How can I add a filter class in Spring Boot?

Question

Is there any annotation for a Filter class (for web applications) in Spring Boot? Perhaps @Filter?

I want to add a custom filter in my project.

The Spring Boot Reference Guide mentioned about FilterRegistrationBean, but I am not sure how to use it.

Note, that the Filter added with @WebFilter does not behave like a real filter in Servlet spec. It will be a spring bean called after a lot of other spring beans and not like real filters before any servlet code. — lrxw, Jun 05 '18 at 12:32
can you tell me you exact requirement. If you want filter classes for ComponentScan then there is an annotation for that "@ComponentScan.Filter" — Keaz, Jun 23 '18 at 07:56
you should write more detail, we have different type of filter, ex: filter for requests , client side filter to filter from a list and so on — ZahraAsgharzade, Apr 14 '21 at 04:47

score 184 · Answer 1 · edited May 12 '21 at 08:05

184

If you want to setup a third-party filter you can use FilterRegistrationBean.

For example, the equivalent of web.xml:

<filter>
     <filter-name>SomeFilter</filter-name>
        <filter-class>com.somecompany.SomeFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>SomeFilter</filter-name>
    <url-pattern>/url/*</url-pattern>
    <init-param>
        <param-name>paramName</param-name>
        <param-value>paramValue</param-value>
    </init-param>
</filter-mapping>

These will be the two beans in your @Configuration file:

@Bean
public FilterRegistrationBean someFilterRegistration() {

    FilterRegistrationBean registration = new FilterRegistrationBean();
    registration.setFilter(someFilter());
    registration.addUrlPatterns("/url/*");
    registration.addInitParameter("paramName", "paramValue");
    registration.setName("someFilter");
    registration.setOrder(1);
    return registration;
}

public Filter someFilter() {
    return new SomeFilter();
}

The above was tested with Spring Boot 1.2.3.

edited May 12 '21 at 08:05

Peter Mortensen

30,738
21
105
131

answered Jun 05 '15 at 05:09

Haim Raman

11,508
6
44
70

2

what if i want to add multiple filters? @Opal – verystrongjoe Sep 15 '15 at 01:37
10

Just add an additional @Bean public FilterRegistrationBean additionalFilterRegistration() – Haim Raman Sep 16 '15 at 11:16
How does one know the order in which the filters are applied? – BeepDog May 26 '16 at 21:10
7

FilterRegistrationBean.setOrder – Haim Raman May 29 '16 at 04:02
You don't need filter bean when you call the method `someFilter()` directly. – wst Mar 14 '17 at 07:57
2

The sample misses `@Bean` onto `someFilter()`. – Pavel Vlasov Sep 08 '17 at 20:50
@HaimRaman HI! do you have any solution for his issue : https://stackoverflow.com/questions/53774909/how-to-bypass-or-skip-customfilter-in-mockito-with-springboot-applicaiton . any help will be appreciated. – MrSham Dec 14 '18 at 22:43
@Haim Need some help over here https://stackoverflow.com/q/55411311/7538821 – sam Mar 29 '19 at 06:13
What about *WebMvcConfigurer*? – Jorge Tovar Jun 11 '19 at 17:25
You can't use WebMvcConfigurer to configure servlet filters. see https://stackoverflow.com/questions/33463918/how-to-add-a-filter-with-webmvcconfigureradapter-in-spring – Haim Raman Jun 12 '19 at 04:54
2

What package is `Filter` in? I'm seeing over 24 possible matches. Maybe include an import statement snippet. – dlamblin Apr 28 '21 at 22:53
how doe i add the FilterRegistrationBean to the web security? Does it automaticly looks for beans of FilterRegistrationBean ? – Johnyb Feb 04 '22 at 11:33
I suggest that you add this on a question of it's own – Haim Raman Feb 07 '22 at 14:58

score 131 · Answer 2 · edited Jul 27 '16 at 06:24

131

Here is an example of one method of including a custom filter in a Spring Boot MVC application. Be sure to include the package in a component scan:

package com.dearheart.gtsc.filters;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Profile;
import org.springframework.stereotype.Component;

@Component
public class XClacksOverhead implements Filter {

  public static final String X_CLACKS_OVERHEAD = "X-Clacks-Overhead";

  @Override
  public void doFilter(ServletRequest req, ServletResponse res,
      FilterChain chain) throws IOException, ServletException {

    HttpServletResponse response = (HttpServletResponse) res;
    response.setHeader(X_CLACKS_OVERHEAD, "GNU Terry Pratchett");
    chain.doFilter(req, res);
  }

  @Override
  public void destroy() {}

  @Override
  public void init(FilterConfig arg0) throws ServletException {}

}

edited Jul 27 '16 at 06:24

Sudhir N

4,008
1
22
32

answered Mar 22 '15 at 18:18

tegatai

1,371
1
8
2

8

Should filter be registered somewhere? – gstackoverflow Sep 02 '15 at 22:09
1

When I tried that approach, Filter was created as bean and even was injected to other class **but init() method didn't run**. Probably, init() works only in 'normal' registering not by spring container. I think, one may use PostConstruct instead of init() but I didn't try that as I refused declaring Filter as Spring bean. – May 18 '16 at 10:58
What about filter ordering using this approach? – Pavel Vlasov Sep 08 '17 at 16:50
How can we get RS body from ServletResponse? – user2602807 Oct 13 '17 at 13:36
5

