JP4305146B2 - Communication control device, application server, and program - Google Patents

Description

  The present invention relates to a communication control apparatus, and more particularly to a communication control apparatus that controls access from a client terminal in order to provide a predetermined service to an authenticated client terminal.

  2. Description of the Related Art Conventionally, a web server that provides various services by HTTP communication is known only to a client terminal that has received user authentication from an authentication server. In such a network system including a Web server, when a client terminal accesses the Web server, the Web server first checks whether the user operating the client terminal has already been authenticated by the authentication server. Determine. If it is determined that the user is an unauthenticated user, the client terminal is instructed to receive authentication from the authentication server. Then, after receiving notification from the client terminal that the user authentication by the authentication server has been received, the Web server establishes a session with the client terminal, and provides various services to the client terminal. provide.

  For example, Japanese Patent Laid-Open No. 2003-296277 (hereinafter referred to as Patent Document 1) discloses a system that provides various services to a client terminal for which a Web server performs user authentication using such HTTP communication. There are disclosed techniques.

  In this patent document 1, as HTTP communication, communication is performed using an HTTP GET method or POST method, and user authentication is performed using a redirect which is one of HTTP functions.

  Here, the GET method is a method used when accessing a server or the like, and is one of HTTP message formats. Specifically, it refers to a format that describes data to be sent directly to a destination in a URL (Uniform Resource Identifier) described in a header area constituting a GET method. For example, when the URL described in the header area is “http://test.fujixerox.co.jp/login?user=fuji&passwd=xerox”, the description before “?” Is the data transmission destination. The description after “?” Indicates the data to be transmitted to the transmission destination server or the like. That is, when using the GET method, if only the data described in the header area is transmitted, desired data can be transmitted to a destination server or the like. However, the amount of data that can be written to the URL of the GET method is limited, and is not suitable for transmitting a large amount of data. On the other hand, the POST method is one of methods used when accessing a server or the like, and is one of HTTP message formats. However, it differs from the GET method in that data to be transmitted to a destination server or the like is described in a body area defined separately from the header area. When the POST method is used, in addition to the header area data, the body area data needs to be transmitted to the transmission destination server or the like in HTTP communication. The POST method is used when there is a large amount of data to be transmitted, when a file is attached to a message for transmission, or when it is not desired to leave data as a log on the server by directly writing to a URL for transmission. There are many cases. Redirection refers to issuing an instruction to access another connection destination to a terminal that has accessed.

  Using such a GET method or the like, in Patent Document 1, user authentication is performed as follows.

  First, the WWW browser transmits, for example, a request message such as “GET url1 HTTP / 1.X” to the WWW application using the GET method. Here, “url1” indicates the URL of the WWW application. When receiving an access from the WWW browser, the WWW application determines whether the access is from a user who has been authenticated by the SSO server (authentication server). If the access is from a user who has not been authenticated yet, the WWW application instructs the WWW browser to redirect to the SSO server so as to receive user authentication by the SSO server.

  Then, the WWW browser that has received the redirect from the WWW application accesses the SSO server having the designated URL and makes a user authentication request in accordance with the request. When the user authentication is successful, the SSO server instructs the WWW browser to redirect to the WWW application so as to access the WWW application. The WWW browser that has received the redirect instruction accesses the WWW application again, thereby holding the session and receiving a desired service.

  In this way, when performing user authentication using HTTP redirection, if the client terminal (WWW browser) directly accesses the WWW application, then it automatically accesses the authentication server by the redirection function and performs authentication. After the success, the client terminal can establish a session with the WWW application by further redirecting. Therefore, the client terminal can be provided with a service without directly knowing the URL of the authentication server.

JP 2003-296277 A

  If the session between the client terminal and the WWW application held by the authentication server successful as described above is permanently established, the memory space of the server that performs the WWW application processing may be compressed, In general, the system is also configured to forcibly disconnect the session when there is no response from the client terminal for a certain period. However, when the redirect function is used in the system configured as described above, the following problems occur due to the definition of the redirect RFC.

  That is, as defined in RFC 2616, only the GET method can be used for redirection, and the receiving side that has received the redirection accesses the URL indicated in the redirection using the GET method. Even when accessed using the POST method, the redirect is accessed by the GET method according to the RFC specification. Then, since the body region is not defined in the GET method as described above, when the redirect is performed for the POST method, the data included in the body region of the POST method is lost due to the redirect. It will be.

