The decorator approach complicates things when it comes to parsing the filter list and makes it difficult to provide proper tooling integration (since we have to rely on a bean processor to build the final filter list). This approach makes sense with the AuthenticationManager since the implementation is not visible, but it would make things clearer if the <http> block contained a complete definition of the filter list, rather than having to scan through the rest of the configuration for filter beans with <custom-filter> in them.
So we would have
<custom-filter ref="filterBean" position="whatever"/>
The existing bean parser can be modified to provide a suitable message and example of the new syntax.