One important thing to note is that the name of your bean (based on your class name) should not be the same as a Spring bean. For instance, you might be tempted to create a `MetricsFilter`, but this bean will be overshadowed by the Spring actuator bean of the same name. Learned this the hard way... – kinbiko Nov 08 '17 at 11:50
Perhaps better to extend `org.springframework.web.filter.GenericFilterBean`? – Jakub Holý Feb 21 '20 at 19:41

score 94 · Answer 3 · edited Sep 10 '17 at 22:16

There are three ways to add your filter,

Annotate your filter with one of the Spring stereotypes such as @Component
Register a @Bean with Filter type in Spring @Configuration
Register a @Bean with FilterRegistrationBean type in Spring @Configuration

Either #1 or #2 will do if you want your filter applies to all requests without customization, use #3 otherwise. You don't need to specify component scan for #1 to work as long as you place your filter class in the same or sub-package of your SpringApplication class. For #3, use along with #2 is only necessary when you want Spring to manage your filter class such as have it auto wired dependencies. It works just fine for me to new my filter which doesn't need any dependency autowiring/injection.

Although combining #2 and #3 works fine, I was surprised it doesn't end up with two filters applying twice. My guess is that Spring combines the two beans as one when it calls the same method to create both of them. In case you want to use #3 alone with authowiring, you can AutowireCapableBeanFactory. The following is an example,

private @Autowired AutowireCapableBeanFactory beanFactory;

    @Bean
    public FilterRegistrationBean myFilter() {
        FilterRegistrationBean registration = new FilterRegistrationBean();
        Filter myFilter = new MyFilter();
        beanFactory.autowireBean(myFilter);
        registration.setFilter(myFilter);
        registration.addUrlPatterns("/myfilterpath/*");
        return registration;
    }

Excellent answer. Thanks for detailing all the options and also covering how to autowire your `Filter` while using `FilterRegistrationBean` — sbk, May 12 '17 at 07:01
This is also described here: https://www.baeldung.com/spring-boot-add-filter — Jakub Holý, Feb 21 '20 at 19:40

Dave Syer · Answer 4 · 2017-09-20T06:14:07.537

85

There isn't a special annotation to denote a servlet filter. You just declare a @Bean of type Filter (or FilterRegistrationBean). An example (adding a custom header to all responses) is in Boot's own EndpointWebMvcAutoConfiguration;

If you only declare a Filter it will be applied to all requests. If you also add a FilterRegistrationBean you can additionally specify individual servlets and url patterns to apply.

Note:

As of Spring Boot 1.4, FilterRegistrationBean is not deprecated and simply moved packages from org.springframework.boot.context.embedded.FilterRegistrationBean to org.springframework.boot.web.servlet.FilterRegistrationBean

edited Sep 20 '17 at 06:14

answered Nov 07 '13 at 08:17

Dave Syer

56,583
10
155
143

Would you mind to tell me how to include corresponding entry in build.gradle? I added the following, but it doesn't get compiled: providedCompile('javax.servlet:servlet-api:2.5') runtime('javax.servlet:jstl:1.1.2') – janetsmith Nov 07 '13 at 19:13
3

Spring Boot isn't going to work with Servlet 2.5, and there isn't really much support for JSP yet. I'm not really a gradler, so I don't know what you are trying to do. What's wrong with "compile"? Does it work if you just depend on "spring-boot-starter-web"? (I don't think these questions are related to the original question though, so maybe you should post again with the new questions?) – Dave Syer Nov 08 '13 at 11:24
I added a filter by implementing Filter interface, however Eclipse is unable to find the interface. So I am trying to figure out how to add it to classpath for compiling. – janetsmith Nov 08 '13 at 18:19
1

Yes, of course you need to have `Filter` on your classpath. Normally I would just use the `spring-boot-starter-web` to pull in all the relevant depdendencies (e.g. [here](https://github.com/spring-guides/gs-rest-service/blob/master/complete/pom.xml#L18)). – Dave Syer Nov 12 '13 at 13:58
As other responses detail, you can also just annotate your Filter class with @Component and it will be automatically registered (for all URLs). – Jakub Holý Feb 21 '20 at 19:41

Surasin Tancharoen · Answer 5 · 2022-05-29T13:31:21.333

UPDATE: 2022-05-29:

There are two simple ways to do this in Spring Boot 1.5.8.RELEASE and there isn't any need for XML.