  Therefore, conventionally, after a certain period of time has elapsed since the session was established between the client terminal and the WWW application, the client terminal creates data processed by the WWW application and uses the POST method to store the data. Even if you write to the body area and access the WWW application, if the session is already disconnected and redirection is performed as described above, the data written to the body area of the POST method sent from the client terminal is lost. It will be broken. Therefore, in order for the client terminal to provide and process the previously created data to the WWW application, after the user authentication is performed and the session is re-established, the same data is created again, and the POST method is used. It is necessary to resend.

  In the above, in a system that provides an application after performing authentication using redirect in HTTP communication, the session once established is disconnected due to timeout or the like, and re-authentication is performed. As an example, the data written in the body area of the method is lost. However, such data loss may occur in the same way in a system in which a session once established is disconnected due to a timeout or the like after authentication and authentication is performed again.

  The present invention has been made in view of the above problems, and an object of the present invention is to improve the convenience of an application in a system that uses an application with authentication.

Communication control apparatus according to the present invention is transmitted from the client terminal by the user, received and processed data specified service processing apparatus for processing, the including information data and a service identifier for identifying the specified service processor receiving means for, if the user of the client terminal transmitting the information data received by the receiving means has not received the authorization of a predetermined authentication device associated with the service identifier contained in the client terminal and the information data Te, a holding means for the processing object data included in the information data to retain, if the user of the client terminal transmitting the information data received by the receiving means has not received the authentication of the authentication device, the client the terminal, an authentication request instruction means for instructing an authentication request to the authentication device, client Waiting for the preparative terminal for receiving a notification indicating that they are done authentication against the instruction of the authentication request, among the processed data held in said holding means, the processing object data associated with the client terminal, as data transmitted from the client terminal, and a providing means for providing the identified service processing apparatus based on the service identifier associated with the processed data.

According to the present invention, even in the case of information data transmitted by an unauthenticated client terminal, the processing target data included in the information data is held in the holding unit, and an authenticated report notification is sent from the client terminal The providing means waits to receive the processing target data held in the holding means as data transmitted from the client terminal associated with the service target data, based on the service identifier associated with the service target data. It can be provided to the identified service processing device. As a result, for example, even if the client terminal is not authenticated when transmitting the information data, it is possible to save the trouble of transmitting the same information data again after receiving the authentication, thereby improving convenience. Can do.

In the communication control apparatus according to the present invention, the processing target data to be processed by the specified application processing apparatus transmitted from the client terminal by the user is written in the body area, and the address of the specified application processing apparatus is written in the header area. receiving means for receiving a POST method which, if the user of the client terminal transmitting the POST method received by the receiving means has not received the authorization of a predetermined authentication server, the client terminal and the header of the POST method in association with the address of the application processing apparatus written in the area, the client terminal that the processing object data written in the body region of the POST method to send a holding unit that holds, the POST method received by the receiving means Users of If not certified by the constant authentication server for the client terminal, and redirection means for performing a redirect to instruct an authentication request to the authentication server, the authentication against the client terminal to redirect the redirection means is performed waiting to receive a notification by GET method which indicates that after completion, of the processing object data held in the holding means, the processing object data associated with the client terminal, as data transmitted from the client terminal, and a providing means for providing the identified application processor based on the address associated with the processed data.

