JP4586776B2 - Token-based access control system and access control method - Google Patents

Description

  The present invention relates to an access control system and an access control method for controlling access from a client to a service providing server, and in particular, an access control system and access control for controlling access using a token that embodies a user's authority as data. Regarding the method.

  A conventional access control system is an environment composed of a client and a server connected by a network, such as access control to a pay site on the Internet, access control to content of a streaming service, and a document browsing system on an intranet. Is used to control the execution contents of the application and the access range to the resource according to the authority given to the user when the client executes the application on the server or accesses the resource on the server. Yes. The user transmits a token that materializes the authority content permitted by the client as data to the server, verifies the validity of the token on the server side, analyzes the authority content, and performs access control. Further, since the token issuer can delegate the token to another rights executor, the delegated rights executor can exercise the authority described in the token as a user.

  In particular, server software that provides services on an intranet (applications, middleware, DBMS (DataBase Management System), etc.) has restrictions on simultaneous network access from clients and the number of concurrent users. Use is a license violation. For this reason, in the intranet, in addition to access control based on the authority content described in the token, the server software that provides services corresponding to the authority content uses services within the range of simultaneous network access restrictions and simultaneous user number restrictions. As described above, it is necessary to restrict access.

  Patent Document 1 discloses a conventional technique for access control using such a token. In the technique disclosed in Patent Literature 1, when a server creates a token including operation information describing processing executed on the server and distributes the token to the client, and the server receives the token from the client, The validity is verified, and when the validity is confirmed, the process described in the operation information described in the token (search under a specific condition of the database) is executed.

JP 2003-22253 A

  However, in the conventional technology described above, when access from clients is concentrated, the system capability for access control is exceeded, and the token sent for access control cannot be accepted or the token is not received. There was a problem that access was denied and access denied increased. This is because an access control system using tokens has a heavy processing load related to authorization of tokens as follows. In other words, the access control system using a token authenticates the user who sent the token, verifies the validity of the token, analyzes the details of the authority content described in the token, and based on the analysis result, It is necessary to confirm the validity of the authority contents and the consistency of the conditions described in the authority contents. Here, the user authentication process and the token validity verification process generally have a heavy load, and in particular, the encryption that requires time for the calculation process such as PKI (Public Key Infrastructure) for the user authentication and the electronic signature of the token. When the conversion method is used, these processing loads become extremely large. Furthermore, if the token control is to be made finer, the load required for the authority content analysis processing and the confirmation of the validity of the authority content and the consistency of the conditions described in the authority content also increases.

  In addition, in the above-described restrictions on the simultaneous network access using tokens in the intranet and the restriction on the number of concurrent users, if these restrictions are applied and the access refusal associated with the token processing load increases, the convenience for the user is poor. Become. For this reason, even when access from clients is concentrated, it is required to reduce token processing load and access denial while maintaining usage conditions such as simultaneous network access restriction and simultaneous user number restriction.

  An object of the present invention is to prevent the token from being accepted or to be discarded due to the processing load related to the authorization of the token when the access is concentrated in the access control system using the token, which is the conventional problem described above. It is an object of the present invention to provide an access control system and an access control method that can efficiently perform an authorization determination process without causing a high load state even if a token is used.

  A first access control system of the present invention is an access control system in which a user terminal, an access control apparatus, and a service providing apparatus are connected to each other via a communication line, and the user terminal receives user authentication information and a token. A standby request means for transmitting a standby request message including the request to the access control device, an authorization request message including a trigger identifier is transmitted to the access control device, an authorization response message is received from the access control device, and the authorization response message is received. And an authorization request means for transmitting a service start message including the trigger identifier to the service providing apparatus when the authorization determination result included in the authorization determination result is authority authorization, and the access control apparatus receives the standby from the user terminal. Receiving a request message and Standby processing means for authenticating a user based on information, confirming the validity of the token, issuing the trigger identifier, and transmitting a standby completion message including the token identifier and the trigger identifier to the service providing device; Receiving the authorization request message from the user terminal, making an authorization decision based on the token corresponding to the trigger identifier included in the authorization request message, and sending the authorization response message including the token identifier and the authorization decision result An authorization determination processing means for transmitting an authorization completion message including the token identifier and the authorization decision result to the service providing apparatus, and the service providing apparatus receives the standby completion message from the access control apparatus. Receiving the authorization completion message When receiving the service start message from the user terminal, confirm the consistency between the trigger identifier included in the service start message and the trigger identifier corresponding to the token identifier included in the authorization completion message; An authorization information processing means is provided for instructing a service application to start communication with the user terminal when consistency is confirmed.

  A second access control system of the present invention is an access control system in which a user terminal, an access control apparatus, and a service providing apparatus are connected to each other via a communication line, and the user terminal includes user authentication information, a token identifier, Standby request means for transmitting to the access control device a standby request message including authority content information and a token composed of an electronic signature, and transmitting an authorization request message including a trigger identifier to the access control device, and An authorization request means for receiving an authorization response message from the access control apparatus and transmitting a service start message including the trigger identifier to the service providing apparatus when the authorization determination result included in the authorization response message is authority authorization; The access control device includes the user The standby request message is received from the end, the user is authenticated based on the user authentication information, the validity of the token is confirmed based on the electronic signature, the trigger identifier is issued, the token identifier and the trigger identifier Standby processing means for transmitting a standby completion message including the message to the service providing device, and receiving the authorization request message from the user terminal, in the authority content information of the token corresponding to the trigger identifier included in the authorization request message An authorization decision is made, the authorization response message including the token identifier and the authorization decision result is transmitted to the user terminal, and an authorization completion message including the token identifier and the authorization decision result is transmitted to the service providing apparatus. A determination processing means for providing the service; Is configured to receive the standby completion message and the authorization completion message from the access control apparatus, and when receiving the service start message from the user terminal, the trigger identifier included in the service start message, and the authorization completion An authorization information processing unit for confirming consistency with the trigger identifier corresponding to the token identifier included in the message and instructing a service application to start communication with the user terminal when the consistency is confirmed; It is characterized by.

  According to a third access control system of the present invention, in the first or second access control system, when the standby processing unit of the access control apparatus receives the standby request message from the user terminal, the contents of the token Further generating an execution file of a control module that performs an authorization decision based on the trigger, and when the authorization decision processing means of the access control device receives the authorization request message from the user terminal, the trigger included in the authorization request message The authorization determination is performed by activating the control module from the execution file of the control module corresponding to the identifier.

  According to a fourth access control system of the present invention, in the first or second access control system, the standby request message transmitted from the user terminal to the access control device further includes a scheduled access time, and the access control device The standby processing means further generates an execution file of a control module that performs authorization judgment based on the contents of the token when the standby request message is received from the user terminal, and the authorization judgment processing means of the access control device However, when the scheduled access time approaches, the control module is activated from the control module execution file, and when the authorization request message is received from the user terminal, the trigger identifier corresponding to the trigger identifier included in the authorization request message is received. Authorization using control module And performing constant.

  A first access control method of the present invention includes a standby request message transmission step in which a user terminal transmits a standby request message including user authentication information and a token to an access control device, and the access control device receives the A service providing apparatus that receives a standby request message, authenticates a user based on the user authentication information, confirms the validity of the token, issues a trigger identifier, and provides a standby completion message including the token identifier and the trigger identifier. A standby processing step for transmitting to the device, a standby completion message receiving step for the service providing device to receive the standby completion message from the access control device, and an access request for an authorization request message including the trigger identifier by the user terminal. An authorization request message transmission step for transmitting to the device, and the access control device receives the authorization request message from the user terminal and performs an authorization decision based on the token corresponding to the trigger identifier included in the authorization request message. An authorization determination processing step of transmitting the authorization response message including the token identifier and the authorization determination result to the user terminal, and transmitting an authorization completion message including the token identifier and the authorization determination result to the service providing apparatus; An authorization response message receiving step in which the user terminal receives the authorization response message from the access control device, an authorization completion message receiving step in which the service providing device receives the authorization completion message, and the user terminal Included in response message A service start message transmission step of transmitting a service start message including the trigger identifier to the service providing apparatus when the determination result is authority authorization; and the service providing apparatus transmits the service start message from the user terminal. If received, check the consistency between the trigger identifier included in the service start message and the trigger identifier corresponding to the token identifier included in the authorization completion message, and if the consistency is confirmed, An authorization information processing step for instructing a service application to start communication with the user terminal.

  According to a second access control method of the present invention, a user terminal transmits a standby request message including user authentication information and a token including a token identifier, authority content information, and an electronic signature to the access control apparatus. A request message transmission step, wherein the access control device receives the standby request message from the user terminal, authenticates the user based on the user authentication information, confirms the validity of the token based on the electronic signature, and triggers A standby processing step for issuing an identifier and transmitting a standby completion message including the token identifier and the trigger identifier to a service providing device; and a standby completion message for the service providing device to receive the standby completion message from the access control device. Receive step And an authorization request message transmission step in which the user terminal transmits an authorization request message including the trigger identifier to the access control device, and the access control device receives the authorization request message from the user terminal, and the authorization Authorization determination is performed based on the authority content information of the token corresponding to the trigger identifier included in the request message, the authorization response message including the token identifier and the authorization determination result is transmitted to the user terminal, and the token identifier and the An authorization determination processing step of transmitting an authorization completion message including an authorization determination result to the service providing device, an authorization response message receiving step in which the user terminal receives an authorization response message from the access control device, and the service providing device , The authorization completion message An authorization completion message receiving step for transmitting, and a service for transmitting a service start message including the trigger identifier to the service providing apparatus when the authorization determination result included in the authorization response message is authority authorization. A start message transmission step, and when the service providing apparatus receives the service start message from the user terminal, the trigger identifier included in the service start message and the token identifier included in the authorization completion message And an authorization information processing step for instructing a service application to start communication with the user terminal when the consistency with the trigger identifier is confirmed and the consistency is confirmed.

