DETAILED ACTION
This final action is in response to amendment filed on 12 October 2021. In this amendment, claims 3, 8, 10, 15, 17 have been amended. Claims 1-20 are pending, with claims 1, 8 and 15 being independent. 

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Priority
This application is a continuation of U.S. Patent Application Serial No. Serial 15/713,750, filed 09/26/2017, which is a continuation of U.S. Patent Application Serial No. 13/891,612, filed May 10, 2013, as well as a continuation-in-part of U.S. Patent Application Serial No. 13/316,073, filed December 9, 2011.

Response to Arguments
Claim Objection
Claim Objection has been withdrawn in view of amended claim.
35 U.S.C. § 101 Rejections
Claim rejections have been maintained because the claimed processor may include computer program code or software. Since there is no positive recitation of “hardware” in the claim, the claim as a whole is directed towards software per se, which is one of the non-statutory category.  
35 U.S.C. § 103 Rejections
Applicants’ arguments, with regards to claims 1-20, have been fully considered but they are not persuasive.
In the response filed 12 October 2021, applicant argues in substance that:
Counterman does disclose, teach, or suggest “requesting, using the proxy server, user credentials of a user from the client device in response to receiving the re-routed request” from the client device and “obtaining, in the proxy server, the requested user credentials from the client device” to “determine that the client device is authorized to access the remote resource.”
The examiner respectfully disagrees. One cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references. In reKeller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In reMerck & Co., Inc., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986). Combination of Longobardi and Counterman teaches the limitations above. In particular, Longobardi teaches that in response to receiving the re-routed request from target device, an authentication server device [proxy server] requesting and receiving user credentials of a user from the client device (see Longobardi par. 51- 52), and Counterman teaches that authorization server may verify the request by determining if the authorized token contained in the message from client application is a valid token (Counterman par. 51). Therefore, the combination of Longobardi and Counterman teaches “requesting, using the proxy server, user credentials of a user from the client device in response to receiving the re-routed request” from the client device and “obtaining, in the proxy server, the requested user 
Since the argument of claim 1 is not persuasive, other claims’ arguments that rely on the argument above are also not persuasive.
Non-Statutory Double Patenting Rejections
Non-statutory double patenting rejections are maintained because of improper response regarding the nonstatutory double patenting rejection. A complete response to a nonstatutory double patenting (NSDP) rejection is either a reply by applicant showing that the claims subject to the rejection are patentably distinct from the reference claims or the filing of a terminal disclaimer in accordance with 37 CFR 1.321in the pending application(s) with a reply to the Office action (see MPEP § 1490 for a discussion of terminal disclaimers). As filing a terminal disclaimer, or filing a showing that the claims subject to the rejection are patentably distinct from the reference application’s claims, is necessary for further consideration of the rejection of the claims, such a filing should not be held in abeyance.

Claim Rejections - 35 USC § 101 
35 U.S.C. 101 reads as follows: 
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 8-14 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. The claim(s) does/do not fall within at least one of the four categories of patent eligible subject matter because the claim is directed towards a software per se. 

Applying the broadest reasonable interpretation in light of the specification and taking into account the meaning of the words in their ordinary usage as they would be understood by one of ordinary skill in the art (See MPEP 2111), the recited “processor” and “an application” may include computer program code or software and since there is no positive recitation of “hardware” in the claim, the claim as a whole is directed towards software per se, which is one of the non-statutory category.  
35 USC 101 enumerates four categories of subject matter that Congress deemed to be appropriate subject matter for a patent: Processes, Machines, Manufactures and Composition of Matter. 
Software or computer program per se does not fall within any one of these four statutory category, i.e. software per se is not a process because it is not a series of acts or steps, nor is it a machine which is a concrete thing consisting of parts or of certain devices and combination of devices, nor is it a manufacture nor a composition of matter, as defined in MPEP 2106.03 I. Therefore, the claim which is directed towards software or computer program per se is ineligible. 
Claims 9-14 are rejected due their dependency on claim 8, and claims 9-14 further does not recite any hardware.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:



Claims 1, 8 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Longobardi et al. (US 2013/0061298, filed Sep. 1, 2011) and Counterman (US 2012/0144202, filed Dec. 6, 2010).
As per claim 1, Longobardi discloses a method for authenticating a client device and providing access to a remote resource hosted by a remote device (Longobardi Figs. 3, 7-9, method for authenticating and providing client device 302 to access resource 318 stored by target device 306), comprising: 
receiving, in a proxy server, a re-routed request (Longobardi par. 51, Target device 306 forwards the logon request received from client device 302 to authentication server device 304 for processing), the re-routed request originating from a request by a client device to the remote device and being re-routed to the proxy server (Longobardi par. 51, The process starts when a user of client device 302 wants to connect and logon to target device 306 to access protected resource 318 located on target device 306); 
requesting, using the proxy server, credentials associated with the client device in response to receiving the re-routed request (Longobardi par. 51, authentication server device 304 requests the user of client device 302 to provide the appropriate credentials); 
obtaining, in the proxy server, the credentials from the client device (see Longobardi par. 52, client device 302 uses password authentication manager 218 to send credentials to authentication server device 304). 

determining, using the proxy server, that the client device is authorized to access the remote resource based at least in part upon the credentials obtained from the client device; 
generating, in the proxy server, an access credential associated with the remote resource; and 
transmitting, from the proxy server, the access credential to the client device, wherein the access credential permits the client device to access the remote resource from the remote device.  
Counterman teaches:
determining, using the proxy server, that client device is authorized to access the remote resource based at least in part upon the credential obtained from the client device (Counterman par. 51, Authorization server 140 may verify the request by determining if the authorized token contained in the message from client application 170 is a valid token); 
generating, in the proxy server, an access credential associated with the remote resource (Counterman par. 51, authorization server 140 may return a message 930 that includes a valid access token); and 
transmitting, from the proxy server, the access credential to the client device (Counterman par. 51, authorization server 140 may return a message 930 that includes a valid access token if the request from client application 170 is verified), wherein the access credential permits the client device to access the remote resource from the 
It would have been obvious to one skilled in the art at the time of effective filing date of the claimed invention to modify the method of Longobardi with the teaching of Counterman for determining, using the proxy server, that the client device is authorized to access the remote resource based at least in part upon the credentials obtained from the client device; generating, in the proxy server, an access credential associated with the remote resource; and transmitting, from the proxy server, the access credential to the client device, wherein the access credential permits the client device to access the remote resource from the remote device. One of ordinary skilled in the art would have been motivated because it offers the advantage of verifying user device is authorized for accessing resources.

Claim 8 is a system claim reciting similar subject matters to those recited in the method claim 1, and is rejected under similar rationale. Longobardi further discloses a system for authenticating a client device and providing access to a remote resource hosted by a remote device (Longobardi Fig. 3, system 300 for authenticating and providing client device 302 to access resource 318 stored by target device 306), comprising: 
a proxy server comprising at least one processor (Longobardi Fig. 3, authentication server device 304); and 
at least one processor (Longobardi Fig. 3, application executed by authentication server device 304), the application, when executed, causing the at least one processor to at least.

Claim 15 is computer readable medium claim reciting similar subject matters to those recited in the method claim 1, and is rejected under similar rationale. Longobardi further discloses a non-transitory computer readable medium embodying a program executable by a proxy server for authenticating a client device and providing access to a remote resource hosted by a remote device (Longobardi Fig. 3, storage device of authentication server device 304 for authenticating and providing client device 302 to access resource 318 stored by target device 306), the program, when executed, causing the proxy server to at least.

Claims 2, 4-7, 9, 11-14, 16 and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Longobardi et al. (US 2013/0061298, filed Sep. 1, 2011), Counterman (US 2012/0144202, filed Dec. 6, 2010) and Laudermilch et al. (US 2008/0137593, published Jun. 12, 2008).
As per claim 2, Longobardi-Counterman discloses the method of claim 1. Longobardi-Counterman does not explicitly disclose:
wherein the credentials comprise a hardware identifier of the client device.  
Laudermilch teaches:

It would have been obvious to one skilled in the art at the time of effective filing date of the claimed invention to further modify the method of Longobardi with the teaching of Laudermilch for the credentials comprise a hardware identifier of the client device. One of ordinary skilled in the art would have been motivated because it offers the advantage of verifying whether the device is authorized to access resources.

