I have this Java Swing application that I intend to sell over the internet. At the moment I'm leaning towards deploying the application using Java Web Start. The product will be licensed for the user to use the program on one computer at a time only. I am concerned about piracy with this model. I would like to install some security features to enforce the license model. The goal is to at least make it difficult for a licensed user to copy the installed product, including the license key, to unlicensed users. Here are the options I am looking at now:
1. Force the user to authenticate to the mother ship with a username/password each time the program is launched.
2. Simply install a license key somewhere (hidden?) on the user's PC after they have registered and paid. At runtime, verify that there is a valid license key installed.
3. Use/build a security package that is based on a hardware fingerprint of the user's computer. This fingerprint would be computed each time the app is started and compared with the locally installed license key using some sort of hash. This license key would only be valid with this hardware fingerprint.
One of the issues here is that once this application is installed, there isn't any runtime need for the application to contact the mother ship, other than checking for application updates using Java Web Start. Everything the app does it does locally and displays the results to the user using Swing. So any solution involving a mother ship would basically mean building a server infrastructure for the sole purpose of license verification.
I guess what I'm looking for is something Java-based that is at least somewhat secure, easy to deploy and is not a pain for the user. What security/licensing approach have you used?
EDIT: I should add that I am not necessarily looking for a silver bullet to prevent absolutely everyone from defeating security. There will always be someone with enough time on their hands to find ways to get it done. I'm not so concerned with these guys. I'm basically looking to make it difficult for a casual user to simply copy the license key and send it to his buddies. Implemented correctly, the solution should convince the casual user that it is simpler to just buy it.
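Added example, not part of the original question or any poster's code: a sketch of the third option, a license key that is only valid for one hardware fingerprint. It swaps the bare hash comparison for an RSA signature over the licensee name and fingerprint, so the installed application holds only the public key and cannot mint keys. Assumptions: the class and method names are hypothetical, the machine attributes are constructed sample strings passed in by the caller, and the key pair is generated inline only so the demo runs (a real private key would stay with the vendor).

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;

public class LicenseCheck {
    // Hash the machine attributes into one fixed-size fingerprint string.
    static String fingerprint(String... attrs) throws GeneralSecurityException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        for (String a : attrs) {
            md.update(a.getBytes(StandardCharsets.UTF_8));
            md.update((byte) 0); // separator, so ("ab","c") and ("a","bc") differ
        }
        return Base64.getEncoder().encodeToString(md.digest());
    }

    // Vendor side: the license key is a signature over "licensee|fingerprint".
    static String issue(PrivateKey key, String licensee, String fp) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update((licensee + "|" + fp).getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(s.sign());
    }

    // Client side: recompute the fingerprint at startup and verify the installed key.
    static boolean verify(PublicKey pub, String licensee, String licenseKey, String currentFp) {
        try {
            Signature s = Signature.getInstance("SHA256withRSA");
            s.initVerify(pub);
            s.update((licensee + "|" + currentFp).getBytes(StandardCharsets.UTF_8));
            return s.verify(Base64.getDecoder().decode(licenseKey));
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            return false; // malformed or tampered key counts as invalid
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        KeyPair vendor = g.generateKeyPair(); // demo only
        // Constructed sample attributes for two different machines.
        String pcA = fingerprint("00-1A-2B-3C-4D-5E", "DISK-SERIAL-A", "Windows 10");
        String pcB = fingerprint("00-AA-BB-CC-DD-EE", "DISK-SERIAL-B", "Windows 10");
        String key = issue(vendor.getPrivate(), "alice@example.com", pcA);
        System.out.println("licensed PC: " + verify(vendor.getPublic(), "alice@example.com", key, pcA));
        System.out.println("copied key:  " + verify(vendor.getPublic(), "alice@example.com", key, pcB));
    }
}
```

The check still runs entirely on the client, so it only addresses the casual copy-the-key case described in the EDIT; any hardware change that alters an input attribute also invalidates the key, so a reissue path is needed.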
Honestly, unless the program actually needs data from the server to function (as fred-o stated that World of Warcraft needs; and is true), then there is nothing you can do client side that will be completely foolproof. All 3 ideas you had could be circumvented easily. The server/login one might be a bit harder, but I've even seen cracks go so far as to locally create a dummy login server so the program thinks it's being authenticated.
The only true way to prevent piracy is to have some server-side logic that the program NEEDS to run. For example - you're making software that resizes images (I know, I know). If the raw image was shipped off to your server and resized there and then sent back to the client (as opposed to the client doing the resizing), then you would be safe because your server can easily be protected with a login system of some sort. And without a valid username or password (or if they tried to generate a fake one), the program would be useless.
If you implement client-side functionality, it can be reached, no matter what you do.
IMO, trying to enforce copy protection on the client side is probably more trouble than it's worth. You will spend countless hours trying to outsmart your customers (hours that you could instead spend improving your product), but in the end the pirates will always win.
You have other options, though: