I need to find the users who are logged in to our application.
We are using Spring Security and there must be a way to find out users' IPs.
I think this information is stored in their sessions. In Spring Security, the current sessions are stored in SessionRegistry. From this class I can get a list of authenticated users and some session information (using getAllPrincipals, getAllSessions and getSessionInformation).
The question is, how can I have access to current users' IPs? Consider we have to give service to a known region only.
The SessionInformation is not much help as it does not contain much information.
public class User extends Object implements UserDetails, CredentialsContainer. Models core user information retrieved by a UserDetailsService. Developers may use this class directly, subclass it, or write their own UserDetails implementation from scratch.
We can use hasIpAddress() to allow only users with a given IP address to access a specific resource. In this configuration, only users with the IP address "11.11.11.11" will be able to access the "/foos" resource.
I think that the check can be achieved by using the hasIpAddress http expression.
See section 15.2 Web Security Expressions
    <http use-expressions="true">
        <intercept-url pattern="/admin*"
            access="hasRole('admin') and hasIpAddress('192.168.1.0/24')"/>
        ...
    </http>
If you want more flexibility, you can implement your own IP address check service, based on IpAddressMatcher:
    <bean id="ipCheckService" class="my.IpCheckService">
    </bean>
    <security:http auto-config="false" access-denied-page="/accessDenied.jsp"
            use-expressions="true">
        <security:intercept-url pattern="/login.jsp"
            access="@ipCheckService.isValid(request)" />
    </security:http>
Bean implementation:
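    import javax.servlet.http.HttpServletRequest;
    // Package as of Spring Security 3.2; earlier releases have it in org.springframework.security.web.util
    import org.springframework.security.web.util.matcher.IpAddressMatcher;

    public class IpCheckService {
        public boolean isValid(HttpServletRequest request) {
            // This service is a bean so you can inject other dependencies,
            // for example load the white list of IPs from the database
            IpAddressMatcher matcher = new IpAddressMatcher("192.168.1.0/24");
            try {
                return matcher.matches(request);
            } catch (UnsupportedOperationException e) {
                // Deny access when the address cannot be matched
                return false;
            }
        }
    }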
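Update: you can try to get the current user's IP this way:
    // Works only on a thread that is currently bound to a servlet request;
    // currentRequestAttributes() throws IllegalStateException otherwise.
    public static String getRequestRemoteAddr() {
        HttpServletRequest request = ((ServletRequestAttributes) RequestContextHolder.currentRequestAttributes())
            .getRequest();
        return request.getRemoteAddr();
    }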
Update: The information about the relation between IP addresses and sessions can only be gathered from different sources (like listening to AuthenticationSuccessEvent and SessionDestroyedEvent events, implementing a filter or using an AOP interceptor). Spring Security doesn't store such information because it's useless, as an IP address has some meaning only while the server is processing a ServletRequest.
The IP address may change (the user may be using a proxy), so we can only audit different kinds of events like logging in with some credentials, accessing a service from a different IP, or doing some suspicious activity.
You can get the IP address from the WebAuthenticationDetails object, which can be obtained from the Authentication instance.
    // Remains null when the authentication did not come from a web request
    String ipAddress = null;
    Object details =
        SecurityContextHolder.getContext().getAuthentication().getDetails();
    if (details instanceof WebAuthenticationDetails) {
        ipAddress = ((WebAuthenticationDetails) details).getRemoteAddress();
    }
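The event-listening approach mentioned in the first answer, combined with the WebAuthenticationDetails lookup from the second, as an added example that is not part of either answer. The class name LoginIpRegistry and its methods are hypothetical; it assumes Java 8, Spring Security 3.1 or later, the class registered as a bean, and HttpSessionEventPublisher declared as a listener in web.xml.

```java
import java.util.Collections;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import org.springframework.context.ApplicationEvent;
import org.springframework.context.ApplicationListener;
import org.springframework.security.authentication.event.AuthenticationSuccessEvent;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.session.SessionDestroyedEvent;
import org.springframework.security.web.authentication.WebAuthenticationDetails;

// Hypothetical audit bean: user name -> login IP -> number of live sessions from it.
public class LoginIpRegistry implements ApplicationListener<ApplicationEvent> {
    private final Map<String, Map<String, Integer>> live = new ConcurrentHashMap<>();

    @Override
    public void onApplicationEvent(ApplicationEvent event) {
        if (event instanceof AuthenticationSuccessEvent) {
            Authentication auth = ((AuthenticationSuccessEvent) event).getAuthentication();
            String ip = loginIp(auth);
            if (ip != null) {
                live.computeIfAbsent(auth.getName(), u -> new ConcurrentHashMap<>())
                    .merge(ip, 1, Integer::sum);
            }
        } else if (event instanceof SessionDestroyedEvent) {
            // Published only when HttpSessionEventPublisher is registered in web.xml.
            for (SecurityContext ctx : ((SessionDestroyedEvent) event).getSecurityContexts()) {
                Authentication auth = ctx.getAuthentication();
                String ip = loginIp(auth);
                Map<String, Integer> ips = (ip == null) ? null : live.get(auth.getName());
                if (ips != null) {
                    // Drop the entry once the last session from that address is gone.
                    ips.computeIfPresent(ip, (k, n) -> n > 1 ? n - 1 : null);
                }
            }
        }
    }
    // Address seen while the login request was processed; behind a reverse proxy it is the proxy's.
    private static String loginIp(Authentication auth) {
        Object details = (auth == null) ? null : auth.getDetails();
        return details instanceof WebAuthenticationDetails
            ? ((WebAuthenticationDetails) details).getRemoteAddress() : null;
    }
    // Snapshot of the addresses a user logged in from and still has sessions for.
    public Set<String> loginIps(String user) {
        Map<String, Integer> ips = live.get(user);
        return ips == null ? Collections.<String>emptySet() : new HashSet<>(ips.keySet());
    }
}
```

Logins that never create an HTTP session (stateless HTTP Basic, for instance) are counted but never removed, so this bean fits session-based logins only.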