According to the present invention, when the client terminal that has transmitted the POST method in which the processing target data to be processed by the application processing apparatus is written in the body area has not been authenticated by the predetermined authentication server, Even if the redirect is made, the holding means temporarily holds the processing target data written in the body area of the POST method, and waits for the providing means to receive an authenticated report notification by the GET method from the client terminal. The processing target data is provided to the application processing apparatus. Therefore, for example, even if the client terminal that sent the POST method in which the processing target data is written in the body area has not been authenticated by a predetermined authentication server, even if the authentication request is redirected, Since the processing target data is provided to the application processing apparatus without being discarded, the client terminal can save the trouble of retransmitting the POST method in which the same processing target data is written in the body area, thereby improving convenience. Connected.
The application server according to the present invention is an application server comprising: a communication control unit that controls access from a client terminal; and a service processing unit that executes a service process of an application service specified by the client terminal that has accessed the server. A communication control means is a receiving means for receiving information data transmitted from a client terminal by a user and including processing target data for the service processing means to execute service processing and a service identifier for specifying a designated application service. And if the user of the client terminal that transmitted the information data received by the receiving means has not been authenticated by a predetermined authentication server, it is associated with the client terminal and the service identifier included in the information data. If the user of the client terminal that has transmitted the information data received by the receiving unit and the holding unit that holds the processing target data included in the information data is not authenticated by the authentication device, the information data is transmitted. Waiting for receiving an authentication request instruction means for instructing an authentication request to the authentication server from the client terminal, and a notification indicating that the authentication for the authentication request instruction has been completed from the client terminal. In order to execute the service processing of the application service identified based on the service identifier associated with the processing target data, the processing target data associated with the client terminal is processed. Data sent from the client terminal associated with , And a providing means for providing to said service processing unit.
The program according to the present invention is a receiving means for receiving information data including processing target data to be processed by a designated service processing device and a service identifier for identifying the designated service processing device, transmitted from a client terminal by a user. If the user of the client terminal that transmitted the information data received by the receiving means has not been authenticated by a predetermined authentication device, the information is associated with the client terminal and the service identifier included in the information data. Holding means for holding the processing target data included in the data in the holding unit; if the user of the client terminal that sent the information data received by the receiving means has not been authenticated by the authentication device, send the information data Authentication that instructs an authentication request to the authentication device to the client terminal The processing target data associated with the client terminal among the processing target data held by the holding unit after waiting for the notification indicating that the authentication request instruction is authenticated from the client terminal. As a data transmitted from the client terminal, the computer is caused to function as providing means for providing the service processing device specified based on the service identifier associated with the processing target data.

  Embodiments of the present invention (hereinafter referred to as embodiments) will be described below with reference to the drawings. FIG. 1 is a diagram showing a system configuration in the present embodiment. In FIG. 1, a WWW browser 10, a WWW application 20, and an authentication server 30 communicate with each other using a protocol such as HTTP via a network 40. In the present embodiment, only one WWW browser, WWW application, and authentication server exist on the system. Of course, a system that includes many WWW browsers, WWW applications, and authentication servers may be used.

  The WWW browser 10 is software that runs on a client terminal (not shown), and receives various services and information through the network 40 by HTTP communication. The client terminal is any terminal that can be connected to a network, such as a desktop computer, a laptop computer, a PDA, or a mobile phone, and can provide an environment in which a WWW browser operates.

  The WWW application 20 provides various services to the WWW browser 10. The WWW application 20 is software that provides a service to the WWW browser 10 on a network device (server) such as a computer. The WWW application 20 provides a service only to users who have been authenticated.

  The authentication server 30 performs user authentication for access from the WWW browser 10 and returns a user authentication result in response to a request from the WWW application 20.

  Here, the WWW application 20 and the authentication server 30 will be further described.

  The WWW application 20 includes a communication control unit 21 and a processing unit 22. The communication control unit 21 receives access from the WWW browser 10 via the network 40 and performs corresponding processing. For example, when an access from an unauthenticated WWW browser 10 is accepted, it is determined whether or not a user using the WWW browser 10 has been authenticated. If the result of the determination is that it is unauthenticated, a request ID used for determining authentication is issued, and the WWW browser 10 is redirected to the authentication server 30. As a result, the WWW browser 10 is authenticated by the authentication server 30. If the access is from the authenticated WWW browser 10, the request ID issued first is received and the processing unit 22 is caused to perform the service. In addition, when the communication control unit 21 receives an authenticated report notification from the WWW browser 10 by redirection, the communication control unit 21 holds a session with the WWW browser 10 for a certain period. However, the session is disconnected after a certain period of time, and when the user accesses again after that, the WWW browser 10 is redirected to the authentication server 30 again.

  Furthermore, the communication control unit 21 in the present embodiment, when the accessing WWW browser 10 is unauthenticated and access is performed using the POST method, the authenticated report using the GET method associated with redirection Until the notification is received, the data written in the body area of the POST method is temporarily held. Then, after receiving the authenticated report using the GET method from the WWW browser 10, the communication control unit 21 emulates the GET method so that it becomes the POST method in which the temporarily stored data is written in the body area. And pass to the processing unit 22. As a result, even when the WWW browser 10 accessed using the POST method is an access from an unauthenticated user, the data written in the body area of the POST method is not discarded and is sent to the processing unit 22. Provided.

