Web tier: servlets, JSP, Web frameworks: How to protect web app from being modified by the customer?

  1. Hi all,

    We are creating a web-based application using JSP and Struts. We would like to limit the number of concurrent users, and if the limit is reached, new users won't be able to log on.

    The trouble is, the application will be deployed on the customer's computer. Is it possible to somehow protect the logic that handles the logon process and user authentication from being potentially modified by the customer?

    Thanks in advance for any feedback, positive or negative!
  2. How about stating that in the license?

    You could use some sort of digitally signed configuration file to hold the maximal number of concurrent users. But that seems to me like a waste of time, since if your customers are really criminals, they can change the actual code that checks this parameter using Java decompilers, etc. You could make it hard for them using an obfuscator, but this really isn't gonna stop them if they *really* want to change the code. I think putting the restriction in your license is the best option.
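
A sketch of the digitally signed configuration file mentioned in the reply above, as an added example that is not code from either poster. The file layout, the `maxConcurrentUsers` key and the class and method names are assumptions, and the key pair is generated inline only so the demo runs stand-alone; in a real deployment only the public key would ship with the web app. It detects edits to the file, not edits to the code that performs the check.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;

public class SignedLicenseDemo {
    // Vendor side: sign the license text with the private key, which never leaves the vendor.
    static String sign(String license, PrivateKey key) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(license.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(s.sign());
    }

    // Application side: verify before trusting any value in the file.
    // Returns the user limit, or throws if the text or signature was altered.
    static int verifiedMaxUsers(String license, String sigB64, PublicKey key)
            throws GeneralSecurityException {
        byte[] sig;
        try {
            sig = Base64.getDecoder().decode(sigB64);
        } catch (IllegalArgumentException e) {
            throw new SignatureException("bad signature encoding");
        }
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(key);
        s.update(license.getBytes(StandardCharsets.UTF_8));
        if (!s.verify(sig)) throw new SignatureException("license file modified");
        for (String line : license.split("\n")) {
            if (line.startsWith("maxConcurrentUsers="))
                return Integer.parseInt(line.substring("maxConcurrentUsers=".length()).trim());
        }
        throw new SignatureException("maxConcurrentUsers missing");
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair vendor = gen.generateKeyPair(); // constructed for the demo

        String license = "customer=Example Corp\nmaxConcurrentUsers=25\n"; // constructed sample
        String sig = sign(license, vendor.getPrivate());
        System.out.println("limit = " + verifiedMaxUsers(license, sig, vendor.getPublic()));

        String edited = license.replace("=25", "=500"); // the customer edits the file
        try {
            verifiedMaxUsers(edited, sig, vendor.getPublic());
        } catch (SignatureException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```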