I posted this a while back in the security section in hopes of getting an answer, but I haven't had any. Since I pretty much know what to do, I just want feedback on the best way of doing this or experience from others. I'll post it here now.
Ok this isn't strictly speaking a security issue, but the technologies used to solve it are mostly from this area (encryption, encoding, hashing, validation, etc). So I thought I'd ask it here.
I'm working on a system that needs to be leased to clients/franchises/subsidiaries. This is a web application running on Tomcat which needs to be validated and allowed to run if and only if the client has the month or year key. They will have full control of the machine, aka they will be root (at the OS level and the dbase level).
I'd like to exchange ideas with those that have worked on or thought about this. My current standing is:
- store an encrypted key in the database
- the encrypted key is the product of the current time, the time of expiration of the license, the month/year key and some salt
- if the key doesn't decode well, then the license key is wrong and the application shuts down
- if it decrypts and the system time doesn't check with the expiration time, or is prior to the current system time, the system shuts down
Now the checking can't take place in something that depends on an XML file configuration, for example a filter, since editing the XML file would remove it and unlock the system. I can use a filter as a check to set some application-level data, which in turn gets queried by the servlets to see whether they can run or not.
Anybody with this experience? Would an application scope bean be good? A singleton type thing? I use Hibernate, so maybe two session factories? One for validation and the other for data delivery. Without validation the data delivery factory shuts down.
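As an added illustration (not code from this thread), here is the shape of the check described above, with one swap: the license is a signed token verified with a vendor public key embedded in the WAR, rather than an encrypted blob, so the key that ships with the application can only verify licenses, not mint them. The token layout, the `franchise-42` customer id and the 30-day term are constructed for the example; clock and expiry handling follow the poster's rules.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.time.Instant;
import java.util.Base64;

public class LicenseCheck {
    // Token layout (constructed for this example): "<issuedEpoch>|<expiresEpoch>|<customerId>.<base64 signature>"
    // The payload is signed by the vendor's private key; only the public key ships inside the WAR.
    public static boolean isValid(String token, PublicKey vendorKey, Instant now) {
        try {
            int dot = token.lastIndexOf('.');
            if (dot < 0) return false;
            String payload = token.substring(0, dot);
            byte[] sig = Base64.getDecoder().decode(token.substring(dot + 1));
            Signature verifier = Signature.getInstance("SHA256withRSA");
            verifier.initVerify(vendorKey);
            verifier.update(payload.getBytes(StandardCharsets.UTF_8));
            if (!verifier.verify(sig)) return false;          // forged or edited token
            String[] f = payload.split("\\|");
            if (f.length != 3) return false;
            long issued = Long.parseLong(f[0]);
            long expires = Long.parseLong(f[1]);
            long t = now.getEpochSecond();
            // reject a clock set before the issue date as well as one past expiry
            return t >= issued && t < expires;
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            return false;                                      // malformed token counts as invalid
        }
    }

    // Vendor side: this runs where the private key lives, never on the leased machine.
    public static String issue(PrivateKey vendorKey, long issued, long expires, String customer) throws GeneralSecurityException {
        String payload = issued + "|" + expires + "|" + customer;
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(vendorKey);
        signer.update(payload.getBytes(StandardCharsets.UTF_8));
        return payload + "." + Base64.getEncoder().encodeToString(signer.sign());
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        long now = Instant.now().getEpochSecond();
        String token = issue(kp.getPrivate(), now, now + 30L * 24 * 3600, "franchise-42");  // 30-day license
        System.out.println("valid today:     " + isValid(token, kp.getPublic(), Instant.now()));
        System.out.println("valid in 60 d:   " + isValid(token, kp.getPublic(), Instant.now().plusSeconds(60L * 24 * 3600)));
        System.out.println("edited customer: " + isValid(token.replace("franchise-42", "franchise-99"), kp.getPublic(), Instant.now()));
    }
}
```

The verifier is plain code with no web.xml dependency, so it can be called from whatever application-scope object the servlets consult; it does not stop a root user from patching the call site out, which is the limit of any check that runs on the client's own machine.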
This sounds a lot like what people usually call license management. Solutions range from the simple to the complex, depending on how much it matters to you to protect your intellectual property. Usually it's something you just buy/license to integrate into your product. Flex/LM is one of the beefier packages out there, but I think there are a couple of Java-specific equivalents.
Reid - SCJP2 (April 2002)
I'm mostly concerned about the application running. I don't care about the information in the database or the physical server.