Ex Parte Foster et al, Patent Trial and Appeal Board, Sep 27, 2012, Application 10192999 (P.T.A.B. Sep. 27, 2012)

UNITED STATES PATENT AND TRADEMARK OFFICE
____________________

BEFORE THE PATENT TRIAL AND APPEAL BOARD
____________________

Ex parte WARD SCOTT FOSTER, ROBERT JOHN MADRIL, JR., and SHELL STERLING SIMPSON
____________________

Appeal 2010-003982
Application 10/192,999
Technology Center 2400
____________________

Before MAHSHID D. SAADAT, DAVID M. KOHUT, and JUSTIN BUSCH, Administrative Patent Judges.

BUSCH, Administrative Patent Judge.

DECISION ON APPEAL

Appellants appeal under 35 U.S.C. § 134(a) from the Examiner’s non-final rejection of claims 1-33. We have jurisdiction under 35 U.S.C. § 6(b). We AFFIRM.

Introduction

According to Appellants, the invention relates to a method and system for accessing distributed resources and, more specifically, to a method and system for providing secure but limited access to a resource in a distributed environment. Spec. ¶ 1.

STATEMENT OF THE CASE

Exemplary Claim

Claim 16 is an exemplary claim and is reproduced below:

16. A computer readable medium having instructions for:
receiving a request from a first resource to access a second resource;
verifying that the request was received from the first resource;
verifying that a client directed the first resource to request to access to the second resource;
authenticating credentials presented for a user; and
granting the first resource access to the second resource.

References

Buhle US 6,286,104 B1 Sep. 4, 2001
Kramer US 6,986,040 B1 Jan. 10, 2006
BEA Systems, Using WebLogic SSL, http://www.weblogic.com/docs51/classdocs/API_secure.html (printed Feb. 28, 2006) (“BEA”).

Rejections

Claims 1, 8, 16-19, 26, 28, and 32 stand rejected under 35 U.S.C. § 102(e) as being anticipated by Buhle.

Claims 1, 4-8, 11-13, 16, 18-20, 22, and 26-33 stand rejected under 35 U.S.C. § 103(a) as being obvious in view of Kramer.

Claims 2, 3, 9, 10, 14, 15, 17, 21, and 23-25 stand rejected under 35 U.S.C. § 103(a) as being obvious in view of Kramer and BEA.

ISSUES

35 U.S.C. § 102(e) (Buhle): claims 1, 8, 16-19, 26, 28, and 32

Appellants argue their invention is not anticipated by Buhle. App. Br. 7-11. Specifically, Appellants argue that Buhle only verifies that the middle-tier server had access to a credential or name as opposed to verifying that the client directed the middle-tier server to request the access and, thus, Buhle does not “teach or suggest a method that includes verifying that a client directed the first resource to request to access to the second resource.” App. Br. 10.

Issue 1: Has the Examiner erred in finding that Buhle discloses “verifying that a client directed the first resource to request to access to the second resource,” as recited in claim 16?

35 U.S.C. § 103(a) (Kramer): claims 1, 4-8, 11-13, 16, 18-20, 22, and 26-33

Appellants argue their invention is not obvious in view of Kramer. App. Br. 11-16. Specifically, Appellants argue that the element of Kramer that the Examiner equated to a first resource never requests access to an element that the Examiner equated to a second resource and, thus, Kramer cannot verify that a client directed the first resource to request access to the second resource. App. Br. 13. Appellants further argue that, even switching the mapping of the first and second resources, such that the first resource does request access to the second resource, the request to access the second resource is not at the direction of the client and, thus, Kramer still does not teach or suggest verifying that the client directed the request. App. Br. 13-14.

Issue 2: Has the Examiner erred in finding that Kramer teaches or suggests “verifying that a client directed the first resource to request to access to the second resource,” as recited in claim 1?

35 U.S.C. § 103(a) (Kramer, BEA): claims 2, 3, 9, 10, 14, 15, 17, 21, and 23-25

Appellants argue their invention is not obvious in view of Kramer and BEA. App. Br. 16-19. Specifically, Appellants argue that the client in Kramer receives a session identifier in a ticket from the ticket service, which the client in turn provides to the application server, which then provides the session identifier to the ticket service. App. Br. 17. Appellants assert that, because the ticket service never receives a session identifier from the client, the ticket service cannot match a session identifier from the client with a session identifier received from the application server. Id.

Issue 3: Has the Examiner erred in finding that Kramer teaches or suggests “matching the session identifier received from the client with the session identifier received from the distributed application,” as recited in claim 14?

ANALYSIS

We have reviewed the Examiner’s rejections in light of Appellants’ contentions that the Examiner has erred. Further, we have reviewed the Examiner’s response to each of the arguments. We agree with the Examiner.

35 U.S.C. § 102(e) (Buhle): claims 1, 8, 16-19, 26, 28, and 32

Appellants argue that Buhle’s disclosure of a middle-tier server providing client credentials to a data server is not the same as “verifying that a client directed the first resource to request to access to the second resource” as claimed in independent claim 16. App. Br. 9. Appellants create an analogy of a bank teller legitimately receiving a customer’s social security number to open a bank account for the customer at the customer’s direction, but later using that social security number to establish credit on her own – i.e. not at the customer’s direction and thus, fraudulently. App. Br. 10; Reply Br. 4-6.
Appellants further argue that the Examiner has assumed that an access request from the middle-tier server to the data server was at the direction of the client merely because the middle-tier server was authenticated and had access to the client’s credentials. Reply Br. 4. Appellants assert that “the data server can only presume that the client directed the middle tier server to access the data server” but that the “data server cannot verify that the client directed the middle tier server to do anything.” Id. (emphasis added).

The Examiner finds that Buhle “is deeply concerned with providing authentication, accountability, and auditing throughout the system.” Ans. 24. The Examiner further finds that client credentials are provided “to the middle tier server from the data server for explicit use in establishing communication on behalf of the particular client Client1.” Id. The Examiner states that, even in Appellants’ modified analogy (of the thief being a bank employee), “there is no authentication or authorization of the victim, thief, [or] bank,” whereas the client and middle-tier server in Buhle are authenticated. Supp. Ans. 23. Moreover, “the middle tier server of Buhle is required to have explicit authorization [in] order to act on behalf of a client, as shown in column 6, lines 30-32.” Id.

We understand Appellants to argue that the point of the invention is to prevent a second (in time) attempt by the first resource to access the second resource from succeeding, unless it is verified that the request was at the direction of the client. Reply Br. 3. However, we find that the claims are not so limiting, because the relevant limitation of claim 16 merely requires verifying that a client directed the access request. As explained by the Examiner, the entire disclosure of Buhle relates to “authentication, accountability, and auditing” of access to a database server. In fact, the middle-tier server (Appellants’ “first resource”) “cannot assume the identity of any clients until explicitly authorized.” See Supp. Ans. 23; Buhle col. 6 ll. 31-32. This position is consistent with Appellants’ disclosure, which states that “[v]erifier 30 represents any programming capable of limiting access to resource 26 to those providing verifiable credentials” and “[o]rigin verifier 36 represents any programming capable of verifying that a request to access resource 26 originated from a user.” Spec. ¶ 27, 29. A user is defined by Appellants as including a client, browser, and/or individual. Spec. ¶ 29. As shown in the passages cited by the Examiner, Buhle similarly distinguishes between a request by the middle-tier server for access to the data server on behalf of one client versus access on its own behalf or that of another client. Buhle col. 8 ll. 53-56; Buhle Abstract. Thus, Buhle must include “programming capable of verifying that a request to access [a resource] originated from a user” as opposed to from the middle-tier server or a different user. We agree with the Examiner that, under the broadest reasonable interpretation of claim 16, Buhle discloses “verifying that a client directed the first resource to request to access to the second resource.”

Therefore, because Buhle discloses “verifying that a client directed the first resource to request to access to the second resource,” we find that claim 16 is anticipated by Buhle. Independent claims 1, 26, 28, and 32 contain similar limitations to those in independent claim 16 and Appellants make no further arguments with respect to claims 1, 26, 28, and 32. Therefore, we find that claims 1, 26, 28, and 32 are anticipated by Buhle for at least the same reasons as discussed with respect to independent claim 16. Appellants do not present a separate argument for the patentability of dependent claims 17-19 (each of which ultimately depends from claim 16) over Buhle. Therefore, dependent claims 17-19 fall with independent claim 16. Appellants provide no argument regarding the patentability of claim 8 over Buhle. Therefore, we also affirm the rejection of claim 8 as being anticipated by Buhle.

35 U.S.C. § 103(a) (Kramer or Kramer and BEA): claims 1-33

Appellants argued that the application server in Kramer does not request access to the ticket service under the direction of the client and thus does not teach “verifying that a client directed the first resource to request access to the second resource,” as claimed in independent claim 1. App. Br. 14. Appellants further argue that “sending information to Kramer’s application server is not the same as requesting access to the application server. As an analogy, sending an email is not the same as requesting access to an email server that receives it.” Reply Br. 8.

The Examiner responds that the “mere fact that Kramer does not refer to such a communication [sending ticket/session information to the application server to allow access by a client to the application server] explicitly as a ‘request’ is insignificant.” Ans. 26. The Examiner further explains that the ticket service in Kramer “will send data to the application server that will allow the client to obtain access to the application server. Without the application server receiving the session ID [from the ticket service as part of the ticket], the application server will not allow the client to access the application server.” Supp. Ans. 25. The Examiner also points out that in Kramer, the “application server will compare these session IDs” received from the client and the ticket service and, “only upon finding such a correlation between session IDs and being able to retrieve the session key that is indexed by such session ID, verifying that the client requested and is to be given access to the application server,” will the client be granted access to the application server. Supp. Ans. 26; See also Kramer col. 8 ll. 5-67. Finally, the Examiner points out that one construction of the disputed claim language can be clarified by looking to dependent claim 4, which states “verifying that the client directed the first resource to request access comprises receiving a session identifier from the client, receiving a session identifier from the first resource, and verifying that the received session identifiers match.” Supp. Ans. 26.

We do not find Appellants’ analogy persuasive. As the Examiner explains, the ticket service is sending session information to the application server for the purpose of allowing a client to access the application server. Supp. Ans. 25. This communication between the ticket service and application server is quite different than merely sending an email that the email server manages. We agree with the Examiner that one embodiment of “verifying that a client directed the first resource to request access to the second resource” includes comparing session IDs received from the client and the first resource, which is shown in the sections cited by the Examiner. See Kramer col. 8 ll. 5-67. Therefore, because Kramer teaches or suggests “verifying that a client directed the first resource to request to access to the second resource,” we agree with the Examiner that independent claim 1 is obvious in view of Kramer.
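The following is an added illustration, not code from the decision, the application, Buhle, or Kramer, of how the steps of claim 16 and the session-identifier matching of dependent claim 4 can be realised as a concrete access check. It assumes (these are the example's own choices, not anything the claims or references require) that the second resource authenticates the first resource with a shared HMAC key, that the client registers its direction with the second resource directly and receives a session identifier it then hands to the first resource, and that each registered direction is single-use with an expiry. The last two assumptions are what make the bank-teller scenario from the briefs fail: a later request by the same first resource without a fresh client direction presents no matching identifier and is refused. All names, keys and credentials are constructed.

```python
"""Delegated access check modelled on the claim language discussed above:
(1) verify the request came from the first resource, (2) verify a client
directed it by matching the session identifier the client registered with
the one the first resource presents, (3) authenticate the user's credentials,
then (4) grant access. Shared keys, user names and passwords are constructed
sample values for this example only."""
import hashlib
import hmac
import secrets


def _hash_password(password: str, salt: bytes) -> bytes:
    # Assumed credential store format: salted PBKDF2-SHA256 (example choice).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


class SecondResource:
    """The resource being accessed; plays the verifier / origin verifier role."""

    def __init__(self, resource_keys, users, ttl=300):
        self._resource_keys = dict(resource_keys)  # first-resource name -> shared HMAC key
        self._users = {}                            # user -> (salt, password hash)
        for user, password in users.items():
            salt = secrets.token_bytes(16)
            self._users[user] = (salt, _hash_password(password, salt))
        self._directions = {}                       # session id -> (user, expiry time)
        self._ttl = ttl

    def client_directs(self, user, password, now):
        """Client authenticates directly and records that it directs a first
        resource to act for it. Returns the session identifier the client
        will pass on to the first resource, or None if credentials fail."""
        rec = self._users.get(user)
        if rec is None:
            return None
        salt, stored = rec
        if not hmac.compare_digest(stored, _hash_password(password, salt)):
            return None
        sid = secrets.token_hex(16)
        self._directions[sid] = (user, now + self._ttl)
        return sid

    def request_access(self, first_resource, session_id, tag, now):
        """Access request arriving from a first resource. Returns (granted, reason)."""
        # Step 1: verify the request was received from the named first resource.
        key = self._resource_keys.get(first_resource)
        if key is None:
            return False, "unknown first resource"
        expected = hmac.new(key, f"{first_resource}|{session_id}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False, "request not verifiably from first resource"
        # Step 2: verify a client directed this request by matching the session
        # identifier received from the client with the one the first resource sent.
        # The direction is consumed, so a second attempt needs a fresh direction.
        direction = self._directions.pop(session_id, None)
        if direction is None:
            return False, "no client direction matches this session identifier"
        user, expiry = direction
        if now > expiry:
            return False, "client direction expired"
        # Step 3 (credentials) was completed when the client registered; step 4: grant.
        return True, f"access granted on behalf of {user}"


class FirstResource:
    """The intermediary (Appellants' middle-tier server) holding a shared key."""

    def __init__(self, name, key):
        self.name, self._key = name, key

    def request(self, second, session_id, now):
        tag = hmac.new(self._key, f"{self.name}|{session_id}".encode(),
                       hashlib.sha256).digest()
        return second.request_access(self.name, session_id, tag, now)


def demo():
    key = b"constructed-shared-key-for-middle-tier"
    second = SecondResource({"middle-tier": key}, {"alice": "correct horse"}, ttl=300)
    middle = FirstResource("middle-tier", key)
    impostor = FirstResource("middle-tier", b"constructed-wrong-key")
    results = {}
    sid = second.client_directs("alice", "correct horse", now=1000)
    results["directed"] = middle.request(second, sid, now=1001)
    # The bank-teller case: same first resource reusing the identifier with no fresh direction.
    results["replayed"] = middle.request(second, sid, now=1002)
    sid2 = second.client_directs("alice", "correct horse", now=1000)
    results["forged"] = impostor.request(second, sid2, now=1001)   # fails step 1
    results["expired"] = middle.request(second, sid2, now=1400)     # past ttl
    results["bad_password"] = second.client_directs("alice", "wrong", now=1000)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Consuming the direction on use is the design choice that distinguishes "the first resource was once authorised" from "the client directed this particular request"; the Board notes that claim 16 does not require that stronger reading, but it is the property a practitioner typically wants from such a check.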
Independent claims 8, 16, 20, 26, 28, and 31-33 contain similar limitations to those in claim 1 and Appellants make no further arguments with respect to claims 8, 16, 20, 26, 28, or 31-33. Therefore, we agree with the Examiner that claims 8, 16, 20, 26, 28, and 31-33 are obvious in view of Kramer for the same reasons as discussed above with respect to claim 1. Dependent claims 2-7, 9-13, 17-19, 21-22, 27, and 29-30 were not argued separately, and were rejected under 35 U.S.C. § 103(a) in view of Kramer or in view of the combination of Kramer and BEA. Therefore, dependent claims 2-7, 9-13, 17-19, 21-22, 27, and 29-30 fall with the rejection of claims 1, 8, 16, 20, 26, and 28 under 35 U.S.C. § 103(a).

Appellants argued that independent claims 14, 15, 23, and 25 were not obvious in view of the combination of Kramer and BEA, because the ticket service of Kramer never receives a session identifier from the client. App. Br. 17-19. However, the Examiner clarified that the application server receives the session identifier from both the client and the ticket service and thus meets the limitations of claims 14, 15, 23, and 25. Ans. 27-28. We agree with the Examiner and observe that Appellants have provided no further response in the Reply Brief. Therefore, because Kramer teaches or suggests “matching the session identifier received from the client with the session identifier received from the distributed application,” we find that claims 14, 15, 23, and 25 are obvious in view of Kramer and BEA.

Independent claim 24 contains similar limitations to those in independent claims 1 and 14. Appellants argued that independent claim 24 was not obvious in view of Kramer and BEA for the same reasons as argued with respect to independent claim 14 and independent claim 1. Therefore, we agree with the Examiner that independent claim 24 is obvious in view of Kramer and BEA for the same reasons as discussed above with respect to claims 1 and 14.

DECISION

The Examiner’s rejection of claims 1, 8, 16-19, 26, 28, and 32 under 35 U.S.C. § 102(e) as being anticipated by Buhle is affirmed.

The Examiner’s rejection of claims 1, 4-8, 11-13, 16, 18-20, 22, and 26-33 under 35 U.S.C. § 103(a) as being obvious in view of Kramer is affirmed.

The Examiner’s rejection of claims 2, 3, 9, 10, 14, 15, 17, 21, and 23-25 under 35 U.S.C. § 103(a) as being obvious in view of Kramer and BEA is affirmed.

No time period for taking any subsequent action in connection with this appeal may be extended under 37 C.F.R. § 1.136(a)(1)(iv).

AFFIRMED