First way:

If you do not have any specific URL pattern, you can use @Component like this (full code and details are here https://github.com/surasint/surasint-examples/tree/master/spring-boot-jdbi/3_spring-boot-filter , look at README.txt to start):

@Component
public class ExampleFilter implements Filter {
    ...
}

Second way:

If you want to use URL patterns, you can use @WebFilter like this (full code and details are here https://github.com/surasint/surasint-examples/tree/master/spring-boot-jdbi/4_spring-boot-filter-urlpattern , look at README.txt to start):

@WebFilter(urlPatterns = "/api/count")
public class ExampleFilter implements Filter {
    ...
}

But you also need to add @ServletComponentScan annotation in your @SpringBootApplication class:

@ServletComponentScan
@SpringBootApplication
public class MyApplication extends SpringBootServletInitializer {
    ...
}

Note that @Component is Spring's annotation, but @WebFilter is not. @WebFilter is Servlet 3 annotation.

Both ways, you just need a basic Spring Boot dependency in pom.xml (there isn't any need for an explicit Tomcat embedded jasper)

    <?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>1.5.8.RELEASE</version>
    </parent>

    <groupId>com.surasint.example</groupId>
    <artifactId>spring-boot-04</artifactId>
    <version>1.0-SNAPSHOT</version>
    <packaging>jar</packaging>
    <properties>
        <maven.compiler.target>1.8</maven.compiler.target>
        <maven.compiler.source>1.8</maven.compiler.source>
    </properties>
    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
    </dependencies>
    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>
</project>

WARNING: The first way, if the Controller in Spring Boot returns to a JSP file, the request will pass the filter twice.

While, in the second way, the request will pass the filter only once.

I prefer the second way, because it is more similar to default behavior in the Servlet specification.

I've seen `Filter` interface getting called numerous times during the launch of the applicationContext. Is there any way to execute it only once ? — PAA, Aug 09 '19 at 09:24
@Surasin : Great articles on your blog. Question - Instead of \@ServletComponentScan, won't mentioning \@ComponentScan on the filter class along with \@WebFilter be enough for Spring App context to pick it up? — Saurabh Patil, Sep 19 '20 at 05:41
All the ***www.surasint.com*** links are broken (*"Hmm. We’re having trouble finding that site. We can’t connect to the server at www.surasint.com."*). — Peter Mortensen, May 12 '21 at 08:27
@PeterMortensen it is gone. Gcloud has completely destroyed it. And I don't have backup anywhere T-T — Surasin Tancharoen, May 12 '21 at 13:41
You can use \@Component on the filter instead of using \@ServletComponentScan on the App class — tomtomssi, Dec 20 '22 at 11:57

score 26 · Answer 6 · edited May 12 '21 at 08:13

Here is an example of my custom Filter class:

package com.dawson.controller.filter;

import org.springframework.stereotype.Component;
import org.springframework.web.filter.GenericFilterBean;

import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;


@Component
public class DawsonApiFilter extends GenericFilterBean {

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        if (req.getHeader("x-dawson-nonce") == null || req.getHeader("x-dawson-signature") == null) {
            HttpServletResponse httpResponse = (HttpServletResponse) response;
            httpResponse.setContentType("application/json");
            httpResponse.sendError(HttpServletResponse.SC_BAD_REQUEST, "Required headers not specified in the request");
            return;
        }
        chain.doFilter(request, response);
    }
}

And I added it to the Spring Boot configuration by adding it to Configuration class as follows:

package com.dawson.configuration;

import com.fasterxml.jackson.datatype.hibernate5.Hibernate5Module;
import com.dawson.controller.filter.DawsonApiFilter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.http.converter.json.Jackson2ObjectMapperBuilder;

@SpringBootApplication
public class ApplicationConfiguration {
    @Bean
    public FilterRegistrationBean dawsonApiFilter() {
        FilterRegistrationBean registration = new FilterRegistrationBean();
        registration.setFilter(new DawsonApiFilter());

        // In case you want the filter to apply to specific URL patterns only
        registration.addUrlPatterns("/dawson/*");
        return registration;
    }
}

Lucky · Answer 7 · 2021-05-24T11:18:26.027

From the Spring documentation,

Embedded servlet containers - Add a Servlet, Filter or Listener to an application

To add a Servlet, Filter, or Servlet *Listener provide a @Bean definition for it.

For example:

@Bean
public Filter compressFilter() {
    CompressingFilter compressFilter = new CompressingFilter();
    return compressFilter;
}

Add this @Bean configuration to your @Configuration class and the filter will be registered on startup.

Also you can add Servlets, Filters, and Listeners using classpath scanning,

@WebServlet, @WebFilter, and @WebListener annotated classes can be automatically registered with an embedded servlet container by annotating a @Configuration class with @ServletComponentScan and specifying the package(s) containing the components that you want to register. By default, @ServletComponentScan will scan from the package of the annotated class.

http://docs.spring.io/spring-boot/docs/current/reference/html/howto-embedded-servlet-containers.html#howto-add-a-servlet-filter-or-listener didn't work for me but https://docs.spring.io/spring-boot/docs/1.5.8.RELEASE/reference/html/howto-embedded-servlet-containers.html worked for me. — user674669, Mar 23 '18 at 08:01

score 14 · Answer 8 · answered Jul 27 '19 at 07:46

We have roughly four different options to register a filter using Spring.

