
How to add custom filter after user authorize in spring application


I was finally able to resolve my problem. Instead of using a filter, I added a handler that is invoked only on a successful login.

The following lines were added to security.xml:

<!-- Form login configuration: after a successful login, the bean referenced by
     authentication-success-handler-ref is invoked. -->
<!-- NOTE(review): authentication-success-handler-ref is documented as an alternative to
     default-target-url / always-use-default-target; confirm that this Spring Security
     version accepts both together, and which one decides the post-login redirect. -->
<form-login login-page="/" authentication-failure-url="/?login_error=1" default-target-url="/" always-use-default-target="false"
          authentication-success-handler-ref="authenticationSuccessHandler"/>
<!-- Logout with the namespace defaults. -->
<logout />
<!-- The success handler bean; the id must match authentication-success-handler-ref above. -->
<beans:bean id="authenticationSuccessHandler" class="security.CustomSuccessHandler"/>

I also added a custom handler that adds a session attribute.

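package security;

import java.io.IOException;
import java.security.GeneralSecurityException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;

/**
 * Success handler that marks the session of a freshly authenticated user before the
 * standard post-login redirect is sent.
 *
 * <p>The {@code "Flag"} session attribute is a snapshot taken at login time. It is a
 * convenience marker for the view layer only: access decisions should still be enforced
 * by Spring Security's own authorization rules, because the attribute is not refreshed
 * if the user's authorities change during the session.
 */
public class CustomSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler {

    /**
     * Stores the role marker in the session, then delegates to the parent handler.
     *
     * @param request        the login request
     * @param response       the response on which the parent handler sends the redirect
     * @param authentication the authentication created by the login
     * @throws IOException      if the parent handler fails to send the redirect
     * @throws ServletException if the parent handler fails
     */
    @Override
    public void onAuthenticationSuccess(final HttpServletRequest request,
            final HttpServletResponse response, final Authentication authentication)
            throws IOException, ServletException {
        // Touch the session BEFORE delegating: the parent handler sends the redirect, and
        // once the response is committed getSession(true) can no longer create a session
        // (it throws IllegalStateException if none exists yet).
        final HttpSession session = request.getSession(true);
        try {
            // CurrentUser is a project helper not shown here; presumably it reads the
            // current security context - confirm it is populated at this point.
            if (CurrentUser.isUserInRole("USER")) {
                session.setAttribute("Flag", "user");
            }
        } catch (Exception e) {
            // Best effort: a failure to set the marker must not block the login itself.
            logger.error("Error in getting User()", e);
        }

        super.onAuthenticationSuccess(request, response, authentication);
    }
}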


You can use a standard Java filter (that is, implement the Filter interface). Just place it after the authentication filter in web.xml (this means it comes later in the filter chain and is called after the security filter chain).

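/**
 * Servlet filter that adds a session attribute for requests made by a user holding
 * {@code ROLE_USER}.
 *
 * <p>It reads the authentication from {@link SecurityContextHolder}, so it only sees a
 * populated context when its filter-mapping is declared after the Spring Security
 * filter chain in web.xml and the request URL is also covered by that chain.
 */
public class CustomFilter implements Filter {

    @Override
    public void destroy() {
        // Do nothing
    }

    /**
     * Sets the session attribute when the current user has {@code ROLE_USER}, then
     * continues the chain in every case.
     *
     * @param req   the incoming request; cast to {@link HttpServletRequest}
     * @param res   the response, passed through untouched
     * @param chain the remaining filter chain
     * @throws IOException      if a later element of the chain fails
     * @throws ServletException if a later element of the chain fails
     */
    @Override
    public void doFilter(ServletRequest req, ServletResponse res,
            FilterChain chain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();

        // The context holds no Authentication when the request did not pass through the
        // security chain (or anonymous authentication is disabled); skip instead of
        // failing with a NullPointerException.
        if (authentication != null) {
            Set<String> roles = AuthorityUtils.authorityListToSet(authentication.getAuthorities());
            if (roles.contains("ROLE_USER")) {
                // The attribute is a display hint only; it is not an access-control decision.
                request.getSession().setAttribute("myVale", "myvalue");
            }
        }

        chain.doFilter(req, res);
    }

    @Override
    public void init(FilterConfig arg0) throws ServletException {
        // Do nothing
    }
}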

Fragment of web.xml:

<!-- The Spring Security Filter Chain -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<!-- Pay attention to the url-pattern -->
<!-- Filters run in the order of their filter-mapping elements, so this mapping must stay
     above the customFilter mapping for the security context to be populated first. -->
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
    <!-- With the dispatcher elements commented out, the mapping applies to the default
         REQUEST dispatch only: a server-side forward to a protected page does not pass
         through this chain. -->
    <!-- <dispatcher>FORWARD</dispatcher><dispatcher>REQUEST</dispatcher> -->
</filter-mapping>
<!-- Your filter definition -->
<filter>
    <filter-name>customFilter</filter-name>
    <filter-class>com.yourcompany.test.CustomFilter</filter-class>
</filter>
<!-- Mapped to a single page; that URL is also matched by /* above, so the security
     chain has already run when customFilter is invoked. -->
<filter-mapping>
    <filter-name>customFilter</filter-name>
    <url-pattern>/VacationsManager.jsp</url-pattern>
</filter-mapping>