  According to a third access control method of the present invention, in the first or second access control method, when the standby processing step of the access control apparatus receives the standby request message from the user terminal, the content of the token Further generating an execution file of a control module that performs authorization determination based on the trigger, and when the authorization determination processing step of the access control apparatus receives the authorization request message from the user terminal, the trigger included in the authorization request message The authorization determination is performed by activating the control module from the execution file of the control module corresponding to the identifier.

  According to a fourth access control method of the present invention, in the first or second access control method, the standby request message transmitted from the user terminal to the access control device further includes a scheduled access time, and the access control device When the standby request message is received from the user terminal, the standby processing step further generates an execution file of a control module that performs an authorization determination based on the content of the token, and the access control device includes the scheduled access time The control module pre-starting step of starting the control module from the control module execution file, the authorization determination processing step of the access control device, when receiving the authorization request message from the user terminal, Included in authorization request message And performing authorization decision using said control module corresponding to the trigger identifier.

  The effect of the present invention is that in an access control system using a token, the processing load related to the authorization of the token can be reduced and the authorization determination process can be performed efficiently. The reason for this is that a series of processing related to authorization of tokens is performed, including preparation processing for authorization determination such as user authentication, confirmation of token validity, confirmation of authority content, and generation of a control module for authorization authorization determination, and the control. This is because the process is divided into an actual authorization determination process using a module, and a preparation process with a heavy processing load is executed in advance.

  Next, the best mode for carrying out the present invention will be described in detail with reference to the drawings, taking as an example a system for controlling access to Web servers and document files in an intranet.

  FIG. 1 is a block diagram showing the entire embodiment of the present invention. Referring to FIG. 1, the embodiment of the present invention includes a user terminal 100, an access control apparatus 200, and a service providing apparatus 300. The user terminal 100, the access control device 200, and the service providing device 300 operate by program control and are connected to each other via a network 1000 such as the Internet.

  The user terminal 100 is realized by an information processing device such as a personal computer. The user terminal 100 functions as a client when using a service provided from the service providing apparatus 300, and as shown in FIG. 2, a standby request unit 101, an authorization determination request unit 102, a token management information storage unit 111 and a service client unit 121.

  The token management information storage unit 111 stores information related to the token 401, and stores and manages the token 401, scheduled access time, trigger ID, and mode information as shown in FIG.

  Here, the token 401 represents the authority content when using the service, and is issued by the access control apparatus 200 in response to a request from the token issuer. As shown in FIG. 5, the token 401 is a token ID that uniquely identifies the token 401 in the system, authority content information in which the authority content is materialized and described as data (object), and the validity of the token 401. Consists of electronic signatures. The authority content information includes information related to the issue requester such as the user ID, user name, class (in charge, chief, section manager, general manager, etc.) and attribute (affiliation group) of the issue requester, URI (resource), authority ( (Permission information such as read permission, write permission, execution permission, full control, etc.), authority use start date / time, authority use end date / time, and information related to the authority for the access target. The electronic signature is created using the secret key of the access control device 200 when the access management device 400 issues the token 401. The validity of the token is confirmed by decrypting the electronic signature using the public key of the access control apparatus 200.

  Further, the token issue requester can delegate the token 401 to another user, and the user who has been delegated the token 401 can exercise the authority content described in the token 401.

  The scheduled access time indicates the scheduled time when the service 401 is actually started using the token 401. The trigger ID is received from the access control apparatus 200 by the standby response message 502, and uniquely identifies the service start at the scheduled access time using the token 401. The access control apparatus 200 grants the authorization It is given when the preparation for judgment is completed. The mode information indicates the state of the authorization determination preparation process, and two states are defined: “preparation mode” indicating that the preparation process is being executed and “preparation completion mode” indicating that the preparation process has been completed. .

  When the user uses the service with the authority content described in the token 401, the standby request unit 101 controls access to the standby request message 501 including the user authentication information, the token 401, and the scheduled access time for actually using the service in advance. The request is sent to the device 200 and a preparation process for authorization determination is requested. Further, the standby response message 502 is received from the access control device 200, and the trigger ID included in the standby response message 502 is stored in the token management information storage unit 111.

  When the scheduled access time is reached, the authorization determination request unit 102 transmits an authorization request message 511 including a trigger ID to the access control device 200 to request an authorization determination process. When the authorization response message 512 is received from the access control apparatus 200 and it is confirmed that the authority content is authorized, a service start message 521 is transmitted to the service providing apparatus 300, and the service client unit 121 is communicated with the service providing apparatus 300. Instruct to start communication.

