我找不到任何内置功能在春季安全绑定一个会话的IP,但它很容易使用自定义过滤器来实现:
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) {
boolean chainCompleted = implementEnforcement(request, response);
if (!chainCompleted) {
filterChain.doFilter(request, response);
}
}
private boolean implementEnforcement(HttpServletRequest request, HttpServletResponse response) throws IOException {
final String key = "enforcement.ip";
HttpSession session = request.getSession(false);
if (session != null) {
// we have a session
String ip = request.getRemoteAddr();
String ipInSession = session.getAttribute(key);
if (ipInSession == null) {
session.setAttribute(key, ip);
} else {
if (!ipInSession.equals(ip)) {
// JSESSIONID is the same, but IP has changed
// invalidate the session because there is a probability that it is
// a session hijack
session.invalidate();
// a redirection to some page (probably to context root) may be added here
return true;
}
}
}
return false;
}
它会记住用户的IP地址,然后比较了当前IP记住的一个:如果它不同,会话被破坏。