JP4527491B2 - Content provision system - Google Patents

Description

  The present invention relates to a content providing technique, and more particularly to a content providing technique for providing desired content to a user while realizing anonymity of the user.

  2. Description of the Related Art Conventionally, as one of content providing technologies in which a user accesses a content providing server from a terminal and receives provision of desired content on the Internet, the content providing server realizes anonymous access to the content providing server Has proposed a technique for controlling disclosure of items included in content in groups of users (see, for example, Patent Document 1).

  In such a communication system, an authentication server for managing a set of a user ID, a group ID of a group to which each user belongs, and a content providing server ID is provided between the user side client system and the content providing server. The user is authenticated by the following procedure and the content is provided.

First, a user ID is given to a user in advance, and a group of IDs and contents items that can be browsed by the group are managed in the content providing server.
Next, when making a content provision request, in order to search for the group ID to which the user belongs in the content provision server of the acquisition request destination, the user transmits the user ID and the content provision server ID from the client system to the authentication server. A group ID search request is made.

On the other hand, the authentication server searches the group ID of the user from the user ID and the content providing server ID included in the search request from the user, and notifies the client system of the searched group ID.
In response to this, the client system adds a group ID to the content providing server to make a content providing request, and the content providing server creates a content by searching for a viewable item from the group ID included in the request, The result is notified to the user.

  Thereby, only by managing the user ID, the user can acquire the content whose disclosure control is performed in units of groups provided by the plurality of content providing servers. Moreover, since only the group ID is notified to the content providing server, anonymous access is possible. Further, since the group ID is notified to the content providing server instead of the user ID, there is an advantage that complicated user management is not required.

The applicant has not yet found prior art documents related to the present invention by the time of filing other than the prior art documents specified by the prior art document information described in this specification.
Japanese Patent Laid-Open No. 10-320357

  However, in such a conventional technique, the content providing server receives the content providing request from the client system because the client ID of the user is notified of the group ID instead of the user ID to the content providing server in order to realize anonymous access. However, there is a problem in that it cannot be determined whether the request transmitted from the client system is made by a legitimate user. In addition, when a third party learns the group ID by any method, information that can be browsed by a user having the group ID may be easily acquired by the third party. It was.

  This invention is for solving such a problem, and it aims at providing the content provision system which can confirm the legitimacy of the access from a user, implement | achieving the anonymous access from the user to a content provision server. It is said.

  In order to achieve such an object, a content providing system according to the present invention includes one or more content providing servers that provide various types of content information on a communication network, and desired content information acquired via the communication network as a user. One or more client systems provided to the client and one or more authentication servers for confirming the validity of the client system via a communication network, the contents only for the client system whose validity is confirmed by the authentication server A content providing system for providing content information from a providing server, wherein the client system includes connection request means for transmitting a connection request including a user ID of the user to the authentication server, and session information included in the connection permission notification from the authentication server. Contain content acquisition requests that contain Content acquisition request means for acquiring desired content information by transmitting to the server providing the information, and the authentication server stores user group information consisting of a set of the user ID of the user and the group ID of the group to which the user belongs. A storage unit, client confirmation means for confirming the validity of the client system in response to a connection request from the client system, and a group ID corresponding to the user ID of the connection request from the client system for which the validity has been confirmed as a user group A connection confirmation request means for acquiring a connection confirmation request including a group ID to confirm whether or not content acquisition from the content provision server by the user of the group is possible, and a connection permission notification from the content provision server The connection requesting client A content transfer server that stores content browsing management information indicating content information that can be browsed by a user of the group for each group ID, and a connection confirmation from the authentication server. Authentication server confirmation means for confirming the validity of the authentication server in response to the request, and session information is generated for each connection confirmation request from the authentication server for which the validity is confirmed, and the session information and the connection confirmation request are generated. Session information generating means for storing a pair with the included group ID as session management information in the storage unit and transmitting a connection permission notification including this session information to the authentication server that is the connection confirmation request source, and a content acquisition request from the client system Depending on the session information and session management included in the content acquisition request The validity of the content acquisition request is confirmed by comparing with the information, the group ID corresponding to the session information of the content acquisition request for which the validity is confirmed is acquired from the session management information, and the content browsing management information is referred to Content providing means for transmitting content information that can be browsed by the group ID to the client system that is the content acquisition request source.

  Another content providing system according to the present invention confirms the validity of one or more content providing servers that provide various types of content information to a user's client system on a communication network and the client system via the communication network. One or more authentication servers, and a content providing system that provides content information only from a content providing server to a client system that has been validated by the authentication server, wherein the authentication server includes a user ID of a user A storage unit that stores user group information including a group ID of a group to which the user belongs, a client confirmation unit that confirms the validity of the client system in response to a connection request from the client system, and a validity confirmation Client systems A group ID corresponding to the user ID of the connection request from the user is acquired from the user group information, and a connection confirmation request including the group ID is transmitted to the content providing server for confirming whether or not content acquisition from the content providing server by the user of the group is possible Connection confirmation requesting means, and a notification transfer means for transferring a connection permission notification from the content providing server to the client system of the connection requesting source, and the content providing server can view the user of the group for each group ID A storage unit that stores content browsing management information indicating content information, an authentication server confirmation unit that confirms the validity of the authentication server in response to a connection confirmation request from the authentication server, and an authentication server from which the validity is confirmed Session information is generated for each connection confirmation request. Session information generating means for storing a set of information and a group ID included in the connection confirmation request in the storage unit as session management information, and transmitting a connection permission notification including the session information to the authentication server of the connection confirmation request source; In response to the content acquisition request from the client system, the session information included in the content acquisition request is compared with the session management information to confirm the validity of the content acquisition request, and the content acquisition is confirmed. Content providing means for acquiring a group ID corresponding to the requested session information from the session management information, and referring to the content browsing management information, and transmitting content information that can be browsed with the group ID to the client system of the content acquisition request source; Have.