  The service client unit 121 realizes a client function when using a service provided by the service providing apparatus 300. In a system that controls access to a Web server or document file in an intranet, a Web browser and a document viewer Corresponds to a word processor.

  The access control device 200 is realized by an information processing device such as a workstation server. The access control device 200 performs pre-preparation processing (standby processing) relating to the authorization determination of the token 401 and authorization determination processing at the start of the service. As shown in FIG. The processing unit 202, the user management information storage unit 211, the standby management information storage unit 212, the authority information storage unit 213, and the control module 221 are included.

  As shown in FIG. 7, the user management information storage unit 211 stores and manages a user ID and a password that uniquely identify the user in the system.

  As shown in FIG. 8, the standby management information storage unit 212 stores and manages the token 401, the trigger ID, the control module execution file, the control module execution address, and the scheduled access time.

  As shown in FIG. 9, the authority information storage unit 213 includes information on users in the system such as user ID, user name, class (in charge, chief, section manager, department manager, etc.), attribute (affiliation group), and URI ( Resource), authority (readable, writable, executable, full control, etc.) information related to authority (permission) for resources in the system is stored and managed.

  Upon receiving the standby request message 501 from the user terminal 100, the standby processing unit 201 performs user authentication, confirmation of the validity of the token 401, analysis of the contents of the token 401, and an authorization determination processing procedure (control) used in the authorization determination processing. A control module execution file that is an execution file of the module 221) is generated.

  Here, the control module execution file is based on the result of the syntax analysis of each item described in the authority content information of the token 401 (the user ID, class, attribute, authority of the issuer requester). Etc.) and the contents stored and managed in the authority information storage unit 213 (the class, attributes, authority, etc. of the user ID of the user ID) and the conditions described in the authority content information of the token 401 (the target URI exists) Or whether the authority use start date and time and the authority use end date and time are satisfied, etc.) is generated by obtaining and calculating a calculation formula for confirming when the service is actually started. When there is a simultaneous network access restriction or a simultaneous user number restriction for the target URI, a condition for confirming that the service use is within these restrictions is also added.

  The range of authority of the token issuer stored and managed in the authority information storage unit 213 differs between when the token 401 is issued and when the service using the token 401 is started due to, for example, a change of affiliation accompanying a change of user. However, as described above, the consistency between the authority content information of the token and the content stored and managed in the authority information storage unit 213 is checked using the control module 221 when the service is actually started. Accordingly, it is possible to prevent the authority content from being executed beyond the scope of the authority of the token issuer.

  The standby processing unit 201 issues a trigger ID when the preparation for authorization determination for the token 401 is completed, and a standby response message 502 and a standby completion message 503 including the trigger ID are transmitted to the user terminal 100 and the service providing device, respectively. To 300. Further, the token 401, trigger ID, control module execution file, and scheduled access time are stored in the standby management information storage unit 212.

  The authorization determination processing unit 202 activates the control module 221 using the control module execution file generated by the standby processing unit 201 when the scheduled access date and time approaches. Upon receipt of the authorization request message 511 from the user terminal 100, the authorization judgment processing unit 202 executes an authorization judgment process using the control module 221, and an authorization response including an authorization judgment result (“authorization authorization” / “authorization rejection”) A message 512 and an authorization completion message 513 are transmitted to the user terminal 100 and the service providing apparatus 300, respectively.

  The service providing apparatus 300 is realized by an information processing apparatus such as a workstation / server. The service providing apparatus 300 provides a service to the user terminal 100 and includes an authorization information processing unit 301, an authorization information storage unit 311, and a service application unit 321.

  As shown in FIG. 10, the authorization information storage unit 311 stores and manages the token 401, the trigger ID, the authorization determination result (“authorization approval” / “authorization rejection”), and the network address of the user terminal 100. Here, for the token 401, when the token 401 is issued, the token 401 is notified to the service providing apparatus 300 that provides the URI (resource) described in the token 401 and stored in the authorization information storage unit 311. Is done.

  The authorization information processing unit 301 receives the standby completion message 503 received from the access control system, the trigger ID included in the authorization completion message 513, the authorization determination result (“authorization authorization” / “authorization rejection”), and the network address as an authorization information storage unit Save to 311. Further, when the service start message 521 is received from the user terminal 100, it is checked against the contents of the authorization information storage unit 311 and if consistency is confirmed, the service application unit 321 is allowed to communicate with the user terminal 100. .

  The service application unit 321 is an application that provides a service to the user terminal 100, and corresponds to a Web server and a document file server in a system that controls access to a Web server and a document file in an intranet.

  Next, the operation of the best mode for carrying out the present invention will be described with reference to the drawings.

  FIG. 11 shows a processing flow in the embodiment of the present invention, and FIG. 12 shows a message used between the user terminal 100, the access control device 200, and the service providing device 300.

