Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.


Response to Arguments
Applicant's arguments filed 3/15/2022 have been fully considered but they are not persuasive. 
Applicant argues that the prior art Gustafsson in view of Ryerson does not disclose “upon failure of at least one of the one or more rules of the first policy, utilize one or more additional policies associated with the resource to validate remaining segments of the security token when a rule of a succeeding policy fails, wherein each additional policy utilizes data processed by a preceding policy”, as recited in the independent claims.
In response to Applicant's arguments, the Examiner respectfully disagrees with the applicant and would like to show that Gustafsson in view of Ryerson discloses upon failure of at least one of the one or more rules of the first policy, utilize one or more additional policies associated with the resource to validate remaining segments of the security token when a rule of a succeeding policy fails, wherein each additional policy utilizes data processed by a preceding policy. Gustafsson discloses denying access to the resources at the application device based on the received token and the token revocation policy. The Examiner points out that Ryerson discloses a first perimeter on the device may include a first policy that defines rules for accessing resources (e.g., applications, data, network resources, etc.) associated with the first perimeter, and the second perimeter may include a second policy that defines rules for accessing resources (e.g., applications, data, network resources, etc.) associated with the second perimeter. A device may include any suitable number of perimeters (e.g., 1, 2, 3, 4, or more) (Paragraph 43).
As such the Examiner maintains the rejection.


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-4, 6-12 and 14-20 are rejected under 35 U.S.C. 103 as being unpatentable over Gustafsson (US patent Pub. 20170134429) in view of Ryerson (US patent Pub. 20130346606).

As per claims 1, 8 and 16:  Gustafsson discloses a system comprising:
one or more processors coupled to a memory; and 
one or more programs, wherein the one or more programs are stored in the memory and configured to be executed by the one or more processors, the one or more programs including instructions that perform actions to (see abstract):
receive an authenticated request to access a resource of a web service, the authenticated request including a security token, the resource associated with a plurality of policies (Paragraph 25; a request to access resources at the application device, the request including the token and denies access to the resources at the application device based on the received token and the token revocation policy), 
a policy having a plurality of rules that when satisfied validate the security token for access to the resource, the security token generated by an identity provider having authenticated an entity seeking access to the resource, a policy associated with a distinct identity provider (claim 25; a token revocation policy, which includes one or more rules for progressively revoking multiple tokens respectively associated with multiple client devices).
Gustafsson does not specifically disclose select a first policy of the plurality of policies associated with the resource; apply one or more rules of the first policy to validate the security token; and upon failure of at least one of the one or more rules of the first policy, utilize one or more additional policies associated with the resource to validate remaining segments of the security token when a rule of a succeeding policy fails, wherein each additional policy utilizes data processed by a preceding policy.
Ryerson discloses a first perimeter on the device may include a first policy that defines rules for accessing resources (e.g., applications, data, network resources, etc.) associated with the first perimeter, and the second perimeter may include a second policy that defines rules for accessing resources (e.g., applications, data, network resources, etc.) associated with the second perimeter. A device may include any suitable number of perimeters (e.g., 1, 2, 3, 4, or more) (Paragraph 43).
Therefore, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains, having the teachings of Gustafsson in view of Ryerson in its entirety, to modify the technique of Gustafsson for the request including the token and denying access to the resources at the application device based on the received token by adopting Ryerson's teaching of a first policy that defines rules for accessing resources (e.g., applications, data, network resources, etc.) associated with the first perimeter. The motivation would have been to improve security token validation using partial policy validations.
As per claim 2:  The system of claim 1, wherein the one or more instructions include further instructions that perform actions to: validate a second security token in the authentication request using a second sequence of partial policy validations (See Gustafsson; Paragraph 25; in a first step a first subset of tokens is revoked during a first period of time, followed with a second step at which a second subset of tokens is revoked during a second period of time following the first period of time).
As per claim 3:  The system of claim 1, wherein the one or more instructions include further instructions that perform actions to: validate the security token in the authentication request through successful completion of all rules of a single policy (See Gustafsson; Paragraph 25; a request to access resources at the application device, the request including the token and denies access to the resources at the application device based on the received token and the token revocation policy).
As per claim 4:  The system of claim 1, wherein the one or more instructions include further instructions that perform actions to: upon failure of each policy, deny the application access to the resource (See Gustafsson; Paragraph 40; deny access to the resources to a first subset of the client devices based on the token revocation policy).
As per claims 6 and 17:  The system of claim 1, wherein a rule indicates how to decode the security token (See Gustafsson; Paragraph 48; enable decryption of the session keys and data).
As per claims 7, 14 and 18:  The system of claim 1, wherein a rule indicates how to check a signature of the security token (See Gustafsson; Paragraph 48; enable decryption of the session keys and data).
As per claim 9:  The method of claim 8, further comprising:
selecting a first policy to validate the security token; applying at least one rule of the first policy to the security token; tracking work product generated in processing the at least one rule; and upon detecting that a second rule of the first policy fails, selecting a second policy to continue validation of the security token (See Ryerson; Paragraph 43; a first perimeter on the device may include a first policy that defines rules for accessing resources (e.g., applications, data, network resources, etc.) associated with the first perimeter, and the second perimeter may include a second policy that defines rules for accessing resources (e.g., applications, data, network resources, etc.) associated with the second perimeter. A device may include any suitable number of perimeters (e.g., 1, 2, 3, 4, or more)).
As per claim 10:  The method of claim 9, further comprising:
applying a rule of the second policy that has not been applied by the first policy;
upon successful application of remaining rules of the second policy, permit access to the resource (See Ryerson; Paragraph 73; The first perimeter is a personal perimeter associated with a user of the device. The second perimeter is an enterprise perimeter associated with an enterprise).
As per claim 11:  The method of claim 10, further comprising: upon failure of application of the rule of the second policy, select a third policy to continue validation of the security token (See Ryerson; Paragraph 18).
As per claim 12:  The method of claim 8, wherein the authenticated request is transmitted via a HyperText Transfer Protocol (HTTP) message (See Gustafsson; Paragraph 28; HTTP Request).
As per claims 15 and 20:  The method of claim 8, wherein a rule indicates an issuer of the security token (See Gustafsson; Paragraph 30; (a) each one of the client devices 110 requests from the token authority the issuance of a token to access resources at one or more of the servers 140).
As per claim 19:  The device of claim 16, wherein a rule indicates an audience of the security token (See Gustafsson; Paragraph 30).
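The sequence recited in claims 1, 4, 6, 7, 9, 10, 11, 15 and 19 above (select a first policy, apply its rules, on a rule failure move to a succeeding policy that reuses the work product of the preceding one, deny access when every policy fails, with rules for decoding, signature checking, issuer and audience) can be illustrated in working code. The following Python is an added illustration written for this page; it is not code from Gustafsson, Ryerson, Hill or the application under examination. The policy names, keys, issuer URLs and audience value are constructed, and the token format is a minimal HS256 JWT built inline for the demonstration.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(payload: dict, key: bytes) -> str:
    """Build a minimal HS256 JWT (header.payload.signature) for the example."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


# Each rule receives the raw token, the shared work product, and the policy it runs under,
# and returns True when satisfied. "decode" is the only provider-independent rule, so its
# output (decoded segments) is kept in `work` and reused by every succeeding policy.
def rule_decode(token: str, work: dict, policy: dict) -> bool:
    if "payload" in work:
        return True  # segments already decoded while processing a preceding policy
    parts = token.split(".")
    if len(parts) != 3:
        return False
    try:
        header = json.loads(b64url_decode(parts[0]))
        payload = json.loads(b64url_decode(parts[1]))
        signature = b64url_decode(parts[2])
    except ValueError:  # bad base64, bad UTF-8 or bad JSON (binascii.Error is a ValueError)
        return False
    if not (isinstance(header, dict) and isinstance(payload, dict) and header.get("alg") == "HS256"):
        return False  # refuse unexpected algorithms (e.g. "none") and non-object segments
    work.update(header=header, payload=payload, signature=signature,
                signing_input=f"{parts[0]}.{parts[1]}".encode())
    return True


def rule_signature(token: str, work: dict, policy: dict) -> bool:
    expected = hmac.new(policy["key"], work["signing_input"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, work["signature"])


def rule_issuer(token: str, work: dict, policy: dict) -> bool:
    return work["payload"].get("iss") == policy["issuer"]


def rule_audience(token: str, work: dict, policy: dict) -> bool:
    return work["payload"].get("aud") == policy["audience"]


RULES = [("decode", rule_decode), ("signature", rule_signature),
         ("issuer", rule_issuer), ("audience", rule_audience)]

# Constructed sample policies, one per identity provider (names, keys and URLs are made up).
POLICIES = [
    {"name": "idp-a", "key": b"constructed-key-a", "issuer": "https://idp-a.example", "audience": "orders-api"},
    {"name": "idp-b", "key": b"constructed-key-b", "issuer": "https://idp-b.example", "audience": "orders-api"},
]


def validate(token: str, policies: list):
    """Walk the policies in order. A failed rule abandons the current policy and the next
    policy continues with the shared work product. Returns (allowed, validating policy name
    or None, trace of (policy, rule, result) tuples)."""
    work, trace = {}, []
    for policy in policies:
        for name, rule in RULES:
            ok = rule(token, work, policy)
            trace.append((policy["name"], name, ok))
            if not ok:
                break  # rule of this policy failed: fall through to the succeeding policy
        else:
            return True, policy["name"], trace  # all rules of a single policy satisfied
    return False, None, trace  # every policy failed: deny access to the resource


if __name__ == "__main__":
    tok = make_token({"iss": "https://idp-b.example", "aud": "orders-api", "sub": "alice"},
                     POLICIES[1]["key"])
    allowed, by, trace = validate(tok, POLICIES)
    print("allowed:", allowed, "validated by:", by)
    for step in trace:
        print(step)
```

Running the block shows the first policy failing at its signature rule (wrong provider key), after which the second policy skips the decode work already done, checks its own signature, issuer and audience, and grants access; a token whose audience matches no policy is denied only after every policy has been exhausted.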

Claims 5 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Gustafsson (US patent Pub. 20170134429) in view of Ryerson (US patent Pub. 20130346606) in view of Hill (US Patent Pub. 20120303491).

As per claims 5 and 13:  The system of claim 1, a policy having a plurality of rules that when satisfied validate the security token, the security token generated by an identity provider having authenticated an entity seeking access to the resource, a policy associated with a distinct identity provider (claim 25; a token revocation policy, which includes one or more rules for progressively revoking multiple tokens respectively associated with multiple client devices).
Gustafsson in view of Ryerson does not specifically disclose wherein the security token is a JavaScript Object Notation (JSON) Web Token (See Hill, Paragraph 45; the security token is a JavaScript Object Notation (JSON) (or other data schema), compressed using zlib (or other data compression software), encrypted using a private asymmetric key known by the content management system 100, and encoded in Base64 format (or other encoding format)).
Therefore, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains, having the teachings of Gustafsson in view of Ryerson and in view of Hill in its entirety, to modify the technique of Gustafsson for the request including the token and denying access to the resources at the application device based on the received token by adopting Hill's teaching of a security token in JavaScript Object Notation (JSON). The motivation would have been to improve security token validation using partial policy validations.

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 

Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ANTHONY D BROWN whose telephone number is (571)270-1472. The examiner can normally be reached 7:30 am to 3:30 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu can be reached on 571-272-6798. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/ANTHONY D BROWN/Primary Examiner, Art Unit 2433