In recent years, XML (eXtensible Markup Language), a structured language, has come to be used in applications such as the management and messaging of business documents and in databases, and its range of application continues to spread.
A typical example is its application to Web services as a distributed object model that exploits XML-SOAP (Simple Object Access Protocol). With the advent of Web services, a conversion from the conventional object-oriented model to a service-oriented architecture (SOA) is gradually being carried out.
SOA is an architecture that divides processes into units of Web services and can reuse and recombine existing Web services. Hence business solutions can be built and provided quickly while maintaining high reliability and low cost.
When providing business solutions, it is indispensable to build strong security. In business solutions built on the network, protection of user information and user data, and personal identification and authentication, have become important issues. These issues are no exception in an SOA based on Web services. Even for an identical Web service, flexibility is required to provide different authentication and authorization processes depending on conditions such as the environment, security level, and system configuration in which that Web service is used. For example, user authentication methods are wide-ranging: simple password authentication, authentication using PIN codes, authentication using IC cards, biometric authentication, and the like. Hence it is important to select an appropriate user authentication method in consideration of these conditions.
Meanwhile, to improve the convenience and simplicity of network solutions, demand for Single Sign-On, Federated Identity, and the like is increasing. For example, when a new Web service is built and provided by integrating a plurality of Web services, a scheme is demanded that provides an environment of Single Sign-On or the like by integrating the authentication and authorization processes executed for the individual Web services. For this reason, solutions are required that can meet two seemingly incompatible requirements: implementing strong security, and building network solutions of high convenience and simplicity, without impairing the high efficiency and flexibility of SOA.
The authentication and authorization processes used when providing conventional Web services will be explained below. FIGS. 12A and 12B are block diagrams showing examples of functional blocks in the conventional authentication and authorization processes. FIG. 12A shows a case in which the individual Web services (services A and B) each incorporate an authentication and authorization processing unit and a database holding user authentication information (see Japanese Patent Laid-Open No. 2003-229978 for such a configuration). FIG. 12B shows a case in which each individual Web service has external modules that perform the authentication and authorization processes and shares a database holding user authentication information.
However, when different authentication and authorization processes are required depending on the use cases of the Web services to be applied, as described in the prior art, the arrangement shown in FIG. 12A must rebuild the Web services according to those requirements, imposing a heavy load in development cost and management cost.
On the other hand, according to the arrangement shown in FIG. 12B, since the database holding user authentication information for the authentication and authorization processes is shared, the Web services need not be rebuilt according to requirements. However, since each individual Web service holds its own database, when a new Web service is provided by combining already developed Web services it becomes very difficult to provide functions such as Single Sign-On and Federated Identity, and the system becomes inconvenient for Web service users.
Each individual Web service must implement interfaces and protocols (protocols A and B) with the services (authentication service A and authorization service B) that implement the authentication and authorization processes. When different authentication and authorization processes are required in accordance with the use cases of the Web services to be applied, the interfaces and protocols must be rebuilt according to those requirements, and each individual Web service must implement a plurality of interfaces and protocols. Hence development cost and management cost increase, and Web services cannot be provided quickly in accordance with users' requirements.
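As an added illustration (not from the patent), the following Python sketch models the two arrangements: a session token that is recognised only by the authentication unit and database of the service that issued it, against two services relying on one shared authentication unit, which is what lets a single login be honoured by both. Service names, users and passwords are constructed for the example.

```python
import hashlib
import secrets
from dataclasses import dataclass

class PasswordAuthenticator:
    """Authentication module with its own user-authentication database."""
    def __init__(self, users):
        # Constructed demo data: user -> SHA-256 digest of salt + password.
        self._salt = secrets.token_bytes(16)
        self._creds = {u: self._digest(p) for u, p in users.items()}
        self._sessions = {}  # session token -> authenticated user
    def _digest(self, password):
        return hashlib.sha256(self._salt + password.encode()).digest()
    def login(self, user, password):
        stored = self._creds.get(user)
        if stored is None or not secrets.compare_digest(stored, self._digest(password)):
            return None
        token = secrets.token_hex(16)
        self._sessions[token] = user
        return token
    def resolve(self, token):
        return self._sessions.get(token)

@dataclass
class WebService:
    name: str
    auth: PasswordAuthenticator  # authentication unit this service relies on
    permissions: dict            # authorization data: user -> allowed operations
    def invoke(self, token, operation):
        user = self.auth.resolve(token)
        if user is None:
            return "401 unauthenticated"
        if operation not in self.permissions.get(user, set()):
            return "403 unauthorized"
        return f"{self.name}:{operation} ok for {user}"

def per_service_stores():
    """FIG. 12A style: each service owns its authenticator and user database."""
    a = WebService("A", PasswordAuthenticator({"alice": "pw-a"}), {"alice": {"read"}})
    b = WebService("B", PasswordAuthenticator({"alice": "pw-b"}), {"alice": {"write"}})
    token = a.auth.login("alice", "pw-a")
    return a.invoke(token, "read"), b.invoke(token, "write")  # B rejects A's session

def shared_store():
    """Shared authenticator and database: one login is honoured by both services."""
    shared = PasswordAuthenticator({"alice": "pw"})
    a = WebService("A", shared, {"alice": {"read"}})
    b = WebService("B", shared, {"alice": {"write"}})
    token = shared.login("alice", "pw")
    return a.invoke(token, "read"), b.invoke(token, "write")
```

Authorization data stays per service in both cases; only the authentication unit and its session store are shared, which is the minimum needed for the second login to disappear.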
In addition, these problems also hinder the introduction of an optimal security system at an optimal time, and thus become causes of damage due to illicit use.