spring-security-custom-filter
A Custom Filter in the Spring Security Filter Chain
Further reading:
Spring Security – @PreFilter and @PostFilter
Learn how to use the @PreFilter and @PostFilter Spring Security annotations through practical examples.
Introduction to Java Config for Spring Security
A quick and practical guide to Java Config for Spring Security
Spring Boot Security Auto-Configuration
A quick and practical guide to Spring Boot’s default Spring Security configuration.
2. Creating the Filter
But of course sometimes it’s necessary to implement new functionality with create a new filter to use in the chain.
We’ll start by implementing the org.springframework.web.filter.GenericFilterBean.
The GenericFilterBean is a simple javax.servlet.Filter implementation implementation that is Spring aware.
On to the implementation – we only need to implement a single method:
public class CustomFilter extends GenericFilterBean {
@Override
public void doFilter(
ServletRequest request,
ServletResponse response,
FilterChain chain) throws IOException, ServletException {
chain.doFilter(request, response);
}
}
3. Using the Filter in the Security Config
We’re free to choose either XML configuration or Java configuration to wire the filter into the Spring Security configuration.
3.1. Java Configuration
You can register the filter programmatically overriding the configure method from WebSecurityConfigurerAdapter. For example, it works with the addFilterAfter method on a HttpSecurity instance:
@Configuration
public class CustomWebSecurityConfigurerAdapter
extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.addFilterAfter(
new CustomFilter(), BasicAuthenticationFilter.class);
}
}
There are a couple of possible methods:
-
addFilterBefore(filter, class) – adds a filter before the position of the specified filter class
-
addFilterAfter(filter, class) – adds a filter after the position of the specified filter class
-
addFilterAt(filter, class) – adds a filter at the location of the specified filter class
-
addFilter(filter) – adds a filter that must be an instance of or extend one of the filters provided by Spring Security
3.2. XML Configuration
You can add the filter to the chain using the custom-filter tag and one of these names to specify the position of your filter. For instance, it can be pointed out by the after attribute:
<http>
<custom-filter after="BASIC_AUTH_FILTER" ref="myFilter" />
</http>
<beans:bean id="myFilter" class="org.baeldung.security.filter.CustomFilter"/>
Here are all attributes to specify exactly a place your filter in the stack:
-
after – describes the filter immediately after which a custom filter will be placed in the chain
-
before – defines the filter before which our filter should be placed in the chain
-
position – allows replacing a standard filter in the explicit position by a custom filter
4. Conclusion
In this quick article, we created a custom filter and wired that into the Spring Security filter chain.
As always, all code examples are available in the sample Github project.