How to create a secure licensed Java EE application?

10,706

Solution 1

Bill Karwin's answer was the most useful of the answers from the question mentioned in the comments. Assuming that you will go ahead with a "protection" scheme, try to do the bare minimum. Anything else tends to frustrate users immensely and leads to lower repeat business and/or an increased desire to hack around your frustrating system.

From your question, it's tough to tell if each user will install the application. If so, you probably just need to require a license code that they must contact you in some way to get. If it's a client-server thing, then your options are a lot more limited; in fact, I can't think of a single solution I've ever designed in my head or come across in practice that isn't massively frustrating. You could probably do a license code solution here, too, except the license code would somehow carry a payload that indicated the number of users they paid for and then disallow the creation/use of users in excess of that number. At that point, though, you're really walking that frustration line I mentioned.
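A sketch of the license code carrying a user-count payload, as an added example that is not part of the answer above or of any named library. The payload format (`customer=...;maxUsers=...`), the class and method names, and the choice of ECDSA are assumptions; the key pair is generated inline only so the demo runs, whereas in a real deployment only the public key would ship with the server.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;

public class LicenseCheck {
    // Vendor side: sign the payload with the private key, which never ships with the product.
    static String issue(String payload, PrivateKey vendorKey) throws GeneralSecurityException {
        byte[] body = payload.getBytes(StandardCharsets.UTF_8);
        Signature s = Signature.getInstance("SHA256withECDSA");
        s.initSign(vendorKey);
        s.update(body);
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        return enc.encodeToString(body) + "." + enc.encodeToString(s.sign());
    }
    // Server side: verify the signature first, only then trust the user limit in the payload.
    static int maxUsers(String license, PublicKey vendorPub) throws GeneralSecurityException {
        String[] parts = license.split("\\.");
        if (parts.length != 2) throw new GeneralSecurityException("malformed license");
        try {
            byte[] body = Base64.getUrlDecoder().decode(parts[0]);
            Signature s = Signature.getInstance("SHA256withECDSA");
            s.initVerify(vendorPub);
            s.update(body);
            if (!s.verify(Base64.getUrlDecoder().decode(parts[1])))
                throw new SignatureException("license signature invalid");
            for (String f : new String(body, StandardCharsets.UTF_8).split(";"))
                if (f.startsWith("maxUsers=")) return Integer.parseInt(f.substring(9));
            throw new GeneralSecurityException("license has no maxUsers field");
        } catch (IllegalArgumentException e) { // bad Base64 or non-numeric limit
            throw new GeneralSecurityException("malformed license", e);
        }
    }
    // Called by the account-creation path before the admin adds another user.
    static boolean mayCreateUser(int currentUsers, String license, PublicKey pub) throws GeneralSecurityException {
        return currentUsers < maxUsers(license, pub);
    }
    public static void main(String[] args) throws Exception {
        KeyPair kp = KeyPairGenerator.getInstance("EC").generateKeyPair(); // constructed demo key pair
        String lic = issue("customer=Example Corp;maxUsers=25", kp.getPrivate());
        System.out.println("24 users, may add one: " + mayCreateUser(24, lic, kp.getPublic()));
        System.out.println("25 users, may add one: " + mayCreateUser(25, lic, kp.getPublic()));
        // The payload is edited to 500 users, but no matching signature can be produced.
        String edited = Base64.getUrlEncoder().withoutPadding().encodeToString(
            "customer=Example Corp;maxUsers=500".getBytes(StandardCharsets.UTF_8)) + lic.substring(lic.indexOf('.'));
        try {
            maxUsers(edited, kp.getPublic());
        } catch (SignatureException e) {
            System.out.println("edited license rejected: " + e.getMessage());
        }
    }
}
```

The signature only protects the license data from being edited. Because the server runs on the customer's network, the check itself can still be removed by someone willing to modify the application.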

Solution 2

If you can obfuscate - this is the way to go for a start. But it could be painful if you use inversion of control frameworks (e.g. Spring). I heard that it's possible to obfuscate the Spring context as well, never tried it though. Also (just guessing) there could be some surprises with reflection, dynamic proxies and such. As to the licensing, I can suggest using TrueLicense. It has very flexible means of handling various aspects of protection as well as free trial periods out of the box. Works very well and has great documentation.

Author: Bhushan Bhangale

Updated on June 04, 2022

Comments

  • Bhushan Bhangale
    Bhushan Bhangale almost 2 years

    We are developing a Java EE application backed by any database of the customer's choice.

    We will sell to customers based on a per-user license price. How do I make sure the application is getting used as per our conditions, i.e., not easily hackable? Are there any tutorials available?

  • Bhushan Bhangale
    Bhushan Bhangale almost 15 years
    It's a client-server application. Users use a browser as the client. The server will be installed in the client's network. Every user will have an account created by their admin, but only up to the number for which they have bought the license. If they reach that maximum and want more licenses, they can simply buy them and update the license in their system and off you go.
  • Hank Gay
    Hank Gay almost 15 years
    In that case, I'd say using the license key to indicate the cutoff is the way to go.