JP4996085B2 - Service providing apparatus and program - Google Patents

Description

  The present invention relates to a service providing apparatus and a program, and more particularly, to a service providing apparatus that provides a predetermined service to a user who has accessed through a client terminal, and a service providing program for causing a computer to function as the service providing apparatus.

  In recent years, it has become common for a financial institution such as a bank to open a website for financial transactions for providing users with a service for accepting online execution instructions of financial transactions from users (customers of financial institutions). ing. By using this website for financial transactions, the user can operate a client terminal such as a personal computer or mobile phone installed in a home or company without going to a branch of a financial institution, etc. It is possible to instruct financial institutions to execute various financial transactions such as balance inquiry, deposit / withdrawal inquiry, account transfer, and transfer.

  In addition, on the website for financial transactions, let individual users specify restrictions such as transfer limits in advance, and instruct each user to execute financial transactions only within the scope of the previously specified restrictions. A technique for switching the contents of services that can be provided for each individual user, such as acceptance, is known.

Further, in relation to the above, as a technique for preventing unauthorized access, Patent Document 1 extracts a source IP address and a source IP address from a received packet, and the extracted source IP address is registered as a valid user terminal. If the source IP address does not match the extracted source IP address, it is determined that the access is from an unauthorized user terminal via an unauthorized proxy server, and the access is denied. Has been.
Japanese Patent Laid-Open No. 9-244974

  By the way, it is common to perform user authentication on a website that provides a predetermined service online to a user registered in advance, such as the above-described financial transaction website, based on a user ID and a password, In this case, the user can access the website from any client terminal (any access source). However, in this aspect, if the user ID and password are leaked to another person, a person who knows the user ID and password can impersonate a legitimate user and perform fraud. is there. The above-mentioned prior specification of constraints is aimed at minimizing damage in the above cases, but since the constraints specified in advance are always applied to the user himself, for example, it is expensive. Depending on the content of the service that the user receives by providing access to the website, such as setting the transfer limit to a high amount, the user may be required to loosen the restrictions. In this case, there is a problem that the effect of suppressing the damage by pre-designating the constraint condition is also reduced.

  As a technique for preventing spoofing and improving security, a technique for authenticating a client terminal using an electronic certificate prior to user authentication based on a user ID and a password is also known. If this technology is applied, even if the user ID and password are leaked to others, it is illegal unless a person who knows the user ID and password operates a client terminal with a legitimate electronic certificate installed. Can be prevented. However, in order to apply this technology, it is necessary to perform the troublesome work of installing an electronic certificate on a client terminal used for accessing a website, and even if it is a legitimate user, an authorized electronic certificate is required. Since the access to the website from the client terminal in which is not installed is denied, the convenience for the user is lowered.

  In addition, it is conceivable to authenticate the client terminal using the IP address instead of the electronic certificate using the technique described in Patent Document 1, but in this case, it is troublesome to install the electronic certificate on the client terminal. Although there is an advantage that it can be omitted, the problem that the user cannot access the website from any client terminal still remains.

  The present invention has been made in consideration of the above facts, and in providing a predetermined service to a user who has accessed through a client terminal, it is possible to ensure a certain level of security without impairing the convenience of the user. It is an object to obtain a possible service providing apparatus and service providing program.

In order to achieve the above object, a service providing apparatus according to the invention described in claim 1 is directly connected to a first computer network and is connected to an Internet layer from an unspecified client terminal via the first computer network. An IP header in which information including a source IP address is set as corresponding information, a TCP header in which information including a port number is set as information corresponding to the transport layer, and information corresponding to the application layer are set A first server computer that receives a packet including a data part, or a first server computer and a first computer connected to the first server computer and the first server computer via a second computer network 2 server computer, through a client terminal A service providing apparatus for providing a predetermined service to an accessed user, wherein a packet for requesting login among packets received by the first server computer from the client terminal via the first computer network In the first server computer, user identification information for identifying individual users, which is input via a client terminal by a user requesting login, is set in the data section. , Provided in the first server computer, extraction means for extracting a source IP address set in the IP header from a packet received from a client terminal via the first computer network, The source IP address extracted by the extracting means is received Transfer means for transferring the received data portion as received information and the user identification information of the specific user in association with the specific user when the specific user accesses from the specific access source. A plurality of types of service definition information that defines the contents of services that can be provided to the user are registered corresponding to a plurality of types of access sources used for access by a specific user, and each of the plurality of types of service specification information includes: Storage means for storing a service specification database in which a service specification table associated with access source identification information representing a transmission source IP address of a corresponding access source is registered and configured for each user; Provided in the server computer or the second server computer and transferred from the transfer means The user identification information and the transmission source IP address set in the reception information are collated with the service definition table of the user corresponding to the user identification information in the service definition database stored in the storage unit, and the corresponding service definition Service providing means for recognizing the contents of a service that can be provided to the user by extracting and referring to the information, and providing the user with a service that matches the recognized content, the service providing means, The service to be provided is a service that accepts an instruction to execute a financial transaction from a user, and each service definition table registered in the service definition database stored in the storage means includes the plurality of types of service definition information. The types of financial transactions that can be instructed to execute, the maximum amount of financial transactions that can be instructed to execute, Beauty, is characterized in that plural kinds of service specification information to be different from at least one of the instruction time zone available for the execution are respectively registered.

  The present inventors limit the client terminal used for access to a specific single client terminal when providing a predetermined service by the service providing apparatus to a user who accesses the service providing apparatus via the client terminal. In this case, the convenience of the user is impaired, but if the same content service is provided when accessing using any of the client terminals, the authentication information such as the user ID and password is leaked. In view of the possibility of suffering damage, even for the same user, the user depends on the access source (the location of the client terminal on the first computer network) used by the user for accessing the service providing apparatus. By switching the content of services provided to users, the convenience of users may be impaired. Without the security can be ensured to some extent (authentication information it is possible to suppress the damage of the case such as that had leaked) in particular was conceived. Then, it has been conceived that the access source used by the user for accessing the service providing apparatus can be determined from the source IP address set in the packet received from the client terminal.

  However, the source IP address is information of the Internet protocol (IP) that is a protocol of the Internet layer in the TCP / IP protocol, and is included in the IP header of the packet together with other information of the Internet protocol (for example, the destination IP address). In the device that has received the packet, the IP header is removed after each piece of information set in the IP header of the received packet is referenced by the processing unit that performs processing conforming to the Internet protocol. Usually, the received packet is delivered to another processing unit that performs processing in accordance with a protocol of a higher layer (transport layer or application layer). And since the process of judging the user authentication and the service to be provided to the user is a process corresponding to the application layer, even if the processing unit that performs these processes refers to the delivered packet, it is received from the client terminal. There is a problem that the source IP address set in the packet cannot be recognized.

  Further, when a computer that first receives a packet from a client terminal is different from a computer that performs processing for determining user authentication and services to be provided to the user (for convenience, the computer that first receives a packet is the first computer). The computer that performs the process of determining the user authentication and the service to be provided to the user is referred to as a second computer), and the packet is transferred from the first computer to the second computer. Since the source IP address set in the IP header of the first computer is overwritten with the IP address of the first computer, in this case as well, the second computer uses the source IP address set in the packet received from the client terminal. There is a problem that it cannot be recognized.

  Based on the above, according to the first aspect of the present invention, a service providing apparatus that provides a predetermined service to a user who has accessed through a client terminal is connected directly to a first computer network (for example, the Internet). This is realized by a server computer or a first server computer and a second server computer connected to the first server computer via a second computer network (for example, a LAN). The first server computer also includes an IP header in which information including a transmission source IP address is set as information corresponding to the Internet layer from an unspecified client terminal via the first computer network, and a transport. A packet including a TCP header in which information including a port number is set as information corresponding to a layer and a data part in which information corresponding to an application layer is set is received.

  Since the first server computer is directly connected to the first computer network, when the first server computer receives the packet from the client terminal via the first computer network, the packet of the packet The IP header is saved without being removed or overwritten with information such as the source IP address. For this reason, in the first aspect of the present invention, the first server computer is provided with extracting means, which extracts the IP header from the packet received from the client terminal via the first computer network. The source IP address set in is extracted. The first server computer is also provided with transfer means. The transfer means adds the source IP address extracted by the extraction means to the data part of the received packet, and the data part is received information. (The transfer destination is service providing means described later).

  In the invention according to claim 1, among the packets received by the first server computer via the first computer network from the client terminal, the packet requesting login includes a user who requests login as the client. When user identification information for identifying individual users input via the terminal is set in the data section, and the packet received by the first server computer from the client terminal is a packet requesting login Through the above processing, the user identification information and the source IP address are set in the reception information (data part) transferred to the service providing means. As a result, even if the IP header of the packet received by the subsequent processing is removed or the transmission source IP address set in the IP header is overwritten, the packet is received from the client terminal based on the reception information transferred by the transfer means. The service providing means can recognize the transmission source IP address set in the received packet.

  In addition, the invention according to claim 1 includes a storage unit, and the storage unit is associated with user identification information of a specific user, and the specific user is accessed when the specific user accesses from a specific access source. A plurality of types of service definition information for defining the contents of services that can be provided to a user are registered in correspondence with a plurality of types of access sources used for access by a specific user, and each of the plurality of types of service definition information A service specification database is stored in which a service specification table associated with access source identification information indicating a transmission source IP address of a corresponding access source is registered for each user. The storage means may be provided in either the first server computer or the second server computer, and is accessible from the same server computer as the service providing means via the server computer and a communication line. It may be connected.

  In the first aspect of the present invention, service providing means is provided in the first server computer or the second server computer, and the service providing means is set in the reception information transferred from the transfer means. The user identification information and the source IP address of the user are compared with the service definition table of the user corresponding to the user identification information in the service specification database stored in the storage means, and the corresponding service specification information is extracted and referred to Then, the content of the service that can be provided to the user is recognized, and a service that matches the recognized content is provided to the user.

