Getting Started

This guide adds Ihawu to a Spring Boot application and masks a field end to end.

  1. Add the starter. It pulls ihawu-core transitively, so it’s the only dependency you add.

    implementation("org.ihawu:ihawu-spring-boot-starter:0.1.0")
  2. Annotate your response type with the resource name that its field policies will refer to.

    @IhawuResource("employee")
    data class EmployeeResponse(
        val id: String,
        val fullName: String,
        val email: String,
        val salary: Double,
        val socialSecurityNumber: String,
    )
  3. Define a policy. Supply a ResourcePolicyProvider bean with per-role rules (or bind them from configuration).

    @Bean
    fun resourcePolicyProvider() =
        ResourcePolicyProvider {
            listOf(
                ResourcePolicy(
                    resourceName = "employee",
                    roleFieldPolicies = mapOf(
                        "MANAGER" to listOf(
                            FieldPolicy("socialSecurityNumber", MaskingStrategy.REDACT, "***-**-****"),
                        ),
                        "EMPLOYEE" to listOf(
                            FieldPolicy("salary", MaskingStrategy.HIDE),
                            FieldPolicy("socialSecurityNumber", MaskingStrategy.HIDE),
                        ),
                    ),
                ),
            )
        }
  4. Call the endpoint. The same handler now returns different fields per role — a MANAGER sees a redacted SSN; an EMPLOYEE sees neither salary nor SSN; an unconfigured role sees the full record (masking is a denylist).
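
Because masking is a denylist, a role that is missing from the policy receives every field. The following is an added example, not code from Ihawu or its sample: a plain-Kotlin model of that rule which lists the sensitive fields each role would receive unmasked and flags policy field names that do not exist on the response type. `Rule`, `Strategy`, the helper functions, the `sensitive` set and the `AUDITOR` role are hypothetical, and matching by Kotlin property name is an assumption.

```kotlin
// Added example, plain Kotlin: models the denylist rule from step 4 and does
// not call Ihawu. Rule, Strategy and the helper functions are hypothetical.
enum class Strategy { REDACT, HIDE }

data class Rule(val field: String, val strategy: Strategy)

// Same shape as the response type in step 2 (annotation omitted so this runs alone).
data class EmployeeResponse(
    val id: String,
    val fullName: String,
    val email: String,
    val salary: Double,
    val socialSecurityNumber: String,
)

// Constructed copy of the step 3 policy: role -> rules for resource "employee".
val employeeRules: Map<String, List<Rule>> = mapOf(
    "MANAGER" to listOf(Rule("socialSecurityNumber", Strategy.REDACT)),
    "EMPLOYEE" to listOf(
        Rule("salary", Strategy.HIDE),
        Rule("socialSecurityNumber", Strategy.HIDE),
    ),
)

// Field names of the response type, read from the compiled class.
val responseFields: Set<String> =
    EmployeeResponse::class.java.declaredFields.map { it.name }.toSet()

// Denylist: a field comes back as-is unless the caller's role has a rule for it,
// so a role with no entry gets every watched field back.
fun unmaskedFor(role: String, watched: Set<String>): Set<String> =
    watched - employeeRules[role].orEmpty().map { it.field }.toSet()

// Assumption: rules match by Kotlin property name, so a misspelled name matches nothing.
fun unknownRuleFields(): Set<String> =
    employeeRules.values.flatten().map { it.field }.toSet() - responseFields

fun main() {
    val sensitive = setOf("salary", "socialSecurityNumber") // constructed list
    // AUDITOR is a constructed role with no policy entry.
    for (role in listOf("MANAGER", "EMPLOYEE", "AUDITOR")) {
        println("$role receives unmasked: ${unmaskedFor(role, sensitive)}")
    }
    println("rule fields missing from EmployeeResponse: ${unknownRuleFields()}")
}
```

Run against the real role list in CI, a check of this kind turns a forgotten role or a misspelled field name into a visible failure instead of an unmasked response.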

The repository ships a complete, runnable sample under samples/spring-boot-sample — a secured endpoint, three roles, and an integration test that pins each role’s masked JSON. It’s the fastest way to see Ihawu working against a live HTTP endpoint.