1. Overview
In this quick article, we’ll focus on writing a custom filter for the Spring Security filter chain.
2. Creating the Filter
Spring Security provides a number of filters by default, and most of the time, these are enough.
But of course sometimes it’s necessary to implement new functionality with create a new filter to use in the chain.
We’ll start by implementing the org.springframework.web.filter.GenericFilterBean.
The GenericFilterBean is a simple javax.servlet.Filter implementation implementation that is Spring aware.
On to the implementation – we only need to implement a single method:
public class CustomFilter extends GenericFilterBean { @Override public void doFilter( ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { chain.doFilter(request, response); } }
3. Using the Filter in the Security Config
We’re free to choose either XML configuration or Java configuration to wire the filter into the Spring Security configuration.
3.1. Java Configuration
You can register the filter programmatically overriding the configure method from WebSecurityConfigurerAdapter. For example, it works with the addFilterAfter method on a HttpSecurity instance:
@Configuration public class CustomWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http.addFilterAfter( new CustomFilter(), BasicAuthenticationFilter.class); } }
There are a couple of possible methods:
- addFilterBefore(filter, class) – adds a filter before the position of the specified filter class
- addFilterAfter(filter, class) – adds a filter after the position of the specified filter class
- addFilterAt(filter, class) – adds a filter at the location of the specified filter class
- addFilter(filter) – adds a filter that must be an instance of or extend one of the filters provided by Spring Security
3.2. XML Configuration
You can add the filter to the chain using the custom-filter tag and one of these names to specify the position of your filter. For instance, it can be pointed out by the after attribute:
<http> <custom-filter after="BASIC_AUTH_FILTER" ref="myFilter" /> </http> <beans:bean id="myFilter" class="org.baeldung.security.filter.CustomFilter"/>
Here are all attributes to specify exactly a place your filter in the stack:
- after – describes the filter immediately after which a custom filter will be placed in the chain
- before – defines the filter before which our filter should be placed in the chain
- position – allows replacing a standard filter in the explicit position by a custom filter
4. Conclusion
In this quick article, we created a custom filter and wired that into the Spring Security filter chain.
As always, all code examples are available in the sample Github project.