4

How can I replace default filter with custom filter in java configuration? In XML it would be, for example:

<bean id="myFilter" class="lalalal.MyFilter">
<property name="authenticationManager" ref="authenticationManager"/>
</bean>

<security:http auto-config="true">     
      <security:custom-filter ref="myFilter" position="FORM_LOGIN_FILTER"/>
</security:http>

About filterBefore, filterAfter and default filter inhereting I know.

Anthon
  • 69,918
  • 32
  • 186
  • 246
Serhii Soboliev
  • 820
  • 1
  • 13
  • 21

1 Answers1

2

Assuming you have an understanding in general of Java configuration for Spring-security, adding filters is relatively simple (general details of updating spring-security config to java here):

So in your WebSecurityConfigurerAdapter implementation, do something like this:

@Configuration
@EnableWebSecurity
class SecurityConfiguration extends WebSecurityConfigurerAdapter {

   @Override protected void configure(HttpSecurity http) throws Exception {

       //Custom security filters
       http.addFilterBefore( myFilter(), BasicAuthenticationFilter.class );

       //Rest of the security configuration goes here
       ...
   }

That is a very cut down example - but hopefully helps enough - you would put additional security configuration here (e.g. role based restrictions, csrf, session config etc) and myFilter() is another method defining the bean you mention in the question that sets up your Filter. There is also an addFilterAfter() method and you can choose where to place your filter in the chain.

Here is an example for API security that shows some custom filters being used.

Kariem
  • 4,398
  • 3
  • 44
  • 73
rhinds
  • 9,976
  • 13
  • 68
  • 111
  • tnx for you answer but this is not exactly I'm searching for. You show insert you own filter BEFORE/AFTER existing. But i'm looking for way insert my filter INSTEAD default. – Serhii Soboliev Apr 30 '15 at 19:06
  • Ok - maybe this answer will help you get through the problem: http://stackoverflow.com/questions/24122586/how-to-represent-the-spring-security-custom-filter-using-java-configuration - Might also be worth taking a look at the spring code that you are using with @EnableWebSecuriyt and extending WebSecurityConfigurerAdapter (that is why the default filters are being added) https://github.com/spring-projects/spring-security/blob/master/config/src/main/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfigurerAdapter.java etc – rhinds Apr 30 '15 at 19:25
  • tnx again, i've read these articles but I'm wondering that there is no method like .addCustomFilter(filter, position) in HttpSecurity, according to xml variant – Serhii Soboliev Apr 30 '15 at 19:40
  • Not that I know about - What is it that your custom filter is doing? Is it not something that can be done using the default stuff provided by the classes but configured? – rhinds Apr 30 '15 at 19:44
  • It doesn't matter. Question about custom-filter in java config. Now seems like I almost found the answer. But subquestion exists: beans of what type I can use on as ref in ? Anyone or only subtypes of type of default filter? – Serhii Soboliev May 01 '15 at 23:19