device or system via the communication network 2.
- the operation input reception unit 12 is realized by an instruction from the CPU 101 shown in FIG. 4 or FIG. 5 and the operation buttons (108a, 108b, 108c, 108d, 108e) shown in FIG., and accepts various inputs or selections by the user. For example, when the user turns on the power switch 109 shown in FIG. 3, the operation input reception unit 12 shown in FIG. 8 receives the power-on operation and turns on the power.
- the display control unit 13 is realized by an instruction from the CPU 101 shown in FIG. 4 or FIG. 5 and the display I / F 117, and controls the transmission of image data sent from the other party to the display 120 during communication.
- the storage / readout unit 19 is realized by an instruction from the CPU 101 and the SSD 105 shown in FIG. 4 or 5, or by an instruction from the CPU 101 alone, and performs processing to store various data in the storage unit 1000 and to read out various data stored in the storage unit 1000.
- the activation request unit 14 is a function realized by the browser 1021 based on an instruction from the CPU 101 shown in FIG. 4 or FIG. 5, and requests activation of a call application (1031, 1032, 1033, 1034).
- each functional configuration of the communication control unit 1060 in the terminal 10 will be described in detail using FIGS. 4, 5 and 8. In the following description, the relationship between each functional configuration of the communication control unit 1060 and the main components of FIG. 4 or FIG. 5 that realize it will also be described.
- the transmission / reception unit 21 shown in FIG. 8 is realized by an instruction from the CPU 101 and the network I / F 111 shown in FIG. 4 or FIG., and transmits and receives various data (or information) to and from each device or system via the communication network 2.
- the activation unit 22 is realized by an instruction from the CPU 101 shown in FIG. 4 or 5. When the operation input acceptance unit 12 of the device control unit 1050 accepts the selection of an application by the user, the activation unit 22 starts the operation of the communication control unit 1060 (call application) based on the activation request issued by the activation request unit 14.
- the display control unit 24 is realized by an instruction from the CPU 101 shown in FIG. 4 or 5 and the display I / F 117, and performs control for transmitting screen data to the display 120.
- the function execution unit 25 is realized by an instruction from the CPU 101 shown in FIG. 4 or FIG. 5 and the camera 112, the microphone 114, the speaker 115, etc., and performs control for realizing communication by image or sound.
- the storage / readout unit 29 is realized by an instruction from the CPU 101 and the SSD 105 shown in FIG. 4 or 5, or by an instruction from the CPU 101 alone, and performs processing to store various data in the storage unit 1000 and to read out various data stored in the storage unit 1000.
- the management system 50 includes a transmission / reception unit 51, an authentication unit 52, a start control unit 55, and a storage / readout unit 59. These units are functions or means realized by any one of the components shown in FIG. 6 being operated by an instruction from the CPU 201 according to a program for the management system 50 loaded on the RAM 203 from the HD 204.
- the management system 50 further includes a storage unit 5000 constructed by the HD 204 shown in FIG. In the storage unit 5000, DBs (5001, 5003, 5004, 5006, 5007) configured by respective tables as described below are constructed.
- FIG. 9 is a conceptual diagram showing a terminal authentication management table.
- a terminal authentication management DB 5001 configured of a terminal authentication management table as shown in FIG. 9 is constructed.
- a password for authentication and information indicating permission / prohibition of client certificate authentication are managed in association with each terminal ID of all the terminals 10 managed by the management system 50.
- the terminal 10aa whose terminal ID is "01aa” can use password authentication and the password for password authentication is "aaaa”.
- the terminal 10ab whose terminal ID is "01ab” can use client certificate authentication.
- the terminal 10ac whose terminal ID is "01ac” can use password authentication and client certificate authentication, and it is shown that the password for password authentication is "cccc".
- the terminal ID may be any information that can specify the terminal 10 of the communication destination, and may be information that is not unique to the terminal 10 other than the information unique to the terminal 10. For example, it may be information identifying a user who uses the terminal 10, or identification information stored in a recording medium readable by the terminal 10.
- FIG. 10 is a conceptual diagram showing an application usage management table.
- an application usage management DB 5003 configured of an application usage management table as shown in FIG. 10 is constructed.
- availability information indicating whether each application can be used is managed in association with the terminal ID and the application ID. The availability information "On" indicates that the application is available, and the availability information "Off" indicates that it is not available.
- when there is a condition on the use of an application, that condition can also be added and managed.
- it is indicated that the call application identified by the application ID "a001" and the balance inquiry application identified by the application ID "a002" can be used, and that the telemedicine application identified by the application ID "a003" cannot be used.
- the usable period of the call application is from "January 1, 2014" to "September 30, 2014".
- FIG. 11 is a conceptual diagram showing an application URL management table.
- an application URL management DB 5004 configured by an application URL management table as shown in FIG. 11 is constructed.
- URL information in the communication network 2 of icon data of these applications and URL information in the communication network 2 of these applications are managed in association with each of a plurality of application IDs.
- FIG. 12 is a conceptual diagram showing an application authorization management table.
- an application authorization management DB 5006 configured by an application authorization management table as shown in FIG. 12 is constructed.
- for each application ID, the authentication method valid for authenticating the activation request source of that application is managed in association with the application ID.
- when the management system 50 receives a request to activate a desired application from the terminal 10, it can authorize access to the application on the condition that the terminal 10 has been authenticated by an authentication method valid for the desired application. In the application authorization management table shown in FIG. 12, it is shown that access to the call application identified by the application ID "a001" is authorized. It is also shown that access to the telemedicine application identified by the application ID "a003" is authorized when the activation request source has been authenticated by client certificate authentication.
- FIG. 13 is a conceptual diagram showing an access token management table.
- an access token management DB 5007 configured by the access token management table as shown in FIG. is constructed.
- an access token, as authorization information indicating that access to the application has been authorized, is managed in association with the terminal ID and the application ID. For example, in the access token management table shown in FIG. 13, it is shown that the access token "abcdefg" is issued as the authorization information when the terminal 10aa identified by the terminal ID "01aa" is authorized to access the call application identified by the application ID "a001".
- each functional configuration of the management system 50 will be described in detail, together with its relationship to the main components that realize it.
- the transmission / reception unit 51 is realized by an instruction from the CPU 201 shown in FIG. 6 and the network I / F 209 shown in FIG. 6, and transmits and receives various data (or information) to and from various terminals (devices or systems).
- the authentication unit 52 is realized by an instruction from the CPU 201 shown in FIG. 6, and searches the terminal authentication management table (see FIG. 9) using the terminal ID and password received by the transmission / reception unit 51 as search keys. Terminal authentication is performed by determining whether the same terminal ID and password are managed in the terminal authentication management table.
- the activation control unit 55 is realized by an instruction from the CPU 201 shown in FIG. 6, determines whether or not to activate the application according to the activation request, and controls the activation of the application.
- the storage / readout unit 59 is realized by an instruction from the CPU 201 shown in FIG. 6 and the HDD 205 shown in FIG. 6, or by an instruction from the CPU 201 alone, and performs processing to store various data in the storage unit 5000 and to extract various data stored in the storage unit 5000.
- the application server 80 includes a transmission / reception unit 81 and a storage / readout unit 89. These units are functions or means realized by any of the components shown in FIG. 6 being operated by an instruction from the CPU 201 according to a program for the application server 80 loaded on the RAM 203 from the HD 204. Further, the application server 80 has a storage unit 8000 constructed by the HD 204 shown in FIG.
- an application hosting DB 8001 is constructed.
- the application hosting DB 8001 stores and manages the applications uploaded to the application server 80.
- the transmission / reception unit 81 is realized by an instruction from the CPU 201 shown in FIG. 6 and the network I / F 209 shown in FIG. 6, and transmits and receives various data (or information) to and from various terminals (devices or systems).
- the storage / readout unit 89 is realized by an instruction from the CPU 201 shown in FIG. 6 and the HDD 205 shown in FIG. 6, or by an instruction from the CPU 201 alone, and performs processing to store various applications in the storage unit 8000 and to extract various applications stored in the storage unit 8000.
- FIG. 14 is a conceptual diagram showing the state of transmission and reception of various information in the communication system 1.
- the management system 50 (an example of the access control apparatus) controls the activation of the application based on a request from the terminal 10 (an example of control of access from the communication terminal to the application).
- the application authorization management DB 5006 (an example of authentication method management means) of the management system 50 manages, for each application ID identifying an application, the authentication method (an example of authentication information) valid for authenticating the activation request source (an example of an access request source) of that application, in association with the application ID.
- the authentication unit 52 (an example of the authentication unit) of the management system 50 authenticates the terminal 10 which is the login request source by an authentication method available in the terminal 10 based on the login request from the terminal 10.
- the transmission / reception unit 51 (an example of an access request receiving unit) of the management system 50 receives a request for activation of a desired application (an example of a request involving access to a desired application) from the terminal 10.
- when the authentication method by which the terminal 10 was authenticated is not a valid authentication method for the desired application, the activation control unit 55 (an example of the access control means) controls the terminal 10 so that it cannot access the desired application.
- otherwise, the activation control unit 55 controls the terminal 10 so that it can access the desired application by notifying the terminal 10 of the URI of the desired application.
- thus, even though the management system 50 authenticates each terminal 10 by whatever authentication method that terminal supports, access can be refused when that method is not a valid authentication method for the application's activation request source, so the level of security the application expects is easily ensured.
- the application usage management DB 5003 (an example of application management means) of the management system 50 manages, for each terminal ID of a terminal 10 that is an application activation request source (an example of an access request source), the application ID (an example of application information) of each application usable on that terminal 10, in association with the terminal ID.
- when the application ID indicating the desired application is not managed in the application usage management DB 5003 in association with the terminal ID of the terminal 10 requesting activation of the desired application, the activation control unit 55 controls the desired application so that it is not activated.
- when the application ID indicating the desired application is managed in the application usage management DB 5003 in association with the terminal ID of the terminal 10 requesting activation of the desired application, the activation control unit 55 controls the desired application so that it is activated. In this case, security can be improved because access to the application is controlled based on both the availability of the application and the validity of the authentication method.
- the application usage management DB 5003 associates and manages a period (an example of period information) in which an application can be used, for each of the terminal ID of the terminal 10 that is the start request source of the application and the application ID. As a result, it becomes possible to set an available period for each application available on the terminal 10.
- the application hosting DB 8001 (an example of a storage unit) in the application server 80 of the communication system 1 stores an application operating on the terminal 10.
- the start control unit 55 of the management system 50 can control the start of the application in the terminal 10 by notifying the terminal 10 of a URI (an example of access information) for accessing the application stored in the application hosting DB 8001.
- FIG. 15 is a sequence diagram showing processing of a preparation phase for starting communication.
- the operation input receiving unit 12 shown in FIG. 8 receives power ON, and activates the terminal 10 (step S1).
- the transmission / reception unit 11 makes a login request to the management system 50 via the communication network 2 by the authentication method available in the terminal 10, using the reception of the power ON as a trigger (step S2).
- the transmitting and receiving unit 51 of the management system 50 receives a login request.
- the login request may be triggered by an instruction input by the user of the terminal 10 of the login request source.
- the login request includes the terminal ID identifying the terminal 10 as the request source, and authentication information for authenticating the login request source according to the authentication method available in the terminal 10.
- the authentication information may be a password or client certificate information.
- the terminal ID and the authentication information are data read from the storage unit 1000 via the storage / readout unit 19 and sent to the transmission / reception unit 11.
- the terminal ID and the password may be input by the user of the terminal 10 of the login request source. Further, when login request information is transmitted from the terminal 10 to the management system 50, the management system 50 on the receiving side can acquire the IP address of the terminal 10 on the transmitting side.
- the authentication unit 52 of the management system 50 authenticates the terminal 10 as the login request source based on the terminal ID and the authentication information included in the login request information received via the transmission / reception unit 51 (step S3).
- in the case of password authentication, the terminal authentication management table (see FIG. 9) of the storage unit 5000 is searched using the terminal ID and password transmitted from the terminal 10 as search keys, and terminal authentication is performed by determining whether the same terminal ID and password are managed in the table.
- in the case of client certificate authentication, the terminal authentication management table (see FIG. 9) of the storage unit 5000 is searched using the terminal ID transmitted from the terminal 10 as a search key to check whether client certificate authentication is permitted for this terminal 10, and terminal authentication is performed by determining whether the client certificate information transmitted from the terminal 10 is valid.
- the storage / readout unit 59 stores the authentication method used for authentication in the storage unit 5000 in association with the terminal ID of the terminal 10 of the login request source (step S4). Then, the transmission / reception unit 51 of the management system 50 transmits authentication result information indicating the authentication result obtained by the authentication unit 52 to the login request source terminal 10 via the communication network 2 (step S5). Thereby, the transmission / reception unit 11 of the terminal 10 of the login request source receives the authentication result information. Subsequently, the case where the authentication unit 52 determines that the terminal has a valid usage right is described below.
- FIG. 16 is a sequence diagram showing processing until the application icon is displayed.
- the transmission / reception unit 11 of the terminal 10 requests the management system 50 via the communication network 2 for a list of available application candidates (Step S31). Thereby, the transmitting and receiving unit 51 of the management system 50 receives the request for the usable application.
- This request includes the terminal ID of the terminal 10 of the list request source.
- the storage / readout unit 59 of the management system 50 searches the application usage management table (see FIG. 10) using the terminal ID of the terminal 10 of the list request source received in step S31 as a search key, and reads out the application ID(s) corresponding to the terminal ID together with the use conditions (the effective period start date and the effective period end date) (step S32).
- the storage / readout unit 59 then extracts the application ID(s) whose valid period (from the effective period start date to the effective period end date) includes the time of this processing, and, using each extracted application ID as a search key, searches the application URL management table (see FIG. 11) to read out the URL information of the icon corresponding to the application ID (step S33).
- the transmission / reception unit 51 transmits available application information as a list of available application candidates to the terminal 10 of the list request source via the communication network 2 (step S34).
- the available application information includes the URL information of the icon read in step S33.
- the transmission / reception unit 11 of the terminal 10 of the list request source receives the usable application information.
- the transmission / reception unit 11 of the terminal 10 accesses a resource in the application hosting DB 8001 indicated by the URL of the icon received in step S34, and requests acquisition of icon image information (step S35).
- the transmitting and receiving unit 81 of the application server 80 receives an acquisition request for image information of an icon.
- the storage / readout unit 89 of the application server 80 reads out the image information of the icon requested at step S35 from the application hosting DB 8001 of the storage unit 8000 (step S36). Then, the transmission / reception unit 81 transmits the image information of the icon to the acquisition request source terminal 10 via the communication network 2 (step S37). Thereby, the transmission / reception unit 11 of the terminal 10 of the request source receives the image information of the icon.
- FIG. 18 is a diagram showing an example of the application list screen.
- icons of applications within the effective period are displayed.
- icons (141, 142, 143) of three applications indicated by three application IDs (a001, a002, a003) are displayed.
- FIG. 17 is a sequence diagram showing a process of requesting activation of an application.
- the operation input reception unit 12 of the terminal 10 receives the selection of an application icon by the user (step S41). Subsequently, the transmission / reception unit 11 of the terminal 10 transmits activation request information indicating a request for activation of the selected application to the management system 50 via the communication network 2 (step S42).
- the activation request information includes the terminal ID of the activation request source terminal 10 and the application ID of the selected application.
- the transmission / reception unit 51 of the management system 50 receives the activation request information, thereby receiving the activation request.
- the activation control unit 55 of the management system 50 determines whether or not the application according to the activation request can be activated (step S43). The process of step S43 will be described in detail using FIG. FIG. 19 is a flowchart showing a process of determining whether or not an application can be activated.
- the storage / readout unit 59 of the management system 50 extracts the authentication method used by the start request source terminal 10 by searching the storage unit 5000 using the terminal ID of the start request source terminal 10 as a search key (step S43-1). Subsequently, the storage / readout unit 59 extracts the corresponding authentication method by searching the application authorization management table (see FIG. 12) using the application ID of the application concerning the activation request as a search key (step S43-2).
- the activation control unit 55 determines whether the authentication method extracted in step S43-2 includes the authentication method extracted in step S43-1 (step S43-3). If the authentication method extracted in step S43-2 includes the authentication method extracted in step S43-1 (YES in step S43-3), the activation control unit 55 permits the application activation request and controls the activation of the application (step S43-4).
- the activation control unit 55 searches the access token management table (see FIG. 13) using the terminal ID of the terminal 10 of the activation request source and the application ID of the application concerning the activation request as search keys, and extracts the corresponding access token (step S43-5). Subsequently, the activation control unit 55 reads out the URL information of the corresponding application by searching the application URL management table (see FIG. 11) using the application ID of the application concerning the activation request as a search key (step S43-6).
- when the authentication method extracted in step S43-2 does not include the authentication method extracted in step S43-1 (NO in step S43-3), the activation control unit 55 rejects the application activation request (step S43-7). In this case, the transmission / reception unit 51 ends the process by transmitting an error message to the start request source terminal 10 (step S43-8).
- the transmission / reception unit 51 of the management system 50 transmits activation availability information indicating whether activation of the application is permitted to the activation request source terminal 10 (step S44). If the activation was permitted in step S43-4, the access token extracted in step S43-5 and the URL information of the application extracted in step S43-6 are also transmitted as information for accessing the application concerning the activation request.
- The display control unit 13 causes the display 120 to show the activation permission information.
- The activation request unit 14 of the device control unit 1050 shown in FIG. 8 instructs the activation unit 22 of the communication control unit 1060 to start, whereby the communication control unit 1060 is activated (step S45); that is, the application selected by the user is started. The processing up to this point is performed by the device control unit 1050; from here on it is performed by the communication control unit 1060.
- The transmission/reception unit 21 transmits the access token received in step S44 to the application server 80 and accesses the application URL included in the activation permission information to request download of the application (step S46).
- The storage/readout unit 89 reads the application specified by the URL (step S47).
- The read application is transmitted by the transmission/reception unit 81 to the terminal 10 that made the download request.
- The activation request source terminal 10 can then run the application in the browser 1021.
- The communication system 1 of the second embodiment differs from that of the first embodiment in that the management system 50 has a list creation unit 56, as shown in FIG. 20.
- FIG. 20 is a functional block diagram of the management system 50.
- the list creation unit 56 creates a list of applications that can be requested to be activated on the terminal 10.
- FIG. 21 is a flow diagram showing a process of creating a list of applications.
- In the second embodiment, the process of step S32 of the first embodiment is replaced by the series of processes shown in FIG. 21.
- First, the storage/readout unit 59 of the management system 50 searches the application usage management table (see FIG. 10) using the terminal ID of the list request source terminal 10 as a search key and reads out each application ID associated with that terminal ID together with its validity period start date and end date (step S32-1). Next, the list creation unit 56 identifies the candidate applications for the list by excluding, from the application IDs read out, those whose validity period does not cover the time of processing (step S32-2).
- The storage/readout unit 59 then searches the storage unit 5000 using the terminal ID of the list request source terminal 10 as a search key and extracts the authentication method used by that terminal (step S32-3). Furthermore, it searches the application authorization management table (see FIG. 12) using the application ID of each candidate application identified in step S32-2 as a search key and extracts the valid authentication methods for each candidate (step S32-4).
- For each candidate application, the list creation unit 56 determines whether the authentication method extracted in step S32-3 matches one of the authentication methods extracted in step S32-4 (step S32-5).
- If the authentication methods match (YES in step S32-5), the list creation unit 56 decides to include the candidate application in the list of applications that can be requested for activation (step S32-6). If they do not match (NO in step S32-5), it decides not to include the candidate application in the list (step S32-7).
- The list creation unit 56 then creates the list of applications that can be requested for activation on the terminal 10 from the application IDs decided to be included (step S32-8).
- When the list is complete, the storage/readout unit 59 searches the application URL management table (see FIG. 11) using each application ID included in the list created in step S32 as a search key and reads out the URL information of the icon corresponding to that application ID (step S33).
- The subsequent processing is the same as in the first embodiment, so its description is omitted.
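The two decision procedures described above, list creation (steps S32-1 to S32-8) and the activation check (steps S43-1 to S43-8), as one runnable Python example. This is an added example and not code from the patent or from its applicant. The tables of FIGS. 9 to 13 are modelled as dicts of constructed sample data: the terminal IDs, application IDs and the token "abcdefg" follow the figures as described on this page, while every URL, the `apps.example` host, the validity dates and the constant `TODAY` are made up. The names `Session`, `login`, `list_activatable_apps`, `decide_activation` and `icon_urls` are this example's own, and the `client_cert_verified` flag stands in for TLS client certificate validation, which the example does not implement. Two design points are the example's assumptions rather than statements of the page: the method actually used at login is recorded in the session and is what gets compared against the FIG. 12 table (not the set of methods the terminal is capable of per FIG. 9), and the activation check re-reads the usage table as claims 2 and 3 require, so a terminal that requests an application missing from its list is still refused server-side.

```python
"""Authentication-method-gated application access, modelled on the
management system 50 described on this page (added example, not the
patent's code). Tables of FIGS. 9 to 13 are dicts of constructed sample
data; the URLs, dates, TODAY and the apps.example host are made up.
Assumption: the method actually used at login is kept per session and
compared against FIG. 12; FIG. 9 only says which methods a terminal may use.
"""
import hmac
import secrets
from dataclasses import dataclass
from datetime import date
from typing import Optional

PASSWORD = "password"
CLIENT_CERT = "client_certificate"
TODAY = date(2015, 1, 14)  # constructed "now" for the period check

# FIG. 9: terminal authentication management table (plaintext as in the
# figure; a real deployment stores a password hash instead).
TERMINAL_AUTH = {
    "01aa": {"password": "aaaa", "cert_allowed": False},
    "01ab": {"password": None, "cert_allowed": True},
    "01ac": {"password": "cccc", "cert_allowed": True},
}
# FIG. 10 with the validity period of the second embodiment: (availability, start, end).
APP_USAGE = {
    ("01aa", "a001"): ("On", date(2014, 1, 1), date(2030, 12, 31)),
    ("01aa", "a003"): ("On", date(2014, 1, 1), date(2030, 12, 31)),
    ("01ab", "a001"): ("On", date(2014, 1, 1), date(2030, 12, 31)),
    ("01ab", "a003"): ("On", date(2014, 1, 1), date(2030, 12, 31)),
    ("01ac", "a001"): ("On", date(2014, 1, 1), date(2030, 12, 31)),
    ("01ac", "a002"): ("Off", date(2014, 1, 1), date(2030, 12, 31)),
    ("01ac", "a003"): ("On", date(2014, 1, 1), date(2014, 12, 31)),  # expired
}
# FIG. 11: application URL management table: (icon URL, application URL).
APP_URL = {a: (f"https://apps.example/{a}/icon.png", f"https://apps.example/{a}/")
           for a in ("a001", "a002", "a003")}
# FIG. 12: application authorization management table: valid methods per app.
APP_AUTHZ = {"a001": {PASSWORD, CLIENT_CERT},  # call app
             "a002": {PASSWORD, CLIENT_CERT},  # balance inquiry app
             "a003": {CLIENT_CERT}}            # telemedicine app: certificate only
# FIG. 13: access token management table, filled in when access is authorized.
ACCESS_TOKENS = {("01aa", "a001"): "abcdefg"}


@dataclass(frozen=True)
class Session:
    terminal_id: str
    auth_method: str  # the method actually used for this login


def login(terminal_id: str, password: Optional[str] = None,
          client_cert_verified: bool = False) -> Session:
    """Authentication unit 52: authenticate by a method available to the terminal.
    client_cert_verified stands in for TLS client certificate validation."""
    row = TERMINAL_AUTH.get(terminal_id)
    if row is None:
        raise PermissionError("unknown terminal")
    if client_cert_verified and row["cert_allowed"]:
        return Session(terminal_id, CLIENT_CERT)
    if (password is not None and row["password"] is not None
            and hmac.compare_digest(password.encode(), row["password"].encode())):
        return Session(terminal_id, PASSWORD)
    raise PermissionError("authentication failed")


def _usable(terminal_id: str, app_id: str, today: date) -> bool:
    """FIG. 10 check: availability On and today inside the validity period."""
    entry = APP_USAGE.get((terminal_id, app_id))
    if entry is None:
        return False
    availability, start, end = entry
    return availability == "On" and start <= today <= end


def list_activatable_apps(session: Session, today: date) -> list:
    """Steps S32-1 to S32-8: the apps this terminal may request to activate."""
    candidates = [app for (tid, app) in APP_USAGE
                  if tid == session.terminal_id and _usable(tid, app, today)]
    return sorted(app for app in candidates
                  if session.auth_method in APP_AUTHZ.get(app, set()))


def icon_urls(app_ids) -> dict:
    """Step S33: icon URL for each listed application."""
    return {app: APP_URL[app][0] for app in app_ids}


@dataclass(frozen=True)
class ActivationDecision:
    permitted: bool
    access_token: Optional[str] = None
    app_url: Optional[str] = None
    error: Optional[str] = None


def decide_activation(session: Session, app_id: str, today: date) -> ActivationDecision:
    """Steps S43-1 to S43-8, plus the FIG. 10 re-check of claims 2 and 3 so a
    terminal asking for an app absent from its list is refused server-side."""
    if not _usable(session.terminal_id, app_id, today):
        return ActivationDecision(False, error="application not usable by this terminal")
    if session.auth_method not in APP_AUTHZ.get(app_id, set()):  # S43-2, S43-3
        return ActivationDecision(False, error="authentication method not valid for app")  # S43-7
    key = (session.terminal_id, app_id)
    token = ACCESS_TOKENS.get(key)  # S43-5
    if token is None:  # first authorization for this pair: issue and record (FIG. 13)
        token = ACCESS_TOKENS[key] = secrets.token_urlsafe(16)
    return ActivationDecision(True, token, APP_URL[app_id][1])  # S43-4, S43-6, sent in S44
```

Running `login("01ac", password="cccc")` and then `decide_activation(..., "a003", TODAY)` shows the point of the scheme: terminal 01ac is capable of certificate authentication, but because this session was authenticated by password the certificate-only telemedicine app is refused. The page does not say how the application server 80 validates the token it receives in step S46; in a deployment the server must check it against the management system (or a signature) before serving the download, and the token should stay bound to the terminal/application pair of FIG. 13 so it cannot be replayed for another application.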
- The relay device 30, the management system 50, the program providing system 90, and the maintenance system 100 in the above embodiments may each be built from a single computer, or from a plurality of computers among which the units (functions or means) are divided and arbitrarily assigned. When the program providing system 90 is built from a single computer, the program it transmits may be divided into a plurality of modules and sent separately, or sent undivided. When the program providing system 90 is built from a plurality of computers, the modules may be sent in divided form from each computer.
- A recording medium such as a CD-ROM storing the terminal program, the relay device program, or the transmission management program of each of the above embodiments, the HD 204 storing these programs, and the program providing system 90 including the HD 204 are used as a program product when the terminal program, the relay device program, and the transmission management program are provided to users and others, domestically or abroad.
- Each ID in the above embodiments denotes identification information such as a language, characters, symbols, or various marks used to uniquely identify the corresponding entity.
- Each ID may also be identification information combining at least two of a language, characters, symbols, and various marks.
- The application ID is an example of application identification information; application identification information also includes the name of the application.
- The terminal ID is an example of terminal identification information; terminal identification information also includes the serial number of the terminal 10, the user ID assigned to the user of the terminal 10, and the like.
- The icon shown in FIG. 18 may include characters or symbols.
- Although a video conference terminal was described as an example of the terminal 10, the terminal is not limited to this; the request source terminal and the destination terminal may be an IP (Internet Protocol) telephone, an Internet telephone, a PC (Personal Computer), or the like.
- The communication terminal is not limited to terminals dedicated to calls; it may also be an information processing terminal capable of various kinds of data communication in addition to calls, such as a smartphone, tablet terminal, game machine, or car navigation device.
- the communication management system 50 executes various processes as a communication management system.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Theoretical Computer Science (AREA)
- Signal Processing (AREA)
- Computer Networks & Wireless Communication (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Human Computer Interaction (AREA)
- Computing Systems (AREA)
- Software Systems (AREA)
- Multimedia (AREA)
- Electromagnetism (AREA)
- Power Engineering (AREA)
- Technology Law (AREA)
- Telephonic Communication Services (AREA)
- Two-Way Televisions, Distribution Of Moving Picture Or The Like (AREA)
Description
First, a first embodiment of the present invention will be described.
FIG. 1 is a schematic diagram of a communication system according to the first embodiment of the present invention. As shown in FIG. 1, the communication system 1 is made up of a plurality of communication terminals (10aa, 10ab, ...), displays (120aa, 120ab, ...) for the respective communication terminals (10aa, 10ab, ...), a plurality of relay devices (30a, 30b, 30c, 30d), a communication management system 50, an application server 80, a program providing system 90, and a maintenance system 100.
Next, the hardware configuration of this embodiment will be described, starting with the hardware configuration of the terminal 10. The terminals 10 include dedicated video conference terminals (dedicated terminals), which realize video conferences between terminals 10 using the call application, and PCs (Personal Computers) (general-purpose terminals), which can use the call application and can also be used for purposes unrelated to video conferencing. The external appearance of the dedicated terminal is described below.
Next, the functional configuration of this embodiment will be described. FIG. 8 is a functional block diagram of the terminal 10, the management system 50, and the application server 80, which form part of the communication system 1 of this embodiment. In FIG. 8, the terminal 10 and the management system 50 are connected so that they can exchange data via the communication network 2.
The terminal 10 has a device control unit 1050 and a communication control unit 1060. The device control unit 1050 is realized by starting the OS 1020 and the browser 1021 shown in FIG. 7. The communication control unit 1060 is realized by starting any one of the call application 1031, the balance inquiry application 1032, and the telemedicine application 1033 shown in FIG. 7.
The storage unit 1000 of the terminal 10 stores authentication data 1001, the authentication information used to authenticate the login request source when the terminal 10 sends a login request to the management system 50. According to one embodiment of the present invention, a dedicated terminal stores certificate information and, optionally, a password; client certificate authentication is therefore available on a dedicated terminal, and password authentication is optionally available. A general-purpose terminal stores a password, so password authentication is available on a general-purpose terminal.
Next, each functional component of the device control unit 1050 of the terminal 10 will be described in detail with reference to FIG. 8. In describing these functional components, the relationship with the main components among those shown in FIG. 4 or FIG. 5 that realize each functional component of the device control unit 1050 is also described.
Next, each functional component of the communication control unit 1060 of the terminal 10 will be described in detail with reference to FIGS. 4, 5, and 8. In describing these functional components, the relationship with the main components among those shown in FIG. 4 or FIG. 5 that realize each functional component of the communication control unit 1060 is also described.
The management system 50 has a transmission/reception unit 51, an authentication unit 52, an activation control unit 55, and a storage/readout unit 59. Each of these units is a function or means realized when one of the components shown in FIG. 6 operates under instructions from the CPU 201 according to the program for the management system 50 loaded from the HD 204 onto the RAM 203. The management system 50 also has a storage unit 5000 built on the HD 204 shown in FIG. 6. In this storage unit 5000, the DBs (5001, 5003, 5004, 5006, 5007) composed of the tables described below are built.
FIG. 9 is a conceptual diagram of the terminal authentication management table. In the storage unit 5000, a terminal authentication management DB 5001 composed of the terminal authentication management table shown in FIG. 9 is built. In this table, each terminal ID of all terminals 10 managed by the management system 50 is associated with an authentication password and with information indicating whether client certificate authentication is permitted. For example, the table of FIG. 9 shows that the terminal 10aa with terminal ID "01aa" can use password authentication and that its password is "aaaa"; that the terminal 10ab with terminal ID "01ab" can use client certificate authentication; and that the terminal 10ac with terminal ID "01ac" can use both password authentication and client certificate authentication, its password being "cccc". By limiting the authentication methods available to each terminal 10, the authentication methods that can be used for all of the applications available to that terminal can be limited on a per-terminal basis. In this embodiment, the terminal ID need only be information that can identify the terminal 10 of the communication destination; besides information unique to the terminal 10 it may be information that is not unique to it, for example information identifying the user who uses the terminal 10, or identification information stored on a recording medium readable by the terminal 10.
FIG. 10 is a conceptual diagram of the application usage management table. In the storage unit 5000, an application usage management DB 5003 composed of the application usage management table shown in FIG. 10 is built. In this table, for each terminal ID identifying a terminal 10 and each application ID identifying a video conference application, availability information indicating whether the application can be used is associated and managed. Availability information "On" indicates that the application can be used, and "Off" that it cannot.
FIG. 11 is a conceptual diagram of the application URL management table. In the storage unit 5000, an application URL management DB 5004 composed of the application URL management table shown in FIG. 11 is built. In this table, each of a plurality of application IDs is associated with the URL information on the communication network 2 of the application's icon data and the URL information on the communication network 2 of the application itself.
FIG. 12 is a conceptual diagram of the application authorization management table. In the storage unit 5000, an application authorization management DB 5006 composed of the application authorization management table shown in FIG. 12 is built. In this table, each application ID identifying an application is associated with the authentication methods that are valid for authenticating the source of an activation request for that application. This allows the management system 50, on receiving a request from a terminal 10 to activate a desired application, to authorize access to that application on condition that the terminal 10 has been authenticated by an authentication method valid for the application. The table of FIG. 12 shows that access to the call application identified by application ID "a001" is authorized when the activation request source has been authenticated by password authentication or by client certificate authentication, and that access to the telemedicine application identified by application ID "a003" is authorized only when the activation request source has been authenticated by client certificate authentication.
FIG. 13 is a conceptual diagram of the access token management table. In the storage unit 5000, an access token management DB 5007 composed of the access token management table shown in FIG. 13 is built. In this table, for each terminal ID of a terminal 10 and each application ID identifying a video conference application, an access token is associated and managed as authorization information indicating that access to the application has been authorized. For example, the table of FIG. 13 shows that when the terminal 10aa identified by terminal ID "01aa" is authorized to access the call application identified by application ID "a001", the access token "abcdefg" is issued as the authorization information.
Next, each functional component of the communication management system 50 will be described in detail. In describing these functional components, the relationship with the main components among those shown in FIG. 6 that realize each functional component of the communication management system 50 is also described.
The application server 80 has a transmission/reception unit 81 and a storage/readout unit 89. Each of these units is a function or means realized when one of the components shown in FIG. 6 operates under instructions from the CPU 201 according to the program for the application server 80 loaded from the HD 204 onto the RAM 203. The application server 80 also has a storage unit 8000 built on the HD 204 shown in FIG. 6.
An application hosting DB 8001 is built in the storage unit 8000. The application hosting DB stores and manages the applications uploaded to the application server 80.
Next, an overview of the processing or operation of this embodiment is described with reference to FIG. 14, a conceptual diagram showing how various pieces of information are exchanged in the communication system 1. The management system 50 (an example of an access control device) controls the activation of applications (an example of controlling access from a communication terminal to an application) based on requests from the terminals 10. The application authorization management DB 5006 of the management system 50 (an example of authentication method management means) manages, for each application ID identifying an application, the associated authentication methods (an example of authentication information) that are valid for authenticating the source of an activation request for that application (an example of an access request source). The authentication unit 52 of the management system 50 (an example of authentication means) authenticates the terminal 10 that sent a login request by an authentication method available on that terminal 10. The transmission/reception unit 51 of the management system 50 (an example of access request receiving means) receives from the terminal 10 a request to activate a desired application (an example of a request involving access to a desired application). If the authentication method used to authenticate the terminal 10 is not managed in the application authorization management DB 5006 in association with the application ID of the desired application, the activation control unit 55 (an example of access control means) controls so that the terminal is not allowed to access the desired application. If, on the other hand, the authentication method used to authenticate the terminal 10 is included in the application authorization management DB 5006 in association with the application ID of the desired application, the activation control unit 55 notifies the terminal 10 of the URI of the desired application, thereby allowing the terminal 10 to access it. As a result, even when each terminal 10 has been authenticated by an arbitrary authentication method, the management system 50 can refuse access to an application when that method is not a valid method for authenticating the activation request source of that application, which makes it easier to guarantee the level of security that the application expects.
Next, the second embodiment is described with respect to its differences from the first embodiment. The communication system 1 of the second embodiment differs from that of the first embodiment in that the management system 50 has a list creation unit 56, as shown in FIG. 20, which is a functional block diagram of the management system 50. The list creation unit 56 creates a list of the applications whose activation can be requested on the terminal 10.
When the list is complete, the storage/readout unit 59 searches the application URL management table (see FIG. 11) using each application ID included in the list created in step S32 as a search key and reads out the URL information of the icon corresponding to that application ID (step S33). The subsequent processing is the same as in the first embodiment, so its description is omitted.
The relay device 30, the management system 50, the program providing system 90, and the maintenance system 100 in the above embodiments may each be built from a single computer, or from a plurality of computers among which the units (functions or means) are divided and arbitrarily assigned. When the program providing system 90 is built from a single computer, the program it transmits may be divided into a plurality of modules and sent separately, or sent undivided. When the program providing system 90 is built from a plurality of computers, the modules may be sent in divided form from each computer.
10 communication terminal
11 transmission/reception unit (an example of access request receiving means)
12 operation input receiving unit
13 display control unit
14 activation control unit
19 storage/readout unit
21 transmission/reception unit
22 activation unit
24 display control unit
25 function execution unit
29 storage/readout unit
50 communication management system (an example of an access control device)
51 transmission/reception unit
52 authentication unit (an example of authentication means)
55 activation control unit (an example of access control means)
56 list creation unit
59 storage/readout unit
80 application server
81 transmission/reception unit
89 storage/readout unit
1000 storage unit
5000 storage unit
5001 terminal authentication management DB
5003 application usage management DB (an example of application management means)
5004 application URL management DB
5006 application authorization management DB (an example of authentication method management means)
5007 access token management DB
8000 storage unit
8001 application hosting DB (an example of storage means)
Claims (8)
- An access control device that controls access from a communication terminal to an application, comprising:
authentication method management means that manages, for each application, associated authentication information indicating an authentication method valid for authenticating a source of an access request to the application;
authentication means that, based on a request from a communication terminal, authenticates the request source by an authentication method available on the communication terminal;
access request receiving means that receives, from the communication terminal, a request involving access to a desired application; and
access control means that, when authentication information indicating the authentication method used for the authentication is not managed in the authentication method management means in association with the desired application, controls so as not to allow the communication terminal to access the desired application, and, when authentication information indicating the authentication method used for the authentication is managed in the authentication method management means in association with the desired application, controls access from the communication terminal to the desired application.
- The access control device according to claim 1, further comprising application management means that manages, for each source of access requests to the application, associated application information indicating the applications available to that access request source,
wherein the access control means controls so as not to allow the communication terminal to access the desired application when application information indicating the desired application is not managed in the application management means in association with the source of the access request to the desired application, and controls access from the communication terminal to the desired application when application information indicating the desired application is managed in association with that access request source.
- The access control device according to claim 2, wherein the application management means manages, for each access request source and each item of application information, associated period information indicating a period during which the application can be used.
- A communication system comprising:
the access control device according to any one of claims 1 to 3; and
an application server having storage means storing the application.
- The communication system according to claim 4, wherein the access control means controls access to the desired application by notifying the communication terminal of access information for accessing the desired application stored in the storage means of the application server.
- The communication system according to claim 4 or 5, further comprising the communication terminal as the access request source.
- A program that causes a processor of an access control device that controls access from a communication terminal to an application to execute:
an authentication step of authenticating, based on a request from the communication terminal, the request source by an authentication method available on the communication terminal;
an access request receiving step of receiving, from the communication terminal, a request involving access to the desired application; and
an access control step of, when authentication information indicating the authentication method used for the authentication is not managed in the authentication method management means in association with the desired application, controlling so as not to allow the communication terminal to access the desired application, and, when authentication information indicating the authentication method used for the authentication is managed in the authentication method management means in association with the desired application, controlling access from the communication terminal to the desired application.
- An access control method that causes a processor of an access control device that controls access from a communication terminal to an application to execute:
an authentication step of authenticating, based on a request from the communication terminal, the request source by an authentication method available on the communication terminal;
an access request receiving step of receiving, from the communication terminal, a request involving access to the desired application; and
an access control step of, when authentication information indicating the authentication method used for the authentication is not managed in the authentication method management means in association with the desired application, controlling so as not to allow the communication terminal to access the desired application, and, when authentication information indicating the authentication method used for the authentication is managed in the authentication method management means in association with the desired application, controlling access from the communication terminal to the desired application.
Priority Applications (6)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201580005921.XA CN105940405B (zh) | 2014-01-31 | 2015-01-14 | Access control device, communication system, recording medium, and method |
EP15743099.2A EP3101576B1 (en) | 2014-01-31 | 2015-01-14 | Access control device, communication system, program, and access control method |
CA2936055A CA2936055A1 (en) | 2014-01-31 | 2015-01-14 | Access control device, communication system, program, and method for controlling access |
JP2015559858A JP6107977B2 (ja) | 2014-01-31 | 2015-01-14 | Access control device, communication system, program, and access control method |
SG11201605622UA SG11201605622UA (en) | 2014-01-31 | 2015-01-14 | Access control device, communication system, program, and method for controlling access |
US15/213,557 US10305905B2 (en) | 2014-01-31 | 2016-07-19 | Access control device, communication system, program, and method for controlling access |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2014-016922 | 2014-01-31 | ||
JP2014016922 | 2014-01-31 |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US15/213,557 Continuation US10305905B2 (en) | 2014-01-31 | 2016-07-19 | Access control device, communication system, program, and method for controlling access |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2015115183A1 true WO2015115183A1 (ja) | 2015-08-06 |
Family
ID=53756760
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2015/050829 WO2015115183A1 (ja) | 2014-01-31 | 2015-01-14 | Access control device, communication system, program, and access control method |
Country Status (7)
Country | Link |
---|---|
US (1) | US10305905B2 (ja) |
EP (1) | EP3101576B1 (ja) |
JP (1) | JP6107977B2 (ja) |
CN (1) | CN105940405B (ja) |
CA (1) | CA2936055A1 (ja) |
SG (1) | SG11201605622UA (ja) |
WO (1) | WO2015115183A1 (ja) |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP6672910B2 (ja) | 2016-03-11 | 2020-03-25 | Ricoh Co., Ltd. | Remote communication system, communication terminal, extended function providing method, and extended function providing program |
CN112069491A (zh) * | 2020-03-07 | 2020-12-11 | Wang Chunhua | Terminal verification method and device based on virtual reality |
JP2022181335A (ja) * | 2021-05-26 | 2022-12-08 | Canon Inc. | Communication device, method for controlling a communication device, and program |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2003256376A (ja) * | 2002-02-27 | 2003-09-12 | Hitachi Ltd | Biometric authentication method with security guarantee and device for performing an authentication service |
JP2006251868A (ja) * | 2005-03-08 | 2006-09-21 | Hitachi Ltd | ID management system and ID management method |
JP2008227577A (ja) | 2007-03-08 | 2008-09-25 | Konica Minolta Holdings Inc | Video conference system |
JP2011100268A (ja) * | 2009-11-05 | 2011-05-19 | Ntt Comware Corp | Service providing system, authentication device, service providing device, control method, and program |
JP2012134940A (ja) | 2010-11-30 | 2012-07-12 | Ricoh Co Ltd | Access target management system, program, program providing system, and maintenance system |
Family Cites Families (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20090094164A1 (en) * | 1999-07-09 | 2009-04-09 | Bally Gaming, Inc. | Remote access verification environment system and method |
US6766353B1 (en) * | 2000-07-11 | 2004-07-20 | Motorola, Inc. | Method for authenticating a JAVA archive (JAR) for portable devices |
US7428411B2 (en) * | 2000-12-19 | 2008-09-23 | At&T Delaware Intellectual Property, Inc. | Location-based security rules |
US7103772B2 (en) * | 2003-05-02 | 2006-09-05 | Giritech A/S | Pervasive, user-centric network security enabled by dynamic datagram switch and an on-demand authentication and encryption scheme through mobile intelligent data carriers |
US7647625B2 (en) * | 2005-10-04 | 2010-01-12 | Disney Enterprises, Inc. | System and/or method for class-based authorization |
US8032922B2 (en) * | 2006-12-18 | 2011-10-04 | Oracle International Corporation | Method and apparatus for providing access to an application-resource |
CN101145903B (zh) * | 2007-10-24 | 2010-06-16 | ZTE Corporation | User authentication method |
JP5089621B2 (ja) | 2009-01-16 | 2012-12-05 | Nippon Telegraph and Telephone Corp. | Service cooperation processing system and method |
CN102110200A (zh) * | 2009-12-25 | 2011-06-29 | O2Micro (Wuhan) Co., Ltd. | Computer-executable authentication method |
CN102685093B (zh) * | 2011-12-08 | 2015-12-09 | Chen Yi | Identity authentication system and method based on a mobile terminal |
JP6111757B2 (ja) | 2013-03-14 | 2017-04-12 | Ricoh Co., Ltd. | Communication system, communication terminal, and terminal program |
JP2014233068A (ja) | 2013-04-30 | 2014-12-11 | Ricoh Co., Ltd. | Communication management system, communication management method, and program |
CN103546887A (zh) * | 2013-10-29 | 2014-01-29 | Xiaomi Inc. | Application software transmission method, device, terminal, and server |
2015
- 2015-01-14 JP JP2015559858A patent/JP6107977B2/ja not_active Expired - Fee Related
- 2015-01-14 WO PCT/JP2015/050829 patent/WO2015115183A1/ja active Application Filing
- 2015-01-14 SG SG11201605622UA patent/SG11201605622UA/en unknown
- 2015-01-14 EP EP15743099.2A patent/EP3101576B1/en active Active
- 2015-01-14 CA CA2936055A patent/CA2936055A1/en not_active Abandoned
- 2015-01-14 CN CN201580005921.XA patent/CN105940405B/zh not_active Expired - Fee Related
2016
- 2016-07-19 US US15/213,557 patent/US10305905B2/en not_active Expired - Fee Related
Non-Patent Citations (1)
Title |
---|
See also references of EP3101576A4 |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2021064141A (ja) * | 2019-10-11 | 2021-04-22 | Ricoh Co., Ltd. | Information processing system, service providing device, information processing method, and program |
JP7400324B2 (ja) | 2019-10-11 | 2023-12-19 | Ricoh Co., Ltd. | Information processing system, service providing device, information processing method, and program |
JP7444197B2 (ja) | 2022-06-27 | 2024-03-06 | Dai Nippon Printing Co., Ltd. | Electronic information storage medium, cryptographic operation method selection method, and program |
Also Published As
Publication number | Publication date |
---|---|
EP3101576B1 (en) | 2019-12-18 |
JPWO2015115183A1 (ja) | 2017-03-23 |
SG11201605622UA (en) | 2016-08-30 |
US20160330202A1 (en) | 2016-11-10 |
US10305905B2 (en) | 2019-05-28 |
CN105940405B (zh) | 2019-11-26 |
EP3101576A4 (en) | 2017-01-04 |
CA2936055A1 (en) | 2015-08-06 |
JP6107977B2 (ja) | 2017-04-05 |
EP3101576A1 (en) | 2016-12-07 |
CN105940405A (zh) | 2016-09-14 |
Similar Documents
Publication | Publication Date | Title
---|---|---
JP6136174B2 (ja) | | Communication system and communication method
JP6398343B2 (ja) | | Communication management system, communication management method, and program
JP2014233068A (ja) | | Communication management system, communication management method, and program
JP6011000B2 (ja) | | Transmission management device, transmission system, transmission management method, and program
JP6304372B2 (ja) | | Management system, recording medium, and management method
JP6361268B2 (ja) | | Communication management system, communication management method, and program
JP6375682B2 (ja) | | Communication management system, communication management method, and program
JP6107977B2 (ja) | | Access control device, communication system, program, and access control method
JP2015056870A (ja) | | Transmission management system, management method, and program
EP2992433B1 (en) | | Communications management system and communications management method
JP6244942B2 (ja) | | Activation control device, communication system, program, and activation control method
JP6439283B2 (ja) | | Communication management system, communication management method, and program
WO2017017872A1 (en) | | Communication terminal, communication system, communication management method, and medium
JP2016072970A (ja) | | Transmission management device, communication terminal, communication system, transmission method, and program
WO2015174436A1 (en) | | Management system, program, management method, and communication system
JP6358303B2 (ja) | | Transmission system, transmission management method, and program
JP6244941B2 (ja) | | Activation control device, communication system, program, and activation control method
JP6572655B2 (ja) | | Communication management system, communication system, communication management method, and program
JP6589436B2 (ja) | | Communication system, communication management method, and program
JP2015133652A (ja) | | Management system, management method, and program
Legal Events
Date | Code | Title | Description
---|---|---|---
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 15743099; Country of ref document: EP; Kind code of ref document: A1
| ENP | Entry into the national phase | Ref document number: 2936055; Country of ref document: CA
| ENP | Entry into the national phase | Ref document number: 2015559858; Country of ref document: JP; Kind code of ref document: A
| REEP | Request for entry into the european phase | Ref document number: 2015743099; Country of ref document: EP
| WWE | Wipo information: entry into national phase | Ref document number: 2015743099; Country of ref document: EP
| NENP | Non-entry into the national phase | Ref country code: DE