Firstly, we can create a Spring bean implementing Filter or extending HttpFilter:

@Component
public class MyFilter extends HttpFilter {

    @Override
    protected void doFilter(HttpServletRequest request, HttpServletResponse response, FilterChain chain) 
        throws IOException, ServletException {
        // Implementation details...

        chain.doFilter(request, response);
    }
}

Secondly, we can create a Spring bean extending GenericFilterBean:

@Component
public class MyFilter extends GenericFilterBean {

    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain chain)
  throws IOException, ServletException {
    //Implementation details...

        chain.doFilter(currentRequest, servletResponse);
    }
}

Alternatively we can use the FilterRegistrationBean class:

@Configuration
public class FilterConfiguration {

    private final MyFilter myFilter;

    @Autowired
    public FilterConfiguration(MyFilter myFilter) {
        this.myFilter = myFilter;
    }

    @Bean
    public FilterRegistrationBean<MyFilter> myFilterRegistration() {
        FilterRegistrationBean<DateLoggingFilter> filterRegistrationBean = new FilterRegistrationBean<>();
        filterRegistrationBean.setFilter(myFilter);
        filterRegistrationBean.setUrlPatterns(Collections.singletonList("/*"));
        filterRegistrationBean.setDispatcherTypes(DispatcherType.REQUEST);
        filterRegistrationBean.setOrder(Ordered.LOWEST_PRECEDENCE - 1);
        return filterRegistrationBean;
    }
}

And lastly we can use the @WebFilter annotation with @ServletComponentScan:

@WebFilter(urlPatterns = "/*", dispatcherTypes = {DispatcherType.REQUEST})
public class MyFilter extends HttpFilter {

    @Override
    protected void doFilter(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
  throws IOException, ServletException {
        // Implementation details...

        chain.doFilter(request, response);
    }
}

1

Which filter to use and why ? – PAA Aug 09 '19 at 07:03

score 10 · Answer 9 · edited May 12 '21 at 08:15

If you use Spring Boot + Spring Security, you can do that in the security configuration.

In the below example, I'm adding a custom filter before the UsernamePasswordAuthenticationFilter (see all the default Spring Security filters and their order).

@EnableWebSecurity
class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired FilterDependency filterDependency;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .addFilterBefore(
                new MyFilter(filterDependency),
                UsernamePasswordAuthenticationFilter.class);
    }
}

And the filter class

class MyFilter extends OncePerRequestFilter  {
    private final FilterDependency filterDependency;

    public MyFilter(FilterDependency filterDependency) {
        this.filterDependency = filterDependency;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request,
        HttpServletResponse response,
        FilterChain filterChain)
        throws ServletException, IOException {

        // Filter
        filterChain.doFilter(request, response);
    }
}

KayV · Answer 10 · 2019-02-10T17:42:10.427

Using the @WebFilter annotation, it can be done as follows:

@WebFilter(urlPatterns = {"/*" })
public class AuthenticationFilter implements Filter{

    private static Logger logger = Logger.getLogger(AuthenticationFilter.class);

    @Override
    public void destroy() {
        // TODO Auto-generated method stub

    }

    @Override
    public void doFilter(ServletRequest arg0, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {

         logger.info("checking client id in filter");
        HttpServletRequest request = (HttpServletRequest) arg0;
        String clientId = request.getHeader("clientId");
        if (StringUtils.isNotEmpty(clientId)) {
            chain.doFilter(request, response);
        } else {
            logger.error("client id missing.");
        }
    }

    @Override
    public void init(FilterConfig arg0) throws ServletException {
        // TODO Auto-generated method stub

    }

}

Also add @ServletComponentScan – Justinas Jakavonis Aug 23 '17 at 14:32 — Justinas Jakavonis, Aug 23 '17 at 14:32

score 5 · Answer 11 · edited Jul 24 '19 at 13:00

This filter will also help you to allow cross origin access

@Component
@Order(Ordered.HIGHEST_PRECEDENCE)
public class SimpleCORSFilter implements Filter {

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {

            HttpServletResponse response = (HttpServletResponse) res;
            HttpServletRequest request = (HttpServletRequest) req;
            response.setHeader("Access-Control-Allow-Origin", "*");
            response.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, DELETE");
            response.setHeader("Access-Control-Max-Age", "20000");
            response.setHeader("Access-Control-Allow-Headers", "x-requested-with, authorization, Content-Type, Authorization, credential, X-XSRF-TOKEN");

            if("OPTIONS".equalsIgnoreCase(request.getMethod())) {
                response.setStatus(HttpServletResponse.SC_OK);
            } else {
                chain.doFilter(req, res);
            }
    }


    public void destroy() {}

    @Override
    public void init(FilterConfig arg0) throws ServletException {
        // TODO Auto-generated method stub

    }

}

score 5 · Answer 12 · edited May 12 '21 at 08:55

Step 1: Create a filter component by implementing the Filter interface.

@Component
public class PerformanceFilter implements Filter {

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {

        ...
        ...
    }

}

Step 2: Set this filter to the URI patterns using FilterRegistrationBean.

