Application validation

Gerardo Tasistro
Ranch Hand

Joined: Feb 08, 2005
Posts: 362
Ok this isn't strictly speaking a security issue, but the technologies used to solve it are mostly from this area (encryption, encoding, hashing, validation, etc). So I thought I'd ask it here.

I'm working on a system that needs to be leased to clients/franchises/subsidiaries. This is a web application running on Tomcat which needs to be validated and allowed to run if and only if the client has the month or year key. They will have full control of the machine, aka they will be root (at the OS level and the dbase level).

I'd like to exchange ideas with those that have worked or thought about this. My current standing is:
- store an encrypted key in the database
- the encrypted key is the product of the current time, the time of expiration of the license, the month/year key and some salt.
- if the key doesn't decode well then the license key is wrong and the application shuts down
- if it decrypts and the system time doesn't check with the expiration time or is prior to the current system time the system shuts down

Now the checking can't take place in something that depends on an XML file configuration. For example, a filter. Since editing the XML file will remove it and unlock the system. I can use a filter as a check to set some application level data. Which in turn gets queried by the servlets to see if they can run or not.

Anybody with this experience? Would an application scope bean be good? A singleton type thing? I use Hibernate, so maybe two session factories? One for validation and the other for data delivery. Without validation the data delivery factory shuts down.

Ideas??
[ February 08, 2006: Message edited by: Gerardo Tasistro ]
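
The scheme outlined in the post above, sketched as an added example (not code from the thread): the database blob encrypts the issue time and expiry time under a key derived from the month/year key and salt, and the check rejects a blob that does not decrypt, an expired license, and a system clock earlier than the issue time. AES-GCM, PBKDF2, the class and method names, and all sample values are assumptions of this example; "prior to the current system time" is read here as the clock having been set back before the time recorded at issuance.

```java
import javax.crypto.*;
import javax.crypto.spec.*;
import java.nio.ByteBuffer;
import java.security.*;
import java.time.Instant;
public class LicenseCheck {
    enum Status { VALID, BAD_KEY, EXPIRED, CLOCK_ROLLED_BACK }
    // AES key from the month/year key and salt (PBKDF2 is this example's choice).
    static SecretKey derive(char[] periodKey, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(periodKey, salt, 100_000, 256);
        SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
        return new SecretKeySpec(f.generateSecret(spec).getEncoded(), "AES");
    }

    // Vendor side: blob = nonce || AES-GCM(issuedAt, expiresAt); this goes in the database.
    static byte[] issue(char[] periodKey, byte[] salt, Instant issued, Instant expires)
            throws GeneralSecurityException {
        byte[] nonce = new byte[12];
        new SecureRandom().nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, derive(periodKey, salt), new GCMParameterSpec(128, nonce));
        byte[] ct = c.doFinal(ByteBuffer.allocate(16).putLong(issued.getEpochSecond())
                .putLong(expires.getEpochSecond()).array());
        return ByteBuffer.allocate(12 + ct.length).put(nonce).put(ct).array();
    }

    // Application side: the checks from the post, in order.
    static Status check(byte[] blob, char[] periodKey, byte[] salt, Instant now) {
        try {
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, derive(periodKey, salt), new GCMParameterSpec(128, blob, 0, 12));
            ByteBuffer b = ByteBuffer.wrap(c.doFinal(blob, 12, blob.length - 12));
            long issued = b.getLong(), expires = b.getLong();
            if (now.getEpochSecond() < issued) return Status.CLOCK_ROLLED_BACK;
            if (now.getEpochSecond() >= expires) return Status.EXPIRED;
            return Status.VALID;
        } catch (GeneralSecurityException | RuntimeException e) {
            return Status.BAD_KEY; // wrong period key, or a tampered or truncated blob
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] salt = "constructed-salt".getBytes(); // constructed sample values throughout
        char[] key = "FEB-2006-KEY".toCharArray();
        byte[] blob = issue(key, salt, Instant.parse("2006-02-01T00:00:00Z"), Instant.parse("2006-03-01T00:00:00Z"));
        for (String t : new String[] {"2006-02-08", "2006-03-05", "2006-01-15"})
            System.out.println(t + " " + check(blob, key, salt, Instant.parse(t + "T00:00:00Z")));
        System.out.println("wrong key " + check(blob, "WRONG".toCharArray(), salt, Instant.parse("2006-02-08T00:00:00Z")));
    }
}
```

The period key and salt passed to `check()` have to live somewhere on a machine the client administers as root, so this shows the validation logic rather than a tamper-proof control.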
 