After looking in my own code I noticed that I didn't use the 'ref' attribute, but instead I place this tag inside my bean definition as follow:
<bean id="ntlmFilter" class="org.springframework.security.ntlm.samples.failover.NtlmProcessingFilter">
<sec:custom-filter position="NTLM_FILTER" />
<property name="authenticationManager" ref="authenticationManager" />
<property name="retryOnAuthFailure" value="false" />
<property name="securityConfiguration" ref="securityConfiguration" />
</bean>
Source: http://github.com/aloiscochard/spring-security-ntlm-samples/blob/master/spring-security-ntlm-samples-failover/src/main/resources/applicationContext-security.xml
Even if it's for spring-security 2, the behavior is the same in version 3.
You can find all possible position in the org.springframework.security.config.http.SecurityFilters enumeration:
http://grepcode.com/file/repo1.maven.org/maven2/org.springframework.security/spring-security-config/3.0.2.RELEASE/org/springframework/security/config/http/SecurityFilters.java
You can use some postition already defined in this enumeration to define in which order your custom filters must be set.
For exemple:
- one filter before LAST and one at LAST (but not after LAST ! nothing can be after LAST !)
- or one filter before SWITCH_USER_FILTER and one after.
Don't know where your are placing your tags ? but I like to have them directly inside the filter bean... easier to maintain :-)
Hope that's help !
PS: Since position are based on integer you can perhaps put number instead of enumeration value (be warn to us correct position number, look at the logic inside the SecurityFilters enumeration), not sure if accepted ...