According to Tomcat developer @mark-thomas client IP is notexposed via JSR-356 thus it is impossible to implement such a function with pure JSR-356 API-s.

据 Tomcat 开发人员 @mark-thomas 客户端 IP没有通过 JSR-356 公开，因此不可能用纯 JSR-356 API-s 实现这样的功能。

You have to use a rather ugly hack to work around the limitation of the standard.

您必须使用相当丑陋的 hack 来解决标准的限制。

What needs to be done boils down to:

需要做的事情归结为：

1. Generate each user a token that contains their IP on initial request (before websocket handshake)
2. Pass the token down the chain until it reaches endpoint implementation

1. 在初始请求时（在 websocket 握手之前）为每个用户生成一个包含其 IP 的令牌
2. 将令牌沿链向下传递，直到它到达端点实现

There are at least two hacky options to achieve that.

至少有两个 hacky 选项可以实现这一点。

Use HttpSession

使用 HttpSession

1. Listen to incoming HTTP requests with a ServletRequestListener
2. Call request.getSession()on incoming request to ensure it has a session and store client IP as a session attribute.
3. Create a ServerEndpointConfig.Configuratorthat lifts client IP from HandshakeRequest#getHttpSessionand attaches it to EndpointConfigas a user property using the modifyHandshakemethod.
4. Get the client IP from EndpointConfiguser properties, store it in map or whatever and trigger cleanup logic if the number of sessions per IP exceeds a threshold.

1. 侦听传入的 HTTP 请求 ServletRequestListener
2. 调用request.getSession()传入请求以确保它具有会话并将客户端 IP 存储为会话属性。
3. 使用该方法创建一个ServerEndpointConfig.Configurator从中提取客户端 IPHandshakeRequest#getHttpSession并将其附加EndpointConfig为用户属性的对象modifyHandshake。
4. 从EndpointConfig用户属性中获取客户端 IP ，将其存储在地图或其他任何内容中，如果每个 IP 的会话数超过阈值，则触发清理逻辑。

You can also use a @WebFilterinstead of ServletRequestListener

您也可以使用@WebFilter代替ServletRequestListener

Note that this option can have a high resource consumption unless your application already uses sessions e.g. for authentication purposes.

请注意，除非您的应用程序已经使用会话（例如用于身份验证），否则此选项可能会消耗大量资源。

Pass IP as an encrypted token in the URL

在 URL 中将 IP 作为加密令牌传递

1. Create a servlet or a filter that attaches to a non websocket entry point. e.g. /mychat
2. Get client IP, encrypt it with a random salt and a secret key to generate a token.
3. Use ServletRequest#getRequestDispatcherto forward the request to /mychat/TOKEN
4. Configure your endpoint to use path parameters e.g. @ServerEndpoint("/mychat/{token}")
5. Lift the token from @PathParamand decrypt to get client IP. Store it in map or whatever and trigger cleanup logic if the number of sessions per IP exceeds a threshold.

1. 创建附加到非 websocket 入口点的 servlet 或过滤器。例如/mychat
2. 获取客户端 IP，使用随机盐和密钥对其进行加密以生成令牌。
3. 用于ServletRequest#getRequestDispatcher将请求转发到/mychat/TOKEN
4. 配置您的端点以使用路径参数，例如 @ServerEndpoint("/mychat/{token}")
5. 提取令牌@PathParam并解密以获取客户端 IP。如果每个 IP 的会话数超过阈值，则将其存储在地图或其他任何内容中并触发清理逻辑。

For ease of installation you may wish to generate encryption keys on application startup.

为了便于安装，您可能希望在应用程序启动时生成加密密钥。

Please note that you need to encrypt the IP even if you are doing an internal dispatch that is not visible to the client. There is nothing that would stop an attacker from connecting to /mychat/2.3.4.5directly thus spoofing the client IP if it's not encrypted.

请注意，即使您正在进行客户端不可见的内部调度，您也需要对 IP 进行加密。/mychat/2.3.4.5如果没有加密，没有什么可以阻止攻击者直接连接从而欺骗客户端 IP。

See also:

也可以看看：

• apache tomcat 8 websocket origin and client address
• Find number of active sessions created from a given client IP
• Accessing HttpSession from HttpServletRequest in a Web Socket @ServerEndpoint
• https://tyrus.java.net/documentation/1.4/index/websocket-api.html
• http://docs.oracle.com/javaee/7/tutorial/doc/websocket010.htm#BABJAIGH

• apache tomcat 8 websocket来源和客户端地址
• 查找从给定客户端 IP 创建的活动会话数
• 从 Web Socket @ServerEndpoint 中的 HttpServletRequest 访问 HttpSession
• https://tyrus.java.net/documentation/1.4/index/websocket-api.html
• http://docs.oracle.com/javaee/7/tutorial/doc/websocket010.htm#BABJAIGH

If you are using Tyrus which is JSR-356 compliant, then you can get the IP address from the Session instance, but this is a non-standard method.

如果您使用的是符合 JSR-356 的 Tyrus，那么您可以从 Session 实例获取 IP 地址，但这是一种非标准方法。

See here.

看这里。

the socket object is hidden in WsSession, so you can use reflection to got the ip address. the execution time of this method is about 1ms. this solution is not prefect but useful.

套接字对象隐藏在 WsSession 中，因此您可以使用反射来获取 ip 地址。该方法的执行时间约为1ms。这个解决方案并不完美但很有用。

public static InetSocketAddress getRemoteAddress(WsSession session) {
    if(session == null){
        return null;
    }

    Async async = session.getAsyncRemote();
    InetSocketAddress addr = (InetSocketAddress) getFieldInstance(async, 
            "base#sos#socketWrapper#socket#sc#remoteAddress");

    return addr;
}

private static Object getFieldInstance(Object obj, String fieldPath) {
    String fields[] = fieldPath.split("#");
    for(String field : fields) {
        obj = getField(obj, obj.getClass(), field);
        if(obj == null) {
            return null;
        }
    }

    return obj;
}

private static Object getField(Object obj, Class<?> clazz, String fieldName) {
    for(;clazz != Object.class; clazz = clazz.getSuperclass()) {
        try {
            Field field;
            field = clazz.getDeclaredField(fieldName);
            field.setAccessible(true);
            return field.get(obj);
        } catch (Exception e) {
        }            
    }

    return null;
}

and the pom config is

和 pom 配置是

<dependency>
  <groupId>javax.websocket</groupId>
  <artifactId>javax.websocket-all</artifactId>
  <version>1.1</version>
  <type>pom</type>
  <scope>provided</scope>
</dependency>
<dependency>
  <groupId>org.apache.tomcat</groupId>
  <artifactId>tomcat-websocket</artifactId>
  <version>8.0.26</version>
  <scope>provided</scope>
</dependency>