I need some tips on how to authenticate licenses (user / license key).

Is it better to do what many games do, which is validating the CD key from company servers? Is there a guide on how to implement this without becoming "cracked" or "patched"?

Or is it better to just validate the user / license key within the software? Would you not see keygens floating around the net after a while?

Please advise.

A: 

If you do it client side then the code can be decompiled and the algorithm learned. Keeping it on the server side prevents that.

If you simply return a "true/false" type of thing, a proxy server could be developed that simply returns "true" all the time so the client thinks it is enabled when it isn't.

You will need to do the work on the server and provide some means of encryption for the network communication.

Even then it is still possible to defeat such a scheme (I won't go into the details, but pretty much all apps that do this sort of thing are defeatable). To really make this work you have to do some of the actual work on the server instead of the client so that the results cannot simply be faked.

TofuBeer
Yeah, I think this is the best way. Server-side logic ftw.
Kim Jong Woo
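An added example, not part of any answer in this thread: one way to keep a bare "true" from being faked by a proxy is to have the server sign its verdict together with a nonce the client chose, and have the client verify that signature with the server's public key. The class name, message layout and license key below are assumptions made for illustration; as the answer above notes, this only protects the network reply, and a modified client can still skip the check.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;

public class SignedLicenseCheck {
    // Bytes that get signed: client nonce, license key and verdict together.
    static byte[] message(String nonce, String key, boolean valid) {
        return (nonce + "|" + key + "|" + valid).getBytes(StandardCharsets.UTF_8);
    }

    // Server side: sign the verdict with the private key that never leaves the server.
    static byte[] serverSign(PrivateKey priv, String nonce, String key, boolean valid)
            throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withECDSA");
        s.initSign(priv);
        s.update(message(nonce, key, valid));
        return s.sign();
    }

    // Client side: accept "true" only if it is signed for the nonce this client just sent.
    static boolean clientAccepts(PublicKey pub, String nonce, String key,
                                 boolean claimedValid, byte[] sig) throws GeneralSecurityException {
        if (!claimedValid) return false;
        Signature s = Signature.getInstance("SHA256withECDSA");
        s.initVerify(pub);
        s.update(message(nonce, key, claimedValid));
        try { return s.verify(sig); } catch (SignatureException e) { return false; }
    }

    static String freshNonce() {
        byte[] n = new byte[16];
        new SecureRandom().nextBytes(n);
        return Base64.getEncoder().encodeToString(n);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("EC");
        g.initialize(256);
        KeyPair server = g.generateKeyPair();   // public half ships inside the client
        KeyPair proxy = g.generateKeyPair();    // an intermediary has only its own key
        String key = "AAAA-BBBB-CCCC";          // constructed sample license key

        String n1 = freshNonce();
        byte[] genuine = serverSign(server.getPrivate(), n1, key, true);
        byte[] faked = serverSign(proxy.getPrivate(), n1, key, true);
        String n2 = freshNonce();               // next start-up uses a new nonce
        System.out.println("genuine reply accepted: " + clientAccepts(server.getPublic(), n1, key, true, genuine));
        System.out.println("proxy 'true' accepted:  " + clientAccepts(server.getPublic(), n1, key, true, faked));
        System.out.println("replayed reply accepted: " + clientAccepts(server.getPublic(), n2, key, true, genuine));
    }
}
```

Only the first check prints `true`; the proxy's answer and the replayed answer are both rejected.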
+2  A: 

How much is your program selling for, and how many sales do you expect to get? If either answer is below 50, then very likely you shouldn't over-think it. Yes, you can decompile Java, but if you are selling to a handful of people you know, they won't have the knowledge to do so (or they would have done it themselves). Games get cracked because millions of people want to play them. Some random program you are trying to sell for $10 or whatever should slip under the radar :) And if it does get cracked, release a version 2.0 with better protection...

bwawok
Hi, I am selling a per-user (seat) license. So I am looking for a way to enforce this. So if 50 people are running the software at a company, they would be charged 50 x $150. If 1 person runs it, it costs $150. Basically, it includes support and updates for the year.
Kim Jong Woo
A: 

Is there a guide on how to implement this without becoming "cracked" or "patched"?

Nothing you can do will make it impossible for someone to crack your license key system. The more popular your program is, the more likely it is that people will attempt a crack, and someone will succeed.

I'm not sure that you will find a good publicly available guide on how to make cracking difficult, because such a document would also give the crackers lots of clues for their cracking efforts. (Software DRM is a perpetual arms race between the "good guys" and the "bad guys".)

IMO, it is simply not worth trying to get every last drop of revenue for your software. Those cracked keys don't really represent lost sales. The chances are that the people who use them wouldn't buy your software anyway. Just write them off as a revenue source, and focus your efforts on making your software a good experience for the honest people who HAVE bought a license. (The worst thing you can do is to use some DRM scheme that makes life difficult for honest customers!!)

Stephen C