Security Top

I just announced the new Learn Spring Security course, including the full material focused on the new OAuth2 stack in Spring Security 5:


1. Overview

In this quick article, we'll focus on writing a custom filter for the Spring Security filter chain.

Further reading:

Spring Security – @PreFilter and @PostFilter

Learn how to use the @PreFilter and @PostFilter Spring Security annotations through practical examples.

Introduction to Java Config for Spring Security

A quick and practical guide to Java Config for Spring Security

Spring Boot Security Auto-Configuration

A quick and practical guide to Spring Boot's default Spring Security configuration.

2. Creating the Filter

Spring Security provides a number of filters by default, and most of the time, these are enough.

But of course sometimes it's necessary to implement new functionality with create a new filter to use in the chain.

We'll start by implementing the org.springframework.web.filter.GenericFilterBean.

The GenericFilterBean is a simple javax.servlet.Filter implementation implementation that is Spring aware.

On to the implementation – we only need to implement a single method:

public class CustomFilter extends GenericFilterBean {

    public void doFilter(
      ServletRequest request, 
      ServletResponse response,
      FilterChain chain) throws IOException, ServletException {
        chain.doFilter(request, response);

3. Using the Filter in the Security Config

We're free to choose either XML configuration or Java configuration to wire the filter into the Spring Security configuration.

3.1. Java Configuration

You can register the filter programmatically overriding the configure method from WebSecurityConfigurerAdapter. For example, it works with the addFilterAfter method on a HttpSecurity instance:

public class CustomWebSecurityConfigurerAdapter
  extends WebSecurityConfigurerAdapter {

    protected void configure(HttpSecurity http) throws Exception {
          new CustomFilter(), BasicAuthenticationFilter.class);

There are a couple of possible methods:

3.2. XML Configuration

You can add the filter to the chain using the custom-filter tag and one of these names to specify the position of your filter. For instance, it can be pointed out by the after attribute:

    <custom-filter after="BASIC_AUTH_FILTER" ref="myFilter" />

<beans:bean id="myFilter" class=""/>

Here are all attributes to specify exactly a place your filter in the stack:

  • after – describes the filter immediately after which a custom filter will be placed in the chain
  • before – defines the filter before which our filter should be placed in the chain
  • position – allows replacing a standard filter in the explicit position by a custom filter

4. Conclusion

In this quick article, we created a custom filter and wired that into the Spring Security filter chain.

As always, all code examples are available in the sample Github project.

Security bottom

I just announced the new Learn Spring Security course, including the full material focused on the new OAuth2 stack in Spring Security 5:

newest oldest most voted
Notify of
Amit Patel
Amit Patel

i want to use spring security in my spring mvc project , i am not using password for authentication , i am asking three question to user and he pass the three answers for these question if answers is correct login success otherwise failed how to implement spring security for this

Eugen Paraschiv

Hey Amit,
Well, that’s certainly an interesting case – it’s very unusual to ask security questions as a primary means to authenticate the user. If that’s really what you’re doing (do let me know if I understood it wrong) – then you’ll need to go into Spring Security and write your own logic, likely as a custom authentication provider.
But – before you do that, I would reconsider the approach and think through both the security implications (which are significant) but also the user experience for your system.
Hope that helps. Cheers,

Amit Patel
Amit Patel

I wrote the custom authentication for that as u suggested.

System.out.println( ” thank you very much . ” )

Eugen Paraschiv

I’m glad everything’s sorted out Amit. Cheers,

Comments are closed on this article!