  It is assumed that the user terminal 100 has already acquired the token 401 issued by the access control device 200 at the request of the issue requester and stores it in the token management information storage unit 111 together with the scheduled access date and time. Further, when the access control apparatus 200 issues the token 401, the token 401 is notified to the service providing apparatus 300 that provides the URI (resource) described in the token 401, and is stored in the authorization information storage unit 311. It shall be.

  For example, the authority information storage unit 213 of the access control apparatus 200 stores information related to the user as shown in FIG. 13 and information related to the authority (permission) for the resources in the system. It is assumed that the management information storage unit 111 and the authorization information storage unit 311 of the service providing apparatus 300 store the token 401 of the authority content information shown in FIG. 14 issued by the user whose user ID is 1001.

  First, the user terminal 100 requests the access control device 200 for authorization determination preparation processing (standby) according to the following procedure.

  The standby request unit 101 of the user terminal 100 sends a user ID to the access control apparatus 200 (step A101), the standby processing unit 201 of the access control apparatus 200 generates a random number R used for user ID authentication, and the user terminal 100 (Step B101). The standby request unit 101 of the user terminal 100 combines the user password with the random number R, takes a hash value with a one-way hash function, and generates user authentication information. Further, a standby request message 501 including a user ID, user authentication information, token 401, and scheduled access date and time is created and transmitted to the access control apparatus 200 (step A102). The standby request unit 101 sets the mode information of the token 401 in the token management information storage unit 111 to “preparation mode” (step A103).

  When receiving the standby request message 501 from the user terminal 100, the standby processing unit 201 of the access control apparatus 200 searches the user management information storage unit 211 using the user ID included in the standby request message 501 as a key, and corresponds to the user ID The user is authenticated by creating a hash value from the password and the random number R and confirming that it is the same as the user authentication information included in the standby request message 501 (step B102).

  The standby processing unit 201 confirms the validity of the token 401 by verifying the electronic signature of the token 401 (step B103), analyzes the content of the token 401, and makes an authorization determination based on the authority content information An execution file (control module execution file) of the authorization determination processing procedure (control module 221) is generated (step B104).

  For example, the standby processing unit 201 generates an execution file of the control module 221 that performs an authorization determination process using the calculation formula shown in FIG. 15 for the token 401 of the authority content information shown in FIG.

  Next, the standby processing unit 201 generates a trigger ID that uniquely identifies the combination of the token 401 and the scheduled access time (step B105). The standby processing unit 201 stores the token, trigger ID, control module execution file, and scheduled access date and time in the standby management information storage unit 212 (step B106). The standby processing unit 201 encrypts the token ID and the trigger ID, and transmits the encrypted token ID and trigger ID to the user terminal 100 as the standby response message 502 and to the service providing apparatus 300 as the standby completion message 503 (step B107).

  When receiving the standby response message 502 from the access control apparatus 200, the standby request unit 101 of the user terminal 100 decrypts the token ID and the trigger ID, searches the token management information storage unit 111 using the token ID as a key, and sets the trigger ID. Save and change the preparation mode to "preparation complete mode" (step A104).

  Upon receiving the standby completion message 503 from the access control device 200, the authorization information processing unit 301 of the service providing device 300 decrypts the token ID and trigger ID, searches the authorization information storage unit 311 using the token ID as a key, and trigger ID Is stored (step C101).

  Note that encrypted communication such as IPsec communication, SSL communication, or SSH communication may be used for transmission of the standby response message 502 and the standby completion message 503.

  Next, the user terminal 100 requests authorization determination from the access control apparatus 200 in the following procedure, and starts using the service.

  In the user terminal 100, when a service request using the token 401 occurs at the scheduled access time, the authorization determination request unit 102 searches the token management information storage unit 111 using the token ID of the token 401 as a key, and the token 401 It is confirmed that the mode information is “ready mode” (step A105). The authorization determination request unit 102 transmits the token ID to the access control apparatus 200 (step A106), and the authorization determination processing unit 202 of the access control apparatus 200 generates a random number S used for authentication of the trigger ID, and sends it to the user terminal 100. Transmit (step B110). The authorization determination request unit 102 generates a trigger authentication information by combining the trigger ID with the random number S and taking a hash value with a one-way hash function. Further, an authorization request message 511 including a user ID, a token ID, and trigger authentication information is created and sent to the access control apparatus 200 (step A107).

  The authorization determination processing unit 202 of the access control device 200 periodically checks the scheduled access date and time for each trigger ID stored in the standby management information storage unit 212 by the system timer (step B108), and the current time is accessed. For the trigger ID approaching the scheduled date and time, the control module 221 is activated using the control module execution file for the trigger ID. When the authorization determination processing unit 202 becomes ready to execute the authorization determination processing of the control module 221, the control module execution address is stored in the standby management information storage unit 212 (step B109). The time at which the control module 221 is activated with respect to the scheduled access date and time is controlled from the control module execution file in consideration of the processing performance of the access control device 200, the processing load, the load of the activation processing of the control module 221 and the like It is determined by the time required to activate the module 221 and to be ready for execution.