  As a result, a plurality of types of service specification information determined so that the contents of services that can be provided to users are different from each other are registered in the service specification table corresponding to each user as a plurality of types of service specification information. Even when the same user accesses the service providing apparatus, the content of the service provided to the user is switched depending on the access source (source IP address) used by the user for accessing the service providing apparatus. Become. Therefore, according to the first aspect of the present invention, it is possible to ensure a certain level of security without impairing the convenience of the user when providing a predetermined service to the user who has accessed through the client terminal. .

Further, in the invention according to the first aspect, services provided by the service providing means is a service that receives an instruction to execute the financial transaction from User chromatography The, registered in the service specification database stored in the storage means individual service specification table, as a plurality of types of service specification information, the types of instructions that can be financial transaction the execution, maximum amount of steerable financial transactions to run, and, an instruction time zone available for the execution of at least 1 plural kinds of service specification information to be different from the One is that are respectively registered. Accordingly, even when a certain user accesses the service providing apparatus according to the present invention, the type of financial transaction that the user can instruct execution, the upper limit amount of the financial transaction that the user can instruct execution, the user At least one of the time periods during which the user can instruct execution differs depending on the access source used by the user for access.

In the first aspect of the present invention, authentication information preset for each individual user may be set in the data part in the packet requesting login. In this case, for example, as described in claim 2 , the storage unit also stores an authentication information database in which user identification information and authentication information are registered for each individual user, and the service providing unit is transferred from the transfer unit. When user identification information and authentication information are set in the received information, authentication for confirming whether the user is a valid user by checking the user identification information and authentication information against the authentication information database stored in the storage means It is preferable to configure so as to recognize the contents of services that can be provided to a user who has been confirmed to be a legitimate user when processing is performed and the user is confirmed to be a legitimate user by the authentication process. . Thereby, security can be improved.

Further, in the invention described in claim 2 , for example, as described in claim 3 , the authentication information database stored in the storage means is associated with the user identification information and authentication information of a specific user, and the specific information A plurality of types of authentication level specifying information for specifying the level of authentication in the authentication process when a user accesses from a specific access source is registered corresponding to a plurality of types of access sources used for access by a specific user. An authentication information table in which each of a plurality of types of authentication level defining information is associated with access source identification information representing a transmission source IP address of a corresponding access source is registered and configured for each individual user. The service providing unit, when executing the authentication process, sets the user identification information set in the reception information transferred from the transfer unit. And the source IP address should be applied by comparing with the authentication information table in which the user identification information is registered in the authentication information database stored in the storage means, and extracting and referring to the corresponding authentication level defining information. It is preferable that the authentication level is recognized and authentication processing is performed at the recognized authentication level. As a result, the authentication level in the authentication process can be switched depending on the access source used by the user to access the service providing apparatus.

  Further, as the authentication level in the authentication process increases (authentication with higher security is performed), the burden on the user may increase, such as the number of types of information to be input by the user increases. For example, the access level from the access source with high security is relatively low, and the access level from the access source with low security is relatively high. By setting the authentication level defining information and the access source identification information in the authentication information database, the security can be improved while suppressing the burden on the user.

Further, in the first aspect of the present invention, when the user accesses the service providing apparatus via the client terminal, a link for accessing the service providing apparatus is provided, and the link is selected. Any one of a plurality of transitionable web pages each having a function of transmitting a packet in which different transition source identification information is set in the data portion from the client terminal to the first server computer via the first computer network If the link is started by the user selecting the link of the transitionable web page that was accessed, the service specification database stored in the storage means is specified, for example as described in claim 4 The specific user in association with the user identification information of the user A plurality of types of access in which service definition information that defines the contents of services that can be provided to a specific user when accessed from a specific transitionable web page from a specific access source is used for access by the specific user Each service definition information is registered corresponding to the original and the plurality of transitionable web pages, and each service definition information corresponds to the access source identification information and the transition source identification information indicating the transmission source IP address of the corresponding access source. In addition to the user identification information and the source IP address, the service provision table is added to the user identification information and the transmission source IP address. Transition source information set in the data part of the packet received when making transition access Information can also be provided to the user by collating with the service definition table of the user corresponding to the user identification information in the service specification database stored in the storage means, and extracting and referring to the corresponding service specification information You may comprise so that the content of a service may be recognized.

In the invention described in claim 4, the service definition information registered in the service specification table corresponding to each user is the same by determining the contents of services that can be provided to the corresponding user so that they are different from each other. When the user of the user accesses the service providing apparatus, the access source (sender IP address) used for accessing the service providing apparatus and the transitional web page from which the user has made the transition Accordingly, the content of the service provided to the user is switched. Thereby, for example, when the content of the service that the user desires to be provided by the service providing apparatus according to the present invention differs depending on which of the plurality of transitionable web pages has changed, the service providing means provides to each user It becomes possible to switch the content of the service so that it matches the content of the service that the individual user desires to provide. In addition, for example, a specific transitionable web page has a limited number of users that can be browsed, while another transitionable web page can be browsed by an unspecified user. If there is a difference for each possible web page, and security is different for each transitionable web page, the content of the service provided to the user by the service providing means depends on the security of the transition source web page. Can be switched.

Thus, according to the invention described in claim 4 , in addition to the access source (source IP address), the content of the service provided to the user by considering which of the plurality of transitionable web pages has transitioned Can be switched finely, and it becomes possible to provide services with more appropriate contents in various situations.

In the invention of claim 4 , the user identification information is set in the data part of the packet requesting login, whereas the transition source identification information is accessed after accessing any of a plurality of transitionable web pages. When the user selects the link of the transitionable web page that has been accessed, and when the user starts to access the service providing apparatus via the client terminal, the client terminal starts via the first computer network. Since it is set in the data part of the packet transmitted to the first server computer, the reception timing of the user identification information and the transition source identification information is different, but the transition is performed in addition to the user identification information and the source IP address. the source identification information is also matching the service specification table, as described for example in claim 5, extract The means is configured to extract the transition source identification information set in the data part of the received packet when the user makes a transition from any of a plurality of transitionable web pages and accesses the information holding means At the same time, when the transfer unit receives the packet in which the user identification information is set in the data part, the transition source identification information is read from the information holding unit, and the read transition source identification information is extracted by the extraction unit This can be realized by adding to the data part of the packet received together with the transmission source IP address and transferring the data part as reception information.

Further, in the invention described in claim 4 , when authentication information preset for each user is also set in the data part in a packet for requesting login, for example, as described in claim 6 , a specific user In association with the user identification information and authentication information, authentication level specification information that specifies the level of authentication in the authentication process when a specific user makes a transition from a specific access source and accesses from a specific transitionable web page, Access that is registered corresponding to each of a plurality of types of access sources and a plurality of transitionable web pages used for access by a specific user, and each authentication level specifying information indicates a source IP address of the corresponding access source The authentication information table associated with the original identification information and the transition source identification information is registered for each individual user. The authentication information database configured as described above is also stored in the storage means, and when the user identification information and the authentication information are set in the reception information transferred from the transfer means, the service providing means The authentication stored in the storage means is the IP address and the transition source identification information set in the received information transferred from the transfer means when the user makes a transition from any of a plurality of transitionable web pages. Recognizing the level of authentication to be applied by comparing with the authentication information table in which the user identification information is registered in the information database, extracting and referring to the corresponding authentication level defining information, and storing the user identification information and the authentication information An authentication process for confirming whether or not the user is a valid user by comparing with an authentication information database stored in the means. Performed at Bell, when it is confirmed that a legitimate user by the authentication process may be configured to recognize the contents of the services available to the user confirming that the user is an authorized user.

  As a result, for example, when the access is from an access source with high security and the security of the transition source web page (transitionable web page) is also high, the level of authentication in the authentication process is relatively low, and security is improved. When access is from a low access source and the security of the transition source web page (transitionable web page) is low, the access level identification information is identified so that the authentication level in the authentication process is relatively high. By associating the information with the transition source identification information and setting it in the authentication information database, the security can be improved while suppressing the burden on the user.

According to a seventh aspect of the present invention, there is provided a service providing program which is directly connected to a first computer network and is transmitted from an unspecified client terminal via the first computer network as information corresponding to the Internet layer. It includes an IP header in which information including an address is set, a TCP header in which information including a port number is set as information corresponding to the transport layer, and a data portion in which information corresponding to the application layer is set. A first server computer that receives a packet, or a second server computer connected to the first server computer and the first server computer via a second computer network, Predetermined service to users accessed via client terminals A service providing program for functioning as a service providing apparatus that provides a login request among the packets received by the first server computer from the client terminal via the first computer network In the packet, user identification information for identifying individual users, which is input via a client terminal by a user requesting login, is set in the data portion, and the first server computer or the The second server computer is associated with user identification information of a specific user, and defines a service content that can be provided to the specific user when the specific user accesses from a specific access source. Regulatory information is used for multiple types of actions used for access by specific users. A plurality of types of service definition information corresponding to the service source are registered, and each of the plurality of types of service specification information is individually associated with access source identification information indicating the transmission source IP address of the corresponding access source. Storage means for storing a service regulation database registered and configured for each of the users, and the first server computer, or the first server computer and the second server computer. Extraction means provided in the first server computer for extracting a source IP address set in the IP header from a packet received from a client terminal via the first computer network; Source IP provided in one server computer and extracted by the extracting means A transfer means for adding an address to the data portion of the received packet and transferring the data portion as received information; and provided in the first server computer or the second server computer, from the transfer means The user identification information and the source IP address set in the received reception information are collated with the service definition table of the user corresponding to the user identification information in the service definition database stored in the storage means, and By extracting and referring to the service definition information to be recognized, the content of the service that can be provided to the user is recognized, and the service that matches the recognized content is made to function as a service providing unit that provides the user Yes.

