Many web services are provided through the Internet. A server (web server) provides a service in response to a request from a client terminal. Examples of such services include providing information through websites, providing web applications (application programs), and providing other kinds of information. Some web servers are configured to change the display layout or to decide whether to provide a service on a per-client-terminal basis.
A user agent (UA) given in an HTTP (HyperText Transfer Protocol) request header is often used as the means of determining the client terminal.
A web server can refer to the UA to determine the client terminal. Specifically, it can identify the type of web browser program being used (hereinafter also simply called a web browser or a browser) or the model name of the client terminal. However, it cannot determine, for example, which application, such as a web application, runs on the web browser.
Therefore, the web server cannot decide to provide a service to trusted applications and not to provide it to the others. To enable such a determination, a mechanism is required for notifying the web server of the feature of the calling application when an application running on the client terminal accesses the web server, that is, for example, when the client terminal makes a connection request to the web server through the Internet under the control of an application program installed on it. Note that the feature of an application means, for example, the origin of the application (specifically, for example, the creator of the application or an authority that has certified the creator).
An application feature is confirmed through a certification process, and a signature affixed to the application is often used in that process. The certification process verifies whether the certificate for the signature was issued by a trusted certificate authority (CA) to determine whether the application is trusted. Whether the CA is trusted is generally determined by a certificate called a root certificate, issued by a root certificate authority.
One conceivable method of notifying the web server of the application feature is to notify it of the result of a certification process executed by the client terminal. For example, the client terminal verifies an SSL (Secure Sockets Layer) certificate sent from web server A, thereby executing a certification process that determines whether an application provided by web server A is trusted. The application then sends the result of the certification process to web server B, its access destination. Based on the certification result it receives, web server B can determine whether the connection request comes from a trusted application and restrict access (restrict connection processing) accordingly.
Patent Literature (PTL) 1 discloses a system equipped with an access control server for determining the advisability of a connection to a service providing server.