• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Jeanne Boyarsky
  • Ron McLeod
  • Paul Clapham
  • Liutauras Vilda
Sheriffs:
  • paul wheaton
  • Rob Spoor
  • Devaka Cooray
Saloon Keepers:
  • Stephan van Hulst
  • Tim Holloway
  • Carey Brown
  • Frits Walraven
  • Tim Moores
Bartenders:
  • Mikalai Zaikin

Application validation

 
Ranch Hand
Posts: 362
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
I posted this a while back in the security section in hopes of getting an answer, I haven't had any. Since I pretty much know what to do I just want feedback on the best way of doing this or experience from others. I'll post it here now>>>>


Ok this isn't strictly speaking a security issue, but the technologies used to solve it are mostly from this area (encryption, encoding, hashing, validation, etc). So I thought I'd ask it here.

I'm working on a system that needs to be leased to clients/franchises/subsidaries. This is a web application running on Tomcat which needs to be validated and allowed to run if and only if the client has the month or year key. They will have full control of the machine, aka they will be root (at the OS level and the dbase level).

I'd like to exchange ideas with those that have worked or thought about this. My current standing is
- store an encrypted key in the database
- the encrypted key is product of the current time, the time of expiration of the license, the month/year key and some salt.
- if the key doesn't decode well then the license key is wrong and the application shuts down
- if it decrypts and the system time doesn't check with the expiration time or is prior to the current system time the system shuts down

Now the checking can't take place in something that depends on an XML file configuration. For example a filter. Since editing the XML file will remove it and unlock the system. I can use a filter as check to set some application level data. Which in turn gets queried by the servlets to see if they can run or not.

Anybody with this experience? Would an application scope bean be good? A singleton type thing? I use Hibernate, so maybe two session factories? One for validation and the other for data delivery. Without validation the data delivery factory shuts down.

Ideas??
 
Ranch Hand
Posts: 775
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
This sounds a lot like what people usually call license management. Solutions range from the simple to the complex, depending on how much is matters to you to protect your intellectual property. Usually its something you just buy/license to integrate into your product. Flex/LM is one of the beefier packages out there, but I think there are a couple of Java-specific equivalents.
 
Gerardo Tasistro
Ranch Hand
Posts: 362
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
I'm mostly concerned about the application running. I don't care about the information in the database or the physical server.
 
Consider Paul's rocket mass heater.
reply
    Bookmark Topic Watch Topic
  • New Topic