Java: invalidate the session when the client's IP address changes
Tags: java, spring-mvc, session, spring-security

I'm trying to invalidate the user's session if their IP address changes (I want to force the user to keep the same IP address for the duration of the session, or else they need to re-authenticate). I assumed there was a feature built into Spring Security to do this, but I can't seem to find it.
What is the most elegant way to implement this requirement (preferably through Spring Security configuration)?

I couldn't find any built-in feature in Spring Security for binding a session to an IP, but it is easy to implement with a custom filter:
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.web.filter.GenericFilterBean;

public class IpEnforcementFilter extends GenericFilterBean {

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        boolean chainCompleted = implementEnforcement((HttpServletRequest) request, (HttpServletResponse) response);
        if (!chainCompleted) {
            chain.doFilter(request, response);
        }
    }

    private boolean implementEnforcement(HttpServletRequest request, HttpServletResponse response) throws IOException {
        final String key = "enforcement.ip";
        HttpSession session = request.getSession(false);
        if (session != null) {
            // we have a session
            String ip = request.getRemoteAddr();
            String ipInSession = (String) session.getAttribute(key);
            if (ipInSession == null) {
                // first request seen with this session: remember the client IP
                session.setAttribute(key, ip);
            } else if (!ipInSession.equals(ip)) {
                // JSESSIONID is the same, but IP has changed:
                // invalidate the session because there is a probability that it is a session hijack
                session.invalidate();
                // a redirection to some page (probably to context root) may be added here
                return true;
            }
        }
        return false;
    }
}
It remembers the user's IP address and then compares the current IP with the remembered one: if it differs, the session is destroyed.

This is an old thread, but I hope this information is useful for anyone who may refer to it in the future. If the request has an X-Forwarded-For header, it is better to get the client IP from the header rather than from request.getRemoteAddr(). For the difference between the two, refer to this question. You could also use something like Tomcat's RemoteIpValve to achieve this (i.e., it returns the X-Forwarded-For header value from request.getRemoteAddr()).
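As an added example (not code from either answer above), the following combines the two suggestions in a Spring Security 6 style filter: the session is bound to the client IP as in the first answer, and the client IP is taken from X-Forwarded-For as the second answer suggests, but only when the request arrived from a trusted reverse proxy, because any client can send that header itself. The class names, the session attribute key, the trusted-proxy address list, the jakarta.servlet package, the redirect target and the security configuration are all assumptions for this illustration.

```java
import java.io.IOException;
import java.util.Set;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpSession;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;

/** Binds an HTTP session to the client IP it was first seen from (assumed class name). */
public class IpBindingFilter extends OncePerRequestFilter {

    static final String SESSION_ATTR = "enforcement.ip"; // same key as the first answer uses

    private final Set<String> trustedProxies; // addresses of our own reverse proxies (assumption)

    public IpBindingFilter(Set<String> trustedProxies) {
        this.trustedProxies = trustedProxies;
    }

    /**
     * Resolves the client IP. X-Forwarded-For is honoured only when the direct peer
     * (remoteAddr) is a trusted proxy. The header is "client, proxy1, proxy2": it is
     * walked from the right, skipping our own proxies, and the first foreign address
     * is taken, so anything a client prepended to the header is ignored.
     */
    static String clientIp(String remoteAddr, String xForwardedFor, Set<String> trustedProxies) {
        if (xForwardedFor == null || xForwardedFor.isBlank() || !trustedProxies.contains(remoteAddr)) {
            return remoteAddr;
        }
        String[] hops = xForwardedFor.split(",");
        for (int i = hops.length - 1; i >= 0; i--) {
            String hop = hops[i].trim();
            if (!hop.isEmpty() && !trustedProxies.contains(hop)) {
                return hop;
            }
        }
        return remoteAddr; // every listed hop was one of our proxies
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        HttpSession session = request.getSession(false);
        if (session != null) {
            String ip = clientIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), trustedProxies);
            Object bound = session.getAttribute(SESSION_ATTR);
            if (bound == null) {
                session.setAttribute(SESSION_ATTR, ip);
            } else if (!bound.equals(ip)) {
                // same JSESSIONID, different client address: treat as a possible hijack
                session.invalidate();
                response.sendRedirect(request.getContextPath() + "/login"); // assumed login page
                return;
            }
        }
        chain.doFilter(request, response);
    }
}

/** Registers the filter in the Spring Security chain (assumed configuration). */
@Configuration
class SecurityConfig {

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        // 10.0.0.5 is an assumed address of the reverse proxy in front of the application
        http.addFilterBefore(new IpBindingFilter(Set.of("10.0.0.5")),
                             UsernamePasswordAuthenticationFilter.class)
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults());
        return http.build();
    }
}
```

If Tomcat's RemoteIpValve (or Spring's ForwardedHeaderFilter) is already rewriting request.getRemoteAddr() from X-Forwarded-For, pass an empty trusted-proxy set so the header is not interpreted twice. Note that binding to the IP also logs out legitimate users whose address changes mid-session, for example a phone moving from Wi-Fi to cellular or a client behind carrier NAT, which is the trade-off the question explicitly accepts.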