  At this time, the client system is further provided with an RFID tag reader unit that reads identification information unique to the target from the RFID tag attached to the target, and the content acquisition request unit is configured to transmit the content acquisition request by the RFID tag reader unit. The read identification information is added to the content acquisition request and transmitted. When transmitting the content information, the content providing means can browse by group ID among the content information corresponding to the identification information added to the content acquisition request. You may make it transmit content information to the client system of a content acquisition request origin.

  Further, when the content providing unit provides the content information in response to the content acquisition request, the session information generating unit generates new session information corresponding to the group ID, and sets the session information and the group ID. May be stored in the storage unit, and new session information may be transmitted as session information for the next content acquisition request to the client system of the content acquisition request source together with the content information.

  According to the present invention, in response to a connection confirmation request from the authentication server based on a connection request from the client system, session information is generated for each connection confirmation request by the content providing server and notified to the client system via the authentication server. In response to the content acquisition request from the client system using the session information, after the validity is confirmed by the session information in the content providing server, the content information that can be browsed by the group ID included in the content acquisition request is The client system 1 is notified.

Further, in response to a connection confirmation request from the authentication server based on the connection request from the client system, the content providing server notifies the client system of content information that can be browsed with the group ID of the connection confirmation request.
Therefore, it is possible to confirm the legitimacy of access from the user on the content providing server based on the session information used in the content acquisition request while realizing anonymous access from the user to the content providing server by group management in the authentication server.

Next, embodiments of the present invention will be described with reference to the drawings.
[First Embodiment]
First, a content providing system according to a first embodiment of the present invention will be described with reference to FIG. FIG. 1 is a block diagram showing the configuration of the content providing system according to the first embodiment of the present invention.
The content providing system includes one or more client systems 1, one or more authentication servers 2, and one or more content providing servers 3. The client system 1, the authentication server 2, and the content Providing servers 3 are connected to each other via a communication network 4.

  The client system 1 is composed of one or more communication terminals capable of data communication via a communication network 4 and is a system used by a user to acquire desired content. The content providing server 3 is a server device that provides content that can be browsed by a group to which the user belongs among the content specified in response to a content acquisition request from the user. The authentication server 2 is a server device that confirms the validity of the client system in response to a request from the client system 1.

  In the present embodiment, the content providing server 3 is provided with session information generating means for generating session information corresponding to the group to which the client system 1 belongs, and authentication according to a connection request from the client system 1 whose validity has been confirmed. When receiving a connection confirmation request from the server 2, the content providing server 3 confirms the validity of the authentication server 2, generates session information for each connection confirmation request, and sets the group ID included in the connection request. The set is stored and notified to the client system 1 via the authentication server 2, and the session information is sent from the content providing server 3 to the client system 1 in response to the content acquisition request from the client system 1 using the session information. That can be viewed with the group ID paired with It is obtained so as to provide a Ntsu.

[Client system]
Next, the configuration of the client system 1 used in the content providing system according to the first embodiment of the present invention will be described in detail with reference to FIG. FIG. 2 is a block diagram showing a configuration of a client system used in the content providing system according to the first embodiment of the present invention. Here, the case where the client system 1 is comprised from one communication terminal is demonstrated as an example.

  The client system 1 includes an information processing apparatus that realizes various functions by performing information processing by a computer as a whole, such as a general personal computer, a PDA (Personal Digital Assistant), or a portable terminal. (Hereinafter referred to as communication I / F unit) 11, screen display unit 12, operation input unit 13, storage unit 14, information processing unit 15, and RFID (Radio Frequency IDentification) tag reader unit 16.

  The communication I / F unit 11 is a circuit unit that transmits and receives various data to and from the authentication server 2 and the content providing server 3 via the communication network 4. The screen display unit 12 includes an LCD, a CRT, and the like, and is a screen display device that displays an operation input screen and acquired content on the screen in response to an instruction from the information processing unit 15. The operation input unit 13 includes a keyboard and a mouse, and is an operation input device that detects a user operation and outputs the detected operation to the information processing unit 15. The RFID tag reader unit 16 is a circuit unit that reads identification information specific to a target from an RFID tag attached to the target via wireless communication and outputs the identification information to the information processing unit 15.

The storage unit 14 includes a hard disk and a memory, and is a storage device that stores various information and programs 14P used for processing in the information processing unit 15. The information and the program 14P are read in advance from an external device or a recording medium via the communication I / F unit 11 or other input / output interface (not shown), and stored in the storage unit 14, for example.
Main information stored in the storage unit 14 includes user management information 14A, content providing server ID information 14B, and client certificate information 14C.

As shown in FIG. 3, the user management information 14 </ b> A includes a set of a user ID (login name) of the user and its password, and is used when authenticating and confirming the user who uses the client system 1.
As shown in FIG. 4, the content providing server ID information 14B is unique identification information pre-assigned to the content providing server 3 that can acquire content from the client system 1, and makes a connection request to the authentication server 2. This is used when the content providing server 3 is designated.

The client certificate information 14C is information including information specifying the client system 1 including the domain name of the client system 1 and a hash value obtained from the information content, and includes communication data such as SSL (Secure Sockets Layer). It is similar to a client certificate used in a general encryption protocol that prevents communication interception and tampering by performing encryption and authentication.
The client certificate information 14 </ b> C is used as information for proving the validity of the client system 1 when making a connection request to the authentication server 2.

