Ok this isn't strictly speaking a security issue, but the technologies used to solve it are mostly from this area (encryption, encoding, hashing, validation, etc). So I thought I'd ask it here.
I'm working on a system that needs to be leased to clients/franchises/subsidaries. This is a web application running on Tomcat which needs to be validated and allowed to run if and only if the client has the month or year key. They will have full control of the machine, aka they will be root (at the OS level and the dbase level).
I'd like to exchange ideas with those that have worked or thought about this. My current standing is - store an encrypted key in the database - the encrypted key is product of the current time, the time of expiration of the license, the month/year key and some salt. - if the key doesn't decode well then the license key is wrong and the application shuts down - if it decrypts and the system time doesn't check with the expiration time or is prior to the current system time the system shuts down
Now the checking can't take place in something that depends on an XML file configuration. For example a filter. Since editing the XML file will remove it and unlock the system. I can use a filter as check to set some application level data. Which in turn gets queried by the servlets to see if they can run or not.
Anybody with this experience? Would an application scope bean be good? A singleton type thing? I use Hibernate, so maybe two session factories? One for validation and the other for data delivery. Without validation the data delivery factory shuts down.