This question gets asked over and over again. You can search this forum for some of the detailed explanations, but in short, the IP address isn't reliable for identification purposes. Not only can it be spoofed, but it's often translated in the course of ordinary network operations. Plus there's DHCP. MAC addresses probably would require a JNI glue class, but they're no more trustworthy. If you want a positive ID, look at some sort of certificate exchange. For most purposes, J2EE's security framework is adequate, however, and it doesn't break if the user's PC dies and they end up having to log in from someone else's box.
Customer surveys are for companies who didn't pay proper attention to begin with.
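
An added example, not part of the original post: a servlet filter that takes the caller's identity from the TLS client certificate or the container-managed login and never from the remote address. The class name `CallerIdentityFilter` and the attribute name `example.callerId` are assumptions made for illustration; the servlet API calls are the standard `javax.servlet` ones.

```java
import java.io.IOException;
import java.security.Principal;
import java.security.cert.X509Certificate;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter: identity comes from the container, never from the IP. */
public class CallerIdentityFilter implements Filter {
    /** Request attribute holding the resolved identity (assumed name). */
    public static final String CALLER_ID = "example.callerId";

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        String id = resolve(http);
        if (id == null) {
            // No verified identity: refuse instead of falling back to the address.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        http.setAttribute(CALLER_ID, id);
        chain.doFilter(req, res);
    }

    static String resolve(HttpServletRequest http) {
        // 1. Certificate exchange: with TLS client authentication enabled, the
        //    container exposes the verified chain under this standard attribute.
        X509Certificate[] chain = (X509Certificate[])
                http.getAttribute("javax.servlet.request.X509Certificate");
        if (chain != null && chain.length > 0) {
            return "cert:" + chain[0].getSubjectX500Principal().getName();
        }
        // 2. Container-managed login (the auth method declared in web.xml).
        Principal user = http.getUserPrincipal();
        if (user != null) {
            return "user:" + user.getName();
        }
        // http.getRemoteAddr() is deliberately not consulted: NAT, proxies and
        // DHCP make it change or be shared, so it is log context at most.
        return null;
    }
}
```

Because the identity is tied to the certificate or the login rather than the machine, the same user is recognised after moving to a different PC.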