The information processing unit 15 includes a microprocessor such as a CPU and its peripheral circuits, and reads and executes the program 14P in the storage unit 14 to realize various functional units by cooperating the hardware and the program. It is a functional part.
As main functional means realized by the information processing unit 15, there are a user authentication means 15A, a connection request means 15B, a content acquisition request means 15C, and a content output means 15D.

The user authentication unit 15A has a function of authenticating a user who has made a content acquisition instruction with reference to the user management information 14A.
The connection request unit 15B has a function of making a connection request for content acquisition to the authentication server 2.
The content acquisition request unit 15C has a function of acquiring desired content information from the content providing server 3 based on the session information acquired by the connection request.

[Authentication Server]
Next, the configuration of the authentication server 2 used in the content providing system according to the first embodiment of the present invention will be described in detail with reference to FIG. FIG. 5 is a block diagram showing a configuration of an authentication server used in the content providing system according to the first embodiment of the present invention.
The authentication server 2 includes a service providing server that realizes various service functions by performing information processing by a computer as a whole, and includes a communication interface unit (hereinafter referred to as a communication I / F unit) 21, a screen display unit 22, an operation input. Unit 23, storage unit 24, and information processing unit 25.

  The communication I / F unit 21 is a circuit unit that transmits and receives various data to and from the client system 1 and the content providing server 3 via the communication network 4. The screen display unit 22 includes an LCD, a CRT, and the like, and is a screen display device that displays an operation input screen and acquired content on the screen in response to an instruction from the information processing unit 25. The operation input unit 23 is an operation input device that includes a keyboard, a mouse, and the like and detects an operator's operation and outputs the operation to the information processing unit 25.

The storage unit 24 includes a hard disk and a memory, and is a storage device that stores various information and programs 24P used for processing in the information processing unit 25. The information and the program 24P are read in advance from an external device or a recording medium via the communication I / F unit 21 or another input / output interface (not shown), for example, and stored in the storage unit 24.
Main information stored in the storage unit 24 includes access-permitted client information 24A, user group information 24B, connection confirmation connection destination information 24C, and authentication server certificate information 24D.

As shown in FIG. 6, the access-permitted client information 24 </ b> A includes information unique to the client system 1 that is permitted to access the authentication server 2, for example, domain information of the client system 1, and accesses the authentication server 2. It is used to determine whether or not the client system 1 that has been accessed can be accessed and to confirm its validity.
As shown in FIG. 7, the user group information 24B includes a user ID unique to the user, a content provision server ID unique to the content provision server 3 accessible by the user, and a group ID of the group to which the user belongs. It is used when acquiring the group ID corresponding to the user ID.

As shown in FIG. 8, the connection confirmation connection destination information 24 </ b> C includes a set of content provision server ID and connection destination information used when requesting connection confirmation from the content provision server 3, and is specified by the client system 1. This is used when determining the transmission destination of the connection confirmation request according to the content providing server ID.
The authentication server certificate information 24D is information consisting of information specifying the authentication server 2 including the domain name of the authentication server 2 and a hash value obtained from the information content, and communication data such as SSL (Secure Sockets Layer). This is similar to a client certificate used in a general encryption protocol that prevents communication interception and tampering by performing encryption and authentication. The authentication server certificate information 24D is used as information for proving the validity of the authentication server 2 when making a connection confirmation request to the content providing server 3.

The information processing unit 25 includes a microprocessor such as a CPU and its peripheral circuits, and reads and executes the program 24P of the storage unit 24, thereby realizing various functional units by cooperating the hardware and the program. It is a functional part.
As main functional means realized by the information processing section 25, there are a client confirmation means 25A, a connection confirmation request means 25B, and a notification transfer means 25C.

The client confirmation unit 25A has a function of confirming the validity of the client system 1 that is the connection request source with reference to the access-permitted client information 24A.
The connection confirmation request unit 25B refers to the user group information 24B to acquire the group ID of the client system 1 that is the connection request source, and to confirm whether or not the user of the group can acquire the content from the content providing server 3. The connection confirmation request is transmitted to the content providing server 3.
The notification transfer unit 25C has a function of transferring the connection permission notification notified from the content providing server 3 to the client system 1 that is the connection request source.

[Content provision server]
Next, the configuration of the content providing server 3 used in the content providing system according to the first embodiment of the present invention will be described in detail with reference to FIG. FIG. 9 is a block diagram showing a configuration of a content providing server used in the content providing system according to the first embodiment of the present invention.
The content providing server 3 is composed of a service providing server that realizes various service functions by performing information processing by a computer as a whole, and includes a communication interface unit (hereinafter referred to as a communication I / F unit) 31, a screen display unit 32, an operation An input unit 33, a storage unit 34, and an information processing unit 35 are provided.

  The communication I / F unit 31 is a circuit unit that transmits and receives various data to and from the client system 1 and the authentication server 2 via the communication network 4. The screen display unit 32 is composed of an LCD, a CRT, or the like, and is a screen display device that displays an operation input screen or acquired content on the screen in response to an instruction from the information processing unit 35. The operation input unit 33 is an operation input device that includes a keyboard, a mouse, and the like, detects an operator's operation, and outputs the operation to the information processing unit 35.

The storage unit 34 includes a hard disk and a memory, and is a storage device that stores various types of information and programs 34P used for processing in the information processing unit 35. The information and the program 34P are read in advance from an external device or a recording medium via the communication I / F unit 31 or another input / output interface (not shown), and stored in the storage unit 34, for example.
Main information stored in the storage unit 34 includes access permission authentication server information 34A, session management information 34B, content browsing management information 34C, and content information 34D.

