| 摘要 |
A computer system that is configured to provide a resource to an application contains an agent 303 which modifies the ordinary behaviour of a native security system 103, such as to allow security decisions with alternate granularity or an alternate set of access rights. The agent 303 intercepts authorisation requests made by applications 109 for resources 110 identified by URIs 111 and sends amended requests to the security system 103. The intercepted URI is replaced with a URI that redirects to an alternate authorisation mechanism 307 of the agent 303, whereupon the agent 303 may selectively allow or deny the request according to the originally presented URI 111. This allows the least-privilege principal to be implemented while still enabling, legitimate applications to execute on the computer device by accessing the relevant resources, resulting in the computer device being better protected than granting additional privileges to all members of a relevant group. |
