如下代码中如果根据appId生成key，那这个可以不就是和tomocat绑定了，如果验证的时候恰好不在所在tomcat不是验证失败了？这个么有问题吗？

private Key getKey(String appId) throws IOException, ClassNotFoundException {
		Key key;
		File f = new File(Globals.AppRoot + "/WEB-INF/apikey/" + appId + ".key");
		if (Files.isFile(f)) {
			ObjectInputStream keyIn = new ObjectInputStream(
					new FileInputStream(f));
			key = (Key) keyIn.readObject();
			keyIn.close();
		} else {
			key = MacProvider.generateKey();
			Files.createNewFile(f);
			ObjectOutputStream keyOut = new ObjectOutputStream(
					new FileOutputStream(f));
			keyOut.writeObject(key);
			keyOut.close();
		}
		return key;
	}