Create Custom Filter

Spring Security uses servlet filters to get a lot of its work done.

Which filters are enabled depends on the configuration we are using.

Form Login Filter: if we enable form-based authentication, Spring Security will enable a form login filter.

Basic Authentication Filter: if we enable basic authentication, it will enable a basic authentication filter; likewise there is a filter for CSRF.

Note: there are several servlet filters like these.

We can even write our own servlet filters and configure them in the Spring Security filter chain.

Step 1: Add a new class (MySecurityFilter.java) that implements the Filter interface from the jakarta.servlet package.

This Filter interface has an abstract method named doFilter that takes a ServletRequest, a ServletResponse and, most importantly, a FilterChain as parameters, as in the method signature below:

public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)

The FilterChain parameter is an interface that represents the complete chain of filters.
Calling doFilter on it, as shown below, sends the request and response on to the next filter in the chain automatically:

chain.doFilter(request, response);

Whatever we want to do with the request, we can do just before invoking chain.doFilter(request, response).

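import java.io.IOException;

import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;

public class MySecurityFilter implements Filter {

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Runs before the rest of the chain sees the request
        System.out.println("Before");
        // Pass the request and response on to the next filter
        chain.doFilter(request, response);
        // Runs after the rest of the chain has returned
        System.out.println("After");
    }
}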


Now go to the MySecurityConfig class.

To configure the filter we can use http.addFilter, which adds the filter somewhere in the chain automatically (this works only for filters that are, or extend, one of Spring Security's own filters, because only those have a known position). HttpSecurity also has the methods http.addFilterAfter() and http.addFilterBefore().

We will use http.addFilterBefore and provide our custom MySecurityFilter as the first parameter. As the second parameter we pass BasicAuthenticationFilter.class, which tells Spring Security where our filter needs to be added. Similarly, we can use the form-based authentication filter, the CSRF filter and so on as the second parameter.


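import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

@Configuration
public class MySecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        // Lambda DSL: the no-argument httpBasic() and authorizeHttpRequests()
        // are deprecated since Spring Security 6.1
        http.httpBasic(Customizer.withDefaults());
        http.authorizeHttpRequests(auth -> auth.requestMatchers("/hello").authenticated());
        // Place our filter just before BasicAuthenticationFilter in the chain
        http.addFilterBefore(new MySecurityFilter(), BasicAuthenticationFilter.class);
        return http.build();
    }
}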


Now, once you hit the API using Postman with the correct user name and password, you will get the response:

http://localhost:8080/hello

In the logs you will see Before and After printed.

It is as simple as that to add your own filter to the Spring Security filter chain.



OTHER FILTERS
1. GenericFilterBean

Instead of the Filter interface from jakarta, we also have abstract classes such as GenericFilterBean.

This abstract class is from the org.springframework.web.filter package.

Simple base implementation of jakarta.servlet.Filter which treats its config parameters (init-param entries within the filter tag in web.xml) as bean properties.

So if we want to pass initialization parameters to this filter through our web.xml, we can do that.

By simply having setter methods (or getters and setters) on our filter, all those initialization parameters will be set for us automatically. We can have fields here, for example a private username, and they will be injected at runtime from web.xml. That is the benefit of using the GenericFilterBean abstract class; everything else is the same as with the Filter interface.

So the init parameters in web.xml are automatically injected through the setter methods that you create.

2. OncePerRequestFilter

OncePerRequestFilter is an abstract class. It is to be used when we want our filter to be executed only once. When we create a filter, there is no guarantee that our filter logic will be executed only once, because Spring can include the filter in the chain multiple times, and following the Spring filter chain by hand is very complex. So if you want to guarantee that your filter logic is executed only once, you extend the OncePerRequestFilter abstract class. In this class we override a different method, given below:

protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)

The only difference is that it gets the HttpServletRequest directly. It supports the HTTP protocol, so there is no need for ServletRequest.
The advantage here is that we deal directly with HttpServletRequest and HttpServletResponse.

Although it is called OncePerRequestFilter, it is our responsibility to implement the logic in such a way that it will be executed only once.
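
As an added example (not code from the original post), here is a OncePerRequestFilter that writes one audit line per request. The class name RequestAuditFilter, the log format and the choice to audit only /hello are assumptions; it would be registered like MySecurityFilter, with http.addFilterBefore(new RequestAuditFilter(), BasicAuthenticationFilter.class).

```java
import java.io.IOException;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.web.filter.OncePerRequestFilter;

// Added example (hypothetical class name): audit filter meant to sit
// before BasicAuthenticationFilter in the security filter chain.
public class RequestAuditFilter extends OncePerRequestFilter {

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
            FilterChain filterChain) throws ServletException, IOException {
        long start = System.nanoTime();
        // At this point the Authorization header still carries base64(username:password).
        // Record only whether it was sent, never its value.
        boolean credentialsSent = request.getHeader("Authorization") != null;
        try {
            // Hand over to the rest of the chain; without this call the request stops here.
            filterChain.doFilter(request, response);
        } finally {
            // Runs even if a later filter throws, so the audit line is always written.
            long millis = (System.nanoTime() - start) / 1_000_000;
            // logger is the commons-logging Log inherited from GenericFilterBean.
            logger.info(String.format("%s %s from %s -> %d in %d ms (credentials sent: %b)",
                    request.getMethod(), request.getRequestURI(), request.getRemoteAddr(),
                    response.getStatus(), millis, credentialsSent));
        }
    }

    @Override
    protected boolean shouldNotFilter(HttpServletRequest request) {
        // Assumption: /hello is the only endpoint of this tutorial app worth auditing
        // (and the application runs with an empty context path).
        return !"/hello".equals(request.getRequestURI());
    }
}
```

A request with a wrong password shows up in the log with status 401, because the status is read after the rest of the chain has finished.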
