1. Field of the Invention
The present invention relates to a peripheral device compatible with a network, an information processing device for controlling this peripheral device, an information processing method, and a program therefor.
2. Description of the Related Art
In recent years, XML (eXtensible Markup Language), a structured markup language, has come into use in a broad range of fields including business document management, messaging, and databases, and its range of application continues to grow. A noteworthy example is its application to Web services, a distributed object model that uses the XML-based SOAP (Simple Object Access Protocol). Further, since the advent of Web services, a gradual shift from the conventional object oriented model to a service oriented architecture (SOA: Service Oriented Architecture) has been taking place.
Here, the term “service oriented architecture” refers to an architecture in which processing is divided into units called services, so that a business solution can be built and provided promptly, with high reliability and at low cost, by reusing and modifying existing services.
At the same time, strong security is required of business solutions. Particularly for business solutions built on a network, the protection of user information and user data, and further the identification and authentication of individuals, have become crucial issues. On the other hand, to improve the convenience and ease of use of network solutions, demand has grown for single sign-on, Federated Identity, and the like.
A service oriented architecture that uses Web services as its infrastructure is no exception: even for the same service, flexible handling, such as different authentication and authorization processing for each case, becomes necessary depending on the environment in which the service is used, the required security level, and the system configuration. For example, for user authentication alone there is a wide range of methods, such as simple password authentication, personal identification number (PIN) code authentication, integrated circuit (IC) card authentication, biometrics, and so forth. Also, when multiple services are integrated to build and provide a new service, the various differing authentication and authorization units must be integrated, and units that provide an environment such as single sign-on are demanded (for example, see Japanese Patent Laid-Open No. 2003-228509).
In other words, a solution has become necessary for meeting the conflicting demands of realizing strong security while retaining the efficiency and flexibility of the service oriented architecture.
Consider first an authentication model for a conventional service. As illustrated in FIG. 18A, one possible configuration builds into each service (service A or service B) its own database storing the authentication processing, authorization processing, and user authentication information. With this configuration, when the required authentication and authorization processing differs depending on how the service is used, the entire service must be remodeled to change the authentication database and to change the access restrictions and restrictive conditions, and the development and maintenance cost of doing so is high. Further, because each of the multiple services maintains its own authentication-authorization database, providing a function such as single sign-on or Federated Identity when previously developed services are combined to provide a new service is extremely difficult.
Next, a case will be described in which an external device (authentication processing device) performs authentication and authorization processing outside the multiple devices (services A and B) that provide the services, as illustrated in FIG. 18B. In this case, the authentication and authorization database can be shared among multiple services by means of the external device, but each device providing a service must implement the interface and protocol processing for communicating with the external device that performs the authentication and authorization processing. Thus, when the required authentication and authorization processing differs depending on how the service is used, the interface and protocol must be modified according to that requirement, or multiple interfaces and protocols must be implemented in each service. As in the former example, the development and maintenance cost is therefore high, and promptly providing a service that meets user requests has been extremely difficult.
Also, focusing on how the use limitations and access restrictions of the service are realized in FIG. 18B, a conventional method is, for example, to notify the service of a pre-existing or automatically generated token (a packet that circulates through the network) describing the service use and access restrictions that correspond to the user information registered in the authentication database of the external device. The service interprets the token and limits part or all of the provided service accordingly, thereby realizing the use limitations and access restrictions. Consequently, when multiple services are combined to build a new service, the token must be defined and generated anew for the new service, and the new service must newly implement a function for interpreting and processing the new token, so the development and maintenance costs have been extremely high.
This has been a hindrance to introducing the most appropriate security system at the most appropriate time, and has increased the possibility of incorrect use.