How to protect web-based app?
How about using a semaphore-based locking model using a database table.
Definitely don't put the login logic in a JSP since pretty much anyone with write access on the machine can make changes.
To make sure that you have no more than 10 active sessions, create an Application scope JavaBean that keeps track of the number of active sessions.
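One way to implement that application-scope counter, as an added example that is not code from the original thread (it assumes the standard Servlet API and a hypothetical login servlet that calls tryLogin after verifying credentials; the 15-minute idle timeout is an assumed answer to "how long" an absent user keeps a slot):

```java
import java.util.concurrent.atomic.AtomicInteger;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

// Application-wide count of logged-in sessions, shared by every request.
// The container registers the listener once, so the counter is a singleton.
@WebListener
public class ActiveSessionLimiter implements HttpSessionListener {
    public static final int MAX_ACTIVE_SESSIONS = 10;
    private static final String LOGGED_IN_ATTR = "loggedIn";
    private static final AtomicInteger active = new AtomicInteger();

    // Called by the (hypothetical) login servlet after the password check.
    // Returns false and leaves the session unauthenticated when the limit is hit.
    public static boolean tryLogin(HttpSession session) {
        if (Boolean.TRUE.equals(session.getAttribute(LOGGED_IN_ATTR))) {
            return true; // already counted; a repeated login must not double count
        }
        while (true) { // lock-free check-and-increment, safe under concurrent logins
            int current = active.get();
            if (current >= MAX_ACTIVE_SESSIONS) {
                return false;
            }
            if (active.compareAndSet(current, current + 1)) {
                break;
            }
        }
        session.setAttribute(LOGGED_IN_ATTR, Boolean.TRUE);
        return true;
    }

    public static void logout(HttpSession session) {
        session.invalidate(); // sessionDestroyed() releases the slot
    }

    @Override
    public void sessionCreated(HttpSessionEvent e) {
        // A slot is only taken after login; the idle timeout bounds how long a
        // user who walked away from an open browser keeps holding it.
        e.getSession().setMaxInactiveInterval(15 * 60);
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent e) {
        // Fired on logout and on timeout alike, so slots are never leaked.
        if (Boolean.TRUE.equals(e.getSession().getAttribute(LOGGED_IN_ATTR))) {
            active.decrementAndGet();
        }
    }

    public static int activeCount() {
        return active.get();
    }
}
```

Because the count lives in the container's memory, it resets on redeploy and is per JVM; a clustered deployment would need the database-table approach suggested above instead.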
Why not use a filter instead of messing with all the apps?
Because the filter can be removed or replaced by the customer.
Not really an answer to the question you asked but... I'm guessing that you want to prevent more logins because the customers only paid for X and should only be allowed to use X. If it's because the system won't handle more than X, that's another issue :) If you distrust your customers so much that you think they'll hack your code, that may be a bigger problem. One possibility is not to disallow logins but to keep track of the maximum number of concurrent users and just ask them to buy more licenses. A lot depends on how many copies you expect to sell etc. If these are big accounts then no license, regular contact with the help desk/consultants, and the knowledge that they signed a legal agreement when they purchased the stuff is what's been used elsewhere.
>Why not use a filter instead of messing with all the apps?
>Is it possible to somehow protect the logic that handles the logon process and user authentication from being potentially modified by the customer?
With browser clients, how do you define 'concurrent users'? For example, if I navigate to your site and log in and then promptly go off to joelonsoftware.com, am I counted as a concurrent user? For how long? Similarly, what if I log in, start doing stuff and then go have a coffee break while leaving my browser open on some intermediate page in the web app? If the answer to 'how long' above is less than my absence, then I'm gonna be pissed when you 'lose' my 'concurrent' connection. If you build in the ability to seamlessly reconnect me, then what if the reconnection puts me over the concurrent limit? Problem is, the user experience suggests that they are always connected because their browser is always displaying your app. So if you tell them the limit was reached, they're not going to understand, and if their reconnect rejection results in lost work, then you have a bigger problem.