As explained earlier, Spring Security works on servlet filters. There are number of built-in servlet filters that do almost all the necessary functionalities. If needed, Spring Security does provide a mechanism to write your own custom filter and can be plugged in at the right point in the filter chain execution. Create your own filter by extending org.springframework.web.filter.GenericFilterBean as shown in the following code snippet:

public class NewLogicFilter extends GenericFilterBean {
    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        // Custom logic
        chain.doFilter(request, response);
    }
}

Once you create your own filter, plug it into the filter chain in the Spring Security configuration file as follows:

@Configuration
public class SpringSecurityConfiguration extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .addFilterBefore(new NewLogicFilter(), 
                BasicAuthenticationFilter.class);
    }
}

You can place the new filter before, after, or at a particular location in the filter chain. If you want to extend an existing filter, you have that provision as well.