According to a seventh aspect of the present invention, there is provided a service providing program comprising: a first server computer provided with the storage means; or a first server computer provided with the storage means in any one of the first server computer and the first server computer; Since this is a program for causing the two server computers to function as the above extracting means, transferring means and service providing means, the first server computer or the first server computer and the second server computer The service providing apparatus according to claim 1, wherein the first server computer or the first server computer and the second server computer execute the service providing program according to the invention of claim 7. As in the first aspect of the present invention, the access is made through the client terminal. In providing a predetermined service to the user and, it is possible to ensure a certain degree of security without impairing the convenience for the user.

  As described above, the inventions according to claims 1 and 7 are related to user identification information of a specific user and can be provided to the specific user when the specific user accesses from a specific access source. A plurality of types of service definition information that defines the content of the service are registered corresponding to a plurality of types of access sources used for access by a specific user, and each of the plurality of types of service definition information is transmitted from the corresponding access source. The service specification table associated with the access source identification information representing the original IP address stores a service specification database registered and configured for each user in the storage means, and from the packet received from the client terminal The source IP address set in the IP header is extracted and added to the data portion of the packet, and the data And the user identification information and the source IP address set in the reception information are compared with the service specification table corresponding to the user in the service specification database, and the corresponding service specification information is extracted. By referring to the content of the service that can be provided to the user and providing the user with a service that matches the recognized content, a predetermined service is provided to the user who has accessed through the client terminal. Provides an excellent effect that it is possible to ensure a certain level of security without impairing the convenience of the user.

The invention described in claim 3 is an authentication that regulates the level of authentication when a specific user accesses from a specific access source in association with the user identification information and authentication information of the specific user in the authentication information database. A plurality of types of level definition information are registered corresponding to a plurality of types of access sources used for access by a specific user, and each of the plurality of types of authentication level specification information includes a transmission source IP address of a corresponding access source. The authentication information table associated with the access source identification information to be represented is registered for each user, and when executing the authentication process, the user identification information and the transmission source IP address set in the received reception information are Applicable by collating with the authentication information table where the user identification information is registered and extracting and referring to the corresponding authentication level specification information In addition to the above effects, the user can switch the authentication level in the authentication process depending on the access source used for accessing the service providing apparatus. It has the effect that it becomes possible.

  Hereinafter, an example of an embodiment of the present invention will be described in detail with reference to the drawings.

[First Embodiment]
FIG. 1 shows a computer system 10 according to the first embodiment. The computer system 10 according to the first embodiment includes a web server 12 and an application server 14 installed in a specific financial institution. The web server 12 includes a CPU 12A, a memory 12B including a RAM, a hard disk drive (HDD) 12C, and a network interface (I / F) unit 12D. A destination table (details will be described later) is stored in the HDD 12C, and a reception-time program for the CPU 12A to perform reception-time processing described later is installed.

  The network I / F unit 12D of the web server 12 is a computer network in which a large number of web servers are connected to each other via a communication line (Internet: corresponding to the first computer network according to the present invention). 16 is also directly connected to an intranet (LAN: corresponding to the second computer network according to the present invention) 26 installed in a specific financial institution. Connected to the Internet 16 are a large number of client terminals 18 each consisting of a personal computer (PC), a PDA having a function of accessing the Internet, and a mobile terminal such as a mobile phone. In addition, the connection form of each client terminal 18 to the Internet 16 is directly connected to the Internet 16 like a client terminal (PC) denoted by reference numeral “18A” (for details, an Internet service provider (Internet connection). Connected to the Internet 16 via the wireless communication network 20 such as a client terminal (portable terminal) labeled with “18B”. For example, a client terminal (PC) labeled with “18C” may be installed in a company and connected to the Internet 16 via the proxy server 22.

On the other hand, the application server 14 includes a CPU 14A, a memory 14B including a RAM, an HDD 14C, and a network I / F unit 14D. The HDD 14C stores an authentication information database (authentication information DB) and a transaction condition database (transaction condition DB) (both will be described later in detail), and corresponds to the storage means according to the present invention. The HDD 14C is installed with an authentication / determination program for the CPU 14A to perform an authentication / determination process to be described later. The authentication / determination program corresponds to the service providing program according to claim 7 together with the reception program installed in the HDD 12C of the web server 12, and the web server 12 executes the reception program, When the server 14 executes the authentication / determination program, the web server 12 and the application server 14 function as a service providing apparatus according to the present invention. The network I / F unit 14D of the application server 14 is connected to an intranet 26, and a billing system 28 is connected to the intranet 26.

  Next, the operation of the first embodiment will be described. The specific financial institution according to the present embodiment is an online financial service that is operated by the web server 12 and the application server 14 as a service that enables a user who has opened an account with a specific financial institution to perform financial transactions online. An online financial transaction reception service is provided that receives an online financial transaction execution instruction from a user using a transaction website. In the financial transaction using this online financial transaction reception service, the user browses the web page of the online financial transaction website via the client terminal 18 and inputs necessary information on the web page so that the user can Information for instructing the execution of the desired financial transaction (financial transaction instruction information) is transmitted from the client terminal 18 to the web server 12. Then, the financial transaction instruction information is transferred from the web server 12 to the account system 28 connected to the intranet 26, so that the financial transaction instructed by the user based on the financial transaction instruction information is performed. To be executed by.

  A user who uses an online financial transaction acceptance service applies to a specific financial institution in advance to use the service. The specific financial institution assigns a user ID (corresponding to the user identification information according to the present invention) to the user every time when the user applies for the use of the service, and the password set by the user (the present invention) And the authentication information DB stored in the HDD 14C of the application server 14 is registered. In the online financial transaction reception service according to the present embodiment, a plurality of passwords (first password and second password) are input to the user in user authentication executed when the user accesses the online financial transaction website. In some cases, authentication processing (authentication processing with a higher authentication level) for determining whether or not each of the plurality of input passwords is correct may be performed. For this reason, when there is a possibility that authentication processing using a plurality of passwords may be performed at the time of user authentication, the user sets the first password and the second password at the time of application for use of the online financial transaction reception service. As a result, the first password and the second password are registered in the authentication information DB (see also FIG. 2A).

  In addition, in the online financial transaction reception service according to the present embodiment, the user receives an online financial transaction reception for each access source (location of the client terminal 18 on the Internet 16) where the user accesses the online financial transaction website. Users can set the conditions of financial transactions that can be instructed to execute using the service (types of financial transactions that can be instructed to execute, upper limit for transactions, available time zone, etc.) and authentication levels for the above-mentioned user authentication It is said that. The access source of the user is identified by checking the source IP address set in the packet received by the web server 12 from the client terminal 18 with the IP address or IP address range (group) registered in advance. (Details will be described later). For this reason, the transmission source IP address set in the packet transmitted from the client terminal 18 and received by the web server 12 among the individual client terminals 18 is compared with the range (group) of IP addresses registered in advance. Access may be based on the source IP address, although it may not be possible to specify the access source strictly, for example, the client terminals 18 within the same range (belonging to the same group) are recognized as the same access source. You can at least narrow down the origin.

  For example, in a connection form such as a client terminal 18A that is directly connected to the Internet 16, the IP address (global IP address) of the client terminal 18A is fixed in advance by a contract with a provider, and every time it connects to the Internet 16. In some cases, an indefinite IP address is assigned by the provider. When the IP address of the client terminal 18A is fixed, other client terminals 18 that can transmit the same packet as the source IP address of the client terminal 18A set in the packet received by the web server 12 Since the IP address of the client terminal 18A is registered in advance and the source IP address set in the received packet is checked against the IP address registered in advance, the access source is the client terminal 18A. Whether or not can be identified uniquely.

  Further, when an indefinite IP address is assigned to the client terminal 18A, it is not possible to uniquely identify whether the access source is the client terminal 18A, but the IP address assigned to the client terminal 18A is assigned by the provider for assignment. It is one of IP addresses within a certain range secured in advance, and the range of IP addresses secured for allocation is different for each provider. For this reason, the IP address range reserved in advance by the provider used for connection of the client terminal 18A to the Internet 16 is registered in advance, and the source IP set in the received packet is registered. Whether the access source is the client terminal 18A or another client terminal 18 connected to the Internet 16 by the same provider as the client terminal 18A by collating the address with a pre-registered IP address range. The access source can be narrowed down.

  Further, in a connection form such as the client terminal 18B connected to the Internet 16 via the wireless communication network 20, for example, if the wireless communication network 20 is a mobile phone network, the wireless communication network 20 and the Internet 16 are connected. The gateway server is provided, and the information transmitted from the client terminal 18B for accessing an arbitrary website such as an online financial transaction website is once received by the gateway server, and the packet conforms to the TCP / IP protocol. The IP address is set as a source IP address in the IP header, and sent to the Internet 16. Is done. In addition, the range of IP addresses reserved for allocation is different for each wireless communication carrier.

  Therefore, even when accessed in a connection form such as the client terminal 18B, it is not possible to uniquely identify whether the access source is the client terminal 18B based on the source IP address, but it is used for wireless communication of the client terminal 18B. The IP address range reserved in advance by the wireless carrier for allocation is registered in advance, and the source IP address set in the received packet is registered in advance. By collating, it is possible to determine whether the access source is the client terminal 18B or another client terminal 18 that uses the same wireless carrier as the client terminal 18B, and narrows down the access source Can do.