  Thus, for example, in a system in which a user inputs data to each input form displayed on a WWW browser as necessary and registers it in a database managed by the WWW application, the following effects are obtained. is there. That is, after the WWW browser 10 receives user authentication, it receives a browser display screen as shown in FIG. 2 from the WWW application 20, and the user uses each keyboard to provide each input form. Enter the required information. Here, the data input to the input form is text data, document data created by other software such as a document creation tool, or attached file data such as image data. After inputting the data, the WWW browser 10 converts the data format of the input data, writes the input contents in the body area, and tries to access the WWW application 20 by the POST method. At that time, for example, because it took a long time for the user to input contents in the input form, the session between the WWW browser 10 and the WWW application 20 established by the user authentication timed out during the input. And may be cut off. In that case, the WWW application 20 causes the WWW browser 10 to be authenticated again by redirection. However, as described above, because redirection is performed using the GET method according to the RFC specification, in the conventional WWW application, the data written in the body area of the POST method received from the WWW browser 10 is discarded. I had to do it. On the other hand, the WWW application 20 in the present embodiment temporarily stores the data written in the body area of the POST method in the communication control unit 21 and confirms the authentication, and then sends the data to the processing unit 22. Therefore, after the authentication is completed, the user does not need to input the same contents again in each input form, and the convenience of the WWW application can be improved.

  The authentication server 30 includes an authentication unit 31 and a personal information management database 32. The authentication unit 31 performs an authentication process in response to an access from the WWW browser 10 and also returns an authentication result in response to an inquiry from the WWW application 20. When an access from the WWW browser 10 is received, if the user of the WWW browser 10 is not authenticated, an authentication form as shown in FIG. Receive input information such as passwords. Based on the input information, the personal information management database 32 is inquired to authenticate the user. For access from the WWW browser 10 by an authenticated user, an authentication form is not transmitted to the WWW browser, and authentication processing is not performed.

  In this example, the personal information management database 32 is illustrated as being provided in the authentication server 30, but the configuration is not limited to this, and the personal information management database 32 may be configured by a server other than the authentication server 30. In addition, each component may not match the actual device configuration. For example, a plurality of WWW applications may be mounted on one computer, or the WWW application and the authentication server may be realized on one computer. For example, the communication control unit 21 and the processing unit 22 of the WWW application 20 may be configured as separate devices.

  Next, a user authentication flow when the unauthenticated WWW browser 10 accesses the WWW application 20 in the present embodiment will be described based on the sequence diagram shown in FIG.

  When using the WWW application 20, a user using the WWW browser 10 inputs the URL (url1) of the WWW application 20 and instructs access. Then, the WWW browser 10 accesses the WWW application 20 (S101). In this HTTP request message, the “GET” method is used, and a request message such as “GET url1 HTTP / 1.x” is sent to the WWW application 20.

  When receiving the access from the WWW browser 10, the communication control unit 21 of the WWW application 20 determines whether or not a session exists with the WWW browser 10, that is, whether or not it has been authenticated (S <b> 102). The presence / absence of a session may be determined by an arbitrary method such as determining whether or not it is registered as a session object held in the WWW application 20. Here, there is no session with the WWW browser 10 until then. In order to establish a session, first, a request ID, which is a unique identifier that associates the WWW browser with the WWW application, is temporarily issued and registered as a session object (S103).

  Since the session with the WWW browser 10 does not exist, the communication control unit 21 of the WWW application 20 redirects the authentication server 30 to prompt the WWW browser 10 to perform authentication by the authentication server 30. The WWW browser 10 is instructed (S104). Specifically, when the URL of the authentication server 30 is set to sso, the code “302” at the time of response is used, and the response message is accessed by redirection, for example, “HTTP / 1.x 302 Moved Temporary Location: sso + id”. You can respond as follows. “Sso + id” is obtained by adding the request ID temporarily issued by the WWW application 20 to the URL “sso” of the authentication server 30. Further, the URL of the WWW application 20 may be added. Further, a temporary cookie for the WWW application 20 may be sent to the WWW browser 10 at the time of response.

  When receiving the response message from the WWW application 20 as described above, the WWW browser 10 automatically accesses the authentication server 30 to make an authentication request (S105). By using such a redirect, even if the user does not know the URL of the authentication server 30 or the like, if the user accesses the WWW application to be used, the authentication server 30 is automatically accessed for the first time. Can be improved.

  Further, the request message when accessing the authentication server 30 from the WWW browser 10 automatically performed specifically uses the “GET” method, and the address portion is the portion after “Location:” passed in S104, That is, “sso + id”. For example, a request message such as “GET soso + id HTTP / 1.x” is passed from the WWW browser 10 to the authentication server 30. Note that the URL of the WWW application 20 may be included in the address portion.