As shown in FIG. 10, the access-permitted authentication server information 34A includes information unique to the authentication server 2 that is permitted to access the content providing server 3, for example, domain information of the authentication server 2, and the content providing server 3 is used to determine whether or not the access to the authentication server 2 that has accessed 3 is permitted and to confirm its validity.
As shown in FIG. 11, the session management information 34B is composed of a set of session information generated for each connection confirmation request from the authentication server 2 and a group ID indicating a group to which the content providing user belongs. This is used when confirming the validity of the request based on the session information included in the content acquisition request from the user and confirming the group ID of the requesting user.

As shown in FIG. 12, the content browsing management information 34 </ b> C includes a group ID of a group to which the user belongs and information indicating whether or not each content information can be browsed by the user of the group, and the content to be provided to the client system 1. Used when selecting.
The content information 34D includes various types of content provided to the user, and includes information associated with the target identification information read from the RFID tag, for example, information such as the product name, manufacturer code, and inventory quantity of the target article. .

The information processing unit 35 includes a microprocessor such as a CPU and its peripheral circuits, and reads and executes the program 34P of the storage unit 34, thereby realizing various functional means by cooperating the hardware and the program. It is a functional part.
As main functional means realized by the information processing section 35, there are an authentication server confirmation means 35A, a session information generation means 35B, and a content provision means 35C.

The authentication server confirmation unit 35A has a function of confirming the validity of the authentication server 2 that is the connection confirmation request source with reference to the access permission authentication server information 34A.
The session management information generating unit 35B has a function of generating session information for each connection confirmation request from the authentication server 2, a function of storing a set of the group ID and session information as session management information 34B, and the session information. And a function of transmitting a connection permission notification to the authentication server 2 as a connection confirmation request source.

  The content providing unit 35C refers to the session management information 34B and confirms the validity of the content acquisition request from the client system 1, and the group corresponding to the content acquisition request session information with reference to the content browsing management information 34C. It has a function of generating content information for providing content information that can be browsed by ID from the content information 34D, and a function of transmitting the content information for provision to the client system 1 that is the content acquisition request source.

[Operation of First Embodiment]
Next, the operation of the content providing system according to the first embodiment of the present invention will be described with reference to FIG. FIG. 13 is a sequence diagram showing a content providing process of the content providing system according to the first embodiment of the present invention.

  The information processing unit 15 of the client system 1 authenticates the user by the user authentication unit 15A in response to the content acquisition instruction from the user detected by the operation input unit 13 (step 100). At this time, the user authentication unit 15A first displays a user ID and password input screen for user authentication on the screen display unit 12, and the operation input unit 13 sets a combination of the user ID and password input by the user. To detect. Then, by checking this set with each set of the user management information 14A in the storage unit 14, it is confirmed whether or not the user is a valid user who can acquire content.

  When the validity of the user is confirmed, the information processing unit 15 makes a connection request for content acquisition to the authentication server 2 by the connection request unit 15B (step 101). At this time, the connection request unit 15B acquires the content providing server ID of the content acquisition destination designated by the user operation or set in advance from the content providing server ID information 14B of the storage unit 14, and also the client of the storage unit 14 The communication I / F unit 11 acquires the certificate information 14C and sends a connection request including the information and the user ID of the user to the authentication server 2 designated by the user or associated with the client system 1 in advance. Send from.

  On the other hand, the information processing unit 25 of the authentication server 2 is the connection request source from the client confirmation unit 25A in response to a connection request from the client system 1 received by the communication I / F unit 21 via the communication network 4. The validity of the client system 1 is confirmed (step 102). At this time, the client confirmation unit 25A first compares the hash value calculated from the client certificate included in the connection request with the hash value included in the certificate to determine the client certificate and the connection request. Check validity. Then, after confirming this validity, the client system 1 accesses the authentication server 2 by comparing the access-permitted client information 24A in the storage unit 24 with the domain name of the client system 1 included in the connection request. Check if it is a valid client.

  After confirming the validity of the connection request source client system 1 in this way, the information processing unit 25 acquires content from the content providing server 3 designated by the connection request by the connection confirmation requesting unit 25B. A connection confirmation request for confirming whether or not this is possible in advance is performed (steps 103 and 104).

At this time, the connection confirmation request unit 25B first refers to the user group information 24B in the storage unit 24 and searches for a group ID corresponding to the set of the user ID and the content providing server ID included in the connection request. Then, with reference to the connection confirmation connection destination information 24C in the storage unit 24, a connection confirmation URL corresponding to the content providing server ID included in the connection request is searched (step 103).
Next, the connection confirmation requesting unit 25B acquires the authentication server certificate information 24D in the storage unit 24, and the connection confirmation request including the authentication server certificate information 24D and the group ID is designated by the connection confirmation URL. It transmits from the communication I / F unit 11 to the content providing server 3 (step 104).

On the other hand, the information processing unit 35 of the content providing server 3 receives the connection confirmation request from the authentication server 2 received by the communication I / F unit 31 via the communication network 4 by the server authentication unit 35A. The validity of the authentication server 2 is confirmed (step 105).
At this time, the server authentication means 35 first compares the hash value calculated from the authentication server certificate included in the connection confirmation request with the hash value included in the certificate, and the authentication server certificate Check the validity of the connection confirmation request. After confirming this validity, the server authentication means 35A compares the access permission authentication server information 34A in the storage unit 34 with the domain name of the authentication server 2 included in the connection confirmation request, and the authentication server 2 It is confirmed whether or not the authentication server is a legitimate authentication server that can access the content providing server 3.

