Security Top

I just announced the new Learn Spring Security course, including the full material focused on the new OAuth2 stack in Spring Security 5:

>> CHECK OUT THE COURSE
Authors Top

If you have a few years of experience in the Java ecosystem, and you’d like to share that with the community, have a look at our Contribution Guidelines.

1. Overview

In this quick tutorial, we'll focus on writing a custom filter for the Spring Security filter chain.

Further reading:

Spring Security – @PreFilter and @PostFilter

Learn how to use the @PreFilter and @PostFilter Spring Security annotations through practical examples.

Introduction to Java Config for Spring Security

A quick and practical guide to Java Config for Spring Security

Spring Boot Security Auto-Configuration

A quick and practical guide to Spring Boot's default Spring Security configuration.

2. Creating the Filter

Spring Security provides a number of filters by default, and these are enough most of the time.

But of course it's sometimes necessary to implement new functionality by creating a new filter to use in the chain.

We'll start by implementing the org.springframework.web.filter.GenericFilterBean.

The GenericFilterBean is a simple javax.servlet.Filter implementation that is Spring-aware.

We only need to implement a single method:

public class CustomFilter extends GenericFilterBean {

    @Override
    public void doFilter(
      ServletRequest request, 
      ServletResponse response,
      FilterChain chain) throws IOException, ServletException {
        chain.doFilter(request, response);
    }
}

3. Using the Filter in the Security Config

We're free to choose either XML configuration or Java configuration to wire the filter into the Spring Security configuration.

3.1. Java Configuration

We can register the filter programmatically overriding the configure method from WebSecurityConfigurerAdapter.

For example, it works with the addFilterAfter method on an HttpSecurity instance:

@Configuration
public class CustomWebSecurityConfigurerAdapter
  extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.addFilterAfter(
          new CustomFilter(), BasicAuthenticationFilter.class);
    }
}

There are a couple of possible methods:

3.2. XML Configuration

We can add the filter to the chain using the custom-filter tag and one of these names to specify the position of our filter.

For instance, it can be pointed out by the after attribute:

<http>
    <custom-filter after="BASIC_AUTH_FILTER" ref="myFilter" />
</http>

<beans:bean id="myFilter" class="com.baeldung.security.filter.CustomFilter"/>

Here are all the attributes to specify exactly where to place our filter in the stack:

  • after describes the filter immediately after which a custom filter will be placed in the chain.
  • before defines the filter before which our filter should be placed in the chain.
  • position allows replacing a standard filter in the explicit position by a custom filter.

4. Conclusion

In this quick article, we created a custom filter and wired that into the Spring Security filter chain.

As always, all code examples are available in the sample GitHub project.

Security bottom

I just announced the new Learn Spring Security course, including the full material focused on the new OAuth2 stack in Spring Security 5:

>> CHECK OUT THE COURSE
Security footer banner
Comments are closed on this article!