如何在Spring Security中查找用户的IP? [英] How to find users' IPs in Spring Security?
问题描述
我需要找到那些登录我们应用程序的用户。
我们正在使用Spring Security,必须有办法找出用户的IP。
我认为这些信息存储在他们的会话中。在Spring Security中,当前会话存储在 SessionRegistry 。从这个类我可以有经过身份验证的用户列表和一些会话信息。 (使用 getAllPrincipals
, getAllSessions
和 getSessionInformation
)
问题是,我如何才能访问当前用户的IP?考虑我们必须仅为已知区域提供服务。
SessionInformation 没有多大帮助,因为它不包含太多信息。
I need to find those user who are logged in our application.
We are using Spring Security and there must be a way to find out users' IPs.
I think these information are stored in their sessions. In Spring Security, the current sessions are stored in SessionRegistry. From this class I can have list of authenticated users and some session information. (Using getAllPrincipals
, getAllSessions
and getSessionInformation
)
The question is, how can I have access to current users' IPs? Consider we have to give service to a known region only.
The SessionInformation is not much help as it does not contain much information.
推荐答案
我认为通过 hasIpAddress http表达式
I think that the check be achieved by using hasIpAddress http expression
参见< a href =http://static.springsource.org/spring-security/site/docs/3.0.x/reference/el-access.html\"rel =noreferrer> 15.2网络安全表达式
<http use-expressions="true">
<intercept-url pattern="/admin*"
access="hasRole('admin') and hasIpAddress('192.168.1.0/24')"/>
...
</http>
如果您想要更多灵活性,可以基于IpAddressMatcher实现自己的IP地址检查服务:
If you want more flexibility, you can implement your own IP address check service, based on IpAddressMatcher:
<bean id="ipCheckService" class="my.IpCheckService">
</bean>
<security:http auto-config="false" access-denied-page="/accessDenied.jsp"
use-expressions="true">
<security:intercept-url pattern="/login.jsp"
access="@ipCheckService.isValid(request)" />
bean实现:
public class IpCheckService {
public boolean isValid(HttpServletRequest request) {
//This service is a bean so you can inject other dependencies,
//for example load the white list of IPs from the database
IpAddressMatcher matcher = new IpAddressMatcher("192.168.1.0/24");
try {
return matcher.matches(request);
} catch (UnsupportedOperationException e) {
return false;
}
}
}
更新:您可以尝试以这种方式获取当前用户IP:
update: you can try to get current user IP this way:
public static String getRequestRemoteAddr(){
HttpServletRequest request = ((ServletRequestAttributes)RequestContextHolder.currentRequestAttributes())
.getRequest();
return request.getRemoteAddr();
}
更新有关IP地址之间关系的信息和会话只能从不同的源收集(如监听AuthenticationSuccessEvent和SessionDestroyedEvent事件,实现过滤器或使用AOP拦截器)。 Spring Security不存储此类信息,因为它没用,因为IP地址仅在服务器处理 ServletRequest 。
update The information about the relation between IP addresses and sessions can only be gathered from the different sources(like listening to AuthenticationSuccessEvent and SessionDestroyedEvent events, implementing a filter or using an AOP interceptor). Spring Security doesn't store such information because it's useless, as IP address has some meaning only while the server is processing a ServletRequest.
IP地址可能会改变(用户可能正在使用代理),所以我们只能审核不同的各种事件,例如使用某些凭据登录,从不同的IP访问服务或进行一些可疑活动。
IP address may change(user may be using a proxy), so we can only audit different kinds of events like logging in with some credentials, accessing a service from a different IP, or doing some suspicious activity.
这篇关于如何在Spring Security中查找用户的IP?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!