After confirming the validity of the authentication server 2 that is the connection confirmation request source in this way, the information processing unit 35 uses the session information generation unit 35B to execute a session for acquiring a content for each connection confirmation request from the authentication server 2. Information is generated and notified (steps 106 and 107).
At this time, the session information generating unit 35B first compares the group ID included in the connection confirmation request from the authentication server 2 whose validity has been confirmed with the content browsing management information 34C in the storage unit 34, thereby comparing the group ID. Check the validity of the ID.

  After confirming the validity of the group ID, the session information generating unit 35B generates session information for each connection confirmation request from the authentication server 2, and sets the combination of the session information and the group ID in the session management information in the storage unit 34. 34B is stored (step 106). At this time, the session information is not generated for each group, but is generated for each connection confirmation request. Therefore, when there are parallel connection confirmation requests according to connection requests from users belonging to the same group, two session information pairs with the same group are generated and stored in the session management information 34B. Then, the session information generation unit 35B communicates a connection permission notification including this session information and a content acquisition URL that is connection destination information for content acquisition in the content providing server 3 to the authentication server 2 that is the connection confirmation request source. / F unit 31 transmits (step 107).

The information processing unit 25 of the authentication server 2 receives the connection permission notification from the content providing server 3 at the communication I / F unit 21 via the communication network 4, and the connection transfer source 25C sends the connection permission notification to the connection request source. To the client system 1 from the communication I / F unit 21 (step 108).
The information processing unit 15 of the client system 1 is included in the connection permission notification by the content acquisition request unit 15C in response to the connection permission notification from the authentication server 2 received by the communication I / F unit 11 via the communication network 4. The content acquisition request is sent to the content providing server 3 using the session information (steps 109 and 110).

  At this time, the content acquisition request unit 15C first reads identification information specific to the object from the RFID tag attached to the object via wireless communication by the RFID tag reader unit 16 (step 109). A content acquisition request including session information included in the connection permission notification is transmitted from the communication I / F unit 11 to the content providing server 3 specified by the content acquisition URL included in the connection permission notification. (Step 110).

On the other hand, in response to the content acquisition request from the client system 1 received by the communication I / F unit 31 via the communication network 4, the content providing server 3 uses the content providing unit 35C to confirm the validity of the content acquisition request and Content information is provided (steps 111 to 114).
At this time, the content providing unit 35C first compares the session information included in the content acquisition request with the session management information 34B of the storage unit 34, and verifies the validity of the content acquisition request according to the presence or absence of the registration. Confirm (step 111).

  When the validity of the content acquisition request is confirmed, the content providing unit 35C refers to the content browsing management information 34C in the storage unit 34 and confirms the content information that can be browsed with the group ID paired with the session information. To do. Subsequently, referring to the content information 34D in the storage unit 34, the content information 34D that can be browsed in the ID group is selected from the content information corresponding to the identification information included in the content acquisition request, and provided. Content information is generated (step 112).

  In addition, the content providing unit 35C generates new session information used for the next content acquisition request from the client system 1 by the session information generating unit 35B, and sets the combination of the session information and the group ID in the session of the storage unit 34. Stored in the management information 34B (step 113). Then, the content providing unit 35C transmits a content notification including the generated providing content information and new session information from the communication I / F unit 31 to the client system 1 that is the content acquisition request source (step 114).

The information processing unit 15 of the client system 1 receives the content notification from the content providing server 3 at the communication I / F unit 11 via the communication network 4, and the content output unit 15D provides the content notification included in the content notification. Content information is acquired and displayed on the screen display unit 12 (step 115).
Thereby, in the client system 1, only the content information that can be browsed by the user group among the content information corresponding to the identification information read from the RFID tag by the RFID tag reader unit 16 is displayed on the screen as information related to the target, and the user Provided to.

  As described above, in this embodiment, the authentication server 2 stores the user group information 24B for storing the group ID of the group to which each user belongs, and acquires desired content from the client system 1 to the content providing server 3. Session information generation means 35B for generating session information for authentication, and a connection including the group ID of the user acquired from the user group information 24B in the authentication server 2 in response to a connection request from the client system 1 whose validity has been confirmed A confirmation request is transmitted to the content providing server 3, and in response to the connection confirmation request from the authentication server 2 whose validity has been confirmed, the content providing server 3 generates session information for each connection confirmation request by the session information generating means 35. Set the session information and group ID. Stored as tio emission management information 34B, it is obtained so as to notify the session information through the authentication server 2 to the client system 1.

Then, in response to the content acquisition request from the client system 1 using the session information, the content providing server 3 refers to the session management information 34B to confirm the validity of the content acquisition request, and is included in the content acquisition request. The content information that can be browsed by ID is notified to the client system 1.
Therefore, while the anonymous management from the user to the content providing server 3 is realized by the group management in the authentication server 2, the content providing server 3 can confirm the legitimacy of the access from the user by the session information used in the content acquisition request.

  In the present embodiment, the client system 1 is provided with an RFID tag reader unit 16 that reads identification information specific to the target from an RFID tag attached to the target, and when a content acquisition request is transmitted from the client system 1, Among the pieces of content information corresponding to the identification information added to the content acquisition request when the content information is transmitted by the content providing server 3 when the identification information read by the RFID tag reader unit 16 is transmitted. The content information that can be browsed by the group ID is provided to the client system 1 of the content acquisition request source.

Therefore, among the content information related to the target corresponding to the identification information of the RFID tag attached to the target, it is possible to easily acquire the content information within a range that can be browsed by the group while maintaining the anonymity of the user. .
For example, when the content providing system according to the present embodiment is applied as a product management system for a supermarket store, it is only necessary to group in advance according to each job title and authority such as the store owner, store manager, employee, part-time job, For example, content browsing control of providing content information related to stock and purchase or providing only content information related to product names can be realized very easily while ensuring anonymity of the user.

