Case No. IP-2017-000169
Intellectual Property Enterprise Court

Date: 22-May-2019

Claims 1 and 11

Claim 1

30. Although they do not correspond exactly, claim 1 can be visualised by reference to figure 4:

31. There are three parts to the system which performs the method of claim 1. The dotted lines in figure 4 distinguish them. First there is the user’s computer (the user is referred to as the ‘user agent’), shown in the centre of figure 4. Secondly the ‘policy service’ which is a computer configured to apply the policy which discriminates one user agent from another when attempting to access a website, shown on the left. Thirdly, on the right, there is the ‘authentication portal’ which can identify the user agent so that the policy service may then allow access to a requested website.

32. Claim 1 is as follows, with numbers in square brackets added by me to correspond with the numbers in figure 4:

“A method of applying network resource access policy, the method comprising:
receiving from a user agent a request [102] for a remote network resource;
obtaining from the request authorization data specific to the remote network resource when the request contains the authorization data [104];
determining a resource access policy for the request, including using the authorization data, if obtained, to determine the resource access policy for the request [106];
applying the resource access policy [108] to allow or deny access by the user agent to the remote network resource;
when denying access to the remote network resource, redirecting the user agent to an authorization portal [112, 114];
after authorization by the authorization portal [115-116], receiving from the user agent an authorized request [100] for the remote network resource, the authorized request including an authorization token [118]; and
in response to receiving the authorized request including the authorization token [102], storing the authorization data specific to the remote network resource at the user agent and redirecting the user agent to the remote network resource to cause the user agent to make another request for the remote network resource [104, 106, 108 and 110].”

Claim 11

33. Claim 11 is:

“11. A system for applying network resource access policy, the system comprising:
a filter configured to apply resource access policy to a request from a user agent for access to a remote network resource by redirecting the user agent to an authorization portal when denying the request for the remote network resource, the filter further configured to respond to an authorized request having an authorization token by storing authorization data at the user agent and redirecting user the agent [sic] to the requested network resource; and
a policy server configured to determine resource access policy based on the request as provided by the filter and further based on any authorization data accompanying the request.”

34. The significant feature of claim 11 is a filter which is separate from the policy server. The two may be separately located. The filtering and the application of the policy are thus done independently.

35. Claim 11 is not dependent on claim 1, so need not incorporate exactly the steps of claim 1. Figure 5 illustrates how the claim 11 system could typically work, demonstrating the increased number of steps when compared with claim 1:

36. Figure 5 can be explained as follows by reference to the numbers in the diagram:

(1) An individual (user agent) makes a request [130] for access to a website (content source). The request is intercepted by a filter [22].

(2) The filter requests [132] a policy decision from a policy server [24], a computer programmed to apply the desired policy for access to websites.

(3) The policy server’s first response [134] is a decision to deny access.

(4) There is an authorization portal [50], a computer which can authorise a request for access to a website, but which also hosts a deny page. The decision from the policy server to deny [134] causes the filter to instruct the user agent’s computer to redirect [136] to the authorization portal’s deny page.

(5) The user agent’s computer sends a request [138] to the filter which, having had the request approved [140 & 142] by the policy server, requests [144] the deny page from the authorization portal.

(6) The deny page is sent [146] to the user agent’s computer, i.e. the screen displays to the user agent a page with the message that access to the website has been denied. The deny page also contains a section permitting the user agent to type in their credentials, typically a username and password. If these are entered, the request is submitted again [148 & 150] to the policy server via the filter. The policy server submits [154] to the authorization portal a request for access to the website.

(7) The authorization portal responds by redirecting [156] the request back to the user agent’s computer, together with an ‘authorization token’ which contains a unique identifier, corresponding to the credentials supplied by the user agent.

(8) The user agent’s computer then sends a second request [158] to the filter, now with the authorization token.

(9) The filter passes [160] the request, along with the authorization token, to the policy server, which allows the request and passes it back [162] to the filter.

(10) The filter redirects [164] the request back to the user agent’s computer together with a cookie injected by the filter, which contains authorization data.

(11) The request, now with the cookie, is submitted a third time [166] by the user agent’s computer to the filter.

(12) The filter sends [168] the third request, with cookie, to the policy server. If the data in the cookie does not satisfy the policy, the policy server will respond by redirecting the user agent’s computer to the deny page (as above).

(13) Alternatively if, as is shown in figure 5, the cookie data satisfies the policy, the policy server will direct [170] the filter to request content from the website (‘the content source’ [42]).

(14) The filter requests [172] content from the website.

(15) The website then sends [174] the content to the user agent’s computer.
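
The figure 5 exchange set out in paragraph 36, modelled as an added Python example that is not part of the judgment or the patent. It assumes details the text does not specify: the authorization data is an HMAC-signed cookie bound to the user and the resource, tokens are single-use, and every name, credential and URL below is hypothetical.

```python
import hashlib, hmac, secrets

KEY = secrets.token_bytes(32)           # assumption: secret held by the policy server only
USERS = {"alice": "correct horse"}      # constructed portal credentials
TOKENS = {}                             # authorization token -> user
PORTAL = "https://portal.example/deny"  # hypothetical deny-page URL

def mac_for(user, resource):
    # NUL separator keeps (user, resource) pairs unambiguous inside the MAC input
    return hmac.new(KEY, f"{user}\0{resource}".encode(), hashlib.sha256).hexdigest()

def portal_login(user, password):
    """Authorization portal: verify credentials, issue a token [156]."""
    known = USERS.get(user)
    if known is None or not hmac.compare_digest(known.encode(), password.encode()):
        return None
    token = secrets.token_urlsafe(16)
    TOKENS[token] = user
    return token

def policy_decide(resource, token=None, cookie=None):
    """Policy server: allow on a valid cookie, mint data on a valid token, else deny."""
    if cookie:
        user, _, mac = cookie.rpartition("|")
        if hmac.compare_digest(mac.encode(), mac_for(user, resource).encode()):
            return "allow", None
    user = TOKENS.pop(token, None) if token else None   # token is consumed on use
    if user:
        return "store", f"{user}|{mac_for(user, resource)}"
    return "deny", None

def filter_handle(resource, token=None, cookies=None):
    """Filter: intercept the request and turn the policy decision into a response."""
    verdict, data = policy_decide(resource, token, (cookies or {}).get(resource))
    if verdict == "allow":                               # [170]-[174]
        return {"status": 200, "body": f"content of {resource}"}
    if verdict == "store":                               # redirect plus cookie [164]
        return {"status": 302, "location": resource, "set_cookie": {resource: data}}
    return {"status": 302, "location": PORTAL}           # redirect to deny page [136]

def browse(resource, user, password):
    """User agent: the three requests of figure 5, returning statuses and cookie jar."""
    jar = {}
    first = filter_handle(resource, cookies=jar)         # [130], no authorization data
    token = portal_login(user, password)                 # credentials typed on deny page
    second = filter_handle(resource, token, jar)         # [158], carries the token
    jar.update(second.get("set_cookie", {}))
    third = filter_handle(resource, cookies=jar)         # [166], carries the cookie
    return [first["status"], second["status"], third["status"]], jar
```

Because the cookie is stored at the user agent, the policy server here re-verifies it on every request; a cookie replayed against a different resource or edited by the client falls back to the deny redirect.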