  Upon receiving the authorization request message 511 from the user terminal 100, the authorization determination processing unit 202 of the access control apparatus 200 holds the network address of the user terminal 100 and uses the token ID included in the authorization request message 511 as a key for standby management information. By searching the storage unit 212, reading the trigger ID corresponding to the token ID, creating a hash value from the trigger ID and the random number S, and confirming that it is the same as the trigger authentication information included in the authorization request message 511 The trigger ID is authenticated (step B111). The authorization determination processing unit 202 searches the standby management information storage unit 212 using the trigger ID as a key, reads the control module execution address of the activated control module 221, executes the authorization determination by the control module 221, and determines the authorization The result (“authorization granted” / “authorization denied”) is determined (step B112). The authorization judgment processing unit 202 creates an authorization completion message 513 including the user ID of the user, the token ID, the network address of the user terminal 100, and the authorization judgment result, and transmits the authorization completion message 513 to the access destination service providing apparatus 300 (step B113). . Also, an authorization response message 512 including the token ID and the authorization determination result is sent to the user terminal 100 (step B114).

  For example, when the authorization determination is performed using the token 401 of the authority content information in FIG. 14 and the control module 221 in FIG. 15, the class, attribute, and authority of the token issue requester (user ID = 1001) described in the token 401 are: 13 is consistent with the contents of the authority information storage unit 213 in FIG. 13, the URI described in the token 401 exists at the time of determination, and the authority use start date / time and authority use end described in the token 401 are present. If it is within the date and time range, the authorization judgment result is “authorization authorization”.

  When the authorization determination request unit 102 of the user terminal 100 receives the authorization response message 512 from the access control apparatus 200 and confirms that the authorization determination result is “authorization authorization”, the token management information storage unit 111 uses the token ID as a key. , The trigger ID is read, and a service start message 521 including the trigger ID is transmitted to the service providing apparatus 300 (step A108). Further, it instructs the service client unit 121 to start communication with the service providing apparatus 300.

  Upon receiving the authorization completion message 513 from the access control device 200, the authorization information processing unit 301 of the service providing device 300 searches the authorization information storage unit 311 using the token ID as a key, and obtains the network address of the user terminal 100 and the authorization determination result. Save (step C102). Next, when the service start message 521 is received from the user terminal 100, the authorization information storage unit 311 is searched using the trigger ID as a key, and the authorization determination result and the network address of the user terminal 100 are read. When the authorization determination result read from the authorization information storage unit 311 is “authorization authorization”, the service providing apparatus 300 reads the network address of the user terminal 100 read from the authorization information storage unit 311 and the user terminal 100 in the service start message 521. If the two match, the consistency between the trigger ID of the service start message 521 and the trigger ID corresponding to the token ID of the authorization completion message 513 has been confirmed. Judgment is made (step C103). The authorization information processing unit 301 searches the authorization information storage unit 311 using the trigger ID as a key, reads the URI (resource) and authority (permission) from the authority content information of the token 401, and sends the URI to the service application unit 321. By permitting access from the user terminal 100 within the range of authority, mutual communication between the user terminal 100 and the service providing apparatus 300 is started (step A109, step C104).

  For example, when the authorization determination is performed using the token 401 of the authority content information in FIG. 14 and the control module 221 in FIG. 15, the user terminal 100 manages the URI managed by the service providing apparatus 300, a file under \\ market \ doc \ yamada Can be accessed with full control authority.

  When the mutual communication between the user terminal 100 and the service providing apparatus 300 is started, the authorization determination request unit 102 of the user terminal 100 searches the token management information storage unit 111 using the token ID as a key, and obtains the trigger ID and mode information. Delete (step A110).

  Thus, the operation of the embodiment of the present invention is completed.

  According to the embodiment of the present invention, in an access control system using a token, it is possible to reduce the processing load related to the authorization of the token and realize a smooth authorization determination process. The reason for this is that a series of processes related to authorization of tokens includes user authentication, confirmation of token validity, confirmation of authority content information, and authorization determination preparation processing such as generation of a control module for authority authorization determination, This is because the process is divided into actual authorization determination processing using the control module, and preparatory processing with heavy processing load is executed in advance.

  In addition, according to the embodiment of the present invention, as described above, access control is provided for a user who uses a service by reducing the processing load related to authorization of tokens and realizing a smooth authorization determination process. When access control requests by tokens are concentrated on the system, it is possible to reduce an event that a service cannot be received due to the access control system. In addition, for service providers, loss of business opportunities due to the inability to provide services to users can be reduced.

