
Baeldung Pro comes with both absolutely No-Ads as well as finally with Dark Mode, for a clean learning experience:
Once the early-adopter seats are all used, the price will go up and stay at $33/year.
Last updated: February 6, 2025
In this quick tutorial, we’ll focus on writing a custom filter for the Spring Security filter chain.
Spring Security provides a number of filters by default, and these are enough most of the time.
Of course, it’s sometimes necessary to implement new functionality by creating a new filter to use in the chain.
We’ll start by implementing the org.springframework.web.filter.GenericFilterBean.
The GenericFilterBean is a simple javax.servlet.Filter implementation that is Spring-aware.
We only need to implement a single method:
public class CustomFilter extends GenericFilterBean {
@Override
public void doFilter(
ServletRequest request,
ServletResponse response,
FilterChain chain) throws IOException, ServletException {
chain.doFilter(request, response);
}
}
We’re free to choose either XML configuration or Java configuration to wire the filter into the Spring Security configuration.
We can register the filter programmatically by creating a SecurityFilterChain bean.
For example, it works with the addFilterAfter method on an HttpSecurity instance:
@Configuration
public class CustomWebSecurityConfigurerAdapter {
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http.addFilterAfter(
new CustomFilter(), BasicAuthenticationFilter.class);
return http.build();
}
}
There are a couple of possible methods:
We can add the filter to the chain using the custom-filter tag and one of these names to specify the position of our filter.
For instance, it can be pointed out by the after attribute:
<http>
<custom-filter after="BASIC_AUTH_FILTER" ref="myFilter" />
</http>
<beans:bean id="myFilter" class="com.baeldung.security.filter.CustomFilter"/>
Here are all the attributes to specify exactly where to place our filter in the stack:
Modern applications often serve both public and secured endpoints. Applying a custom Spring Security filter globally can lead to unnecessary processing for public endpoints. To address this, we can target the filter specifically to secured endpoints by using Spring Security’s SecurityFilterChain and RequestMatcher:
@Bean
public SecurityFilterChain securedFilterChain(HttpSecurity http) throws Exception {
http.authorizeHttpRequests(authorizationManagerRequestMatcherRegistry ->
authorizationManagerRequestMatcherRegistry.requestMatchers("/secured/**").authenticated())
.httpBasic(Customizer.withDefaults());
http.addFilterAfter(new CustomFilter(), BasicAuthenticationFilter.class);
return http.build();
}
This configuration ensures that security settings are only applied to endpoints matching /secured/**, as specified by requestMatchers(“/secured/**”).
The addFilterAfter(new CustomFilter(), BasicAuthenticationFilter.class) line ensures the custom filter is applied after the BasicAuthenticationFilter, meaning it will execute only after the basic authentication process.
This approach allows for targeted security processing on secured endpoints without affecting public ones. All requests to /secured/** require authentication, as enforced by .authorizeHttpRequests().
By using a custom SecurityFilterChain, we can isolate these security settings, keeping the application’s security modular and efficient. This setup prevents unnecessary overhead on public endpoints and ensures tailored authentication handling for secured paths, such as custom failure responses in the authentication entry point.
In this quick article, we created a custom filter and wired that into the Spring Security filter chain.