@Configuration
public class FilterConfig {
    @Bean
    public FilterRegistrationBean<PerformanceFilter> perfFilter() {
        FilterRegistrationBean<PerformanceFilter> registration = new FilterRegistrationBean<>();
        registration.setFilter(new PerformanceFilter());
        registration.addUrlPatterns("/*");
        return registration;
    }
}

You can refer to this link for a complete application.

Straightforward answer but using springboot the second step is not needed at least you want to add the filter for a specific patter. Visit https://www.baeldung.com/spring-boot-add-filter for similar brief example. — TomasMolina, May 25 '22 at 04:36

score 4 · Answer 13 · edited May 12 '21 at 08:36

It's more an advice than an answer, but if you are using a Spring MVC in your web application the good idea is to use Spring HandlerInterceptor instead of Filter.

It can do the same job, but also

Can work with ModelAndView
Its methods can be called before and after request processing, or after request completion.
It can be easily tested

1. Implement HandlerInterceptor interface and add a @Component annotation to your class

@Component
public class SecurityInterceptor implements HandlerInterceptor {

    private static Logger log = LoggerFactory.getLogger(SecurityInterceptor.class);

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
        request.getSession(true);
        if(isLoggedIn(request))
            return true;

        response.getWriter().write("{\"loggedIn\":false}");
        return false;
    }

    private boolean isLoggedIn(HttpServletRequest request) {
        try {
            UserSession userSession = (UserSession) request.getSession(true).getAttribute("userSession");
            return userSession != null && userSession.isLoggedIn();
        } catch(IllegalStateException ex) {
            return false;
        }
    }

    @Override
    public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler, @Nullable ModelAndView modelAndView) throws Exception {

    }

    @Override
    public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, @Nullable Exception ex) throws Exception {

    }
}

2. Configure your Interceptor

@Configuration
public class WebConfig implements WebMvcConfigurer {

    private HandlerInterceptor securityInterceptor;

    @Autowired
    public void setSecurityInterceptor(HandlerInterceptor securityInterceptor) {
        this.securityInterceptor = securityInterceptor;
    }

    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(securityInterceptor).addPathPatterns("/**").excludePathPatterns("/login", "/logout");
    }

}

Simple and elegant! Thanks – Benjamin RD Aug 07 '19 at 02:47 — Benjamin RD, Aug 07 '19 at 02:47

score 4 · Answer 14 · edited May 12 '21 at 08:53

You need two main things:

Add @ServletComponentScan to your Main Class

You may add a package named filter inside it. You create a Filter class that has the following:

  @Component
  @Order(Ordered.HIGHEST_PRECEDENCE)
  public class RequestFilter implements Filter {

      // whatever field you have

      public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) {
          HttpServletResponse response = (HttpServletResponse) res;
          HttpServletRequest request = (HttpServletRequest) req;

          // Whatever implementation you want

          try {
              chain.doFilter(req, res);
          } catch(Exception e) {
              e.printStackTrace();
          }
      }

      public void init(FilterConfig filterConfig) {
      }

      public void destroy() {
      }
  }

score 3 · Answer 15 · edited May 12 '21 at 08:17

3

You can use @WebFilter javax.servlet.annotation.WebFilter on a class that implements javax.servlet.Filter:

@WebFilter(urlPatterns = "/*")
public class MyFilter implements Filter {
}

Then use @ServletComponentScan to register.

edited May 12 '21 at 08:17

Peter Mortensen

30,738
21
105
131

answered Jul 18 '17 at 10:41

Cwrwhaf

324
3
5

score 3 · Answer 16 · edited May 12 '21 at 08:34

I saw a lot of answers here, but I didn't try any of them. I've just created the filter as in the following code.

import org.springframework.context.annotation.Configuration;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import java.io.IOException;

@WebFilter(urlPatterns = "/Admin")
@Configuration
public class AdminFilter implements Filter{
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {

    }

    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse  servletResponse, FilterChain filterChain) throws IOException, ServletException      {
    System.out.println("happened");

    }

    @Override
    public void destroy() {

    }
}

And I left the remaining Spring Boot application as it was.

score 2 · Answer 17 · edited Apr 25 '22 at 15:09

Use:

@WebFilter(urlPatterns="/*")
public class XSSFilter implements Filter {

    private static final org.apache.log4j.Logger LOGGER = LogManager.getLogger(XSSFilter.class);

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        LOGGER.info("Initiating XSSFilter... ");
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpRequestWrapper requestWrapper = new HttpRequestWrapper(req);
        chain.doFilter(requestWrapper, response);
    }

    @Override
    public void destroy() {
        LOGGER.info("Destroying XSSFilter... ");
    }

}

You need to implement Filter, and it needs to be annotated with @WebFilter(urlPatterns="/*").

And in the Application or Configuration classes, you need to add @ServletComponentScan. By this, your filter will get registered.

This `@WebFilter` is only since Servlet 3.0. So it might not work properly for 2.5 — ha9u63a7, Dec 09 '19 at 00:54

score 1 · Answer 18 · edited May 12 '21 at 08:29

You can also make a filter by using @WebFilter and implementing Filter. It will do.