  Further, in a connection form such as a client terminal 18C installed in a company and connected to the Internet 16 via a proxy server 22, for example, the company (referred to as company A for convenience) acquires a unique domain and is fixed for allocation. In the case where an IP address within the range is secured in advance, the packet A transmitted from the client terminal 18C has the source IP address set in the IP header assigned by the company A for allocation by the proxy server 22 in advance. Is overwritten with one of the IP addresses within a predetermined range, and then sent to the Internet 16. For this reason, even when accessed in a connection form such as the client terminal 18C, it is not possible to uniquely identify whether the access source is the specific client terminal 18C based on the transmission source IP address, but the company A secures in advance. The IP address range is registered in advance, and the source IP address set in the received packet is checked against the pre-registered IP address range, so that the access source is in the company A It can be determined whether or not the client terminal 18C is installed, and the access source can be narrowed down.

  In the present embodiment, the user grasps an access source (location of the client terminal 18 on the Internet 16) that the user himself / herself may use for accessing the online financial transaction website, and the online finance is obtained at each access source. Usage mode when using the transaction reception service (type of financial transaction that may be instructed to be executed and time zone that may be used), safety of access from individual access sources (for example, the same access source) The number and identity of others who may operate the client terminal 18 that is recognized as such, and the convenience of the user himself / herself, etc. Condition, authentication level in user authentication is determined.

  Specifically, for example, a specific user who applies for use of the online financial transaction reception service can access a client terminal 18C installed at a company at work and a client terminal installed at home for accessing an online financial transaction website. If it is possible to use either the client terminal 18B owned by the client terminal 18A or the client terminal 18B owned by the client terminal 18C, the type of financial transaction that can be instructed to be executed for the access from the client terminal 18C with the highest safety The possible upper limit amount is also increased and the authentication level in user authentication is lowered, while the financial transaction conditions and the authentication level are determined so that the available transaction time is limited to the working time. In addition, for access from the client terminal 18A that is slightly less secure, the transaction time zone is not limited, but the types of financial transactions that can be instructed to execute are limited, and the maximum transaction amount is also low. Security is ensured by determining financial transaction conditions and authentication level so that the authentication level also increases. For access from the client terminal 18B with the lowest security, priority is given to safety over convenience, and financial transactions from all client terminals 18 (including the client terminal 18B) other than the client terminals 18A and 18C are performed. Decide not to be able to instruct execution at all.

  When financial transaction conditions and authentication levels are determined for each access source as described above, the IP address of each access source or its range (the packet transmitted from the client terminal 18 of each access source is sent to the web server 12). IP address or its range that may be set as the source IP address when received by the Internet), and for each individual access source, the examined IP address or its range, the conditions of the determined financial transaction and the user Notify the specific financial institution of the authentication level in authentication. As a result, the specific financial institution registers each piece of information notified by the user in the authentication information DB and the transaction condition DB stored in the HDD 1C of the application server 14.

As shown in FIG. 2A, the authentication information DB is configured such that an authentication information table corresponding to a single user is registered for each of all users who have applied for use of the online financial transaction reception service. In each authentication information table, the user ID and password (first password and second password) of the corresponding user are set. Each authentication information table includes access source identification information indicating an IP address or a range thereof, and an authentication level in user authentication processing when there is an access from an access source identified by the corresponding access source identification information. It is possible to register a plurality of sets of authentication level specification information to be specified, and the IP address or the range notified for each access source from the corresponding user is registered as access source identification information, and from the corresponding user. The authentication level notified for each access source is registered as authentication level defining information in association with the access source identification information. This authentication information DB corresponds to the authentication information database according to the present invention (specifically, the authentication information database according to claim 3 ).

  2A corresponds to the above-described example of the specific user, the access source having the highest security among the access sources available for the specific user (201.189.xxx.001 to the source IP address). For access from an access source whose IP address in the range of 256 is set in the packet, the authentication level is set low (authentication level = 1: authentication using only the first password), and the access is slightly less secure The authentication level is set high for access from the source (the access source in which the IP address in the range of 128.401.xxx.001 to 256 is set in the packet as the source IP address) (authentication level = 2: first password) And authentication using the second password), and access from other access sources (access sources in which an IP address outside the above range is set in the packet as the source IP address) Examples of access source identification information and the authentication level definition information to deny access is registered against is shown. In place of authentication using a plurality of passwords, for example, authentication using a single password and authentication using a contractor card or an IC card distributed beforehand to individual users by a specific financial institution are combined. You may make it perform.

In addition, as shown in FIG. 2B, the transaction condition table corresponding to a single user is also registered and configured for all users who have applied for the use of the online financial transaction reception service. Yes. The user ID of the corresponding user is set in each transaction condition table. Each transaction condition table includes access source identification information indicating an IP address or a range thereof, and financial transactions that can be instructed to be executed when accessed from an access source identified by the corresponding access source identification information. It is possible to register multiple sets of transaction condition regulation information that stipulates conditions (executable transaction type, tradeable upper limit amount, tradeable time zone, etc.), and an IP address notified for each individual access source from the corresponding user Alternatively, the range is registered as access source identification information, and the transaction condition regulation information is generated based on the financial transaction conditions notified from the corresponding user for each individual access source. Each transaction condition regulation information is registered in association with access source identification information. The transaction conditions DB corresponds to the service specification database according to the present invention, terms and conditions specified information corresponds to the service definition information according to the present invention.

  In FIG. 2B, corresponding to the above-described example of the specific user, among the access sources that can be used by the specific user, the access source having the highest security (201.189.xxx.001 to the source IP address). There is no limit on feasible transactions and the upper limit of the transaction is high (10 million yen) for access from an access source that has 256 IP addresses set in the packet. Access source limited to working hours (9:00 to 17:00) and slightly less secure access (access IP address in the range of 128.401.xxx.001 to 256 as the source IP address) There is a limit on feasible transactions for access from Yuan), and the maximum transaction amount is low (100,000 yen), but the transaction period is not limited (0: 00-24: 00) ), Other access sources (source IP address outside the above range) IP address is shown an example of access source identification information and transaction condition specified information is registered to prohibit transactions to the access from the access source) which is set in the packet.

  Next, referring to FIG. 3 and FIG. 4, the reception process realized by executing the reception program installed in the HDD 12C when the web server 12 receives some packet via the Internet 16 will be described. I will explain. When the web server 12 receives some packet via the Internet 16 (see also (1) in FIG. 4), the received packet is temporarily stored in the reception buffer, and the reception process is started in response to this.

  As shown in FIG. 4, the packet received by the web server 12 via the Internet 16 is provided with areas such as an IP header, a TCP header, and a data portion. The IP header is an area in which information corresponding to the Internet layer in the TCP / IP protocol is set. Specifically, information such as a destination IP address indicating a packet destination and a source IP address is set. The TCP header is an area in which information corresponding to the transport layer in the TCP / IP protocol is set. Specifically, information such as a TCP port number is set. The data part is an area in which information corresponding to the application layer in the TCP / IP protocol is set. For example, in the case of an authentication request packet described later, a user ID or password input by the user via the client terminal 18 is set. The

  As shown in FIG. 3, in the process at the time of reception, first, in step 50, a packet received via the Internet 16 is fetched from the reception buffer into the memory 12B. In addition to extracting the IP address, the TCP port number is extracted from the TCP header (see also (2) in FIG. 4). In step 54, the extracted destination IP address and TCP port number are collated with the destination table stored in the HDD 12C, so that the received packet corresponds to the authentication request packet ("packet requesting login" according to the present invention). ) (See also (3) of FIG. 4).

  An online financial transaction website is a collection of a large number of web pages linked to each other by links, and by following the links from the home page of the website, conditions of financial transactions that the user desires to execute The financial transaction execution instruction page that can be instructed to be executed is displayed, but the user ID and password (first password and second password) are entered on the home page of the online financial transaction website. An input field is provided, and a message for prompting the user to perform a login operation (input of a user ID and a password) is also displayed. Then, when the user inputs a user ID and password in the corresponding input fields of the homepage and instructs transmission, an authentication request packet is transmitted from the client terminal 18 operated by the user. In this authentication request packet, As the destination IP address and TCP port number, the destination of the authentication request packet is an application program (authentication program installed in the HDD 14C of the application server 14) that performs user authentication in response to a login request to the online financial transaction website. Certain data indicating that the data is a determination program) in the IP header and the TCP header when the packet is transmitted from the client terminal 18 (in the case of the client terminal 18B, when the packet is transmitted from the gateway server of the wireless communication network 20). Set automatically It is.

  In the destination table, the above-mentioned fixed data (the destination IP address and TCP port number set in the authentication request packet, more specifically, the destination IP address of the application server 14 on which the authentication / determination program runs and the TCP port used by the program) In step 54, the destination IP address and TCP port number extracted from the received packet are checked against the destination IP address and TCP port number registered in the destination table. By determining whether or not the received packet is an authentication request packet, the received packet is identified.

  In the next step 56, it is determined whether or not the received packet is identified as an authentication request packet as a result of the processing in step 54. If the determination is negative, the process proceeds to step 58, and processing corresponding to the received packet (for example, processing for distributing homepage data of the online financial transaction website to the requesting client terminal 18) is performed. On the other hand, if the received packet is identified as an authentication request packet, the determination in step 56 is affirmed and the process proceeds to step 60, where the packet is transmitted from the IP header of the received packet (authentication request packet) stored in the memory 12B. Extract the original IP address. Step 60 corresponds to the extraction means according to the present invention.