  Furthermore, according to the embodiment of the present invention, in the access control system using a token, when a user starts a service, the time until the start of communication can be shortened. The reason is that, as described above, a series of processing related to authorization of tokens is divided into preparation processing for authorization judgment and actual authorization judgment processing, and preparation processing for authorization judgment is executed in advance. In addition, the control module executed at the start of the service is activated before the scheduled access time, thereby speeding up the authorization determination process at the start of the service.

It is a block diagram which shows the whole embodiment of this invention. It is a block diagram which shows the structure of the user terminal 100 in embodiment of this invention. It is a block diagram which shows the structure of the access control apparatus 200 in embodiment of this invention. It is a block diagram which shows the structure of the service provision apparatus 300 in embodiment of this invention. It is a figure which shows the content of the token 401 in embodiment of this invention. It is a figure which shows the content which the token management information storage part 111 memorize | stores and manages in embodiment of this invention. It is a figure which shows the content which the user management information storage part 211 memorize | stores and manages in embodiment of this invention. It is a figure which shows the content which the standby management information storage part 212 memorize | stores and manages in embodiment of this invention. It is a figure which shows the content which the authority information storage part 213 memorize | stores and manages in embodiment of this invention. It is a figure which shows the content which the authorization information storage part 311 memorize | stores and manages in embodiment of this invention. It is a flowchart which shows operation | movement of embodiment of this invention. It is a figure which shows the content of the message transmitted / received between the apparatuses in embodiment of this invention. It is a figure which shows the example of the content memorize | stored and managed in the authority information storage part 213 in embodiment of this invention. It is a figure which shows the example of the authority content information of the token 401 in embodiment of this invention. It is a figure which shows the example of the authorization determination module 221 in embodiment of this invention.

Explanation of symbols

DESCRIPTION OF SYMBOLS 100 User terminal 101 Standby request part 102 Authorization judgment request part 111 Token management information storage part 121 Service client part 200 Access control apparatus 201 Standby processing part 202 Authorization judgment processing part 211 User management information storage part 212 Standby management information storage part 213 Authority information Storage unit 221 Control module 300 Service providing device 301 Authorization information processing unit 311 Authorization information storage unit 321 Service application unit 401 Token 501 Standby request message 502 Standby response message 503 Standby completion message 511 Authorization request message 512 Authorization response message 513 Authorization completion message 521 Service start message 1000 network

Claims (8)

