
Introduction

Ihawu (Ndebele for shield) is a Policy Enforcement Point (PEP) for JVM and Kotlin applications. It masks restricted fields as your data is serialized, so sensitive values never reach a caller who is not permitted to see them — and it fails closed, emitting an empty document rather than leaking when something goes wrong.

Given a response type marked with @IhawuResource and a set of policies, Ihawu:

  • resolves the field policies that apply to the current caller for that resource,
  • hides (drops) or redacts (obfuscates) restricted fields during serialization, and
  • leaves every field that no rule restricts unchanged (masking is a denylist: a field without a rule, including one added to the type later, is emitted in full, so a new sensitive field needs a rule before it ships).

Your controllers return full, strongly-typed domain objects; the masking difference between callers comes entirely from policy.

Ihawu is a Policy Enforcement Point, not a Policy Decision Point and not an authorizer. It enforces the decisions your identity provider and policy engine make; it does not decide whether a caller may reach an endpoint at all — that belongs upstream (your web framework, Spring Security, OPA, or your own PDP). Keeping enforcement separate from decision-making is what lets Ihawu stay small, predictable, and safe.

request → [ auth / authz decision ] → controller returns domain object
        → [ Ihawu enforces policy during serialization ] → masked response
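To make the pipeline above concrete, here is an added, hand-rolled sketch of the same PEP pattern; it is not Ihawu's code and does not use Ihawu's API. The names FieldRule, Action, Caller, Customer, maskForCaller and the permission strings are assumptions for the example. It resolves which rules restrict the current caller, hides or redacts those fields while serializing a plain object to JSON, passes every other field through (denylist), and fails closed by emitting an empty document if serialization throws.

```kotlin
// Added illustration of a serialization-time Policy Enforcement Point.
// Not the Ihawu API: every type and name here is an assumption for the example.
import java.lang.reflect.Field

enum class Action { HIDE, REDACT }

// A rule restricts one field of one resource type unless the caller holds the
// named permission. Fields with no rule are emitted unchanged (denylist).
data class FieldRule(val resource: String, val field: String, val action: Action, val unlessPermission: String)

data class Caller(val permissions: Set<String>)

// A domain object the controller returns in full; masking happens later.
data class Customer(val id: Long, val email: String, val ssn: String, val internalNote: String)

private fun jsonString(s: String): String =
    "\"" + s.replace("\\", "\\\\").replace("\"", "\\\"") + "\""

// Obfuscate rather than drop: keep the last four characters of a string so the
// caller can still recognise the record without seeing the value.
private fun redact(value: Any?): String = when (value) {
    null -> "null"
    is String -> jsonString(if (value.length <= 4) "****" else "****" + value.takeLast(4))
    else -> jsonString("****")
}

private fun jsonValue(value: Any?): String = when (value) {
    null -> "null"
    is Number, is Boolean -> value.toString()
    else -> jsonString(value.toString())
}

/** Serialise [obj] as a flat JSON object, enforcing the rules that apply to this resource and caller. */
fun maskForCaller(obj: Any, caller: Caller, rules: List<FieldRule>): String {
    return try {
        val resource = obj.javaClass.simpleName
        // Policy resolution: a rule is active when it targets this resource type
        // and the caller lacks the permission that would lift it.
        val active = rules
            .filter { it.resource == resource && it.unlessPermission !in caller.permissions }
            .associateBy { it.field }
        val parts = obj.javaClass.declaredFields
            .filter { !it.isSynthetic }
            .mapNotNull { f: Field ->
                f.isAccessible = true
                val v = f.get(obj)
                when (active[f.name]?.action) {
                    Action.HIDE -> null                                   // dropped from the document
                    Action.REDACT -> jsonString(f.name) + ":" + redact(v) // obfuscated
                    null -> jsonString(f.name) + ":" + jsonValue(v)       // no rule: pass through
                }
            }
        parts.joinToString(",", "{", "}")
    } catch (e: Exception) {
        // Fail closed: an empty document, never a possibly unmasked one.
        "{}"
    }
}

fun main() {
    val rules = listOf(
        FieldRule("Customer", "ssn", Action.HIDE, unlessPermission = "pii:read"),
        FieldRule("Customer", "email", Action.REDACT, unlessPermission = "pii:read"),
    )
    // Constructed sample record for the example.
    val customer = Customer(42, "jane@example.com", "123-45-6789", "VIP, escalate to tier 2")

    // A caller holding pii:read sees the object unchanged.
    println(maskForCaller(customer, Caller(setOf("pii:read")), rules))
    // A support caller gets ssn dropped and email obfuscated; internalNote has no
    // rule, so the denylist lets it through in full until a rule is added.
    println(maskForCaller(customer, Caller(setOf("support")), rules))
}
```

The second call is the denylist caveat in action: adding a sensitive field to Customer does not mask it until a FieldRule names it, so reviewing new fields against policy belongs in code review, not in the PEP. The catch block is the fail-closed behaviour the introduction describes; it deliberately returns "{}" rather than rethrowing, because an unhandled exception in a serializer can otherwise be caught higher up and the partially written or unmasked object emitted anyway.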

Ready to try it? Head to Getting Started.