  In the next step 62, the source IP address extracted in step 60 is added to the data part of the authentication request packet (see also (4) in FIG. 4). Thus, the transmission source IP address set in the IP header of the received authentication request packet can be reliably transmitted to an authentication / determination program (authentication / determination process) described later. In step 64, the destination IP address set in the IP header is overwritten with the private IP address of the application server 14 (IP address in the intranet 26) for the authentication request packet with the source IP address added to the data portion. In addition, after overwriting the source IP address set in the IP header with the private IP address of the own device (web server 12) (see also (5) in FIG. 4), the updated authentication request packet is sent to the intranet 26. Then, it is transferred to the application server 14 (authentication / determination program) (see also (6) of FIG. 4), and the reception process is terminated. Steps 62 and 64 correspond to the transfer means according to the present invention.

  By the way, as shown in FIG. 5 as an example, the data part of the packet received by the web server 12 from the client terminal 18 includes, in addition to the user ID and password, an application ID or request for identifying the transfer destination application. A transaction code indicating the type (for example, login or logoff) is set. If the packet received from the client terminal 18 is an authentication request packet, the ID of the authentication / determination program is set as the application ID, and the data indicating that the request is login as the transaction code is set in the data portion. A transmission source IP address is further added to the data portion by the above-described reception program and transferred to the application server 14. Note that the data portion of the updated authentication request packet transferred from the web server 12 to the application server 14 corresponds to the reception information according to the present invention.

In the application server 14 that has received the authentication request packet transferred from the web server 12 via the intranet 26, first, a first processing program that performs processing corresponding to the Internet layer in the TCP / IP protocol is started, and the received authentication request is received. Information set in the IP header of the packet is referred to, and after processing corresponding to the Internet layer is performed based on the information, the IP header is removed. Subsequently, a second processing program that performs processing corresponding to the transport layer in the TCP / IP protocol is started, and information set in the TCP header of the received authentication request packet is referred to. After the processing corresponding to the port layer is performed, the TCP header is removed. Further, a third processing program that performs processing corresponding to the application layer in the TCP / IP protocol is started, the application ID and the transaction code set in the data part of the received authentication request packet are referred to, and the received packet is It is an authentication request packet, and it is recognized that the transfer destination application is an authentication / determination program. As a result, the authentication / determination program installed in the HDD 14C is activated and executed by the CPU 14A, whereby the authentication / determination process shown in FIG. 6 is performed. This authentication / determination process corresponds to service providing means according to the present invention (specifically, the service providing means described in claim 2 ).

  In this authentication / determination process, first, in step 70, the user ID, password, and source IP address are extracted from the data part of the received authentication request packet. In step 72, the authentication information DB is searched using the user ID extracted in step 70 as a key, and an attempt is made to extract an authentication information table corresponding to the user to which the user ID is assigned. In the next step 74, it is determined whether or not the corresponding authentication information table is extracted from the authentication information DB by the search in step 72. If the determination is negative, the process proceeds to step 94, and an error process such as displaying a message notifying that the input user ID is not registered in the database on the display of the client terminal 18 that is the authentication request packet transmission source. To end the authentication / determination process.

  If the corresponding authentication information table is extracted from the authentication information DB by the search in step 72, the determination in step 74 is affirmed and the process proceeds to step 76. First, the data is extracted from the data part of the authentication request packet in step 70. It is determined which of the plurality of access source identification information registered in the authentication information table extracted in step 72 corresponds to the source IP address, and then the source IP address corresponds By referring to the authentication level specification information registered in the authentication information table in association with the determined access source identification information, the user can access the access from the current access source (the client terminal 18 that is the authentication request packet transmission source). Recognize the authentication level to be applied in the authentication process. In step 78, it is determined whether or not the authentication level recognized in step 76 is “access denied”.

  For example, an authentication information table as shown in FIG. 2A is extracted by the search in step 72, and the source IP address extracted in step 70 is the range of the source IP address represented by the first access source identification information (201.189). .xxx.001 to 256), if the source IP address range (128.401.xxx.001 to 256) indicated by the second access source identification information does not correspond, the extracted source IP address Corresponds to third access source identification information indicating “other” (source IP address), and this third access source identification information is associated with authentication level specifying information indicating “access denied”. Therefore, the determination in step 78 described above is affirmed. If the determination in step 78 is affirmative, the process proceeds to step 94, and a message notifying that access from the currently used terminal is prohibited is displayed on the display of the client terminal 18 that is the transmission source of the authentication request packet. Etc., and the authentication / determination process is terminated.

  On the other hand, if the authentication level recognized in step 76 is other than “access denied”, the determination in step 78 is denied and the process proceeds to step 80 to execute the user authentication process at the recognized authentication level. For example, an authentication information table as shown in FIG. 2A is extracted by the search in step 72, and the source IP address extracted in step 70 is the range of the source IP address represented by the first access source identification information (201.189). .xxx.001 to 256), the first access source identification information is associated with authentication level specifying information indicating “authentication level 1 (authentication using only the first password)”. In step 80, by confirming whether or not the first password extracted from the data part of the authentication request packet in step 70 matches the first password registered in the authentication information table, the authentication request packet transmission source The authentication process of “authentication level 1” for determining whether or not the user operating the client terminal 18 is a valid user is performed.

  Further, for example, an authentication information table as shown in FIG. 2A is extracted by the search in step 72, and the source IP address extracted in step 70 is the range of the source IP address represented by the second access source identification information. In the case of (128.401.xxx.001 to 256), the second access source identification information is associated with authentication level specifying information indicating “authentication level 2 (authentication using the first and second passwords)”. Therefore, in step 80, the first password extracted from the data part of the authentication request packet in step 70 matches the first password registered in the authentication information table, and from the data part of the authentication request packet. Sending an authentication request packet by checking whether or not the extracted second password matches the second password registered in the authentication information table Performing user authentication processing to determine whether the authorized user "authentication level 2" operating the client terminal 18. In the “authentication level 2” authentication process, when only a single password is set in the received authentication request packet, the second password input screen is displayed on the display of the client terminal 18 that is the transmission source of the authentication request packet. Processing such as displaying is also included.

  In the next step 82, it is determined whether or not the user operating the client terminal 18 that is the authentication request packet transmission source is determined to be a valid user by the authentication processing in step 80. If the determination is negative, the process proceeds to step 94, and error processing such as displaying a message notifying that the input password is incorrect is performed on the display of the client terminal 18 that is the authentication request packet transmission source, and authentication is performed.・ End the decision process.

  If it is determined by the authentication processing in step 80 that the user operating the client terminal 18 that is the transmission source of the authentication request packet is a valid user, the determination in step 82 is affirmed and the process proceeds to step 84. The transaction condition DB is searched using the user ID extracted in 70 as a key, and a transaction condition table corresponding to the user to which the user ID is assigned is extracted from the transaction condition DB. In the next step 86, it is first determined whether the source IP address extracted from the data part of the authentication request packet corresponds to a plurality of access source identification information registered in the transaction condition table extracted in step 84. Next, by referring to the transaction condition provision information registered in the transaction condition table in association with the access source identification information determined to correspond to the transmission source IP address, this access source (authentication request) It recognizes the conditions of the financial transaction to be applied to the access from the client terminal 18) of the packet transmission source. In step 88, it is determined whether or not the financial transaction condition recognized in step 86 is "transaction prohibited".

  For example, the transaction condition table as shown in FIG. 2B is extracted by the search in step 84, and the source IP address is within the range of the source IP address represented by the first access source identification information (201.189.xxx.001 to 256) and the source IP address range (128.401.xxx.001 to 256) represented by the second access source identification information does not correspond, the extracted source IP address is “other” ( Since the third access source identification information is associated with the transaction condition defining information indicating “transaction prohibited”, the third access source identification information indicating the “transaction prohibition” is described above. The determination in step 88 is affirmed. If the determination in step 88 is affirmed, the process proceeds to step 94, and a message notifying that the financial transaction from the currently used terminal is prohibited is displayed on the display of the client terminal 18 that is the transmission source of the authentication request packet. The error processing such as making the error is performed, and the authentication / judgment processing is terminated.

  If the authentication information table and the transaction condition table corresponding to the same user have the contents shown in FIGS. 2A and 2B, step 78 before determining “transaction prohibited” in step 88. Although the access source identification information registered in both tables does not have to be the same information, depending on the contents of both tables, although it is not determined as “access denied” It should be noted that “prohibited” may occur.

  If the determination in step 88 is negative, the process proceeds to step 90, where the current transaction time zone in the financial transaction conditions recognized in step 86 is compared with the current time, so that the current time is the current transaction time zone. It is determined whether it is within. For example, the transaction condition table as shown in FIG. 2B is extracted by the search in step 84, and the source IP address is within the range of the source IP address represented by the first access source identification information (201.189.xxx.001 to 256), in the transaction condition regulation information registered in association with the first access source identification information, the transaction time zone is set from 9:00 to 17:00. Is not within this time zone, the determination in step 90 is negative. If the determination in step 90 is negative, the process proceeds to step 94, and the display of the authentication request packet transmission source client terminal 18 is notified that the time zone in which the financial transaction is possible from the currently used terminal has passed. An error process such as displaying a message to be displayed is performed, and the authentication / determination process is terminated.

  On the other hand, if the determination in step 90 is affirmative, it can be determined that an instruction to execute a financial transaction from the user can be accepted. Therefore, in step 92, the financial transaction condition recognized in the previous step 86 (executable transaction) For each user who logs in to the online financial transaction website, and distributes the web page of the website to each user, A process for setting in a financial transaction condition table (not shown) referred to when receiving an instruction to execute a financial transaction from an individual user is performed, and the authentication / determination process is terminated.

  When a user instructs execution of a desired financial transaction using the online financial transaction website, first, the name of the executable financial transaction is one of the web pages constituting the online financial transaction website. Financial transaction that is desired to be executed by selecting the name of the financial transaction that is desired to be executed while the transaction selection page that is displayed as a list of options (links) is displayed on the display of the client terminal 18 The condition input page provided with an input field for inputting the condition is displayed on the display of the client terminal 18, and the financial items desired to be executed in each input field provided in the condition input page displayed subsequently This is done by inputting transaction conditions and performing an operation (such as selecting a predetermined box) to instruct execution of a financial transaction.