@Configuration
public class AppInConfig
{
    @Bean
    @Order(1)
    public FilterRegistrationBean aiFilterRegistration()
    {
        FilterRegistrationBean registration = new FilterRegistrationBean();
        registration.setFilter(new TrackingFilter());
        registration.addUrlPatterns("/**");
        registration.setOrder(1);
        return registration;
    }

    @Bean(name = "TrackingFilter")
    public Filter TrackingFilter()
    {
        return new TrackingFilter();
    }
}

score 1 · Answer 19 · edited May 12 '21 at 08:40

I saw the answer by Vasily Komarov. Here is a similar approach, but using abstract HandlerInterceptorAdapter class instead of using HandlerInterceptor.

Here is an example...

@Component
public class CustomInterceptor extends HandlerInterceptorAdapter {
    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
        throws Exception {
    }
}

@Configuration
public class InterceptorConfig extends WebMvcConfigurerAdapter {

    @Autowired
    private CustomInterceptor customInterceptor ;

    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(customInterceptor );
    }

}

score 1 · Answer 20 · edited May 12 '21 at 08:51

Filters, as the name suggest, used to perform filtering on either the request to a resource or on the response from a resource, or both. Spring Boot provides a few options to register custom filters in the Spring Boot application. Let’s look at the different options.

1. Define Spring Boot filter and invocation order

Implement the Filter interface to create a new filter in Spring Boot.

@Configuration
@Order(Ordered.HIGHEST_PRECEDENCE)
public class CustomFilter implements Filter {

    private static final Logger LOGGER = LoggerFactory.getLogger(CustomFilter.class);

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        LOGGER.info("########## Initiating Custom filter ##########");
    }

    @Override
    public void doFilter(ServletRequest servletRequest,
                         ServletResponse servletResponse,
                         FilterChain filterChain)
                         throws IOException, ServletException {

        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;

        LOGGER.info("Logging Request  {} : {}", request.getMethod(), request.getRequestURI());

        // Call next filter in the filter chain
        filterChain.doFilter(request, response);

        LOGGER.info("Logging Response :{}", response.getContentType());
    }

    @Override
    public void destroy() {
        // TODO: 7/4/2018
    }
}

Let’s quickly look at some important points in the above code

The filter registered by the @Component annotation.

To fire filters in the right order, we needed to use the @Order annotation.

 @Component
 @Order(1)
 public class CustomFirstFilter implements Filter {

 }

 @Component
 @Order(2)
 public class CustomSecondFilter implements Filter {

 }

In the above code, CustomFirstFilter will run before the CustomSecondFilter.

The lower the number, the higher the precedence

2. URL Pattern

If the convention-based mapping is not flexible enough, we can use FilterRegistrationBean for the complete control of the application. Here, don’t use @Component annotation for the filter class but register the filter using a FilterRegistrationBean.

public class CustomURLFilter implements Filter {

    private static final Logger LOGGER = LoggerFactory.getLogger(CustomURLFilter.class);

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        LOGGER.info("########## Initiating CustomURLFilter filter ##########");
    }

    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {

        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;

        LOGGER.info("This Filter is only called when request is mapped for /customer resource");

        // Call the next filter in the filter chain
        filterChain.doFilter(request, response);
    }

    @Override
    public void destroy() {

    }
}

Register the custom Filter using FilterRegistrationBean.

@Configuration
public class AppConfig {

    @Bean
    public FilterRegistrationBean < CustomURLFilter > filterRegistrationBean() {
        FilterRegistrationBean < CustomURLFilter > registrationBean = new FilterRegistrationBean();
        CustomURLFilter customURLFilter = new CustomURLFilter();

        registrationBean.setFilter(customURLFilter);
        registrationBean.addUrlPatterns("/greeting/*");
        registrationBean.setOrder(2); // Set precedence
        return registrationBean;
    }
}

score 0 · Answer 21 · edited Mar 08 '18 at 13:07

First, add @ServletComponentScan to your SpringBootApplication class.

@ServletComponentScan
public class Application {

Second, create a filter file extending Filter or third-party filter class and add @WebFilter to this file like this:

@Order(1) //optional
@WebFilter(filterName = "XXXFilter", urlPatterns = "/*",
    dispatcherTypes = {DispatcherType.REQUEST, DispatcherType.FORWARD},
    initParams = {@WebInitParam(name = "confPath", value = "classpath:/xxx.xml")})
public class XXXFilter extends Filter{

score 0 · Answer 22 · edited May 12 '21 at 08:47

As you all know, Spring Boot is a wonderful way of developing a web application or stand-alone application with minimum configuration and opinionated setup.

This is how I have achieved a web filter development in a Spring Boot application

My SpringBootApp specifications:

Spring Boot version: 2.0.4.RELEASE
Java version: 8.0
Servlet specification: Servlet 3.0 (Mandatory and Important)

I declared my web filter in the following manner, adhering to the Servlet specification 3.0

This is the programmatic way of defining a filter as a replacement to web.xml-based definitions.

The "@Webfilter" annotation will be processed by the container during deployment. The Filter class, in which it is found, will be created as per the configuration and applied to the URL patterns, javax.servlet.Servlets and javax.servlet.DispatcherTypes.