As per claim 4, Longobardi-Counterman discloses the method of claim 1. Longobardi-Counterman does not explicitly disclose:
wherein determining that the client device is authorized to access the remote resource further comprises: 
extracting, in the proxy server, a device identifier from the request received from the client device request; and 
determining, in the proxy server, that the device identifier corresponds to one of a plurality of approved device identifiers accessible to the proxy server.  
Laudermilch teaches:
extracting, in the proxy server, a device identifier from the request received from the client device request (Laudermilch par. 38, Access manager 130 then extracts information from the intercepted data stream relating to at least one of mobile device 110 or a user of mobile device 110… The extracted information may include… 
determining, in the proxy server, that the device identifier corresponds to one of a plurality of approved device identifiers accessible to the proxy server (Laudermilch par. 38, the Device ID from the application layer may be correlated with a device certificate already stored in the database).  
It would have been obvious to one skilled in the art at the time of effective filing date of the claimed invention to further modify the method of Longobardi with the teaching of Laudermilch for determining that the client device is authorized to access the remote resource further comprises: extracting, in the proxy server, a device identifier from the request received from the client device request; and determining, in the proxy server, that the device identifier corresponds to one of a plurality of approved device identifiers accessible to the proxy server. One of ordinary skilled in the art would have been motivated because it offers the advantage of verifying whether the device is authorized to access resources.

As per claim 5, Longobardi-Counterman-Laudermilch discloses the method of claim 4. Longobardi-Counterman does not explicitly disclose:
wherein determining that the client device is authorized to access the remote resource further comprises: 
transmitting, from the proxy server, a request to authorize the client device or a user associated with the client device to another server; and 

Laudermilch teaches:
transmitting, from the proxy server, a request to authorize the client device or a user associated with the client device to another server (Laudermilch par. 38, Access manager 130 then extracts information from the intercepted data stream relating to at least one of mobile device 110 or a user of mobile device 110… Access manager 130 submits the extracted information to a compliance server 140); and 
obtaining, in the proxy server, an indication from the other server that the client device or the user associated with the client device are authorized (Laudermilch par. 44, access decisions may also be enforced by access manager 130 by granting access to mobile device 110 to network resource 120 if mobile device 110 is determined to be authorized by compliance server 140).  
It would have been obvious to one skilled in the art at the time of effective filing date of the claimed invention to further modify the method of Longobardi with the teaching of Laudermilch for determining that the client device is authorized to access the remote resource further comprises: transmitting, from the proxy server, a request to authorize the client device or a user associated with the client device to another server; and obtaining, in the proxy server, an indication from the other server that the client device or the user associated with the client device are authorized. One of ordinary skilled in the art would have been motivated because it offers the advantage of verifying whether the device is authorized to access resources.


wherein determining that the client device is authorized to access the remote resource further comprises: 
extracting, in the proxy server, a device identifier from the request received from the client device request; and 
determining, in the proxy server, that the device identifier corresponds to a client device that is in compliance with at least one compliance rule.  
Laudermilch teaches:
extracting, in the proxy server, a device identifier from the request received from the client device request (Laudermilch par. 38, Access manager 130 then extracts information from the intercepted data stream relating to at least one of mobile device 110 or a user of mobile device 110… The extracted information may include… identifying information in the application layer (e.g., username/password, device ID, phone number)… Access manager 130 submits the extracted information to a compliance server 140); and 
determining, in the proxy server, that the device identifier corresponds to a client device that is in compliance with at least one compliance rule (Laudermilch par. 44, access decisions may also be enforced by access manager 130 by granting access to mobile device 110 to network resource 120 if mobile device 110 is determined to be authorized by compliance server 140).  
It would have been obvious to one skilled in the art at the time of effective filing date of the claimed invention to further modify the method of Longobardi with the 

As per claim 7, Longobardi-Counterman-Laudermilch discloses the method of claim 6. Longobardi-Counterman does not explicitly disclose:
wherein determining that the device identifier corresponds to a client device that is in compliance with at least one compliance rule further comprises: 
transmitting, from the proxy server, a request to obtain a compliance status of the client device to another server; and 
obtaining, in the proxy server, an indication from the other server that the client device is in compliance with the at least one compliance rule.  
Laudermilch teaches:
transmitting, from the proxy server, a request to obtain a compliance status of the client device to another server (Laudermilch par. 38, Access manager 130 submits the extracted information to a compliance server 140); and 
obtaining, in the proxy server, an indication from the other server that the client device is in compliance with the at least one compliance rule (Laudermilch par. 44, access decisions may also be enforced by access manager 130 by granting access to 
It would have been obvious to one skilled in the art at the time of effective filing date of the claimed invention to further modify the method of Longobardi with the teaching of Laudermilch for determining that the device identifier corresponds to a client device that is in compliance with at least one compliance rule further comprises: transmitting, from the proxy server, a request to obtain a compliance status of the client device to another server; and obtaining, in the proxy server, an indication from the other server that the client device is in compliance with the at least one compliance rule. One of ordinary skilled in the art would have been motivated because it offers the advantage of verifying whether the device is authorized to access resources.

