How to write a custom filter in spring security?

by

You can use the standard Java filter. Just place it after authentication filter in web.xml (this means that it will go later in the filter chain and will be called after security filter chain). 

public class CustomFilter implements Filter{

    @Override
    public void destroy() {
        // Do nothing
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res,
            FilterChain chain) throws IOException, ServletException {

            HttpServletRequest request = (HttpServletRequest) req;

            Authentication authentication = SecurityContextHolder.getContext().getAuthentication();

            Set<String> roles = AuthorityUtils.authorityListToSet(authentication.getAuthorities());
            if (roles.contains("ROLE_USER")) {
                request.getSession().setAttribute("myVale", "myvalue");
            }

            chain.doFilter(req, res);

    }

    @Override
    public void init(FilterConfig arg0) throws ServletException {
        // Do nothing
    }

}

Fragment of web.xml:

<!-- The Spring Security Filter Chain -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- Your filter definition -->
<filter>
    <filter-name>customFilter</filter-name>
    <filter-class>com.yourcompany.test.CustomFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>customFilter</filter-name>
    <url-pattern>/VacationsManager.jsp</url-pattern>
</filter-mapping>

Also you can add handler that will be invoked after successfull login (you need to extend SavedRequestAwareAuthenticationSuccessHandler). Look here how to do this. And I think that this is even better idea.

UPDATED:
Or you can have this filter at the end of your security filters like this:

<security:filter-chain-map>
    <sec:filter-chain pattern="/**"
            filters="
        ConcurrentSessionFilterAdmin, 
        securityContextPersistenceFilter, 
        logoutFilterAdmin, 
        usernamePasswordAuthenticationFilterAdmin, 
        basicAuthenticationFilterAdmin, 
        requestCacheAwareFilter, 
        securityContextHolderAwareRequestFilter, 
        anonymousAuthenticationFilter, 
        sessionManagementFilterAdmin, 
        exceptionTranslationFilter, 
        filterSecurityInterceptorAdmin,
        MonitoringFilter"/> <!-- Your Filter at the End -->
</security:filter-chain-map>

And to have your filter, you may use this:

public class MonitoringFilter extends GenericFilterBean{
@Override
public void doFilter(ServletRequest request, ServletResponse response,
        FilterChain chain) throws IOException, ServletException {
    //Implement this Function to have your filter working
}

More Related Contents:

  1. How Spring Security Filter Chain works
  2. Spring Boot Security CORS
  3. Handle spring security authentication exceptions with @ExceptionHandler
  4. How do I get the Session Object in Spring?
  5. How to pass an additional parameter with spring security login page
  6. Spring Boot CORS filter – CORS preflight channel did not succeed
  7. Spring Security redirect to previous page after successful login
  8. How can I have list of all users logged in (via spring security) my web application
  9. Spring Security exclude url patterns in security annotation configurartion
  10. Spring Security 3.2 CSRF support for multipart requests
  11. Spring CSRF token does not work, when the request to be sent is a multipart request
  12. JSON Web Token (JWT) with Spring based SockJS / STOMP Web Socket
  13. How can I use Spring Security without sessions?
  14. Spring Security configuration: HTTP 403 error
  15. How to manually log out a user with spring security?
  16. Prevent Spring Boot from registering a servlet filter
  17. How to set up Spring Security SecurityContextHolder strategy?
  18. How do I remove the ROLE_ prefix from Spring Security with JavaConfig?
  19. Spring + Web MVC: dispatcher-servlet.xml vs. applicationContext.xml (plus shared security)
  20. How to get custom user info from OAuth2 authorization server /user endpoint
  21. antMatchers that matches any beginning of path
  22. Combining basic authentication and form login for the same REST Api
  23. Multiple antMatchers in Spring security
  24. An Authentication object was not found in the SecurityContext – Spring 3.2.2
  25. Spring Boot with embedded Tomcat behind Apache proxy
  26. How to use Spring AbstractRoutingDataSource with dynamic datasources?
  27. Spring Social Authentication Filter for Stateless REST Endpoints which use Facebook Token for authentication
  28. How to allow a User only access their own data in Spring Boot / Spring Security?
  29. Spring security 4 custom login j_spring_security_check return http 302
  30. Custom Authentication provider with Spring Security and Java Config

Leave a Comment