To avoid Web.xml completely and to achieve "Deployable" WebApp:

To deploy a Spring Boot application as "Traditional WAR", the application class should extend SpringBootServletInitializer.

NOTE:

SpringBootServletInitializer is a "programmatic implementation" of web.xml with reference to the Servlet 3.0+ specifications, which requires an implementation of WebApplicationInitializer.

Thus, SpringBootApplication doesn't require "web.xml" as its application class (after extending SpringBootServletInitializer). It scans for

@WebFilter,
@WebListener and
@WebServlet.

Annotation @ServletComponentScan

This annotation enables scanning base packages for the web components annotated with @WebFilter, @WebListener and @WebServlet.

Due to the fact that embedded containers do not support @WebServlet, @WebFilter and @WebListener annotations, Spring Boot, relying greatly on embedded containers, introduced this new annotation @ServletComponentScan to support some dependent JAR files that use these three annotations.

Scanning is only performed when using an embedded Servlet container.

The following is my Spring Boot application class definition:

Custom Servlet Initializer:

Here: I have defined a custom class: "ServletInitializer" which extends Class: SpringBootServletInitializer.

As explained earlier, SpringBootServletInitializer is responsible for scanning annotations:

@WebFilter,
@WebListener and
@WebServlet.

And hence the Spring Boot application class should

Either extend the class: SpringBootServletInitializer or
extend the custom class which extends the class: SpringBootServletInitializer

score 0 · Answer 23 · answered Oct 09 '21 at 11:08

For Spring Boot in any configuration class I've done:

@Bean
public OncePerRequestFilter myFilter() {
    return new OncePerRequestFilter() {
        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
            AuthUser authUser = SecurityUtil.safeGet(); // applied after secutiry filters
            ...
            filterChain.doFilter(request, response);
        }
    };
}

That's all, no any registration needed. See also What is OncePerRequestFilter?

score 0 · Answer 24 · answered Sep 12 '22 at 11:51

0

Annotate your filter with one of the Spring stereotypes such as @Component. Register a @Bean with Filter type in Spring @Configuration. Register a @Bean with FilterRegistrationBean type in Spring @Configuration.

answered Sep 12 '22 at 11:51

Joel Wembo

814
6
10

score 0 · Answer 25 · answered Jan 05 '23 at 19:30

For filtering based on any criteria and for any list in spring boot, query language is more flexible and allows us to filter down to exactly the resources we need. For instance, if we have simple entity like User and define it like this.

@Entity
public class User {
@Id
@GeneratedValue(strategy = 
GenerationType.AUTO)
private Long id;

private String firstName;
private String lastName;
private String email;

private int age;

//Setter and getter as usual

Then we create a UserSpecification that implements the Specification interface, and we're going to pass in our own constraint to construct the actual query. In this part methods related to criteria and builder as defined are very useful and flexible.

public class UserSpecification implements Specification<User> {

private SearchCriteria criteria;

@Override
public Predicate toPredicate
  (Root<User> root, CriteriaQuery<?> query, CriteriaBuilder builder) {

    if (criteria.getOperation().equalsIgnoreCase(">")) {
        return builder.greaterThanOrEqualTo(
          root.<String> get(criteria.getKey()), criteria.getValue().toString());
    } 
    else if (criteria.getOperation().equalsIgnoreCase("<")) {
        return builder.lessThanOrEqualTo(
          root.<String> get(criteria.getKey()), criteria.getValue().toString());
    } 
    else if (criteria.getOperation().equalsIgnoreCase(":")) {
        if (root.get(criteria.getKey()).getJavaType() == String.class) {
            return builder.like(
              root.<String>get(criteria.getKey()), "%" + criteria.getValue() + "%");
        } else {
            return builder.equal(root.get(criteria.getKey()), criteria.getValue());
        }
    }
    return null;
}
}

And beside we create a Specification based on some simple constraints that represented in the following SearchCriteria class, any criteria can be create like this:

public class SearchCriteria {
private String key;
private String operation;
private Object value;
 }

At the end define UserRepository and extend JpaSpecificationExecutor,

public interface UserRepository 
extends JpaRepository<User, Long>, 
JpaSpecificationExecutor<User> {}

score 0 · Answer 26 · answered Apr 06 '23 at 09:39

Here is pretty simple way of defining Filter:

@Component
@Order(1)
public class SampleFilter implements Filter {


    @PostConstruct
    public void init() {

        System.out.println("Sample Filter initialized");

    }

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // with Spring Dependency Injection this method will not be invoked
    }

    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain chain) throws IOException, ServletException {

    

        chain.doFilter(servletRequest, servletResponse);
    }

    @Override
    public void destroy() {

    }
}

score 0 · Answer 27 · answered Apr 06 '23 at 09:50

Here is a simple Example how to use FilterRegistrationBean:

import javax.servlet.*;
import java.io.IOException;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;

@SpringBootApplication
public class MySpringBootApplication {

    public static void main(String[] args) {
        SpringApplication.run(MySpringBootApplication.class, args);
    }

