I'm hoping not to re-invent the wheel -- I'm fairly new to Java, but I need a simple but robust algorithm/code/software to perform email verification for users of a web application (e.g. I only need help with step 4 below). That is, I need to verify the user logging in has access to the email address he/she provides during log in.

The steps I have in mind for the Java middle-tier would be:

  1. Java POJO receives user's email and password from client.
  2. The POJO talks to a database server to verify the email/password combo is valid.
  3. If valid, the POJO sends an email to the email address, asking user to reply to email (or click on some provided link, etc.)
  4. The POJO receives notification (how?) that the user has replied to email (or clicked on link, etc.).
  5. The POJO informs the web-application of success (or failure) of authentication, thereby permitting or denying access to the application.

I can write everything except step 4. Essentially I need a way to send an email to a user and then receive some type of response indicating the user received the email.

Anyone know how this can be accomplished? If not, what do you recommend as the next best/simplest solution?

I'm not using a framework as my Java middle tier is very simple. I'd like to keep the solution lean (meaning, don't want to install/implement more than I need; Spring seems overkill). I read up Shiro, but didn't find any evidence it supports email authentication. Any advice is much appreciated to help me avoid writing unnecessary/unproven routines.

ggkmath
  • What are you really asking? It seems that you understand all the pieces of a solution. What in particular are you unsure about? When a user browses the link you emailed them, you will have a pretty good idea it's them because you have tied the authentication code to their account. Perhaps you can have them log in, and then compare the authentication code they provided? – Jeremy May 11 '12 at 02:40
  • By including a one-time code in the link (a UUID, for instance) as a parameter. Your web app has a database of outstanding codes (that have been emailed and not yet seen) and matches them up. – Jim Garrison May 11 '12 at 02:47
  • I can see the Java POJO sending the email out to the user. But how does whatever the user does (e.g. click on a link, or reply to the email) make it back to the same Java POJO to compare with what it should be? I can't see the mechanics of how to implement this within the Java POJO that sends the email out. Does the POJO sit and wait for the response? How does the response get back into the original POJO? – ggkmath May 11 '12 at 02:50
  • You don't. The POJO that sends it out just needs to record/persist the one-time code somewhere and send the link with the one-time code embedded in it. When the user clicks on the link, another POJO should extract the one-time code from the link, and then compare it against your recorded/persisted list of one-time codes. – Jonathan May 11 '12 at 02:56
  • The instantiation that sent out the email cannot. It gets invoked again on the web server thread to do the matching when the user clicks the link. – Jim Garrison May 11 '12 at 02:57

2 Answers

there are two controllers involved (two POJOs).

the first connection, for steps 1, 2 and 3, talks to one object in the server. as part of (2) a unique code (the UUID mentioned in the comments) is generated and saved to the database.

the second connection, when the user clicks on the link, goes to another controller (another POJO, which could be the same class, or could be a different class, depending on your implementation). that reads the UUID from the link, goes to the database, finds the email associated with the UUID, and marks the email as verified.

update: i'm struggling to see what you are missing, but when the user clicks on a link in an email the operating system opens a web browser. the web browser makes a connection to the server. the server receives the HTTP GET request with the UUID in the URL and passes the UUID to the POJO.

some more terms: the process of handling the incoming request in the webserver is typically called "routing", and the general pattern used to structure the code that is called is "MVC". exact details will depend on the application framework you are using. for servlet-based java code there's a mapping from URLs to servlets in the web.xml file (servlets are java code implementing a certain interface - a framework might provide the servlet which ultimately invokes what you are calling a POJO, or you might write the servlet yourself, in which case that would be your POJO, although in that case it's a misnomer since it implements a specific interface).

also, i guess, the web browser on the client uses TCP to make a connection across the network (almost always this is on top of a protocol called IP because you are using the internet). on top of this, the client "speaks" messages in HTTP. all these different layers are described in the "7 layer osi network model".

there's a huge amount of detail on so many levels. hope that gets you started.

see also http://www.quora.com/What-happens-when-you-type-a-URL-into-your-browser

andrew cooke
  • Thanks, I understand the general flow. I just need an example how whatever the user "clicks" on in the email triggers the execution of that second POJO. I've only ever communicated with the middle tier from my client application, but now the email needs to talk directly to the middle tier and I don't see how this is done. Again, sorry if it's an obvious question (I'm new to this). Are there some Java or email-related keywords/examples you can refer me to how this could be done? Where does the "link" in the email point to, etc? – ggkmath May 11 '12 at 03:19
  • Thanks! Yes, it may sound silly but I've never accessed a Java method like that before. So, HTTP GET sounds like a good search term. Anything else? – ggkmath May 11 '12 at 03:33
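The two-controller flow described in this answer, written out as an added example (this is not code from the original post, and not from any framework mentioned on the page): the handler for steps 1-3 issues a random, single-use, expiring token and persists only its hash; the handler for step 4 is a servlet, mapped to a URL in web.xml, that pulls the token out of the link's query string and consumes it. The in-memory map that stands in for the database table, the https://example.com/verify link, the one-hour lifetime and the javax.servlet (pre-Jakarta) API are assumptions made for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Shared by both handlers. Step 3 calls issue() and mails the link;
 * step 4 (VerifyServlet below) calls consume() with the token from the link.
 * The ConcurrentHashMap stands in for a database table (assumption).
 */
public class EmailVerification {

    /** What the database row would hold beside the token hash. */
    static final class Pending {
        final String email;
        final long expiresAtMillis;
        Pending(String email, long expiresAtMillis) {
            this.email = email;
            this.expiresAtMillis = expiresAtMillis;
        }
    }

    private static final long TTL_MILLIS = 60L * 60L * 1000L;   // one hour (assumption)
    private static final SecureRandom RNG = new SecureRandom();
    // keyed by SHA-256(token): a leaked table does not hand out usable links
    private final Map<String, Pending> pending = new ConcurrentHashMap<>();

    /** Returns the raw token to embed in the link; only its hash is stored. */
    public String issue(String email) {
        byte[] raw = new byte[32];                                // 256 bits from the CSPRNG
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        pending.put(sha256(token), new Pending(email, System.currentTimeMillis() + TTL_MILLIS));
        return token;
    }

    /** The URL that goes into the e-mail body (base URL is an assumption). */
    public String verificationLink(String token) {
        return "https://example.com/verify?token=" + token;
    }

    /**
     * Consumes a token atomically: returns the e-mail it was issued for, or
     * null when it is unknown, already used, or expired. Because the row is
     * removed on first use, a replayed or forwarded link does nothing.
     */
    public String consume(String token) {
        if (token == null) {
            return null;
        }
        Pending p = pending.remove(sha256(token));
        if (p == null || System.currentTimeMillis() > p.expiresAtMillis) {
            return null;
        }
        return p.email;
    }

    private static String sha256(String s) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(s.getBytes(StandardCharsets.UTF_8));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);                   // SHA-256 is mandatory in every JRE
        }
    }
}

/**
 * Step 4 entry point. The browser's GET for the link lands here because of a
 * web.xml mapping such as:
 *   <servlet-mapping><servlet-name>verify</servlet-name><url-pattern>/verify</url-pattern></servlet-mapping>
 */
class VerifyServlet extends javax.servlet.http.HttpServlet {
    // both handlers must see the same store; with a real DB this is the same table
    static final EmailVerification TOKENS = new EmailVerification();

    @Override
    protected void doGet(javax.servlet.http.HttpServletRequest req,
                         javax.servlet.http.HttpServletResponse resp) throws java.io.IOException {
        String email = TOKENS.consume(req.getParameter("token"));
        if (email == null) {
            resp.sendError(javax.servlet.http.HttpServletResponse.SC_BAD_REQUEST, "invalid or expired link");
            return;
        }
        // mark the address verified in the DB here, then let the application in
        req.getSession(true).setAttribute("verifiedEmail", email);
        resp.setContentType("text/plain; charset=UTF-8");        // plain text, so the address is not rendered as HTML
        resp.getWriter().println("Address verified: " + email);
    }
}
```

Two practical points. Mail security gateways and link-preview features fetch URLs with GET before the user ever clicks; if that would burn the one-time token, have the GET render a confirmation page and consume the token on the POST from that page instead. And the token, not the e-mail address, is the secret: it must come from SecureRandom (or UUID.randomUUID(), which uses one), never from a counter or a timestamp.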
The easiest way is to have some code that connects to the mailbox of the destination address, using either POP3 or IMAP, and waits for new, incoming messages.

When you send the email, you can add a Message-ID header. When the user replies to the email, there will be a References header that should have the Message-ID that the user is replying to.

Then you can use this ID to correlate what they are responding to.

For safety, you may wish to embed the ID within the message itself (since most folks today don't edit replies), so you can look through the body of the message if for some reason the References header isn't supplied. There are other techniques that let you give each mail a custom Reply-To address; that's another way this can be done, but that requires some mail server support.

But, anyway, once you have the message structure figured out, you simply listen to the inbox of the address and look for new messages. As they arrive, you strip the Message-IDs and flag them as appropriate in the DB, or whatever.

As for "waiting" for the message, you must appreciate that it can be a long wait. Rather than having a POJO waiting for it, rather have a simple process that pings the status. You can have a timer that fires every second, and then checks the database to see if it's been updated, etc. Obviously, this is something you want to be able to cancel.

For all of the mail needs, you can use JavaMail -- it does all this, and it's pretty straightforward to use.

Will Hartung
  • just to clarify - the above is how to send an email. not sure if that is also what you are asking about (it's not covered in my answer). – andrew cooke May 11 '12 at 03:41
  • The mechanics here are very helpful, thanks for the details. Is JavaMail the mail server (e.g. it sends emails out and receives them back?) Is Java language used on the server to listen to or ping the inbox, strip Message IDs, send them to the database, etc? Or is another language better for this? Is there any software available that does this or does everyone write their own code? (This looks like what user forums use when you join them; can I borrow whatever code they use?) – ggkmath May 11 '12 at 03:48
  • I started another question to follow-up on this, here: http://stackoverflow.com/questions/10545507/how-to-verify-user-clicks-on-link-in-email-that-i-send-him-her – ggkmath May 11 '12 at 04:35
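The reply-correlation approach from this answer, as an added example built on the JavaMail API (it is not code from the original answer). It covers the two pieces the answer describes: stamping an outgoing challenge with a Message-ID you chose, and matching an incoming reply by its In-Reply-To or References header. One JavaMail detail matters here: MimeMessage.saveChanges() regenerates the Message-ID, so the override of updateMessageID() is what keeps your value. The IMAP host, account, the verify@example.com sender, the in-memory map standing in for the database, and the reply message constructed in main() are all assumptions. Note that the From header of the reply is not authenticated and is not what this code relies on; the proof is possession of the Message-ID, which must therefore be unguessable (UUID.randomUUID() draws from SecureRandom).

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import java.util.Properties;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;
import javax.mail.Flags;
import javax.mail.Folder;
import javax.mail.Message;
import javax.mail.MessagingException;
import javax.mail.Session;
import javax.mail.Store;
import javax.mail.internet.InternetAddress;
import javax.mail.internet.MimeMessage;
import javax.mail.search.FlagTerm;

public class ReplyCorrelator {
    // Message-IDs still awaiting a reply, mapped to the address each was sent to
    // (stands in for the database table; an assumption for this example)
    private final Map<String, String> outstanding = new ConcurrentHashMap<>();

    /** MimeMessage.saveChanges() would overwrite Message-ID; this keeps ours. */
    static final class TaggedMessage extends MimeMessage {
        private final String messageId;
        TaggedMessage(Session session, String messageId) {
            super(session);
            this.messageId = messageId;
        }
        @Override
        protected void updateMessageID() throws MessagingException {
            setHeader("Message-ID", messageId);
        }
    }

    /** Builds the challenge mail and records its ID as outstanding; send it with Transport.send(). */
    public MimeMessage buildChallenge(Session session, String to) throws MessagingException {
        String messageId = "<" + UUID.randomUUID() + "@example.com>";   // unguessable, RFC 5322 shaped
        MimeMessage m = new TaggedMessage(session, messageId);
        m.setFrom(new InternetAddress("verify@example.com"));
        m.setRecipients(Message.RecipientType.TO, to);
        m.setSubject("Please reply to confirm your address");
        // the ID also goes in the body, in case a client drops the threading headers
        m.setText("Reply to this message to confirm your address. Reference: " + messageId);
        m.saveChanges();
        outstanding.put(messageId, to);
        return m;
    }

    /** Returns the confirmed address, or null if the reply matches no outstanding challenge. */
    public String correlate(MimeMessage reply) throws MessagingException {
        for (String header : new String[] {"In-Reply-To", "References"}) {
            String[] values = reply.getHeader(header);
            if (values == null) {
                continue;
            }
            for (String value : values) {
                for (String id : value.trim().split("\\s+")) {   // References can list several IDs
                    String to = outstanding.remove(id);          // remove: each challenge answers once
                    if (to != null) {
                        return to;
                    }
                }
            }
        }
        return null;
    }

    /** One polling pass: read unseen inbox messages over IMAP and correlate each. */
    public void pollOnce(Session session, String host, String user, String password) throws MessagingException {
        Store store = session.getStore("imaps");
        store.connect(host, user, password);
        try {
            Folder inbox = store.getFolder("INBOX");
            inbox.open(Folder.READ_WRITE);
            for (Message m : inbox.search(new FlagTerm(new Flags(Flags.Flag.SEEN), false))) {
                String confirmed = correlate((MimeMessage) m);
                if (confirmed != null) {
                    // update the DB row for `confirmed` here
                }
                m.setFlag(Flags.Flag.SEEN, true);
            }
            inbox.close(false);
        } finally {
            store.close();
        }
    }

    public static void main(String[] args) throws Exception {
        Session session = Session.getInstance(new Properties());
        ReplyCorrelator correlator = new ReplyCorrelator();
        MimeMessage challenge = correlator.buildChallenge(session, "user@example.com");
        String id = challenge.getHeader("Message-ID")[0];
        // constructed reply, shaped the way a mail client threads it (not a captured message)
        String raw = "From: user@example.com\r\nTo: verify@example.com\r\nSubject: Re: confirm\r\n"
                + "In-Reply-To: " + id + "\r\nReferences: " + id + "\r\n\r\nok\r\n";
        MimeMessage reply = new MimeMessage(session, new ByteArrayInputStream(raw.getBytes(StandardCharsets.US_ASCII)));
        System.out.println("first reply matched: " + correlator.correlate(reply));
        System.out.println("same reply again:    " + correlator.correlate(reply));
    }
}
```

Running main() needs only the JavaMail jar on the classpath, since it never opens a connection; pollOnce() is the part you would schedule on a timer, as the answer suggests, rather than leaving a thread blocked in a wait. If you also fall back to scanning the body for the reference, as the answer proposes, apply the same single-use removal from `outstanding` so a quoted ID cannot be replayed.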