Course – LSS – NPI (cat=Spring Security)
announcement - icon

If you're working on a Spring Security (and especially an OAuth) implementation, definitely have a look at the Learn Spring Security course:


1. Overview

In this quick tutorial, we’ll focus on writing a custom filter for the Spring Security filter chain.

Further reading:

Spring Security – @PreFilter and @PostFilter

Learn how to use the @PreFilter and @PostFilter Spring Security annotations through practical examples.

Introduction to Java Config for Spring Security

A quick and practical guide to Java Config for Spring Security

Spring Boot Security Auto-Configuration

A quick and practical guide to Spring Boot's default Spring Security configuration.

2. Creating the Filter

Spring Security provides a number of filters by default, and these are enough most of the time.

But of course it’s sometimes necessary to implement new functionality by creating a new filter to use in the chain.

We’ll start by implementing the org.springframework.web.filter.GenericFilterBean.

The GenericFilterBean is a simple javax.servlet.Filter implementation that is Spring-aware.

We only need to implement a single method:

public class CustomFilter extends GenericFilterBean {

    public void doFilter(
      ServletRequest request, 
      ServletResponse response,
      FilterChain chain) throws IOException, ServletException {
        chain.doFilter(request, response);

3. Using the Filter in the Security Config

We’re free to choose either XML configuration or Java configuration to wire the filter into the Spring Security configuration.

3.1. Java Configuration

We can register the filter programmatically by creating a SecurityFilterChain bean.

For example, it works with the addFilterAfter method on an HttpSecurity instance:

public class CustomWebSecurityConfigurerAdapter {

    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
          new CustomFilter(), BasicAuthenticationFilter.class);

There are a couple of possible methods:

3.2. XML Configuration

We can add the filter to the chain using the custom-filter tag and one of these names to specify the position of our filter.

For instance, it can be pointed out by the after attribute:

    <custom-filter after="BASIC_AUTH_FILTER" ref="myFilter" />

<beans:bean id="myFilter" class=""/>

Here are all the attributes to specify exactly where to place our filter in the stack:

  • after describes the filter immediately after which a custom filter will be placed in the chain.
  • before defines the filter before which our filter should be placed in the chain.
  • position allows replacing a standard filter in the explicit position by a custom filter.

4. Conclusion

In this quick article, we created a custom filter and wired that into the Spring Security filter chain.

As always, all code examples are available in the sample GitHub project.

Course – LSS (cat=Security/Spring Security)
announcement - icon

I just announced the new Learn Spring Security course, including the full material focused on the new OAuth2 stack in Spring Security:


res – Security (video) (cat=Security/Spring Security)