Restrict the Joda timer to be not dependent with system time

Question

I am making a Payroll and Attendance Monitoring system as a school project. Currently using Java Swing with Joda API. I'm in a part of attendance monitoring. I want a security restriction that even the user change the system time he can't cheat to time-out early.

How can I implement it?

Answer 1

If you're trusting anything from the user's computer, that's a bad start IMO. (What's to stop the user from manually modifying the data recorded?) Normally a server which you can trust would be involved. However, that's a different matter and I appreciate this is a school project.

To address the question as asked though - if you can't trust anything locally, you should probably look into an internet time provider. There's nothing Joda Time specific about this - you may find "Joda Time integrated" libraries to talk to NTP servers, but I think it's more likely that you'll just get libraries which expose a number of milliseconds (or microseconds, or nanoseconds) since some epoch in a vanilla way. It should be easy to construct the relevant Joda Time types from there. Just be careful that you don't use Joda Time types which implicitly use local settings (not just the clock - consider the time zone too!).

Answer 2

Well your school has maybe no sysadmin who can block unauthorized access on the installed computers. So a workaround could be to implement the interface

DateTimeUtils.MillisProvider

and then install it by DateTimeUtils.setCurrentMillisProvider(...)

The right (secure) implementation of the interface should use an SNTP-server (for example Apache-NTP-client) via internet (if this is possible on the school). Otherwise every clock based on System.currentTimeMillis() is sensible for external clock adjustments.