Subject: Question on building a PEP
I would like to know how others are inserting a PEP into their Java-based systems. My fledgling attempt at creating a little RBAC system used a servlet Filter for the PEP:
1) do a login in which the user selects a role
2) issue a request for a servlet such as
3) the request is intercepted by a filter servlet called PEP defined in Tomcat. The doFilter method constructs an XACML request, sends it to another servlet called PolicyDecisionPoint and gets the XACML response.
4) the PEP uses the decision to allow continuation to the above URL or to issue its own deny page.
I used the filter approach to hide the PEP/PDP steps from the user. Implementing the PDP as a servlet was a quickie; it is pre-instantiated with a large set of policies.
The negative is that doFilter takes ServletRequest as an argument, so I don't have access to the target servlet name through, say, getServletPath(). So I'm passing it as a query parameter, tacky I know.
Any well known practices for placing the PEP as an interceptor of HTTP requests?
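The flow described above, written out as an added example (this is not the poster's code and not any particular XACML product's API). It assumes the filter runs inside a web application, where the container always hands doFilter an HttpServletRequest, so the ServletRequest parameter can be downcast and getServletPath()/getPathInfo() read directly instead of being smuggled in as a query parameter. The PDP URL, the web.xml init-param name "pdpUrl", and the session attribute names "userId"/"role" are assumptions; the request body uses the XACML 2.0 context schema namespace and the standard subject-id/resource-id/action-id attribute identifiers.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;

import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

/** PEP as a servlet Filter. Hypothetical example: PDP URL and session attribute names are assumptions. */
public class XacmlPepFilter implements Filter {
    private static final String XACML_NS = "urn:oasis:names:tc:xacml:2.0:context:schema:os";
    private static final String XS_STRING = "http://www.w3.org/2001/XMLSchema#string";
    private String pdpUrl; // e.g. http://localhost:8080/app/PolicyDecisionPoint (assumed init-param "pdpUrl")

    @Override
    public void init(FilterConfig cfg) {
        pdpUrl = cfg.getInitParameter("pdpUrl");
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        // In a web app the container always passes HTTP types; the downcast exposes getServletPath().
        HttpServletRequest httpReq = (HttpServletRequest) req;
        HttpServletResponse httpResp = (HttpServletResponse) resp;

        // Subject and role come from the server-side session (set at login), never from the request.
        HttpSession session = httpReq.getSession(false);
        String user = session == null ? null : (String) session.getAttribute("userId"); // assumed names
        String role = session == null ? null : (String) session.getAttribute("role");
        if (user == null || role == null) {
            httpResp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // The protected resource is what the container resolved, not a caller-supplied query parameter.
        String path = httpReq.getPathInfo() == null ? "" : httpReq.getPathInfo();
        String resource = httpReq.getServletPath() + path;
        String decision;
        try {
            decision = askPdp(buildRequest(user, role, resource, httpReq.getMethod()));
        } catch (Exception e) {
            decision = "Indeterminate"; // PDP unreachable or response unparsable: fail closed
        }

        // Only an explicit Permit continues; Deny, NotApplicable and Indeterminate all deny.
        if ("Permit".equals(decision)) {
            chain.doFilter(req, resp);
        } else {
            httpResp.sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }

    /** Build a XACML 2.0 request context for (subject, role, resource, action). */
    static String buildRequest(String subject, String role, String resource, String action) {
        return "<Request xmlns=\"" + XACML_NS + "\">"
             + "<Subject>" + attr("urn:oasis:names:tc:xacml:1.0:subject:subject-id", subject)
             + attr("urn:oasis:names:tc:xacml:2.0:subject:role", role) + "</Subject>"
             + "<Resource>" + attr("urn:oasis:names:tc:xacml:1.0:resource:resource-id", resource) + "</Resource>"
             + "<Action>" + attr("urn:oasis:names:tc:xacml:1.0:action:action-id", action) + "</Action>"
             + "<Environment/></Request>";
    }

    private static String attr(String id, String value) {
        return "<Attribute AttributeId=\"" + id + "\" DataType=\"" + XS_STRING + "\"><AttributeValue>"
             + escape(value) + "</AttributeValue></Attribute>";
    }

    /** Escape so a crafted path or username cannot inject extra elements into the request context. */
    private static String escape(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;").replace("\"", "&quot;");
    }

    /** POST the request context to the PDP servlet and return the Decision text. */
    private String askPdp(String xacmlRequest) throws Exception {
        HttpURLConnection conn = (HttpURLConnection) new URL(pdpUrl).openConnection();
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setConnectTimeout(2000);
        conn.setReadTimeout(2000);
        conn.setRequestProperty("Content-Type", "application/xml; charset=UTF-8");
        try (OutputStream out = conn.getOutputStream()) {
            out.write(xacmlRequest.getBytes(StandardCharsets.UTF_8));
        }
        try (InputStream in = conn.getInputStream()) {
            return parseDecision(in);
        }
    }

    /** Extract <Decision> from the XACML response with a parser that refuses DOCTYPEs (no XXE). */
    static String parseDecision(InputStream in) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setExpandEntityReferences(false);
        Document doc = f.newDocumentBuilder().parse(in);
        NodeList n = doc.getElementsByTagNameNS(XACML_NS, "Decision");
        return n.getLength() == 0 ? "Indeterminate" : n.item(0).getTextContent().trim();
    }
}
```

Map the filter in web.xml with a filter-mapping whose url-pattern covers everything you want protected (for example /secure/*), and map the PolicyDecisionPoint servlet somewhere that filter does not cover, or the PEP will try to authorize its own calls to the PDP. Two points worth keeping from the example regardless of how the PEP is wired in: the resource identifier must come from the container (getServletPath()/getPathInfo()), since a query parameter can be rewritten by the client to name a different, less-protected resource than the one actually being requested; and anything other than an explicit Permit, including a timeout talking to the PDP, must end in a deny.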