  When the authentication server 30 receives access from the WWW browser 10, there is no session with the WWW browser 10 so far, and authentication is not performed. Accordingly, the authentication unit 31 of the authentication server newly creates a session and registers it as a session object. At this time, the request ID generated by the communication control unit 21 passed in the address portion can be used. Further, when the URL portion of the WWW application 20 is included in the address portion, the URL is also stored.

  When newly accessed from the WWW browser 10, the authentication unit 31 sends an authentication form for performing authentication to the WWW browser 10 (S106). Specifically, the response code “200” is used, for example, the response header “HTTP / 1.x 200 OK” and the authentication form data may be transmitted to the WWW browser 10 as a response message. At this time, a temporary cookie for the authentication server 30 may be transmitted.

  After the user inputs the user ID and password in the column displayed on the authentication form, the user ID and password input by the user are sent from the WWW browser 10 to the authentication server 30 (S107).

  A specific request message in the case of transmitting a user ID and password from the WWW browser 10 to the authentication server 30 uses a “POST” method, for example, “POSS so HTTP / 1.x” as a request line, and a user in the body area. What is necessary is just to include the input user ID and password.

  Upon receiving the user ID and password from the WWW browser 10, the authentication unit 31 makes an inquiry to the personal information management database 32 to authenticate the user (S108). If the user ID and password are not correct, the WWW browser 10 is notified that the authentication has failed, and a re-input is received or the process is terminated.

  If the received user ID and password are correct, the user of the WWW browser 10 is authenticated as a regular user. At this time, login to the authentication server 30 is performed, and the authenticated state is registered as a session object together with the user ID of the user.

  When authentication by the authentication unit 31 of the authentication server 30 is performed, the authentication unit 31 returns a response message to the WWW browser 10 so as to redirect to the WWW application 20 (S109). Specifically, the response code “302” is used, for example, “HTTP / 1.x 302 Moved Temporary Location: url1”, and the WWW browser 10 is instructed to redirect specifying the URL (“url1”). do it.

  The WWW browser 10 that has received the redirect from the authentication server 30 uses the GET method to access the WWW application 20 in order to notify that the user authentication by the authentication server 30 has been completed (S110). The communication control unit 21 of the WWW application 20 that has received access from the WWW browser 10 requests the authenticated user name from the authentication server 30 using the previously issued request ID as a key (S111). In response, the authentication unit 31 of the authentication server 30 transmits the authenticated user name to the WWW application 20 (S112). The communication control unit 21 that has received the requested user name determines that the access is from a user for which user authentication has been performed properly, passes the data received from the WWW browser 10 to the processing unit 22, and the WWW browser 10 A service in response to a request from is provided (S113). For example, the processing unit 22 transmits the display screen form shown in FIG. 2 to the WWW browser 10 via the communication control unit 21.

  As described above, in a WWW application that provides a service only to a user who has received user authentication, the WWW browser automatically makes an authentication request to the WWW browser by using redirection. Without knowing the URL of the authentication server, it is possible to receive user authentication and receive service.

  However, after receiving the authentication, in the WWW browser 10 provided with the display screen form as shown in FIG. 2, a certain period of time elapses while the user inputs necessary items to each input form. Due to this, the session established with user authentication may be disconnected. Then, when the WWW browser 10 completes the data input by the user, in order to have the WWW application 20 perform the process of registering the input data in the database, the input data is written in the body region, and the POST method Even if the WWW application 20 is accessed using, since the session is disconnected, authentication is performed again by redirection. However, since redirection is performed only by the GET method, the data written in the body area of the POST method is discarded.

  Therefore, in the present embodiment, the WWW browser 10 uses the POST method when the session is disconnected due to the fact that the user authentication has been completed but a certain period of time has passed. 5 is executed, the data written in the body area of the POST method is prevented from being discarded.

