Adding a custom filter to be invoked after spring-security filter in a Servlet 3+ environment

Question

I\'m using Spring-Security 3.2.4 and Spring Boot 1.1.0 (and it\'s related dependencies versions 4.X). I\'m writing a web application that will be run in an embedded tomcat.<

Answer 1

If you are using web.xml approaches, you can follow this: https://stackoverflow.com/a/11929129/1542363

If you using Java config approaches, you can do this in WebSecurityConfigurerAdapter

@Override
protected void configure(HttpSecurity http) throws Exception {

    http.addFilterBefore(your-request-filter-1, ChannelProcessingFilter.class);
    http.addFilterAfter(your-request-filter-2, SwitchUserFilter.class);

}

Always check the library version you are using, and refer to the specific document for the correct order of the filter chains:

https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#ns-custom-filters

Or, if you using AbstractSecurityWebApplicationInitializer, you can use the insertFilters or appendFilters.

public class SecurityApplicationInitializer extends AbstractSecurityWebApplicationInitializer {

    @Override
    protected void beforeSpringSecurityFilterChain(ServletContext servletContext) {
        insertFilters(servletContext, new MultipartFilter());
    }
}

More info You can refer this: https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#csrf-multipart