I am trying to come up with logic for a date-based licensing mechanism for a Java web app. The app needs to be deployed at client sites which may not have access to the Internet (deployed on the intranet). In this case, how do I build a licensing mechanism based on Start / End Dates? If I use the server system Date / Time for this, I risk the system admin changing the server date / time in order to keep the license active. Any suggestions? Windows desktop apps seem to do this, not sure how?

Sanjay.

A: 

A possible solution:

You'll periodically issue a matched pair of key and a key verify class to your clients. The server app should check with the verify class, minimally at startup, or periodically using JVM time.

You'll also need to provide your clients a trivial way to get renewed key/verifier updates.

At the end of the day, this is still not a foolproof mechanism given that the Java class files can be inspected and manipulated, but it does provide a temporal licensing scheme that is not dependent on host mechanisms.

A: 

Detect any change in System Date by having your app record the last time it was run. If it starts up and finds it was last run in the future, you can suspect foul play!

Of course if the user can find where that lastRunDate number is stored, they can get around it. Edit: Also it can be mis-triggered if a user really notices his machine's date is wrong and changes it. If you aren't using Universal Time, don't forget about daylight-saving changes (allow an hour or two of flexibility for valid date changes).

joeytwiddle
+1  A: 

Hmm, I think if the rules are: (a) The licensing must be based on start and end dates; and (b) The computer cannot be assumed to be connected to the outside world, then I don't think the problem is even theoretically solvable. Your only source of what the date is will be some date on the computer itself, either the system date or some other date the user enters. Maybe I'm missing something, but I don't see how it could NOT be subject to the user lying about the date. I mean, if the computer is not connected to the outside world, then there is by definition no outside source to verify the date. You could do something like Joeytwiddle's suggestion to do reasonableness checks on the date, record dates you've seen before and look for anything suspicious, like the date going backward or it being the same day for the last 6000 runs or whatever. Beyond that, this sounds like a problem in squaring the circle or finding an honest politician: It just can't be done.
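The last-run-date check and the reasonableness checks from the answers above, as an added example that is not code from any of the posters: the app keeps the latest time it has ever seen, refuses to treat a clock that has moved backwards past a tolerance as valid, and evaluates the license window against that stored mark. The class name, the state file and the two-hour tolerance are assumptions, and the state file is stored in plain text, so it has the weakness the second answer points out.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.time.Duration;
import java.time.Instant;

public class LicenseClockGuard {
    enum Verdict { OK, NOT_YET_VALID, EXPIRED, CLOCK_ROLLED_BACK }

    // Slack for legitimate clock corrections (assumed value, per "an hour or two").
    static final Duration TOLERANCE = Duration.ofHours(2);

    private final Path stateFile;      // hypothetical file holding the latest time seen
    private final Instant start, end;  // license window, in UTC

    LicenseClockGuard(Path stateFile, Instant start, Instant end) {
        this.stateFile = stateFile;
        this.start = start;
        this.end = end;
    }

    Verdict check(Instant now) throws IOException {
        // Instant is UTC-based, so daylight-saving shifts never look like rollbacks.
        Instant lastSeen = Files.exists(stateFile)
                ? Instant.ofEpochMilli(Long.parseLong(Files.readString(stateFile).trim()))
                : Instant.EPOCH;
        if (now.isBefore(lastSeen.minus(TOLERANCE))) {
            return Verdict.CLOCK_ROLLED_BACK;  // last run lies in the "future"
        }
        // The stored mark only moves forward, so a small rollback gains no extra time.
        Instant mark = now.isAfter(lastSeen) ? now : lastSeen;
        Files.writeString(stateFile, Long.toString(mark.toEpochMilli()));
        if (mark.isBefore(start)) return Verdict.NOT_YET_VALID;
        if (mark.isAfter(end)) return Verdict.EXPIRED;
        return Verdict.OK;
    }

    public static void main(String[] args) throws IOException {
        Path state = Files.createTempFile("license-state", ".txt");
        Files.delete(state);  // start with no recorded run
        LicenseClockGuard guard = new LicenseClockGuard(state,
                Instant.parse("2024-01-01T00:00:00Z"), Instant.parse("2024-12-31T23:59:59Z"));
        // Constructed sequence of clock readings, as successive start-ups would report.
        String[] readings = { "2024-06-01T09:00:00Z", "2024-06-01T08:00:00Z",
                "2024-03-01T09:00:00Z", "2025-01-02T09:00:00Z", "2024-12-01T09:00:00Z" };
        for (String r : readings) {
            System.out.println(r + " -> " + guard.check(Instant.parse(r)));
        }
        Files.deleteIfExists(state);
    }
}
```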