DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

This action is response to communication:  response to amendments/arguments filed on 06/28/2022.
Claims 1-20 are currently pending in this application.  
No new IDS has been filed for this application.  

Response to Arguments

Applicant’s arguments concerning the 112 rejections have been fully considered but are not found persuasive.  Applicant’s argue that that the term Javascript Object Notation Web Token is clear and concise from the specification.  However, applicants still fail to describe how this further limits the claim.  The term “Java” or “Javascript” are trademarks and merely marks of goodwill, and thus, it is unclear how such terms limit the utility of the claimed invention.

Applicant’s arguments concerning the 103 rejections have been fully considered but are moot in view of new grounds of rejection.  See amended rejection below. 


Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.



Claims 6, 7, 13, 19, and 20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
As per claims 6, 7, 13, 19, and 20, the claims recite a “Javascript Object Notation Web Token.”  Javascript is a trademark, which is a term of goodwill.  This term is a proprietary term, and it is unclear how this term limits the claim in regards to its utility. 

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims  1-5, 8-12, and 14-18 are rejected under 35 U.S.C. 103 as being obvious over Shnitko et al. US Patent Application Publication 2018/0077222 (Shnitko), in view of Yoo et al. US Patent No. 8,046,432 (Yoo).
As per claim 1, Shnitko teaches a computer-implemented method for delivery restricted access resources hosted on an origin server using a content delivery network comprising a plurality of CDN servers, the method comprising: receiving, by a CDN server from a client, a request for a restricted-access resource hosted on the origin server, wherein the request comprises a resource identifier of the restricted-access resource and an authentication token (paragarphs 39-40 with client device sending request for content asset; request includes cdn url, which points to conent and provides cdn with token); performing a delivery step comprising: creating, by the CDN server, a composite cache key comprising the resource identifier and at least part of the authentication token (paragraph 40 with authorization and source url; these url include asset identifier and key which were included from the request/cdn url); comparing, by the cdn server, the composite cache key with stored elements on the CDN server, and if a match between the composite cache key and one or the previously stored elements is found, delivering, by the CDN server, a response associated to the composite cache key to the client (paragraph 29, 41, and throughout, with receiving request and if client has the correct permissions, releasing content to the client if content is in cache; also see Figure 6 and paragraphs 60-62 with using authorization URL and determining if there is authorization and whether the content is cached; if authorized and cached, content is retrieved and sent to client); and if no match is found in the cache: forwarding, by the CDN server, the request to the origin server (paragraph 41, Figure 6, wherein  if the content is not cached, the requested will be forwarded to cloud service/source; see Figure 6 and paragraphs 59-62  with checking authorization URL and determining if content is cached); and checking by the origin server, whether the authentication token allows access to the restricted-access resource (see paragraph 41 and Figure 6, wherein checking if content is authorized); if the access is allowed: retrieving, by the origin server, the restricted-access resource and sending, by the origin server, a response comprising the restricted-access resource to the CDN server (paragraphs 41-42 wherein content is transmitted to CDN; see also paragraph 64); and if the access is not allowed: sending, by the origin server, a response comprising a refusal of the request to the CDN server (Figure 6, paragraph 66); storing, by the CDN server, the response in association to the composite cache key and delivering, by the CDN server, the response to the client (paragraphs 66-67 with CDN receives an error message or a forbidden message from cloud service and CDN delivering error or signal to client; the error message or signal is forwarded by the CDN server to the client, and thus, it is stored).  
Although Shnitko may not explicitly teach comparing a cache key to a previously stored cache key on a server, this would have been obvious, if not inherent.  As seen in Schnitko in paragraph 40, an authorization URL is generated, which includes an asset identifier and a key.  As seen in the flow chart in Figure 6 and in paragraphs 41, 42, and 60-63, the system then uses the authorization URL to determine if a client is authorized and if the content is cached.  Thus, Schnitko uses elements such as the key and also the asset identifier to determine if the user is authorized and if the content is cached.  By using these elements of the authorization URL to determine if a client is authorized or if content is cached, Shnitko implies matching the information from the authorization URL to previously stored information.  Thus, even if Schnitko does not explicitly teaching matching a key to a key (per se) Schnitko does teach matching elements from within the key to stored elements, and making a determination.  Thus, it would have been obvious to one of ordinary skill in the art, if not inherent, over the Schnitko combination, to compare a key to a stored key to make a determination.  However, for a further teaching and explicit teaching on determining a match between a composite cache key and one of the previously stored compsite cache keys is found, see Yoo (Figure 2, col. 6  line 63 to col. 7 line 21 with checking if there is a match of cache keys).  Further, Yoo teaches the obvsiouness of storing the responses received (col. 9 line 5-20 and col. 5 line 45 to 65).
At the time the invention was filed, it would have been obvious to one of ordinary skill in the art to combine the teachings of Yoo with Shnitko.  One of ordinary skill in the art would have been motivated to perform such an addition to reduce the burden of origin servers (col. 2 line 54 to 60).