  That is, in FIG. 5, after data input by the user is completed, the WWW browser 10 writes the input data in the body area using the POST method, and accesses the WWW application 20 (S201). The communication control unit 21 of the WWW application 20 receives the access and determines whether or not the WWW browser 10 has received user authentication (S202). Here, since it is assumed that the user authentication is once successful due to a timeout or the like and the established session is disconnected, the communication control unit 21 determines that the WWW browser 10 is unauthenticated. To do. Therefore, in order to newly perform user authentication, a temporary request ID is issued again (S203) and registered as a session object. Further, as a feature of the present embodiment, the communication control unit 21 is written in the body area of the POST method received from the WWW browser in association with the request ID that is a unique identifier that associates the WWW browser with the WWW application. Data is temporarily stored in a storage unit (not shown) such as a RAM held by the communication control unit 21 (S204).

  Subsequently, the communication control unit 21 instructs the WWW browser 10 to redirect to the authentication server 30 in order to prompt the WWW browser 10 to perform authentication by the authentication server 30 (S205). This instruction is performed by the GET method according to the RFC specification as described above for redirection. Therefore, conventionally, data written in the body area of the POST method from the WWW browser 10 is discarded due to redirection by the WWW application. However, according to the present embodiment, the data written in the body area of the POST method in S205 is temporarily stored in association with the request ID, so that it does not have to be discarded.

  Then, the WWW browser 10 that has received the redirect from the WWW application 20 executes the same processing as S <b> 105 to S <b> 109 shown in FIG. 4 with the authentication server 30 in S <b> 206 to S <b> 210. Further, when the authentication by the authentication server 30 is successful, the WWW browser 10 causes the WWW application 20 to notify the WWW application 20 that the authentication by the authentication server 30 has been completed by redirecting from the authentication unit 31 of the authentication server 30. (S211). In response to access from the WWW browser 10, the communication control unit 21 of the WWW application 20 performs the same processing as S111 to S112 in the case shown in FIG. It is confirmed to the authentication server 30 that it has been completed.

  After confirming the authentication with the authentication server 30, in the present embodiment, as a characteristic process, the communication control unit 21 determines whether there is data that is associated with the request ID and temporarily held (S214). ). Here, since the data temporarily held earlier exists, the WWW application 20 restores the temporarily held data, creates a wrapper that emulates the request object after the POST method, and passes it to the processing unit 22 ( S215). Since the processing unit 22 restores the data temporarily stored by the communication control unit 21 and performs processing using the emulated POST method, the body of the POST method when accessed using the POST method in S201. The data written in the area is processed in the processing unit 22 without being discarded, and the processing result is provided to the WWW browser 10 via the communication control unit 21 (S216).

  Therefore, for example, in the WWW browser 10 provided with the display screen form as shown in FIG. 2, a certain time elapses while the user inputs necessary items in each input form. Even if the session established with the user authentication is disconnected and the authentication is performed again by redirection, the data when the communication control unit 21 is accessed using the POST method before the redirection. Is provided to the processing unit 22, so that the user can save the trouble of inputting the same data again after authentication, leading to an improvement in the convenience of the WWW application.

  Note that the user authentication method described in this embodiment is merely an example, and any authentication method may be used as long as the system includes a WWW application that performs authentication using redirection. In this embodiment, the request ID used for user authentication is used together when temporarily storing the data written in the body area of the POST method. However, a unique ID may be issued separately from the request ID, and data may be retained and restored based on the ID.

  In the present embodiment, in the system that provides an application after performing authentication using redirect in HTTP communication, the session once established is disconnected due to timeout or the like, and re-authentication is performed. As an example, the data written in the body area of the POST method is lost. However, even if the system is not a system using the POST method in HTTP communication, if authentication is performed again after authentication, the session once established is disconnected due to a timeout or the like. This can be realized by temporarily storing data to be received in advance and restoring the data before the authentication after the authentication confirmation.

  Furthermore, in this embodiment, instead of temporarily storing the data written in the body area of one POST method in association with one session established between the WWW browser 10 and the WWW application 20, In association with a request ID issued in association with the WWW browser 10 and the WWW application 20, data written in the body area of the POST method is temporarily stored. Therefore, a plurality of data written in the body area of the POST method can be held for one established session.

  In addition, since a plurality of data written in the body area of the POST method can be held in one session, in a screen divided into a plurality of input forms in a frame as shown in FIG. Even when a plurality of data is input by the POST method, it is possible to appropriately manage and restore the data input to each frame without data conflict.

  In addition, since the present embodiment can be realized by simply improving the processing content performed by the communication control unit 21 of the WWW application 20, the processing content in the processing unit 22 and the processing content in the WWW browser 10 are conventionally compared. May be the same. Therefore, in order to realize this embodiment, it is not necessary to change the system of the WWW application significantly or to change the specification of the WWW browser, and it can be easily introduced into the current system.

