Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
Response to Amendment
The Amendment filed on 12/18/2020 has been entered. Claims 1-15 remain pending in the application. Applicant's arguments have not overcome the rejections previously set forth in the Non-Final Office Action mailed 9/18/2020.

Response to Arguments
Applicant's arguments filed 12/18/2020 have been fully considered but are not persuasive. Upon further examination of the primary reference, the 102(a)(1) rejection is maintained.
The Applicant argues, on pp. 8-9:
On p. 8 (bottom), “processing with elevated permission performed in accordance with applicant's claimed invention does not occur in the system of Reed during a launch phase of a web server”;
On p. 8 (bottom), “there is no discussion in this patent (Reed) whatsoever about “elevated permission” that allow access to a predefined operating system of a 
On p. 9 (top), “Reed fails to teach, ‘requires access of the predefined operating system area of computer during the launch phase.’”
On p. 9 (top), “there is little in the cited sections of Reed with respect to ‘ignoring requests from clients and a further process having the elevated permissions of the web server process being started by the web server process.’”
On p. 9 (middle), para. [0031], “the process PR is however not executed with conventional permission, but rather with elevated permission that allow access to protected area GB of the operating system BS from fig. 2.”
On p. 9 (bottom), para. [0032], “[d]ue to the web server process PR starting with elevated permissions, there is a security risk caused by unauthorized request that aim to manipulate protected areas of the operating system.  To eliminate this security risk, the port of the web server to clients is not yet opened in the launch phase IP.”
The Examiner respectfully disagrees.

Applicant argues on p. 8 (bottom), “processing with elevated permission performed in accordance with applicant's claimed invention does not occur in the system of Reed during a launch phase of a web server.”

Although the claims are interpreted in light of the specification, limitations from the specification (specifically Applicant's reference to paragraphs [0031]-[0032] of the specification) are not read into the claims. See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993).
According to Reed, col. 3, lines 51-61, “an inside compartment comprising a plurality of CGI applications having root directories chrooted to a directory separate from the Web server such that the Web server cannot communicate directly with the CGI applications. The SWP further comprises a trusted gateway agent for communicating between the Web server and the CGI applications. The trusted gateway agent comprises a gateway client program running in the outside compartment having a plurality of outside CGI links to the CGI applications, and a gateway server program located in the inside compartment…” discloses a web server whose directory is chrooted (isolated) and can only be accessed by a trusted gateway agent, and col. 5, lines 56-67 and col. 6, lines 1-13, “trusted gateway agent 230 further comprises a gateway client program 235…gateway client 237 verifies that it has been invoked by the Web server 210 and not another application by checking the effective privilege set of its parent process (the Web server 210) for the netprivaddr privilege, as the web server 210 must be running with the netprivaddr privilege in order to bind to the local HTTP port…” discloses the elevated permission (netprivaddr privilege) invoked (processed) during a launch phase (HTTP request) of a web server.

Applicant argues on p. 8 (bottom), “there is no discussion in this patent (Reed) whatsoever about “elevated permission” that allow access to a predefined operating system of a computer during the launch phase of the web server as additionally performed in accordance with applicant’s claimed invention.”
According to Reed, col. 4, lines 34-39, “invention provides a secure Web platform (SWP) layered on top of HP UNIX 10.09.01 CMW operating system to implement a mandatory access control policy enabling a plurality of remote users operating Web browsers Internet access to CGI applications in response to HyperText Transfer Protocol (HTTP) requests…” discloses accessing a predefined operating system during a launch phase, and col. 5, lines 56-67 and col. 6, lines 1-13, “trusted gateway agent 230 further comprises a gateway client program 235…gateway client 237 verifies that it has been invoked by the Web server 210 and not another application by checking the effective privilege set of its parent process (the Web server 210) for the netprivaddr privilege, as the web server 210 must be running with the netprivaddr privilege in order to bind to the local HTTP port…” discloses the elevated permission (netprivaddr privilege) invoked (processed) during a launch phase (HTTP request) of a web server.

Applicant argues on p. 9 (top), “Reed fails to teach, ‘requires access of the predefined operating system area of computer during the launch phase.’”
According to Reed, col. 4, lines 34-39, “invention provides a secure Web platform (SWP) layered on top of HP UNIX 10.09.01 CMW operating system to implement a mandatory access control policy enabling a plurality of remote users operating Web browsers Internet access to CGI applications in response to HyperText Transfer Protocol (HTTP) requests…” discloses accessing a predefined operating system during a launch phase, and col. 5, lines 56-67 and col. 6, lines 1-13, “trusted gateway agent 230 further comprises a gateway client program 235…gateway client 237 verifies that it has been invoked by the Web server 210 and not another application by checking the effective privilege set of its parent process (the Web server 210) for the netprivaddr privilege, as the web server 210 must be running with the netprivaddr privilege in order to bind to the local HTTP port…” discloses the elevated permission (netprivaddr privilege) invoked (processed) during a launch phase (HTTP request) of a web server.


According to Reed, col. 6, lines 1-7, “gateway client 237 verifies that it has been invoked by the Web server 210 and not another application by checking the effective privilege set of its parent process (the Web server 210) for the netprivaddr privilege, as the Web server 210 must be running with the netprivaddr privilege in order to bind to the local HTTP port…” discloses that the gateway client verifies it has been called by the web server and ignores further processing of a request when an error occurs; see also 340 audit failure, Fig. 3, and col. 6, lines 34-38, “request is rejected, the gateway server 240 audits the reason for the failure (Step 340) and transmits an error message to the gateway client 237, which then terminates…”, which discloses ignoring requests from clients (gateway clients) if a request is not verified or is received in error, and the web server using elevated permissions (netprivaddr privilege) in order to have a Web server start-up process (HTTP request).

Applicant argues on p. 9 (middle), para. [0031], “the process PR is however not executed with conventional permission, but rather with elevated permission that allow access to protected area GB of the operating system BS from fig. 2.”
Applicant is reminded that the claims are given their broadest reasonable interpretation. In this case, the claims recite “during a launch phase” and “during normal operation”. However, “launch phase” and “normal operation” are relative terms which do not 
Although the claims are interpreted in light of the specification, limitations from the specification (specifically Applicant's reference to paragraphs [0031]-[0032] of the specification) are not read into the claims. See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993).
According to Reed, col. 5, lines 56-67 and col. 6, lines 1-13, “trusted gateway agent 230 further comprises a gateway client program 235…gateway client 237 verifies that it has been invoked by the Web server 210 and not another application by checking the effective privilege set of its parent process (the Web server 210) for the netprivaddr privilege, as the web server 210 must be running with the netprivaddr privilege in order to bind to the local HTTP port…” discloses the elevated permission (netprivaddr privilege) invoked (processed) during a launch phase (HTTP request) of a web server to provide access to protected areas (Web server 210).

Applicant argues on p. 9 (bottom), para. [0032], “[d]ue to the web server process PR starting with elevated permissions, there is a security risk caused by unauthorized request that aim to manipulate protected areas of the operating system.  To eliminate this security risk, the port of the web server to clients is not yet opened in the launch phase IP.”

Although the claims are interpreted in light of the specification, limitations from the specification (specifically Applicant's reference to paragraphs [0031]-[0032] of the specification) are not read into the claims. See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993).
According to Reed, col. 5, lines 56-67 and col. 6, lines 1-13, “trusted gateway agent 230 further comprises a gateway client program 235…gateway client 237 verifies that it has been invoked by the Web server 210 and not another application by checking the effective privilege set of its parent process (the Web server 210) for the netprivaddr privilege, as the web server 210 must be running with the netprivaddr privilege in order to bind to the local HTTP port…” discloses the elevated permission (netprivaddr privilege) invoked (processed) during a launch phase (HTTP request) of a web server to provide access to protected areas (Web server 210); see also 340 audit failure, Fig. 3, and col. 6, lines 34-38, “request is rejected, the gateway server 240 audits the reason for the failure (Step 340) and transmits an error message to the gateway client 237, which then terminates…”, which discloses ignoring requests (closing ports) from clients (gateway clients) if a request is not verified or is received in error, and 

Independent claims 13 and 15 have the same arguments as claim 1 and are responded to using the same rationale as claim 1.
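The check Reed's gateway client performs in the passages quoted above (col. 5, lines 56-67 and col. 6, lines 1-13: inspecting the effective privilege set of its parent process for netprivaddr before doing any work) has a direct Linux analogue in the CapEff bitmask of /proc/<pid>/status. The following is an added example written for this page, not code from Reed or from the application under examination. It assumes CAP_NET_BIND_SERVICE as the Linux counterpart of the HP-UX CMW netprivaddr privilege (both gate binding to a privileged port), and the status excerpts it parses are constructed, not captured from a system.

```python
"""Parent-process privilege check modelled on Reed's gateway client (added example).

Reed's gateway client checks its parent's effective privilege set for netprivaddr.
On Linux the analogue is the CapEff bitmask in /proc/<pid>/status, and the
capability needed to bind a port below 1024 is CAP_NET_BIND_SERVICE.
"""
import os
import platform

# Bit numbers from <linux/capability.h>. Assumption for this example:
# CAP_NET_BIND_SERVICE plays the role of netprivaddr.
CAP_NET_BIND_SERVICE = 10
CAP_SYS_ADMIN = 21


def parse_capeff(status_text):
    """Extract the effective capability bitmask from /proc/<pid>/status text."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split(":", 1)[1].strip(), 16)
    raise ValueError("no CapEff line in status text")


def has_cap(capeff, bit):
    """True if capability number `bit` is set in the bitmask."""
    return (capeff >> bit) & 1 == 1


def parent_has_cap(bit=CAP_NET_BIND_SERVICE, ppid=None):
    """Live check: does our parent process hold the capability?

    As in Reed, run this immediately at startup: if the parent has already
    exited, getppid() reports the reaper (pid 1 or a subreaper) instead."""
    if platform.system() != "Linux":
        raise RuntimeError("capability check relies on Linux /proc")
    ppid = os.getppid() if ppid is None else ppid
    with open(f"/proc/{ppid}/status") as fh:
        return has_cap(parse_capeff(fh.read()), bit)


# Constructed sample excerpts of /proc/<pid>/status (not captured from a real host).
STATUS_PRIVILEGED = "Name:\thttpd\nCapPrm:\t0000000000000400\nCapEff:\t0000000000000400\n"
STATUS_UNPRIVILEGED = "Name:\tsh\nCapPrm:\t0000000000000000\nCapEff:\t0000000000000000\n"
STATUS_FULL_ROOT = "Name:\tinit\nCapEff:\t000001ffffffffff\n"

if __name__ == "__main__":
    for label, text in (("privileged", STATUS_PRIVILEGED), ("unprivileged", STATUS_UNPRIVILEGED)):
        print(label, has_cap(parse_capeff(text), CAP_NET_BIND_SERVICE))
    try:
        print("parent holds CAP_NET_BIND_SERVICE:", parent_has_cap())
    except (RuntimeError, OSError) as exc:
        print("live check unavailable:", exc)
```

Two caveats a practitioner should keep in mind, both of which apply equally to Reed's design: a privileged parent proves only that the invoker is privileged, not that it is the web server, so the check is only as strong as the compartment and chroot restrictions that keep other privileged programs from reaching the gateway client; and the check is a snapshot of a pid that can be reused or reaped, so it belongs at the very start of the helper, before it reads any request.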

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1-15 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Reed et al. (US 5903732 A, hereinafter Reed).
Regarding claims 1, 13 and 15, Reed discloses a method/computer and non-transitory computer program product for operating a web server implemented on a computer having an operating system executing thereon, the web server being configured to execute a web server (Fig. 2; col. 4, lines 34-39; col. 3, lines 45-51), comprising: 
executing the web server process with elevated permissions, during a launch phase of the web server after starting the web server which, in addition to the permissions during normal operation, allow access to the predefined operating system area of the computer, during the launch phase the web server process ignoring requests from clients (340 audit failure, Fig. 3; col. 6, lines 1-7, “gateway client 237 verifies that it has been invoked by the Web server 210 and not another application by checking the effective privilege set of its parent process (the Web server 210) for the netprivaddr privilege, as the Web server 210 must be running with the netprivaddr privilege in order to bind to the local HTTP port…”, which discloses that the gateway client verifies it has been called by the web server and ignores further processing of a request when an error occurs) and a further process having the elevated permissions of the web server process being started by the web server process, and the further process serving to execute actions with access to the predefined operating system area (col. 6, lines 34-38, “request is rejected, the gateway server 240 audits the reason for the failure (Step 340) and transmits an error message to the gateway client 237, which then terminates. If the request is accepted, the gateway server 240 strips the environment of all variables that are not specified by the CGI protocol (see Appendix D, entitled "CGI Environment Variables"), sends a "ready" acknowledgment to the gateway client program 237…”); and 
transitioning the web server process to normal operation to process requests from clients subsequent to the launch phase, in an event of the web server process receiving a request requiring an action with access to the predefined operating system area, a permissibility of the received request being checked by the web server process, and the web server process and the further process communicating, which prompts the further process to execute the action with the required access to the predefined operating system area in accordance with the received request in an event of a permissible request (col. 5, lines 56-67 and col. 6, lines 1-13).
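The method recited in claim 1 (a privileged launch phase during which the client port stays closed and a further process is started with the elevated permissions, then normal operation in which the web server process checks each request's permissibility and prompts the further process to perform the privileged action) is the classic privilege-separation pattern. The following is an added example written for this page, not code from the application or from Reed, showing the sequence end to end in Python with os.fork and a socketpair. Assumptions made for the example: an HMAC over a pre-shared key stands in for the digital signature of claim 10, the AUTHORIZED_SENDERS set for the plurality of authorized senders of claim 9, and a temporary directory for the predefined operating system area; the privilege drop is real only when the script is started as root.

```python
"""Privilege-separated web server skeleton (added example, not from the application or Reed).

Launch phase: the server still holds elevated permissions, has NOT opened the client
port, and forks a helper that keeps those permissions.  Normal operation: the server
drops its permissions, opens the port, checks each request itself and forwards only
permissible, structured actions to the helper over a socketpair.
"""
import hashlib, hmac, json, os, socket, tempfile

SHARED_KEY = b"example-shared-key"                 # assumption: stands in for the digital signature
AUTHORIZED_SENDERS = {"operator-1", "operator-2"}  # assumption: the plurality of authorized senders
PROTECTED_AREA = tempfile.mkdtemp(prefix="protected-area-")  # assumption: the predefined OS area


def _send(sock, obj):
    sock.sendall((json.dumps(obj) + "\n").encode())


def _helper_loop(sock):
    """Body of the privileged helper: a fixed vocabulary and no caller-controlled paths."""
    for line in sock.makefile("rb"):
        try:
            cmd = json.loads(line)
            name = cmd["name"]
            if cmd["action"] != "write_file" or os.path.basename(name) != name or name in ("", ".", ".."):
                raise ValueError("unsupported action or bad file name")
            path = os.path.join(PROTECTED_AREA, name)
            with open(path, "w") as fh:
                fh.write(cmd["content"])
            _send(sock, {"ok": True, "path": path})
        except (KeyError, TypeError, ValueError, OSError) as exc:
            _send(sock, {"ok": False, "error": str(exc)})


class PrivilegedHelper:
    """The 'further process' started by the server process during the launch phase."""

    def __init__(self):
        parent_end, child_end = socket.socketpair()
        self.pid = os.fork()
        if self.pid == 0:                     # child: keeps the elevated permissions
            parent_end.close()
            try:
                _helper_loop(child_end)
            finally:
                os._exit(0)
        child_end.close()
        self.sock = parent_end
        self.reader = parent_end.makefile("rb")

    def execute(self, cmd):
        _send(self.sock, cmd)
        line = self.reader.readline()
        return json.loads(line) if line else {"ok": False, "error": "helper exited"}

    def close(self):
        self.reader.close()
        self.sock.close()                     # EOF ends the helper loop
        os.waitpid(self.pid, 0)


def drop_privileges():
    """Transition to normal operation; a real drop only when started as root."""
    if os.geteuid() == 0:
        import pwd
        nobody = pwd.getpwnam("nobody")
        os.setgroups([])
        os.setgid(nobody.pw_gid)
        os.setuid(nobody.pw_uid)


def sign(sender, action, name, content):
    msg = json.dumps([sender, action, name, content]).encode()
    return hmac.new(SHARED_KEY, msg, hashlib.sha256).hexdigest()


def make_request(sender, action, name, content):
    """What an authorized client sends: the fields plus a signature over them."""
    return {"sender": sender, "action": action, "name": name, "content": content,
            "signature": sign(sender, action, name, content)}


def is_permissible(req):
    """Check done by the unprivileged server process: known sender and valid signature."""
    if req.get("sender") not in AUTHORIZED_SENDERS:
        return False
    expected = sign(req.get("sender"), req.get("action"), req.get("name"), req.get("content"))
    return hmac.compare_digest(expected, str(req.get("signature", "")))


def handle_request(req, helper):
    """Normal operation: reject here, or prompt the helper to execute the action."""
    if not is_permissible(req):
        return {"ok": False, "error": "rejected by web server process"}
    return helper.execute({"action": req["action"], "name": req["name"], "content": req["content"]})


if __name__ == "__main__":
    helper = PrivilegedHelper()           # launch phase: helper forked, client port still closed
    drop_privileges()                     # transition to normal operation
    listener = socket.socket()            # only now is the client port opened (the claim 5 variant)
    listener.bind(("127.0.0.1", 0))
    listener.listen()
    print(handle_request(make_request("operator-1", "write_file", "site.conf", "x=1"), helper))
    print(handle_request(make_request("intruder", "write_file", "site.conf", "x=1"), helper))
    listener.close()
    helper.close()
```

Two design points worth noting. The listening socket is created only after drop_privileges(), so during the launch phase nothing is bound and client requests are ignored outright; the claim 8 variant would bind earlier and simply discard what is read. And the helper validates its own input (a single action name and a bare filename inside the protected area) even though the server process has already verified sender and signature, so a signed request naming "../evil" is still refused: the helper is the privileged side and must not inherit trust from the unprivileged one.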

Regarding claim 2, Reed discloses the method as claimed in claim 1, wherein the requests originate from clients which are implemented on a computer different from the computer upon which the web server is implemented (Fig. 2; col. 4, lines 34-39).

Regarding claim 3, Reed discloses the method as claimed in claim 1, wherein the elevated permissions, in contrast to non-elevated permissions of the web server process, permit installation of software on the computer upon which the web server is implemented (Fig. 2; col. 3, lines 51-61; col. 4, lines 49-57; and col. 5, lines 56-60).

Regarding claim 4, Reed discloses the method as claimed in claim 2, wherein the elevated permissions, in contrast to non-elevated permissions of the web server process, permit installation of software on the computer upon which the web server is implemented (Fig. 2; col. 3, lines 51-61; col. 4, lines 49-57; and col. 5, lines 56-60).

Regarding claim 5, Reed discloses the method as claimed in claim 1, wherein the web server process ignores the requests in the launch phase by keeping a port that is provided for communication with clients closed, said port being open during normal operation (Fig. 2; col. 3, lines 51-61; col. 4, lines 49-57; and col. 5, lines 56-60; col. 6, lines 1-7 and 9-13).

Regarding claim 6, Reed discloses the method as claimed in claim 2, wherein the web server process ignores the requests in the launch phase by keeping a port that is provided for communication with clients closed, said port being open during normal operation (Fig. 2; col. 3, lines 51-61; col. 4, lines 49-57; and col. 5, lines 56-60; col. 6, lines 1-7).

Regarding claim 7, Reed discloses the method as claimed in claim 3, wherein the web server process ignores the requests in the launch phase by keeping a port that is provided for communication with clients closed, said port being open during normal operation (Fig. 2; col. 3, lines 51-61; col. 4, lines 49-57; and col. 5, lines 56-60; col. 6, lines 1-7 and 9-13).

Regarding claim 8, Reed discloses the method as claimed in claim 1, wherein, in the launch phase, a port provided for communication with clients is open and the web server process ignores the requests by dismissing said requests (Fig. 2; col. 4, lines 34-39; col. 6, lines 1-7 and 9-13).

Regarding claim 9, Reed discloses the method as claimed in claim 1, 
wherein a sender of the request is identified, in contexts of the check on the permissibility of the received request, based on information in the received request (Fig. 2; col. 3, lines 51-61; col. 4, lines 34-39 and 4-57; and col. 5, lines 56-60); and 
wherein a required condition for the permissibility of the request comprises recognizing, by the web server process, the identified sender as a sender from a plurality of authorized senders (col. 3, lines 61-67 and col. 4, lines 1-3; claim 1, lines 21-32).

Regarding claim 10, Reed discloses the method as claimed in claim 1, 
wherein the received request comprises a digital signature (Fig. 2; col. 3, lines 51-61; col. 4, lines 49-57; and col. 5, lines 56-60, outside CGI links to the CGI applications); 
wherein the signature is verified in contexts of the check on the permissibility of the received request (Fig. 2; col. 3, lines 51-61; col. 4, lines 49-57; and col. 5, lines 56-60); and 
wherein one required condition for the permissibility of the request is an ability to successfully verify the signature (col. 3, lines 61-67 and col. 4, lines 1-3; claim 1, lines 21-32).

Regarding claim 11, Reed discloses the method as claimed in claim 1, wherein the requests from the clients are each generated by a user via a browser executing on a corresponding client and which interacts with the web application (Fig. 2; col. 4, lines 34-39).

Regarding claim 12, Reed discloses the method as claimed in claim 1, wherein the computer upon which the web server is implemented comprises a control computer in an automation facility (Fig. 2, secure Web platform (SWP)).

Regarding claim 14, Reed discloses the computer as claimed in claim 13, wherein the web server of the computer is configured so as to perform a method for operating the web server implemented on the computer having the operating system (col. 3, lines 61-67 and col. 4, lines 1-3; claim 1, lines 21-32).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
See PTO-892 Notice of References Cited.

THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to THORNE E WAUGH whose telephone number is (571)270-0434.  The examiner can normally be reached on Monday-Friday 9AM-5:30PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, ARIO ETIENNE can be reached on (571)272-4001.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR 





3/19/2021
/THORNE E WAUGH/Examiner, Art Unit 2457
/ARIO ETIENNE/Supervisory Patent Examiner, Art Unit 2457