    @Bean
    public FilterRegistrationBean<MyCustomFilter> myCustomFilterRegistrationBean() {
        FilterRegistrationBean<MyCustomFilter> registrationBean = new FilterRegistrationBean<>();
        registrationBean.setFilter(new MyCustomFilter());
        registrationBean.addUrlPatterns("/*"); /
        return registrationBean;
    }

    public static class MyCustomFilter implements Filter {

        @Override
        public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
                throws IOException, ServletException {
            // Your filter logic comes here
        
            filterChain.doFilter(servletRequest, servletResponse);
        }
    }
}

Here are some useful resources:

score 0 · Answer 28 · answered Apr 22 '23 at 14:10

Short answer to your question:

@Component
class MyCustomFilter : OncePerRequestFilter() {
    override fun doFilterInternal(
        request: HttpServletRequest,
        response: HttpServletResponse,
        filterChain: FilterChain
    ) {
        //some work: adding headers, working with authentication or something else
        filterChain.doFilter(request, response)
    }
}

More details below:

Let's say we have the following chain:

@Bean
@Throws(Exception::class)
fun filterChain(http: HttpSecurity): SecurityFilterChain {
    http.authorizeRequests()
        .antMatchers(HttpMethod.POST, "/first", "/second")
        .authenticated()
        .anyRequest()
        .permitAll()
        .and()
        .httpBasic()
        .authenticationEntryPoint(auditAuthenticationEntryPoint)
        .and()
        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .and().formLogin().disable()
        .csrf().disable()
        .cors().configurationSource(corsConfigurationSource())
    return http.build()
}

And we want to add the following filter to this chain between some specific filters.

Here are a few ways to add our filter to the chain:

1) adding the @Order annotation to the filter:

@Component
@Order(5)
class MyCustomFilter : OncePerRequestFilter()

Note that:

If you do not specify an order in the annotation, then the default order is: Ordered.LOWEST_PRECEDENCE - your filter will be the last one in the chain.
If you are working with Authentication in your filter (through authentication providers) then Ordered.LOWEST_PRECEDENCE and Ordered.HIGHEST_PRECEDENCE not suitable for your case because:
- in case Ordered.HIGHEST_PRECEDENCE filterSecurityContextPersistenceFilter which will be executed after your filter will clear the SecurityContext even if your filter added an Authentication object to the SecurityContext
- in the case of Ordered.LOWEST_PRECEDENCE your filter will not be called at all: AnonymousAuthenticationFilter will set the Authentication object to Anonymous and you will receive a 401 or 403 response before the chain calls your filter
- In this case, you need to get the chain and determine the specific order of your filter via the FilterChainProxy and the doFilter(ServletRequest request, ServletResponse response) method, getting this.additionalFilters. For example, 5. But this is not the best way to determine the order

2) The standard (and best) way is through setting up the filter chain itself:

    @Bean
    @Throws(Exception::class)
    fun filterChain(http: HttpSecurity): SecurityFilterChain {
        http.authorizeRequests()
            ...
            .addFilterBefore(MyCustomFulter(), BasicAuthenticationFilter::class.java)
            ...
        return http.build()
    }

3) Injecting a filter into a chain in @PostConstruct

In my case, .addFilterBefore() was not possible due to the fact that the filter was added from the starter. My starter needs to add a filter to each chain after the LogoutFilter. Since there can be multiple chains in a context, I add a filter to each one. Thus, when adding my starter to the application , the filter is added to the required place without any additional configuration:

@Configuration
@ComponentScan
@ConfigurationPropertiesScan
class CommonConfig {
    @Autowired
    lateinit var chains: List<SecurityFilterChain>

    @Autowired
    lateinit var myCustomFilter: MyCustomFilter

    @PostConstruct
    fun post() {
        chains.forEach {
            for (i in it.filters.indices){
                if (it.filters[i] is LogoutFilter) {
                    it.filters.add(i + 1, myCustomFilter)
                }
            }
        }
    }
}

score -6 · Answer 29 · edited May 12 '21 at 08:20

Filters are mostly used in logger files. It varies according to the logger you using in the project.

Let me explain for log4j2:

<Filters>
    <!-- It prevents an error -->
    <ThresholdFilter level="error" onMatch="DENY" onMismatch="NEUTRAL"/>

    <!-- It prevents debug -->
    <ThresholdFilter level="debug" onMatch="DENY" onMismatch="NEUTRAL" />

    <!-- It allows all levels except debug/trace -->
    <ThresholdFilter level="info" onMatch="ACCEPT" onMismatch="DENY" />
</Filters>

Filters are used to restrict the data and I used the threshold filter further to restrict the levels of data in the flow. I mentioned the levels that can be restricted over there.

For your further reference, see the level order of log4j2 - Log4J Levels: ALL > TRACE > DEBUG > INFO > WARN > ERROR > FATAL > OFF

`FilterRegistrationBean` as mentioned in the question is for `javax.servlet.Filter`, this answer talks about `org.apache.logging.log4j.core.Filter` — Steve Buzonas, Mar 19 '18 at 03:37