A Custom Filter in the Spring Security Filter Chain

1. Overview

In this quick article, we’ll focus on writing a custom filter for the Spring Security filter chain.

Further reading:

Spring Security – @PreFilter and @PostFilter

Learn how to use the @PreFilter and @PostFilter Spring Security annotations through practical examples.

Read more

Introduction to Java Config for Spring Security

A quick and practical guide to Java Config for Spring Security

Read more

Spring Boot Security Auto-Configuration

A quick and practical guide to Spring Boot’s default Spring Security configuration.

Read more

2. Creating the Filter

Spring Security provides a number of filters by default, and most of the time, these are enough.

But of course sometimes it’s necessary to implement new functionality with create a new filter to use in the chain.

We’ll start by implementing the org.springframework.web.filter.GenericFilterBean.

The GenericFilterBean is a simple javax.servlet.Filter implementation implementation that is Spring aware.

On to the implementation – we only need to implement a single method:

public class CustomFilter extends GenericFilterBean {

    @Override
    public void doFilter(
      ServletRequest request,
      ServletResponse response,
      FilterChain chain) throws IOException, ServletException {
        chain.doFilter(request, response);
    }
}

3. Using the Filter in the Security Config

We’re free to choose either XML configuration or Java configuration to wire the filter into the Spring Security configuration.

3.1. Java Configuration

You can register the filter programmatically overriding the configure method from WebSecurityConfigurerAdapter. For example, it works with the addFilterAfter method on a HttpSecurity instance:

@Configuration
public class CustomWebSecurityConfigurerAdapter
  extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.addFilterAfter(
          new CustomFilter(), BasicAuthenticationFilter.class);
    }
}

There are a couple of possible methods:

3.2. XML Configuration

You can add the filter to the chain using the custom-filter tag and one of these names to specify the position of your filter. For instance, it can be pointed out by the after attribute:

<http>
    <custom-filter after="BASIC_AUTH_FILTER" ref="myFilter" />
</http>

<beans:bean id="myFilter" class="org.baeldung.security.filter.CustomFilter"/>

Here are all attributes to specify exactly a place your filter in the stack:

  • after – describes the filter immediately after which a custom filter will be placed in the chain

  • before – defines the filter before which our filter should be placed in the chain

  • position – allows replacing a standard filter in the explicit position by a custom filter

4. Conclusion

In this quick article, we created a custom filter and wired that into the Spring Security filter chain.

As always, all code examples are available in the sample Github project.

Leave a Reply

Your email address will not be published.