如何在Spring Security中查找用户的IP？ [英] How to find users' IPs in Spring Security?

问题描述

我需要找到那些登录我们应用程序的用户。

我们正在使用Spring Security，必须有办法找出用户的IP。



我认为这些信息存储在他们的会话中。在Spring Security中，当前会话存储在 SessionRegistry 。从这个类我可以有经过身份验证的用户列表和一些会话信息。 （使用 getAllPrincipals ， getAllSessions 和 getSessionInformation ）



问题是，我如何才能访问当前用户的IP？考虑我们必须仅为已知区域提供服务。

SessionInformation 没有多大帮助，因为它不包含太多信息。

I need to find those user who are logged in our application.
We are using Spring Security and there must be a way to find out users' IPs.

I think these information are stored in their sessions. In Spring Security, the current sessions are stored in SessionRegistry. From this class I can have list of authenticated users and some session information. (Using getAllPrincipals , getAllSessions and getSessionInformation)

The question is, how can I have access to current users' IPs? Consider we have to give service to a known region only.
The SessionInformation is not much help as it does not contain much information.

推荐答案

我认为通过 hasIpAddress http表达式

I think that the check be achieved by using hasIpAddress http expression

参见< a href =http://static.springsource.org/spring-security/site/docs/3.0.x/reference/el-access.html\"rel =noreferrer> 15.2网络安全表达式

<http use-expressions="true">
    <intercept-url pattern="/admin*"
        access="hasRole('admin') and hasIpAddress('192.168.1.0/24')"/>
    ...
  </http>

如果您想要更多灵活性，可以基于IpAddressMatcher实现自己的IP地址检查服务：

If you want more flexibility, you can implement your own IP address check service, based on IpAddressMatcher:

<bean id="ipCheckService" class="my.IpCheckService">
</bean>

<security:http auto-config="false" access-denied-page="/accessDenied.jsp" 
use-expressions="true">
    <security:intercept-url pattern="/login.jsp"
        access="@ipCheckService.isValid(request)" />

bean实现：

public class IpCheckService {
    public boolean isValid(HttpServletRequest request) {
        //This  service is a bean so you can inject other dependencies,
            //for example load the white list of IPs from the database 
        IpAddressMatcher matcher = new IpAddressMatcher("192.168.1.0/24");

    try {
        return matcher.matches(request);
    } catch (UnsupportedOperationException e) { 
        return false;
    }
    }
}

更新：您可以尝试以这种方式获取当前用户IP：

update: you can try to get current user IP this way:

    public static String getRequestRemoteAddr(){
        HttpServletRequest request = ((ServletRequestAttributes)RequestContextHolder.currentRequestAttributes())
                   .getRequest(); 
        return request.getRemoteAddr();
}

更新有关IP地址之间关系的信息和会话只能从不同的源收集（如监听AuthenticationSuccessEvent和SessionDestroyedEvent事件，实现过滤器或使用AOP拦截器）。 Spring Security不存储此类信息，因为它没用，因为IP地址仅在服务器处理 ServletRequest 。

update The information about the relation between IP addresses and sessions can only be gathered from the different sources(like listening to AuthenticationSuccessEvent and SessionDestroyedEvent events, implementing a filter or using an AOP interceptor). Spring Security doesn't store such information because it's useless, as IP address has some meaning only while the server is processing a ServletRequest.

IP地址可能会改变（用户可能正在使用代理），所以我们只能审核不同的各种事件，例如使用某些凭据登录，从不同的IP访问服务或进行一些可疑活动。

IP address may change(user may be using a proxy), so we can only audit different kinds of events like logging in with some credentials, accessing a service from a different IP, or doing some suspicious activity.

这篇关于如何在Spring Security中查找用户的IP？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！