Spring Security: several logins from the same IP address

Time: 2013-02-26 15:33:20

Tags: java spring spring-security ip-address

Greetings.

I have the following problem. Is there a way in Spring Security to check the number of logins coming from the same IP address? I mean that if someone is already logged in from the current IP, I want to tell him that he cannot log in with different credentials (for example from a different browser) and deny the login attempt.

I tried googling and found the following, but it is not what I am looking for:

IP filter using Spring Security

Authenticating By IP Address In Spring 3.1: Smartest Way To Do That?

3 answers:

Answer 0: (score: 3)

One possible solution is to implement a pair of custom AuthenticationSuccessHandler / LogoutSuccessHandler (both have access to the HTTP request) that maintain a concurrent map holding the number of logged-in users keyed by their IP address. Then add a custom filter that intercepts the login request, checks the map, and redirects the user when the number of users for that IP address exceeds the limit.

Answer 1: (score: 1)

I don't think there is a way to do this out of the box. What you can actually do is limit the maximum number of connections from one browser instance (see the concurrent session chapter).

If that is not enough, you can do it manually (thanks to the well-designed extension points in Spring Security). Define a custom filter following the instructions here. Declare an alias for the session registry and load all principals. In the normal case each principal will be represented by an Authentication object. Authentication.getDetails() may contain the IP address. Look for duplicates and redirect the user to some error page. Hope this helps.

Edit. It doesn't work, because the principals in the session registry are actually instances of org.springframework.security.core.userdetails.User, not Authentication.

Answer 2: (score: 0)

SessionAuthenticationStrategy is the focal point for monitoring and controlling login attempts. There is already ConcurrentSessionControlStrategy, which limits the number of sessions logged in under the same username. You can extend it or learn from it. Then redirect or forward to an error page in SimpleUrlAuthenticationFailureHandler.

/**
 * Strategy which handles concurrent session-control, in addition to the functionality provided by the base class.
 *
 * When invoked following an authentication, it will check whether the user in question should be allowed to proceed,
 * by comparing the number of sessions they already have active with the configured <tt>maximumSessions</tt> value.
 * The {@link SessionRegistry} is used as the source of data on authenticated users and session data.
 * <p>
 * If a user has reached the maximum number of permitted sessions, the behaviour depends on the
 * <tt>exceptionIfMaxExceeded</tt> property. The default behaviour is to expire the least recently used session, which
 * will be invalidated by the {@link ConcurrentSessionFilter} if accessed again. If <tt>exceptionIfMaxExceeded</tt> is
 * set to <tt>true</tt>, however, the user will be prevented from starting a new authenticated session.
 * <p>
 * This strategy can be injected into both the {@link SessionManagementFilter} and instances of
 * {@link AbstractAuthenticationProcessingFilter} (typically {@link UsernamePasswordAuthenticationFilter}).
 *
 * @author Luke Taylor
 * @since 3.0
 */
public class ConcurrentSessionControlStrategy extends SessionFixationProtectionStrategy
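The following is an added example, not code from the question, from any of the answers, or from Spring Security itself. It implements what Answer 0 and Answer 2 both describe (a per-IP registry consulted at login time, with the check hooked into the SessionAuthenticationStrategy extension point that Answer 2 points at) and adds the piece a practitioner needs in practice: releasing the IP again when the session ends, whether by logout or by timeout, so the map does not grow forever. The class name, the session attribute name and the trustForwardedFor flag are my own choices; the Spring Security types used (SessionAuthenticationStrategy, SessionAuthenticationException, WebAuthenticationDetails) are the real 3.x APIs.

```java
import java.util.HashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.WebAuthenticationDetails;
import org.springframework.security.web.authentication.session.SessionAuthenticationException;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;

/**
 * Hypothetical strategy (not part of Spring Security): at most one distinct username per
 * client IP. The same user may open further sessions from that IP (second browser); a
 * different username from the same IP is rejected with a SessionAuthenticationException,
 * which UsernamePasswordAuthenticationFilter hands to the configured failure handler.
 */
public class OneUserPerIpStrategy implements SessionAuthenticationStrategy, HttpSessionListener {

    /** Session attribute remembering which IP this session has been counted against. */
    static final String IP_ATTR = OneUserPerIpStrategy.class.getName() + ".ip";

    /** Per-IP record: the username holding the IP and how many of its sessions are live. */
    private static final class Owner {
        final String user;
        int sessions = 1;
        Owner(String user) { this.user = user; }
    }

    /** client IP -> owner. Static so the filter-chain bean and the web.xml listener share it (one JVM only). */
    private static final Map<String, Owner> OWNER_BY_IP = new HashMap<String, Owner>();

    /** Honour X-Forwarded-For only when a trusted reverse proxy is known to set it (assumption). */
    private final boolean trustForwardedFor;

    public OneUserPerIpStrategy(boolean trustForwardedFor) {
        this.trustForwardedFor = trustForwardedFor;
    }

    @Override
    public void onAuthentication(Authentication authentication, HttpServletRequest request,
                                 HttpServletResponse response) throws SessionAuthenticationException {
        String ip = clientIp(authentication, request);
        String user = authentication.getName();
        HttpSession session = request.getSession(true);
        Object previousIp = session.getAttribute(IP_ATTR);
        boolean alreadyCounted = ip.equals(previousIp);

        synchronized (OWNER_BY_IP) {          // check-then-act must be atomic across concurrent logins
            Owner owner = OWNER_BY_IP.get(ip);
            if (owner == null) {
                OWNER_BY_IP.put(ip, new Owner(user));
            } else if (!owner.user.equals(user)) {
                throw new SessionAuthenticationException("Another user is already logged in from " + ip);
            } else if (!alreadyCounted) {
                owner.sessions++;             // same user, another browser from the same IP
            }
        }
        if (previousIp != null && !alreadyCounted) {
            release(previousIp);              // client moved to a new IP: free the old slot
        }
        session.setAttribute(IP_ATTR, ip);    // lets sessionDestroyed() release this slot later
    }

    /** Client IP as Spring Security saw it, or the left-most X-Forwarded-For hop behind a trusted proxy. */
    String clientIp(Authentication authentication, HttpServletRequest request) {
        if (trustForwardedFor) {
            String xff = request.getHeader("X-Forwarded-For");
            if (xff != null && xff.trim().length() > 0) {
                return xff.split(",")[0].trim();
            }
        }
        Object details = authentication.getDetails();
        if (details instanceof WebAuthenticationDetails) {
            return ((WebAuthenticationDetails) details).getRemoteAddress();
        }
        return request.getRemoteAddr();
    }

    /** Decrement the owner's live-session count and drop the IP once the last session is gone. */
    private static void release(Object ip) {
        synchronized (OWNER_BY_IP) {
            Owner owner = OWNER_BY_IP.get(ip);
            if (owner != null && --owner.sessions <= 0) {
                OWNER_BY_IP.remove(ip);
            }
        }
    }

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        // nothing to do: the slot is taken in onAuthentication(), not at session creation
    }

    /** Fires on logout (SecurityContextLogoutHandler invalidates the session by default) and on timeout. */
    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        Object ip = se.getSession().getAttribute(IP_ATTR);
        if (ip != null) {
            release(ip);
        }
    }
}
```

Wiring (Spring Security 3.1 namespace): declare the class as a bean, reference it from `<session-management session-authentication-strategy-ref="..."/>` inside `<http>`, point `<form-login authentication-failure-url="..."/>` at the error page the question wants, and register the same class as a `<listener>` in web.xml so timeouts release the slot (the two instances share the static map). Three caveats before deploying this: setting session-authentication-strategy-ref replaces the default SessionFixationProtectionStrategy, so either delegate to one from this class or, on 3.2 or later, combine them in a CompositeSessionAuthenticationStrategy with the fixation strategy listed first, because fixation protection migrates the session and would otherwise trigger sessionDestroyed() on the old session and undercount; X-Forwarded-For is attacker-controlled unless a trusted proxy overwrites it, so leave trustForwardedFor false unless you know your edge does that; and many legitimate users share one IP behind NAT or a corporate proxy, so a per-IP rule like the one the question asks for will lock them out of each other's accounts.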