An access control system in which a user terminal, an access control device, and a service providing device are connected to each other via a communication line,
The user terminal is
Standby request means for transmitting a standby request message including user authentication information and a token to the access control device;
When an authorization request message including a trigger identifier is transmitted to the access control apparatus, an authorization response message is received from the access control apparatus, and the authorization determination result included in the authorization response message is authority authorization, the trigger Authorization request means for transmitting a service start message including an identifier to the service providing device,
The access control device
The standby request message is received from the user terminal, the user is authenticated based on the user authentication information, the validity of the token is confirmed, the trigger identifier is issued, and the standby including the token identifier and the trigger identifier Standby processing means for transmitting a completion message to the service providing device;
Receiving the authorization request message from the user terminal, making an authorization decision based on the token corresponding to the trigger identifier included in the authorization request message, and sending the authorization response message including the token identifier and the authorization decision result An authorization determination processing means for transmitting to the service providing apparatus an authorization completion message including the token identifier and the authorization judgment result, transmitted to the user terminal;
The service providing apparatus includes:
When the standby completion message and the authorization completion message are received from the access control device, and when the service start message is received from the user terminal, the trigger identifier included in the service start message and the authorization completion message And an authorization information processing means for instructing a service application to start communication with the user terminal when the consistency with the trigger identifier corresponding to the token identifier is confirmed. Access control system. An access control system in which a user terminal, an access control device, and a service providing device are connected to each other via a communication line,
The user terminal is
Standby request means for transmitting a standby request message including user authentication information and a token configured with a token identifier, authority content information, and a digital signature to the access control device;
When an authorization request message including a trigger identifier is transmitted to the access control apparatus, an authorization response message is received from the access control apparatus, and the authorization determination result included in the authorization response message is authority authorization, the trigger Authorization request means for transmitting a service start message including an identifier to the service providing device,
The access control device
The standby request message is received from the user terminal, the user is authenticated based on the user authentication information, the validity of the token is confirmed based on the electronic signature, the trigger identifier is issued, the token identifier and the Standby processing means for transmitting a standby completion message including a trigger identifier to the service providing device;
Receiving the authorization request message from the user terminal, performing authorization determination based on authority content information of the token corresponding to the trigger identifier included in the authorization request message, and including the token identifier and the authorization determination result An authorization determination processing means for transmitting a response message to the user terminal and transmitting an authorization completion message including the token identifier and the authorization determination result to the service providing apparatus;
The service providing apparatus includes:
When the standby completion message and the authorization completion message are received from the access control device, and when the service start message is received from the user terminal, the trigger identifier included in the service start message and the authorization completion message And an authorization information processing means for instructing a service application to start communication with the user terminal when the consistency with the trigger identifier corresponding to the token identifier is confirmed. Access control system. When the standby processing means of the access control device receives the standby request message from the user terminal, it further generates an execution file of a control module that performs authorization determination based on the content of the token,
When the authorization determination processing unit of the access control apparatus receives the authorization request message from the user terminal, the authorization determination processing unit activates the control module from the execution file of the control module corresponding to the trigger identifier included in the authorization request message The access control system according to claim 1, wherein the authorization determination is performed. The standby request message transmitted from the user terminal to the access control apparatus further includes an access scheduled time,
When the standby processing means of the access control device receives the standby request message from the user terminal, it further generates an execution file of a control module that performs authorization determination based on the content of the token,
The authorization determination processing means of the access control device activates the control module from the control module execution file when the scheduled access time approaches and receives the authorization request message from the user terminal. The access control system according to claim 1, wherein the authorization determination is performed using the control module corresponding to the trigger identifier included in. A standby request message transmission step in which the user terminal transmits a standby request message including user authentication information and a token to the access control device;
The access control device receives the standby request message from the user terminal, authenticates the user based on the user authentication information, confirms the legitimacy of the token, issues a trigger identifier, the token identifier and the trigger A standby processing step of transmitting a standby completion message including the identifier to the service providing device;
A standby completion message receiving step in which the service providing apparatus receives the standby completion message from the access control apparatus;
An authorization request message transmission step in which the user terminal transmits an authorization request message including the trigger identifier to the access control device;
The access control device receives the authorization request message from the user terminal, performs authorization determination based on the token corresponding to the trigger identifier included in the authorization request message, and includes the token identifier and an authorization determination result An authorization determination processing step of transmitting an authorization response message to the user terminal, and transmitting an authorization completion message including the token identifier and the authorization judgment result to the service providing device;
An authorization response message receiving step in which the user terminal receives the authorization response message from the access control device;
An authorization completion message receiving step in which the service providing apparatus receives the authorization completion message;
A service start message transmission step for transmitting a service start message including the trigger identifier to the service providing apparatus when the user terminal determines that the authorization determination result included in the authorization response message is authority authorization;
When the service providing apparatus receives the service start message from the user terminal, the trigger identifier included in the service start message and the trigger identifier corresponding to the token identifier included in the authorization completion message An access control method comprising: an authorization information processing step of confirming consistency and instructing a service application to start communication with the user terminal when consistency is confirmed. A standby request message transmission step in which a user terminal transmits a standby request message including user authentication information and a token including a token identifier, authority content information, and an electronic signature to the access control device;
The access control device receives the standby request message from the user terminal, authenticates the user based on the user authentication information, confirms the validity of the token based on the electronic signature, issues a trigger identifier, A standby processing step of transmitting a standby completion message including the token identifier and the trigger identifier to the service providing device;
A standby completion message receiving step in which the service providing apparatus receives the standby completion message from the access control apparatus;
An authorization request message transmission step in which the user terminal transmits an authorization request message including the trigger identifier to the access control device;
The access control device receives the authorization request message from the user terminal, performs authorization determination based on authority content information of the token corresponding to the trigger identifier included in the authorization request message, and determines the token identifier and the authorization determination. An authorization determination processing step of transmitting the authorization response message including a result to the user terminal, and transmitting an authorization completion message including the token identifier and the authorization determination result to the service providing device;
An authorization response message receiving step in which the user terminal receives an authorization response message from the access control device;
An authorization completion message receiving step in which the service providing apparatus receives the authorization completion message;
A service start message transmission step for transmitting a service start message including the trigger identifier to the service providing apparatus when the user terminal determines that the authorization determination result included in the authorization response message is authority authorization;
When the service providing apparatus receives the service start message from the user terminal, the trigger identifier included in the service start message and the trigger identifier corresponding to the token identifier included in the authorization completion message An access control method comprising: an authorization information processing step of confirming consistency and instructing a service application to start communication with the user terminal when consistency is confirmed. The standby processing step of the access control device further generates an execution file of a control module that performs authorization determination based on the content of the token when the standby request message is received from the user terminal,
The authorization determination processing step of the access control device activates the control module from the execution file of the control module corresponding to the trigger identifier included in the authorization request message when the authorization request message is received from the user terminal. The access control method according to claim 5, wherein authorization determination is performed. The standby request message transmitted from the user terminal to the access control apparatus further includes an access scheduled time,
The standby processing step of the access control device further generates an execution file of a control module that performs authorization determination based on the content of the token when the standby request message is received from the user terminal,
The access control device further includes a control module pre-starting step of starting the control module from the control module execution file when the scheduled access time approaches.
The authorization determination processing step of the access control device performs an authorization determination using the control module corresponding to the trigger identifier included in the authorization request message when the authorization request message is received from the user terminal. The access control method according to claim 5 or 6.

Images