  Further, in this embodiment, when providing content information in response to a content acquisition request, the content providing server 3 generates new session information for the next content acquisition request, and the new session information Since session management information consisting of a pair with a group ID is stored in the storage unit and transmitted to the client system 1 as a content acquisition request source together with new session information, generation of session information used in the next content acquisition request and It is not necessary to exchange a connection request or a connection confirmation request for notification, and the processing load can be reduced.

Further, when notifying the session information for the next content acquisition request, new session information different from the previously used session information is generated and notified, so that higher security can be obtained. Depending on the required security, the same session information as the previous session may be used as the next session information.
As a management method for session information, for example, a set of session information that has not been accessed for a certain period of time may be deleted from the session management information 34B, or when new session information is generated for each content acquisition, Information may be deleted.

  In this embodiment, when the authentication server 2 searches for a group ID corresponding to the user ID in response to a connection request from the client system 1, the group ID is searched only by the user ID without using the content providing server ID. May be. Alternatively, the group ID may be searched by adding the terminal ID of the client system 1 to the combination of the user ID and the content providing server ID, and finer content browsing control can be realized. In addition, when all the content providing servers 3 perform content browsing control using the same group ID, only the user ID can be used as a search key.

  In the present embodiment, the access permission client information 24A, the access permission authentication server information 34A, and further the client certificate and the authentication server certificate are used in order to confirm the validity of the client system and the authentication server. Means for confirming validity is not limited to these, and other validity confirmation means may be used according to the security level required for the content providing system.

[Second Embodiment]
Next, a content providing system according to the second embodiment of the present invention will be described with reference to FIG. FIG. 14 is a sequence diagram showing a content providing process of the content providing system according to the second embodiment of the present invention.
In the first embodiment described above, the case where session information is acquired prior to content acquisition has been described, but in this embodiment, a connection request and connection for session information acquisition in the first embodiment are described. In response to the confirmation request, desired content information is provided from the content providing server 3 to the client system 1 via the authentication server 2.

  The configuration of the content providing system according to the present embodiment is the same as that shown in FIG. In addition, the content acquisition request unit 15C and the session information generation unit 35B are not required among the configurations of the client system 1 (see FIG. 2), the authentication server 2 (see FIG. 5), and the content providing server 3 (see FIG. 9). Other configurations are substantially the same as those in the first embodiment, and detailed description thereof is omitted here.

[Operation of Second Embodiment]
Next, the operation of the content providing system according to the second embodiment of the present invention will be described with reference to FIG.

  The information processing unit 15 of the client system 1 authenticates the user by the user authentication unit 15A in response to the content acquisition instruction from the user detected by the operation input unit 13 (step 120). At this time, the user authentication unit 15A first displays a user ID and password input screen for user authentication on the screen display unit 12, and the operation input unit 13 sets a combination of the user ID and password input by the user. To detect. Then, by verifying this set and each set of the user management information 14A in the storage unit 14, it is authenticated whether or not the user is a valid user who can acquire content.

When the legitimacy of the user is authenticated, the information processing unit 15 uses the RFID tag reader unit 16 to read identification information specific to the target from the RFID tag attached to the target via wireless communication (step 121).
Next, the information processing unit 15 makes a connection request for content acquisition to the authentication server 2 by the connection request unit 15B (step 122).

  At this time, the connection request unit 15B acquires the content providing server ID of the content acquisition destination designated by the user operation or set in advance from the content providing server ID information 14B of the storage unit 14, and The client certificate information 14C is acquired, and a connection request including the information, the user ID of the user, and the identification information read by the RFID tag reader unit 16 is designated by the user or associated with the client system 1 in advance. Is transmitted from the communication I / F unit 11 to the existing authentication server 2.

  On the other hand, the information processing unit 25 of the authentication server 2 responds to the connection request from the client system 1 received by the communication I / F unit 21 via the communication network 4 from the client confirmation unit 25A with the client connection request source. The validity of a certain client system 1 is confirmed (step 123). At this time, the client confirmation unit 25A first compares the hash value calculated from the client certificate included in the connection request with the hash value included in the certificate to determine the client certificate and the connection request. Check validity. Then, after confirming this validity, the client system 1 accesses the authentication server 2 by comparing the access-permitted client information 24A in the storage unit 24 with the domain name of the client system 1 included in the connection request. Authenticate whether it is a valid client.

After confirming the validity of the connection request source client system 1 in this way, the information processing unit 25 acquires content from the content providing server 3 designated by the connection request by the connection confirmation requesting unit 25B. A connection confirmation request for confirming whether or not this is possible in advance is performed (steps 124 and 125).
At this time, the connection confirmation request unit 25B first refers to the user group information 24B in the storage unit 24 to search for a group ID corresponding to the user ID included in the connection request, and for connection confirmation in the storage unit 24. The connection confirmation URL corresponding to the content providing server ID included in the connection request is searched with reference to the connection destination information 24C (step 124).
Next, the connection confirmation request unit 25B acquires the authentication server certificate information 24D in the storage unit 24, and connects the connection confirmation request including the authentication server certificate information 24D, the group ID, and the identification information of the connection request. It is transmitted from the communication I / F unit 11 to the content providing server 3 specified by the confirmation URL (step 125).