  Here, the type of executable transaction set in the above-described financial transaction condition table is the transaction selection page to be distributed to the client terminal 18 by receiving a packet requesting distribution of the transaction selection page from the client terminal 18. A transaction selection page that is referred to when generating and displays only the names of financial transactions set as executable transactions in the financial transaction condition table as options (links) is generated and distributed to the client terminal 18. Thereby, the financial transaction that can be instructed by the user via the client terminal 18 is defined as a transaction that can be executed by the transaction condition provision information registered in the transaction condition table extracted in the previous step 84. You will be limited to transactions only.

  Further, the transaction possible upper limit amount and the transaction possible time zone set in the financial transaction condition table are referred to when a packet instructing execution of the financial transaction is received from the client terminal 18, and the financial transaction instructed to execute the financial transaction If the maximum transaction amount set in the condition table has been exceeded, or if the time at which the execution of the financial transaction is instructed is out of the available transaction time zone set in the financial transaction condition table Without executing the designated financial transaction, a process for displaying a message notifying execution refusal of the designated financial transaction together with a message notifying the reason on the display of the client terminal 18 is performed. Thereby, the upper limit of the financial transaction that can be instructed by the user via the client terminal 18 is the upper limit of the transaction that is defined in the transaction condition provision information registered in the transaction condition table extracted in the previous step 84. The time period during which the user is allowed to instruct the execution of the financial transaction via the client terminal 18 is defined in the transaction condition provision information registered in the transaction condition table extracted in the previous step 84. You will be limited within the available trading hours.

  In the above, in the reception process executed by the web server 12, the destination IP address and TCP port number set in the received packet are collated with the destination IP address and TCP port number registered in the destination table, The mode of adding the source IP address set in the IP header to the data portion of the received packet has been described only when the received packet is an authentication request packet. However, the present invention is not limited to this. The destination table may be omitted, and the source IP address may be added to the data part of all received packets.

[Second Embodiment]
Next, a second embodiment of the present invention will be described. In addition, the same code | symbol is attached | subjected to the part same as 1st Embodiment, and description is abbreviate | omitted. FIG. 7 shows a computer system 30 according to the second embodiment. In the second embodiment, a client terminal (PC) 18C installed in the company is connected to a LAN 32. In addition to the proxy server 22 described in the first embodiment, an in-company system server 34 is connected to the LAN 32. Is also connected.

  The in-company system server 34 can be accessed only by the client terminal 18C connected to the LAN 32, and provides a service providing services that support the execution of various operations in the company (hereinafter, this website is referred to as the website A (FIG. 8) for convenience. When the execution of an arbitrary process is instructed through the website A from the client terminal 18C connected to the LAN 32, the function as the web server that operates the It also functions as an application server to return. Each person in the company accesses the website A via the client terminal 18C, displays a desired web page in the website A on the display of the client terminal 18C, and then performs a desired process through the web page. Instruct execution. Thereby, the in-company system server 34 performs processing desired by the person in charge.

  In addition, various businesses within a company include businesses that require specific financial institutions to instruct the execution of financial transactions such as transfers. Therefore, as shown in FIG. 8, some or all of the plurality of web pages A1, A2, A3,... Constituting the website A include an online financial transaction website operated by a specific financial institution. Links are provided for accessing a home page (in FIG. 8, this home page is indicated as a web page X1) (in FIG. 8, the links are provided on the web pages A1, A2, A3, respectively). Example). When the web page provided with a link to the online financial transaction website among the web pages of the website A is displayed on the display of the client terminal 18C, the link is selected by the operator. A packet requesting the delivery of the homepage of the online financial transaction website to the server 12 is transmitted from the client terminal 18C, and information on the homepage is transmitted from the web server 12 through a process to be described later. The page displayed on the display is switched to the home page of the online financial transaction website (login screen provided with an input field for entering a user ID and password).

  Of the web pages of the website A, a web page provided with a link to an online financial transaction website is a packet (online financial transaction website) transmitted by the client terminal 18C when the link is selected. A program (script) for causing the client terminal 18C to perform processing for setting the site ID of the website A fixed in advance as the transition source site ID in the data portion of the packet requesting the delivery of the homepage of Embedded. For this reason, when the link is selected, the client terminal 18C executes the above script, whereby a packet in which the site ID of the website A is set as the transition source site ID is transmitted from the client terminal 18C.

  In the second embodiment, a website that can be accessed by the same user and can be changed to an online financial transaction website (a web page including a web page provided with a link to the online financial transaction website) There are other websites than the website A (refer to websites B and C shown in FIG. 8 as an example). These websites are operated by any one of a number of web servers directly connected to the Internet 16 as shown in FIG. 7 with reference numeral “36”, for example, and the website A is connected to the LAN 32. While only the client terminal 18C is an accessible site, the websites B and C are different in that any client terminal 18 is accessible. As shown in FIG. 8, for example, the website B may be a site for the mobile terminal 18B, the website C may be a general site with no access restrictions, and the website B is assigned to a user registered in advance. The site providing the service, the website C may be a site providing a predetermined service to an unspecified user.

  In the second embodiment, different transitional websites are preliminarily assigned different site IDs to identify the individual transitionable websites, and the web pages constituting the individual transitional websites are assigned. When a link to an online financial transaction website is selected for a web page (transitionable web page) provided with a link to an online financial transaction website, as with the website A described above Further, scripts for causing the client terminal 18 to perform the process of setting the site ID of the transitionable website to which the transitionable web page belongs as the transition source site ID are embedded in the data part of the packet transmitted by the client terminal 18 respectively. ing.

  In the second embodiment, an online financial transaction website accessed by an individual user is obtained by using a link provided on the transitionable web page while the transitionable website is accessed via the client terminal 18. Depending on the choice, each individual user can transition (access) from multiple transitional websites to an online financial transaction website, and the security of each transitionable website is different. (For example, the website A that can be accessed only by the client terminal 18C connected to the LAN 32 has relatively high security, and the transitionable website that does not restrict accessible users has low security.) Online financial trading web from transitionable websites It is different for each individual transition possible website also security at a transition (access) to the site.

  For this reason, in the second embodiment, in addition to an access source that may be used to access the online financial transaction website, the user may use the transition (access) to the online financial transaction website. Knowing a certain transitionable website, and using the online financial transaction acceptance service for each combination of the identified access source and transitionable website (transition source website), the user's own convenience In consideration of the above, conditions for financial transactions that can be instructed to execute are determined. The financial transaction conditions determined for each combination of the access source and the transition source website (transitionable website) are the IP addresses of the individual access sources or their ranges, and the addresses of the transition source websites that may be used. (For example, URI) is notified to a specific financial institution. Thereby, in the specific financial institution, information notified from the user is registered in the transaction condition DB. The specific financial institution knows the site ID of each transitionable website, and the address of each notified transition source website (transitionable website) is converted into a site ID for each transaction condition DB. Register with.

As shown in FIG. 9, the transaction condition table according to the second embodiment includes financial transaction conditions (executable transaction type, transaction) that can be executed for each combination of access source identification information and transition source website. The transaction condition regulation information that regulates the maximum possible amount of money, the tradeable time zone, the number of trades per transaction, etc.) can be registered, and the IP address notified from the corresponding user for each individual access source or its Each of the ranges is registered as access source identification information, and the site ID of each transition source website converted from the address of each notified transition source website is registered as a transition source site ID. Transaction condition regulation information is generated based on the financial transaction conditions notified for each combination of each access source and each transition source website. Commercial conditions prescribed information for each combination of the generated individual access source and the individual transition source website, it is respectively registered in association with the access source identification information and the transition source site ID. The transaction condition DB corresponds to the service definition database according to the present invention (specifically, the service definition database in which the service definition table according to claim 4 is registered), and the transaction condition definition information is the service definition information according to the present invention. (Specifically, the service definition information described in claim 4 ).

  Next, as an operation of the second embodiment, the reception process executed by the web server 12 according to the second embodiment with reference to the flowchart of FIG. 10 is the same as the reception process described in the first embodiment. Only the different parts will be described. In the reception process according to the second embodiment, when the received packet is identified as not an authentication request packet and the determination in step 56 is negative, the process proceeds to step 100, and the received packet is changed by the client terminal 18. When the link to the online financial transaction website of the transitionable web page is selected while browsing the possible website, the packet transmitted from the client terminal 18, that is, the online financial transaction website It is determined whether the packet is a homepage delivery request packet requesting homepage delivery. If the determination is negative, the process proceeds to step 58, and processing corresponding to the received packet (for example, requested web page data among the web pages constituting the online financial transaction website is sent to the requesting client terminal 18). The processing at the time of reception is completed by performing processing such as distribution.

On the other hand, if the determination in step 100 is affirmative, the process proceeds to step 102, where the source IP address from the IP header of the received packet (homepage distribution request packet) stored in the memory 12B, and the source TCP port from the TCP header. Extract each number. Further, as described above, the homepage delivery request packet has the transition source site ID set in the data portion, and in step 104, the transition source site ID is extracted from the data portion of the received packet. In the next step 106, the transition source site ID extracted in step 104 is registered in the site ID table in association with the source IP address and source TCP port number extracted in step 102. As a result, the transition source site is registered for each client terminal 18 that has transmitted the homepage distribution request packet. Then, in the next step 58, as a process corresponding to the received packet, a process of distributing the data of the homepage (login screen) of the online financial transaction website to the requesting client terminal 18 is performed, and the receiving process is terminated. Steps 102 to 106 described above correspond to the extraction means described in claim 5 .

