Spring Security Filter Chain自定义过滤器

1. Overview

In this quick tutorial, we’ll focus on writing a custom filter for the Spring Security filter chain.

2. Creating the Filter

Spring Security provides a number of filters by default, and these are enough most of the time.

But of course it’s sometimes necessary to implement new functionality by creating a new filter to use in the chain.

We’ll start by implementing the org.springframework.web.filter.GenericFilterBean.

The GenericFilterBean is a simple javax.servlet.Filter implementation that is Spring-aware.

We only need to implement a single method:

public class CustomFilter extends GenericFilterBean {

    @Override
    public void doFilter(
      ServletRequest request, 
      ServletResponse response,
      FilterChain chain) throws IOException, ServletException {
        chain.doFilter(request, response);
    }
}

3. Using the Filter in the Security Config

We’re free to choose either XML configuration or Java configuration to wire the filter into the Spring Security configuration.

3.1. Java Configuration

We can register the filter programmatically by creating a SecurityFilterChain bean.

For example, it works with the addFilterAfter method on an HttpSecurity instance:

@Configuration
public class CustomWebSecurityConfigurerAdapter {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.addFilterAfter(
          new CustomFilter(), BasicAuthenticationFilter.class);
        return http.build();
    }
}

There are a couple of possible methods:

• addFilterBefore(filter, class) adds a filter before the position of the specified filter class.
• addFilterAfter(filter, class) adds a filter after the position of the specified filter class.
• addFilterAt(filter, class) adds a filter at the location of the specified filter class.
• addFilter(filter) adds a filter that must be an instance of or extend one of the filters provided by Spring Security.

3.2. XML Configuration

We can add the filter to the chain using the custom-filter tag and one of these names to specify the position of our filter.

For instance, it can be pointed out by the after attribute:

<http>
    <custom-filter after="BASIC_AUTH_FILTER" ref="myFilter" />
</http>

<beans:bean id="myFilter" class="com.baeldung.security.filter.CustomFilter"/>

Here are all the attributes to specify exactly where to place our filter in the stack:

• after describes the filter immediately after which a custom filter will be placed in the chain.
• before defines the filter before which our filter should be placed in the chain.
• position allows replacing a standard filter in the explicit position by a custom filter.

4. Conclusion

In this quick article, we created a custom filter and wired that into the Spring Security filter chain.

As always, all code examples are available in the sample GitHub project.