A Custom Filter in the Spring Security Filter Chain – Spring安全过滤器链中的一个自定义过滤器

最后修改: 2016年 10月 31日


1. Overview


In this quick tutorial, we’ll focus on writing a custom filter for the Spring Security filter chain.

在这个快速教程中,我们将专注于为Spring Security过滤器链编写一个自定义过滤器。

2. Creating the Filter


Spring Security provides a number of filters by default, and these are enough most of the time.

Spring Security默认提供了一些过滤器,这些过滤器在大多数时候是足够的。

But of course it’s sometimes necessary to implement new functionality by creating a new filter to use in the chain.


We’ll start by implementing the org.springframework.web.filter.GenericFilterBean.


The GenericFilterBean is a simple javax.servlet.Filter implementation that is Spring-aware.


We only need to implement a single method:


public class CustomFilter extends GenericFilterBean {

    public void doFilter(
      ServletRequest request, 
      ServletResponse response,
      FilterChain chain) throws IOException, ServletException {
        chain.doFilter(request, response);

3. Using the Filter in the Security Config


We’re free to choose either XML configuration or Java configuration to wire the filter into the Spring Security configuration.

我们可以自由选择XML配置或Java配置,将过滤器接入Spring Security配置。

3.1. Java Configuration

3.1. Java配置

We can register the filter programmatically by creating a SecurityFilterChain bean.

我们可以通过创建一个SecurityFilterChain bean,以编程方式注册该过滤器。

For example, it works with the addFilterAfter method on an HttpSecurity instance:


public class CustomWebSecurityConfigurerAdapter {

    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
          new CustomFilter(), BasicAuthenticationFilter.class);
        return http.build();

There are a couple of possible methods:


3.2. XML Configuration


We can add the filter to the chain using the custom-filter tag and one of these names to specify the position of our filter.


For instance, it can be pointed out by the after attribute:


    <custom-filter after="BASIC_AUTH_FILTER" ref="myFilter" />

<beans:bean id="myFilter" class="com.baeldung.security.filter.CustomFilter"/>

Here are all the attributes to specify exactly where to place our filter in the stack:


  • after describes the filter immediately after which a custom filter will be placed in the chain.
  • before defines the filter before which our filter should be placed in the chain.
  • position allows replacing a standard filter in the explicit position by a custom filter.

4. Conclusion


In this quick article, we created a custom filter and wired that into the Spring Security filter chain.

在这篇快速文章中,我们创建了一个自定义过滤器,并将其接入Spring Security过滤器链。

As always, all code examples are available in the sample GitHub project.