As per claim 2, Shnitko teaches further comprising verifying, by the CDN server, the validity of the authentication token after receiving the request, and wherein the delivery step is only performed if the authentication token is valid (Shnitko paragraphs 41, 59, 60, Figure 6, and throughout, with transmitting client to content only if client is authorized by verifying authorization url).
As per claim 3, Shnitko teaches generating, by the origin server, the authentication token and sending the authentication token to the client; and wherein verifying the vaidity of the authentication token comprises retrieving, by the CDN server, verification data from the origin server (obvious over Shnitko; see paragraphs 34-39 wherein the token is generated, comprising an expiration and key, and is issued by the cloud service and sent to authenticated clients; see paragraphs 39 wherein CDN uses the key to determine whether client is authorized to access content).
As per claim 4, it would have been obvious over Shnitko to store, by the CDN server, the verification data (pragarph 39 wherein CDN access token and determines whether client is authorized to access based on token, which includes key, expiration, etc).
As per claim 5, it would have been obvious over Shnitko wherein the request is an hypertext transfer protocol request comprising a body and the composite cache key further comprises the body (paragraph 40 wherein the request is a URL; see paragraph 32 wherein URL set identifies protocols such as http or https; see paragraph 39 and 40  wherein url inlcues identifier, key/ expiration, etc).
 Claim 8 is rejected using the same basis of arguments used to reject claim 1 above. 
Claim 9 is rejected using the same basis of arguments used to reject claim 2 above. 
Claim 10 is rejected using the same basis of arguments used to reject claim 3 above. 
Claim 11 is rejected using the same basis of arguments used to reject claim 4 above. 
Claim 12 is rejected using the same basis of arguments used to reject claim 5 above. 
Claim 14 is rejected using the same basis of arguments used to reject claim 1 above. 
Claim 15 is rejected using the same basis of arguments used to reject claim 2 above. 
Claim 16 is rejected using the same basis of arguments used to reject claim 3 above. 
Claim 17 is rejected using the same basis of arguments used to reject claim 4 above. 
Claim 18 is rejected using the same basis of arguments used to reject claim 5 above. 


Claims  6, 7, 13, 19, and 20 are rejected under 35 U.S.C. 103 as being obvious over the Shnitko combination as applied above, in view of Lores et al. US Patent Application publication 2019/0306157 (Lores).
As per claim 6, as best understood by the Examiner, Shnitko does not explicitly teach wherein the authetnicaiton token is a JWT comprising one or more JWT claims and the only part of the authentication token comprised in the composite cache key is a subset of the one or more JWT claims.  However, utilizing JWT authentication with JWT caches is well known in the art.  FOr example, see Lores (paragraph 43 with authenticating with JWT found in JWT cache).
At the time the invention was filed, it would have been obvious to one of ordinary skill in the art to combine the teachings of Shnitko with Lores.  One of ordinary skill in the art would have been motivated to perform such an addition to increase security by reducing the authentication overhead (paragraph 20 of Lores).
As per claim 7, it would have been obvious over the Shnitko combination further comprising hashing the body and/or the subset of the one or more JWT claims (Lores paragraph 32-33 wherein JWT hashes may be utilized; also obvious over Shnitko, as seen in paragraphs 38-40, 46, and throughout wherein hash values may be used for authentication)
Claim 13 is rejected using the same basis of arguments used to reject claim 6 above.
Claim 19 is rejected using the same basis of arguments used to reject claim 6 above.
Claim 20 is rejected using the same basis of arguments used to reject claim 7 above.



Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JASON KAI YIN GEE whose telephone number is (571)272-6431.  The examiner can normally be reached on Monda-Friday 8:30-5:00 PST Pacific.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on (571) 272-3739.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).

/JASON K GEE/Primary Examiner, Art Unit 2495