On the other hand, the information processing unit 35 of the content providing server 3 receives the connection confirmation request from the authentication server 2 received by the communication I / F unit 31 via the communication network 4 by the server authentication unit 35A. The authenticity of the authentication server 2 is confirmed (step 126).
At this time, the server authentication means 35 first compares the hash value calculated from the authentication server certificate included in the connection confirmation request with the hash value included in the certificate, and the authentication server certificate Check the validity of the connection confirmation request. After confirming this validity, the server authentication means 35A compares the access permission authentication server information 34A in the storage unit 34 with the domain name of the authentication server 2 included in the connection confirmation request, and the authentication server 2 It is confirmed whether or not the authentication server is a legitimate authentication server that can access the content providing server 3.

In this manner, after confirming the validity of the authentication server 2 that is the connection confirmation request source, the information processing unit 35 confirms the validity of the content acquisition request and provides the desired content information by the content providing unit 35C ( Steps 127, 128).
At this time, the content providing unit 35C first compares the group ID included in the connection confirmation request from the authentication server 2 whose validity has been confirmed with the content browsing management information 34C in the storage unit 34, thereby comparing the group ID. Check the validity of.

  After confirming the validity of the group ID, the content providing unit 35 </ b> C refers to the content browsing management information 34 </ b> C in the storage unit 34 and confirms the content information that can be browsed with the group ID. Subsequently, referring to the content information 34D in the storage unit 34, the content information 34D that can be browsed by the ID group is selected from the content information corresponding to the identification information included in the connection confirmation request, and provided. Content information is generated (step 127). Then, the content providing unit 35C transmits a content notification including the generated providing content information from the communication I / F unit 31 to the authentication server 2 that is the connection confirmation request source (step 128).

  The information processing unit 25 of the authentication server 2 receives the content notification from the content providing server 3 by the communication I / F unit 21 via the communication network 4, and the notification transfer unit 25C sends the content notification to the connection request source client. The data is transferred from the communication I / F unit 21 to the system 1 (step 129).

The information processing unit 15 of the client system 1 receives the content notification from the authentication server 2 by the communication I / F unit 11 via the communication network 4, and is provided for provision included in the content notification by the content output unit 15D. Content information is acquired and displayed on the screen display unit 12 (step 130).
Thereby, in the client system 1, the content information corresponding to the identification information read from the RFID tag by the RFID tag reader unit 16 is displayed on the screen as information related to the target and provided to the user.

As described above, in this embodiment, the authentication server 2 stores the user group information 24B for storing the group ID of the group to which each user belongs, and responds to the connection request from the client system 1 whose validity has been confirmed. The authentication server 2 transmits a connection confirmation request including the group ID of the user acquired from the user group information 24B to the content providing server 3, and provides the content in response to the connection confirmation request from the authentication server 2 whose validity has been confirmed. The server 3 notifies the client system 1 of content information that can be browsed by the group ID of the connection confirmation request via the authentication server 2.
Accordingly, since the group management at the authentication server 2 enables anonymous access from the user to the content providing server 3, the connection confirmation request is accepted only from the authentication server 2 whose validity has been confirmed. Content information can be provided only for.

In the present embodiment, the client system 1 is provided with an RFID tag reader unit 16 that reads identification information specific to the target from an RFID tag attached to the target. When the client system 1 transmits a connection request, the RFID tag reader 16 is provided. The identification information read by the tag reader unit 16 is added to the connection request and transmitted, and when the content providing server 3 transmits the content information, it is added to the connection confirmation request from the authentication server 2 according to the connection request. Of the content information corresponding to the identification information, the content information that can be browsed by the group ID is provided to the connection requesting client system.
Therefore, among the content information related to the target corresponding to the identification information of the RFID tag attached to the target, it is possible to easily acquire the content information within a range that can be browsed by the group while maintaining the anonymity of the user. .

  Also, in this embodiment, compared with the first embodiment described above, the procedure for acquiring session information that is performed prior to content acquisition can be omitted, and the process for acquiring session information can be omitted. The burden and network load can be reduced.

  In each of the above embodiments, the case where the content providing server ID is transmitted in response to a connection request from the client system 1 has been described as an example. However, a connection confirmation URL may be transmitted instead of the content providing server ID. Good. This eliminates the need for the connection destination information 24C for connection confirmation to be managed by the authentication server 2. In this case, the content providing server ID information 14B of the client system 1 may hold the connection confirmation URL instead of the content providing server ID, and the user group information 24B of the authentication server 2 connects instead of the content providing server ID. A confirmation URL may be used.

Further, in each of the embodiments described above, the description of the processing when authentication or validity is not obtained has been omitted. However, in reality, when authentication or validity is not obtained, the processing is placed in each processing. Thus, appropriate error handling, for example, a message indicating that authentication or validity cannot be obtained is returned to the request source or the transmission source.
In each of the above embodiments, the case where user authentication is performed using a user ID and a password has been described as an example. However, for example, biometric authentication technology using user biometric information (biometrics) such as fingerprint authentication. Other authentication techniques such as may be used.