It is a system configuration figure in this embodiment. It is a figure which shows an example of the display screen which the WWW application of this embodiment provides to a WWW browser. It is an example of the authentication form which the authentication server of this embodiment provides to a WWW browser in order to perform user authentication. It is a figure which shows the sequence of the user authentication in this embodiment. In this embodiment, it is a figure which shows the sequence when the WWW browser which transmitted the POST method is not authenticated.

Explanation of symbols

  10 WWW browser, 20 WWW application, 21 communication control unit, 22 processing unit, 30 authentication server, 31 authentication unit, 32 personal information management database, 40 network.

Claims (4)

Transmitted from the client terminal by the user, a receiving unit and processed data specified service processing apparatus for processing, and a service identifier for identifying the specified service processor receives the including information data,
When the user of the client terminal transmitting the information data received by the receiving means has not received the authorization of a predetermined authentication device, in association with the service identifier contained in the client terminal and the information data, the information data a holding unit that holds the processing object data included in,
Authentication request instruction means for instructing an authentication request to the authentication apparatus to the client terminal when the user of the client terminal that has transmitted the information data received by the receiving means has not received authentication of the authentication apparatus When,
Waiting for the client terminal to receive a notification that they are done authentication against the instruction of the authentication request, among the processed data held in said holding means, the processing object data associated with the client terminal, as data transmitted from the client terminal, and providing means for providing the identified service processing apparatus based on the service identifier associated with the processed data,
A communication control device comprising: Receiving means for receiving a POST method transmitted from a client terminal by a user, in which processing target data to be processed by a specified application processing apparatus is written in a body area, and an address of the specified application processing apparatus is written in a header area When,
When the user of the client terminal transmitting the POST method received by the receiving means has not received the authorization of a predetermined authentication server, the address of the application processing apparatus written in the header area of the client terminal and the POST method the association, and retaining means for the processing target data written in the body region of the POST method to retain,
When the user of the client terminal that has transmitted the POST method received by the receiving means has not received authentication of a predetermined authentication server, the client terminal is redirected to instruct an authentication request to the authentication server. Redirection means,
Waiting for the client terminal to be notified by the GET method to indicate against that after completion authentication redirect said redirected unit has performed, among the processed data held in said holding means, associated with the client terminal processing the object data, and providing means for the data transmitted from the client terminal, provides to the specified application processing apparatus based on the address associated with the processed data,
A communication control device comprising: In an application server comprising communication control means for controlling access from a client terminal, and service processing means for executing service processing of an application service designated by the accessed client terminal,
The communication control means includes
Receiving means for receiving information data transmitted from a client terminal by a user, including processing target data for the service processing means to execute service processing , and a service identifier for specifying a specified application service;
When the user of the client terminal transmitting the information data received by the receiving means has not received the authorization of a predetermined authentication server, in association with the service identifier contained in the client terminal and the information data, the information data a holding unit that holds the processing object data included in,
When the user of the client terminal that has transmitted the information data received by the receiving means has not received authentication by the authentication device, the client terminal that has transmitted the information data is instructed to perform an authentication request to the authentication server. Authentication request instruction means for
Waiting for the client terminal for receiving a notification indicating that authentication after completion relative indication of the authentication request, among the processed data held in said holding means, the processing object data associated with the client terminal, the process to execute a service process identified application services based on the service identifier associated with the target data, as data transmitted from the client terminal associated with the processing data, and providing means for providing to said service processing unit ,
An application server comprising Transmitted from the client terminal by the user, the process target data specified service processing apparatus for processing, receiving means and a service identifier for identifying the specified service processor receives the including information data,
When the user of the client terminal transmitting the information data received by the receiving means has not received the authorization of a predetermined authentication device, in association with the service identifier contained in the client terminal and the information data, the information data holding means for holding the processing object data included in the hold section,
If the user of the client terminal that has transmitted the information data received by the receiving means has not received authentication of the authentication device, the client terminal that has transmitted the information data is instructed to request authentication from the authentication device. Authentication request instruction means to perform,
Waiting for the client terminal to receive a notification that they are done authentication against the instruction of the authentication request, among the processed data to which the holding portion is held, the process target data associated with the client terminal, as data transmitted from the client terminal, providing means for providing the identified service processing apparatus based on the service identifier associated with the processed data,
As a program to make the computer function.

Images