protecting a java app

I want to distribute a java application in demo mode and upon registration to enable the full mode. What are my options ?
What i figured out so far is that i must get the user to submit some data (such as a name, id, etc) and i'll offer a key generated from his data. he types the key in the app and if it matches his data the app gets into full mode. so far so good. BUT, what should the user's data be ? what if one user registers and then tells everyone his data and key ? are there any other options ? how are big-time commercial java apps distributed ?

Who is Participating?

[Webinar] Streamline your web hosting managementRegister Today

girionisConnect With a Mentor Commented:
Have your application communicate with your server when the user enters his key. Then if the key is valid register the product and "cancel" this key (you could set a field in the database to true, like "keyUsed = true"). Then when next user tries to re-enter the same key check it against the database. If it is canceled (field "keyUsed" is true) then inform the user that this is an invalid key.
hapciuAuthor Commented:
That's doable, but i think it's a bit of overkill for my small-time app.
is there a way to avoid communicating with my server ? can I get some absolutely unique data from the user's machine (i.e. not letting him enter his data but show it to him) ?
krakatoaConnect With a Mentor Commented:
You could try to use the serial number of the hard disk.
The new generation of project management tools

With’s project management tool, you can see what everyone on your team is working in a single glance. Its intuitive dashboards are customizable, so you can create systems that work for you.

CEHJConnect With a Mentor Commented:
>>how are big-time commercial java apps distributed ?

They tend to generate time-limited keys. I know ATG and Together do
It is only needed to be done once, when the user first enters his/her key. After that there is no need to communicate with the server since the product will be unlocked.

> can I get some absolutely unique data from the user's machine (i.e. not letting him enter his data but show it to him) ?

You could get his I.P. (if it is static and if he is not behind a firewall) or his MAC address, but you can't get the MAC address with pure Java unless you use JNI.
TimYatesConnect With a Mentor Commented:
   java.rmi.dgc.VMID guid = new java.rmi.dgc.VMID() ;
    System.out.println( guid.toString() ) ;



on my machine, which is a SHA encoded IP address, hashcode, system time and a counter, so if you only look at the first two blocks of it, maybe that will be unique?

actually, you could encode the key with the system time, and then you could make it only work for a specific period of time?

hapciuAuthor Commented:
CEHJ: what is a time limited key ? do they still communicate with the company's server ?
>>CEHJ: what is a time limited key ?

A licence key that expires after a period. In some cases, network connections are not made.
And at the end of the day, with perseverence, a copy of JAD, a copy of BCEL, an the JDK, people will probably be able to strip the protection out...  :-(

So I wouldn't stress about it for too long...
What kind of app is it? Can't you include in the hash some user specific data?
What I mean is that for an accounting application (for example), you could include the registration number of the company (which usually appears on reports and other stuff - so another company will NOT work with the same one)
If not... you could include the computer name and the "registered to" name (windows)... but all of this is changeable...
The only remaining option is (as stated above) the HDD serial number and/or the MAC address... but what happens when he changes hardware? You reissue...
But then as well maybe he does not, and just applies for reissue, with his "friends" data :) So you are mostly stuck. The best would be to have server communication... but I don't know if that pays off...
All Courses

From novice to tech pro — start learning today.