It is a block diagram which shows the structure of the content provision system concerning the 1st Embodiment of this invention. It is a block diagram which shows the structure of the client system used with the content provision system concerning the 1st Embodiment of this invention. It is an example of composition of user management information used with a client system. It is an example of composition of contents offer server ID information used with a client system. It is a block diagram which shows the structure of the authentication server used with the content provision system concerning the 1st Embodiment of this invention. It is a structural example of the access permission client information used with an authentication server. It is a structural example of the user group information used with an authentication server. It is a structural example of the connection destination information for connection confirmation used with an authentication server. It is a block diagram which shows the structure of the content provision server used with the content provision system concerning the 1st Embodiment of this invention. It is an example of a structure of the access permission authentication server information used with a content provision server. It is a structural example of the session management information used with a content provision server. It is a structural example of the content browsing management information used with a content provision server. It is a sequence diagram which shows the content provision process of the content provision system concerning the 1st Embodiment of this invention. It is a sequence diagram which shows the content provision process of the content provision system concerning the 2nd Embodiment of this invention.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 ... Client system, 11 ... Communication I / F part, 12 ... Screen display part, 13 ... Operation input part, 14 ... Memory | storage part, 14A ... User management information, 14B ... Content provision server ID information, 14C ... Client certificate information , 14P ... program, 15 ... information processing section, 15A ... user authentication means, 15B ... connection request means, 15C ... content acquisition request means, 15D ... content output means, 16 ... RFID tag reader section, 2 ... authentication server, 21 ... communication I / F unit, 22 ... screen display unit, 23 ... operation input unit, 24 ... storage unit, 24A ... access permission client information, 24B ... user group information, 24C ... connection destination information for connection confirmation, 24D ... authentication server certificate Information, 24P ... Program, 25 ... Information processing section, 25A ... Client confirmation means, 25B ... Connection confirmation request means 25C ... notification transfer means, 3 ... content providing server, 31 ... communication I / F unit, 32 ... screen display unit, 33 ... operation input unit, 34 ... storage unit, 34A ... access permission authentication server information, 34B ... session management information , 34C ... content browsing management information, 34D ... content information, 34P ... program, 4 ... communication network.

Claims (4)

One or more content providing servers that provide various types of content information on a communication network, one or more client systems that provide users with desired content information acquired via the communication network, and the communication network via the communication network And a content providing system that provides content information from the content providing server only to a client system that has been validated by the authentication server. ,
The client system transmits a connection request including a user ID of the user to the authentication server, and a content acquisition request including session information included in a connection permission notification from the authentication server to the content providing server. Content acquisition request means for transmitting and acquiring desired content information;
The authentication server includes a storage unit that stores user group information including a set of a user ID of the user and a group ID of a group to which the user belongs, and validity of the client system in response to a connection request from the client system. Client confirmation means for confirming the content, a group ID corresponding to the user ID of the connection request from the client system whose validity has been confirmed is acquired from the user group information, and the content from the content providing server by the user of the group Connection confirmation request means for transmitting a connection confirmation request including the group ID to the content providing server for confirmation of acquisition availability, and notification transfer for transferring a connection permission notification from the content providing server to the connection request source client system Means,
The content providing server includes a storage unit that stores content browsing management information indicating content information that can be browsed by a user of the group for each group ID, and an authentication server valid in response to a connection confirmation request from the authentication server. Session information is generated for each connection confirmation request from the authentication server confirmation means for confirming the authenticity and the authentication server for which the validity is confirmed, and a set of the session information and the group ID included in the connection confirmation request is obtained. Session information generating means for storing connection management information as session management information in the storage unit and transmitting a connection permission notification including the session information to the authentication server that is the connection confirmation request source, and the content according to the content acquisition request from the client system Session information included in the acquisition request and the session management information The validity of the content acquisition request is confirmed by comparing, the group ID corresponding to the session information of the content acquisition request for which the validity is confirmed is acquired from the session management information, and the content browsing management information is referred to Content providing means for transmitting content information that can be browsed by the group ID to the client system of the content acquisition request source. One or more content providing servers for providing various types of content information to a user's client system on a communication network, and one or more authentication servers for confirming the validity of the client system via the communication network, A content providing system that provides content information from the content providing server only to a client system whose validity is confirmed by an authentication server,
The authentication server includes a storage unit that stores user group information including a set of a user ID of the user and a group ID of a group to which the user belongs, and validity of the client system in response to a connection request from the client system. Client confirmation means for confirming the content, a group ID corresponding to the user ID of the connection request from the client system whose validity has been confirmed is acquired from the user group information, and the content from the content providing server by the user of the group Connection confirmation request means for transmitting a connection confirmation request including the group ID to the content providing server for confirmation of acquisition availability, and notification transfer for transferring a connection permission notification from the content providing server to the connection request source client system Means,
The content providing server includes a storage unit that stores content browsing management information indicating content information that can be browsed by a user of the group for each group ID, and an authentication server valid in response to a connection confirmation request from the authentication server. Session information is generated for each connection confirmation request from the authentication server confirmation means for confirming the authenticity and the authentication server for which the validity is confirmed, and a set of the session information and the group ID included in the connection confirmation request is used as a session. Session information generating means for storing the connection permission notification including the session information to the storage unit as management information, and transmitting the content in response to the content acquisition request from the client system Session information included in the request and the session management information The validity of the content acquisition request is confirmed by comparing, the group ID corresponding to the session information of the content acquisition request for which the validity is confirmed is acquired from the session management information, and the content browsing management information is referred to Content providing means for transmitting content information that can be browsed by the group ID to the client system of the content acquisition request source. The content providing system according to claim 1 or 2,
The client system further includes an RFID tag reader unit that reads identification information specific to the target from an RFID tag attached to the target,
When the content acquisition request means transmits the content acquisition request, the content acquisition request means adds the identification information read by the RFID tag reader unit to the content acquisition request and transmits it.
When the content providing means transmits the content information, content information that can be browsed by the group ID among the content information corresponding to the identification information added to the content acquisition request is the client system of the content acquisition request source A content providing system characterized by being transmitted to. The content providing system according to claim 1 or 2,
When providing the content information in response to the content acquisition request, the content providing means generates new session information by the session information generating means, and session management comprising a set of the new session information and the group ID Information is stored in the storage unit, and the new session information is transmitted as session information for the next content acquisition request to the content acquisition request source client system together with the content information.

Images