  In the reception process according to the second embodiment, when the received packet is identified as an authentication request packet and the determination in step 56 is affirmed, first, in step 59, the reception stored in the memory 12B is received. The source IP address is extracted from the IP header of the packet (authentication request packet), and the source TCP port number is extracted from the TCP header. In the next step 61, the site ID table is searched using the source IP address and TCP port number extracted from the received packet in step 59 as keys, and registered in association with the source IP address and TCP port number. The transition source site ID is read from the site ID table. In step 63, the source IP address extracted in step 59 and the transition source site ID read in step 61 are added to the data portion of the received packet (authentication request packet).

Then, in the next step 64, the destination IP address set in the IP header is changed to the application IP address for the authentication request packet in which the transmission source IP address and the transition source site ID are added to the data part, as in the first embodiment. Overwrite with the private IP address of the server 14, overwrite the source IP address set in the IP header with the private IP address of the own device (web server 12), and send the updated authentication request packet to the application via the intranet 26. Transfer to the server 14 (its authentication / determination program). As described above, in the second embodiment, the authentication request packet in which the transmission source IP address and the transition source site ID are added to the data part is transferred from the web server 12 to the application server 14. Steps 59 to 64 described above correspond to the transfer means described in claim 5 .

  Next, the authentication / determination process according to the second embodiment will be described with reference to FIG. 11 only for parts different from the authentication / determination process described in the first embodiment. In the authentication / determination process according to the first embodiment, the user ID, password, and source IP address are extracted from the data part of the received authentication request packet in step 70. However, the authentication / determination process according to the second embodiment is performed. In the determination process, in addition to the above information, the transition source site ID is also extracted from the data part of the authentication request packet (step 71).

  In the authentication / determination process according to the first embodiment, an authentication information table corresponding to a user to which a user ID extracted from the authentication request packet is assigned exists in the authentication information DB (determination in step 74 is affirmative). The authentication level to be applied to the access from the current access source is not “access denied” (determination in step 78 is negative), and the client terminal 18 is operated by the user authentication process performed at the recognized authentication level. After the transaction condition table corresponding to the user assigned with the user ID extracted from the authentication request packet is extracted from the transaction condition DB (step 84), In step 86, the access source identification information having a plurality of source IP addresses registered in the transaction condition table. By referring to the transaction condition regulation information registered in the transaction condition table in association with the access source identification information determined to correspond to the source IP address, The financial transaction conditions to be applied to the access from the access source are recognized. However, in the second embodiment, in step 87 instead of the above step 86, a plurality of transmission source IP addresses are stored in the transaction condition table. After determining which of the registered access source identification information corresponds, the access source identification information determined to correspond to the source IP address and the transition source extracted from the data part of the authentication request packet By referring to the transaction condition regulation information registered in the transaction condition table in association with the combination of the site ID, the access source identification information and It recognizes the conditions of financial transactions to be applied to the combination of the Utsurimoto site ID.

  In the next step 88 and subsequent steps, as in the authentication / judgment process according to the first embodiment, it is determined whether or not the recognized financial transaction condition is “transaction prohibited” (step 88). It is determined whether or not the time is within a tradeable time zone (step 90), and if it is a tradeable time zone, the recognized financial transaction conditions are set in the financial transaction condition table (step 92). Is performed according to the financial transaction condition recognized in step 87, that is, the financial transaction condition corresponding to the combination of the access source identification information and the transition source site ID.

  As described above, in the second embodiment, transaction condition defining information is registered for each combination of access source identification information and transition source site ID, and corresponds to the source IP address of the client terminal 18 that has transmitted the authentication request packet. The condition of the financial transaction is recognized based on the transaction condition defining information corresponding to the combination of the access source identification information to be transmitted and the transition source site ID set in the homepage distribution request packet received from the same client terminal 18, or Even when the user accesses the online financial transaction website from a certain access source, the conditions of the applied financial transaction can be made different depending on which transitionable website has been used.

  As a result, for example, when a transition from a low-security transitionable website to an online financial transaction website is possible, transactions are possible compared to a transition from a high-security transitionable website to an online financial transaction website. Improve security by limiting the number of transactions that can be instructed for time periods and execution, as well as limiting the number of transactions per transaction and setting the transaction condition regulation information so that the maximum transaction amount is also low. Can be made. In addition, for example, when a transition from a specific transitionable website to a website for online financial transactions is performed and the financial transaction desired by the user is limited to certain financial transactions, By setting the transaction condition regulation information so that financial transactions that can be instructed to execute when transitioning from a transitionable website to an online financial transaction website are limited to only the certain financial transactions, security is established. The convenience and operability for the user can also be improved.

In the second embodiment described above, by registering transaction condition defining information for each combination of access source identification information and transition source site ID, for each combination of access source identification information and transition source site ID. Although an example in which the conditions of financial transactions can be switched has been described, the present invention is not limited to this, and authentication level specification information is registered for each combination of access source identification information and transition source identification information such as a transition source site ID. Thus, the authentication level in the authentication process may be switched for each combination of the access source identification information and the transition source identification information. This aspect corresponds to the invention described in claim 6 .

  In addition, websites that require users to enter authentication information such as passwords before use generally allow users to change their passwords in consideration of user convenience. Some websites lock a password when the password is continuously input a predetermined number of times, and accept unlocking of the password upon request from the user. It is also possible to apply the present invention to such a password change or unlocking on a website.

  Specifically, when a password change or password lock release is requested via a client terminal having an IP address different from that of the access source identification information registered in advance, the user is prompted to enter the current password. If the password is entered, the change to the new password is permitted, the password lock release is rejected, the password is changed via the client terminal of the IP address corresponding to the pre-registered access source identification information, and the password lock is released. Is requested, the user is prompted to enter the current password, and if the password is entered, the change to the new password is allowed and the password lock can be released, while the pre-registered access The password is passed through the client terminal of the IP address corresponding to the original identification information. If the access is a transition from the specified web page and the access is a transition from the specified web page, the password lock can be released and the new password can be entered without the user entering the current password. It may be allowed to change to

  If the user forgets the password, it is necessary to allow the user to change to a new password without entering the current password as described above, but this procedure requires a high level of security. For this reason, the above procedures are often performed in writing, which takes time and effort. In order to solve this problem, for example, when a person in charge such as a call center receives a phone call from a user stating that the password has been locked because the password has been forgotten, the person in charge should use a new password. After confirming the identity based on the date of birth, address, etc., by phone, the user-specific password unlock / reset password web page (corresponding to the above-mentioned designated web page) is generated and determined by a random number. A computer generates a file describing the URL of the web page, locks the file using a temporary password, attaches the file to an e-mail, and sends the e-mail to an e-mail address previously reported by the user. And a procedure for teaching the user a temporary password. In this case, the user receives the above e-mail, opens the attached file of the received e-mail using the taught temporary password, and releases the password unlock / reset password URL of the URL described in the opened file. , And through this web page, an operation for requesting password lock release / password reset is performed.

  In this aspect, a password change / password lock release is requested via a client terminal having an IP address corresponding to a pre-registered access source identification information, and the access is made to a designated web page (the password lock release dedicated to the user).・ If it is a transition from the password reset web page), the operator of the client terminal can be regarded as the user himself / herself, so that unlocking of the password lock is permitted upon request and the current password is entered. Security can be ensured even if the process of permitting a new password to be changed without asking for a password, and simplification of the procedure when the user forgets the password and reduction of the time required for the procedure are realized. Can do. In the above aspect, the ID of the user-specific password unlock / password reset web page is used as the transition source identification information. However, as described above, the transition source identification information according to the present invention is provided for each site. It is not limited to the assigned site ID, but may be identification information assigned to each web page. In addition, in the above mode, it is more secure that a password lock release / password reset web page is provided with a valid period and the page is invalidated after a certain period of time (for example, the page display itself is deleted). This is desirable because of improved properties.

  In the above description, the mode in which the service providing apparatus according to the present invention is realized by the web server 12 and the application server 14 has been described. However, the present invention is not limited to this, and the Internet 16 like the web server 12 is used. It is also possible to make a single computer directly connected to the server function as the service providing apparatus according to the present invention. In this case, instead of transferring the authentication request packet as in the above aspect, the authentication request with the transmission source IP address (and the transition source identification information) added as the reception information transferred from the transfer unit to the service providing unit. Only the data portion of the packet needs to be transferred.

  Further, in the above description, as an example of a service provided by the service providing apparatus, a service that enables execution of online financial transactions has been described. However, the present invention is not limited to this, and the present invention can be provided online. Needless to say, the present invention can be applied when providing any arbitrary service. That is, the present invention can be applied to a website that does not require authentication, such as a merchandise sales site that sells merchandise for individuals. For example, when the present invention is applied to the above merchandise sales site, the access source accesses If the terminal does not have an IP address registered as the original identification information, it is only possible to browse the site (such as product reference or purchase consideration), and the access source client terminal can be determined as a mobile terminal from the source IP address , Enabling ordering of products and restricting payment methods (for example, payment method is only transfer or cash on delivery, payment based on credit card is not allowed, etc.), IP address is registered as access source identification information by access source In the case of a client terminal, it is possible to order products and make payments using any payment method. It is.

  Further, the present invention may be applied to an in-house business system that allows access from the outside. In this case, for example, if the access source is an in-house client terminal in which an IP address is registered as access source identification information, it is possible to log in without low-level authentication processing or authentication processing, and all of the business system provides If the service is available and the IP address of the access source is within the range of the IP address of a specific provider that is used when the sales representative accesses from the outside using a mobile terminal, it is relatively high level. Requesting authentication information corresponding to the authentication process of the customer, and limiting the services that can be used, such as not being able to output a list and making only individual inquiries possible for customer information and other important information inquiry requests If the access source is a terminal that does not have an IP address registered as access source identification information, an electronic certificate etc. is requested to further increase the level. It performs the authentication processing, for the available services, for example, aspects such as greatly limited as such only E-learning and benefits relationship is considered.