Claims 9 and 11-14 are system claims reciting similar subject matters to those recited in the method claims 2 and 4-7 respectively, and are rejected under similar rationale.

Claims 16 and 18-20 are computer readable medium claims reciting similar subject matters to those recited in the method claims 2 and 4-7 respectively, and are rejected under similar rationale.

Claims 3, 10 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Longobardi et al. (US 2013/0061298, filed Sep. 1, 2011), Counterman (US 2012/0144202, filed Dec. 6, 2010) and McDowell et al. (US 2009/0260064, published Oct. 15, 2009).
As per claim 3, Longobardi-Counterman discloses the method of claim 1. Longobardi-Counterman does not explicitly disclose:
wherein the credentials are obtained in response to a prompt to authenticate a user generated by the client device.  
McDowell teaches:
the credentials are obtained in response to a prompt to authenticate a user generated by the client device (McDowell Fig. 3, receiving username/password and device identifiers after providing account login page at 50-52).
It would have been obvious to one skilled in the art at the time of effective filing date of the claimed invention to further modify the method of Longobardi with the teaching of McDowell for the credentials are obtained in response to a prompt to authenticate the user generated by the client device. One of ordinary skilled in the art would have been motivated because it offers the advantage of obtaining credentials for verifying whether the device is authorized to access resources.

Claim 10 is a system claim reciting similar subject matters to those recited in the method claim 3, and is rejected under similar rationale. 

Claim 17 is computer readable medium claim reciting similar subject matters to those recited in the method claim 3, and is rejected under similar rationale.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 

Claims 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-17 of U.S. Patent No. US 10,681,028 B2. Although the claims at issue are not identical, they are not patentably distinct from each other because application claims are anticipated by patent claims. For instance, claim 1 of the application is anticipated by patent claim 1 as shown below.
Application
US 10,681,028 B2
1. A method for authenticating a client device and providing access to a remote resource hosted by a remote device, comprising: 
receiving, in a proxy server, a re-routed request, the re-routed request originating from a request by a client device to the remote device and being re-routed to the proxy server; 

obtaining, in the proxy server, the credentials from the client device; 
determining, using the proxy server, that the client device is authorized to access the remote resource based at least in part upon the credentials obtained from the client device; 
generating, in the proxy server, an access credential associated with the remote resource; and 
transmitting, from the proxy server, the access credential to the client device, wherein the access credential permits the client device to access the remote resource from the remote device.

receiving, in a proxy server, a re-routed request, the re-routed request originating from a request by a client device to the remote device and being re-routed to the proxy server; 

obtaining, in the proxy server, the requested user credentials from the client device; 
determining, using the proxy server, that the client device is authorized to access the remote resource based at least in part upon the user credentials obtained from the client device; 
generating, in the proxy server, an access credential associated with the remote resource; and 
transmitting, from the proxy server, the access credential to the client device, wherein the access credential permits the client device to access the remote resource from the remote device.


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US 9864851 B2; System, Device, And Method For Authentication Of A User Accessing An On-line Resource
This invention relates to a device, system and computer-implemented method for authenticating a user of a computing device.
US 20140040993 A1; Method For Providing Authorized Access To A Service Application In Order To Use A Protected Resource Of An End User
The protected resource, typically an API, is exposed by endpoints of a plurality of administrative domains. The endpoints are previously unknown by said service application and the method further comprises: using an intermediate or global entity for: a) selecting one of said administrative domains based on flexible criteria (i.e. at least on the identity of said end user but also considering varying user or service preferences); and b) performing, said selected administrative domain, a secure authorization to grant access to said end user by means of an open protocol.
US 7475146 B2; Method And System For Accessing Internet Resources Through A Proxy Using The Form-based Authentication
The present invention relates to an Internet environment wherein a user addresses requests for Internet resources to a proxy which transmits these requests to a content server able to provide the Internet resources, and relates in particular to a method and system for accessing Internet resources through a proxy using form-based authentication.

THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to KHANG DO whose telephone number is (571)270-7837. The examiner can normally be reached Monday-Friday 8:00 - 5:00 EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, SALEH NAJJAR can be reached on (571)272-4006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, 





/KHANG DO/Primary Examiner, Art Unit 2492