Is there a secure solution for Java apllications to bind them to a specific user or computer eg by using the MAC adress (unsafe because can be changed?) or any other hardware specific data?
We dont want to create hardware solutions like usb sticks / dongles bu need to check if the user of the software is allowed to use it.
Generally which is the best option against software piracy?
Always-online?
Server-check?
Using hardware data for identifying?
...
One popular trend is when the software checks license validity on startup (or regularly) with the central server. This way you can revoke a compromised license. There are probably a number of services that will manage these licenses for you, I saw Esellerate used.
At the same time, any protection you add to your Java app can be easily reverse-engineered or simply overloaded, unless you go to great lengths obfuscating and securing the code. It is a very hard task and the results may not be worth the effort.
Some companies (e.g. one where I work) do not go to great lengths beyond basic license generation/verification code. A combination of trusting customers honesty and providing support only to valid license holders works well.