1 is a block diagram showing a schematic configuration of a computer system according to a first embodiment. (A) is an example of an authentication information database, and (B) is an image diagram showing an example of a transaction condition database. It is a flowchart which shows the content of the process at the time of reception performed with a web server in 1st Embodiment. It is an image figure for demonstrating the process at the time of reception which concerns on 1st Embodiment. It is an image figure which shows an example of login request data. It is a flowchart which shows the content of the authentication / judgment process performed with an application server in 1st Embodiment. It is a block diagram which shows schematic structure of the computer system which concerns on 2nd Embodiment. It is an image figure which shows an example of the link relationship of each transition origin website and the website for financial transactions in 2nd Embodiment. It is an image figure which shows an example of the transaction condition database in 2nd Embodiment. It is a flowchart which shows the content of the process at the time of reception in 2nd Embodiment. It is a flowchart which shows the content of the authentication and judgment process in 2nd Embodiment.

Explanation of symbols

10 Computer System 12 Web Server 14 Application Server 14C HDD
16 Internet 18 Client terminal 26 Intranet 30 Computer system

Claims (7)

An IP header directly connected to the first computer network, in which information including a transmission source IP address is set as information corresponding to the Internet layer from an unspecified client terminal via the first computer network; A first server computer that receives a packet including a TCP header in which information including a port number is set as information corresponding to the port layer and a data portion in which information corresponding to the application layer is set; or , Realized by a first server computer and a second server computer connected to the first server computer via a second computer network, to a user who has accessed through a client terminal, A service providing device for providing a service,
Of the packets received by the first server computer via the first computer network from the client terminal, the login requesting user inputs the packet requesting login via the client terminal. The user identification information for identifying individual users is set in the data portion,
Extraction means provided in the first server computer for extracting a source IP address set in the IP header from a packet received from a client terminal via the first computer network;
Transfer means provided in the first server computer, adding a transmission source IP address extracted by the extraction means to the data portion of the received packet, and transferring the data portion as reception information;
In association with user identification information of a specific user, service specification information that defines the contents of services that can be provided to the specific user when the specific user accesses from a specific access source is accessed by the specific user. A plurality of types of service definition information are registered corresponding to a plurality of types of access sources to be used in the process, and each of the plurality of types of service definition information is associated with access source identification information indicating a transmission source IP address of the corresponding access source. Storage means for storing a service specification database in which a service specification table is registered and configured for each individual user;
User identification information and transmission source IP address set in the reception information transferred from the transfer means provided in the first server computer or the second server computer are stored in the storage means. The service definition database is compared with the service definition table of the user corresponding to the user identification information, and the corresponding service specification information is extracted and referenced to recognize the contents of the service that can be provided to the user, Service providing means for providing the user with a service that matches the recognized content;
Equipped with a,
The service provided by the service providing means is a service that accepts an instruction to execute a financial transaction from a user,
Each service definition table registered in the service definition database stored in the storage means includes, as the plurality of types of service definition information, types of financial transactions that can be instructed to execute, and financial transactions that can be instructed to be executed. A service providing apparatus in which a plurality of types of service definition information that differ in at least one of an upper limit amount and a time period in which execution can be instructed are registered . In the packet requesting the login, authentication information set in advance for each individual user is also set in the data part,
The storage means also stores an authentication information database in which user identification information and authentication information are registered for each individual user,
The service providing means, when user identification information and authentication information are set in the reception information transferred from the transfer means, the user identification information and authentication information stored in the storage means Can be provided to a user who has been confirmed to be a legitimate user when an authentication process is performed to confirm whether the user is a legitimate user by collating and the legitimate user has been confirmed by the authentication process. The service providing apparatus according to claim 1, wherein the service providing apparatus recognizes the contents of a service. The authentication information database stored in the storage means is associated with user identification information and authentication information of a specific user, and indicates the level of authentication in the authentication process when the specific user accesses from a specific access source. A plurality of types of authentication level specification information to be defined are registered corresponding to a plurality of types of access sources used for access by a specific user, and each of the plurality of types of authentication level specification information is a transmission source of a corresponding access source An authentication information table associated with access source identification information representing an IP address is configured to be registered for each individual user.
The service providing unit, when executing the authentication process, includes user identification information and a source IP address set in the reception information transferred from the transfer unit, among the authentication information database stored in the storage unit Recognizing the level of authentication to be applied by comparing with the authentication information table in which the user identification information is registered, extracting and referring to the corresponding authentication level defining information, and performing the authentication process at the recognized authentication level The service providing apparatus according to claim 2. The access to the service providing apparatus via the client terminal by the user is provided with a link for accessing the service providing apparatus, and when the link is selected, different transitions are made to the data section. After accessing one of a plurality of transitionable web pages each having a function of transmitting a packet in which original identification information is set from the client terminal to the first server computer via the first computer network , Initiated by the user selecting the link of the transitionable web page accessed,
The service regulation database stored in the storage means is associated with user identification information of a specific user, and when the specific user makes a transition from a specific accessible web page and accesses from a specific access source, Service definition information that defines the contents of services that can be provided to a specific user is registered in correspondence with each of a plurality of types of access sources and the plurality of transitionable web pages used for access by a specific user. The service definition table in which the service definition table is associated with the access source identification information indicating the source IP address of the corresponding access source and the transition source identification information is registered and configured for each user. And
In addition to the user identification information and the transmission source IP address, the service providing means is set in the data portion of a packet received when a user makes a transition from any of the plurality of transitionable web pages and accesses. The transition source identification information is also checked against the service definition table of the user corresponding to the user identification information in the service specification database stored in the storage means, and the corresponding service specification information is extracted and referenced. The service providing apparatus according to claim 1, wherein the service providing apparatus recognizes the contents of a service that can be provided to the user. The extraction unit extracts the transition source identification information set in the data part of the packet received when the user makes a transition from any of the plurality of transitionable web pages and accesses the information holding unit. Hold
When the transfer unit receives a packet in which the user identification information is set in the data part, the transfer unit reads the transition source identification information from the information holding unit, and the read transition source identification information is extracted from the extraction unit. 5. The service providing apparatus according to claim 4, wherein the data is added to the data portion of the received packet together with the source IP address extracted by the step, and the data portion is transferred as reception information. In the packet requesting the login, authentication information set in advance for each individual user is also set in the data part,
The storage means is associated with user identification information and authentication information of a specific user, and the level of authentication in authentication processing when the specific user makes a transition from a specific access source and accesses from a specific transitionable web page Are registered corresponding to a plurality of types of access sources and the plurality of transitionable web pages used for access by a specific user, and each authentication level definition information corresponds to An authentication information table associated with the access source identification information indicating the source IP address of the access source and the transition source identification information is stored in an authentication information database that is registered and configured for each user,
When the user identification information and the authentication information are set in the reception information transferred from the transfer unit, the service providing unit includes the user identification information and the source IP address, and the user can change the plurality of transitional web pages. The transition source identification information set in the reception information transferred from the transfer means when accessed from any of the above, the user identification information in the authentication information database stored in the storage means The authentication level to be applied is recognized by collating with the registered authentication information table, and extracting and referring to the corresponding authentication level defining information, and the user identification information and the authentication information are stored in the storage means An authentication process for confirming whether or not the user is a valid user by collating with the authentication information database is performed at the recognized authentication level. 5. The service providing apparatus according to claim 4, wherein when it is confirmed that the user is a legitimate user by processing, the content of the service that can be provided to the user who is confirmed to be the legitimate user is recognized. . An IP header directly connected to the first computer network, in which information including a transmission source IP address is set as information corresponding to the Internet layer from an unspecified client terminal via the first computer network; A first server computer that receives a packet including a TCP header in which information including a port number is set as information corresponding to the port layer and a data portion in which information corresponding to the application layer is set; or A predetermined service is provided to a user who has accessed the first server computer and the second server computer connected to the first server computer via a second computer network via a client terminal. For functioning as a service provider A-bis providing program,
Of the packets received by the first server computer via the first computer network from the client terminal, the login requesting user inputs the packet requesting login via the client terminal. The user identification information for identifying individual users is set in the data portion,
The first server computer or the second server computer is associated with user identification information of a specific user and provided to the specific user when the specific user accesses from a specific access source. A plurality of types of service definition information defining the contents of possible services are registered corresponding to a plurality of types of access sources used for access by a specific user, and each of the plurality of types of service definition information corresponds to a corresponding access. A storage unit is provided for storing a service specification database in which a service specification table associated with access source identification information representing an original transmission source IP address is registered and configured for each user.
The first server computer, or the first server computer and the second server computer,
Extraction means provided in the first server computer for extracting a source IP address set in the IP header from a packet received from a client terminal via the first computer network;
Transfer means provided in the first server computer, for adding a transmission source IP address extracted by the extraction means to the data part of the received packet, and transferring the data part as received information;
And the user identification information and the transmission source IP address which are provided in the first server computer or the second server computer and are set in the reception information transferred from the transfer means are stored in the storage means The content of services that can be provided to the user is recognized by checking the service definition table of the user corresponding to the user identification information in the service specification database, and extracting and referring to the corresponding service specification information Service providing means for providing the user with a service that matches the recognized content
Function as
The service provided by the service providing means is a service that accepts an instruction to execute a financial transaction from a user,
Each service definition table registered in the service definition database stored in the storage means includes, as the plurality of types of service definition information, types of financial transactions that can be instructed to execute, and financial transactions that can be instructed to be executed. A service providing program in which a plurality of types of service definition information that differ in at least one of an upper limit amount and a time period during which execution can be instructed are registered.

Images