7

I'm developing a web application using Java EE 6 Web Profile. I want to e-mail a new user an activation link for his account. How should I implement this? I'm using JSF2. Is there any specification or recommended way for doing this?

Raedwald
arg20
  • Do you want to know how to create the `key` that is required to be sent with the activation URL, or do you want book-markable URL generation in JSF? – Nishant Feb 02 '11 at 05:36
  • Exactly. The user registers, and a URL with a key is sent to his email, like: click on http://mysite.com/activate?key=dsafadsfwe to activate your account. – arg20 Feb 02 '11 at 06:44
  • Maybe if I could access the URL from JSF and get the key parameter or something – arg20 Feb 02 '11 at 06:45
  • Related: http://stackoverflow.com/questions/3295245/confirmation-link-email-in-jsf – BalusC Feb 02 '11 at 12:59

2 Answers

16

I have worked on a project that required the user to confirm his email-id to activate his registration. The key generation process was like this:

Key Creation

  1. Create a column `verification_key` in the users table that holds a unique validation key for a user.
  2. Use the SHA256 hash of your unique user-name (email-id in this case) with salt as his password.
  3. Convert the hash to base64 and store it in `verification_key` of that user. This will be unique (for practical purposes, I wouldn't go into probability of collision).

So, bottom line: `key = Base64(Hash256(uniqueUserName+"."+password))`

......

Side note: BTW, nothing restricts you to using the password as salt. You may just create an arbitrary string on the fly as salt.

Verification

  1. Since we know the `verification_key` is unique, get the key from the request parameter and find the matching row.
  2. If found, set `verification_key` to null (this will also reduce chances of collision, if any) and take the user to the "successfully-verified page".
  3. If not found, take the user to the "already-activated/key-not-found/401 page".
Nishant
  • Hi. This is a very useful answer, thanks a lot. I want to know one more thing from your implementation. Once a user is activated, you shouldn't have to check again every time he tries to do something, so should I have another table, say "pending_users", so if the user is in the user table I can assume he's activated? – arg20 Feb 02 '11 at 15:30
  • `UUID.randomUUID()` may be used to generate a random number – Christophe Roussy Jan 02 '12 at 16:18
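
The key creation and verification steps from the answer above, as an added example that is not part of the original post or the answerer's project code. It assumes Java 8+ (`java.util.Base64`), takes the side note's option of a random salt (here from `SecureRandom`) instead of the password, swaps standard Base64 for the URL-safe alphabet, and uses a hypothetical in-memory map in place of the users table.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

public class ActivationKeys {
    private static final SecureRandom RNG = new SecureRandom();
    // Stand-in for the users table: verification_key -> user e-mail (hypothetical, in-memory).
    private final Map<String, String> pendingByKey = new HashMap<>();

    /** key = Base64(SHA-256(uniqueUserName + "." + salt)), with a random salt made on the fly. */
    public String createKey(String email) throws NoSuchAlgorithmException {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt); // unpredictable, so the key cannot be rebuilt from the e-mail alone
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        sha256.update(email.getBytes(StandardCharsets.UTF_8));
        sha256.update((byte) '.');
        sha256.update(salt);
        // URL-safe alphabet without padding, so the key fits into ?key=... without escaping.
        String key = Base64.getUrlEncoder().withoutPadding().encodeToString(sha256.digest());
        pendingByKey.put(key, email);
        return key;
    }

    /** Returns the activated e-mail, or null when the key is unknown or already used. */
    public String activate(String keyFromRequest) {
        if (keyFromRequest == null) {
            return null;
        }
        // remove() plays the role of setting verification_key to null: the key works once.
        return pendingByKey.remove(keyFromRequest);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        ActivationKeys store = new ActivationKeys();
        String key = store.createKey("user@example.com"); // constructed sample address
        System.out.println("http://mysite.com/activate?key=" + key);
        System.out.println("first click:  " + store.activate(key));
        System.out.println("second click: " + store.activate(key));
        System.out.println("unknown key:  " + store.activate("dsafadsfwe"));
    }
}
```

In a servlet or JSF view the `keyFromRequest` value would come from the `key` request parameter, and a null result maps to the "already-activated/key-not-found" page.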
1

An activation URL evokes an impression of a software service processing a 'service'-request.

Good candidates to realize this service include servlets which will perform the user activation/validation and redirect to a JSF success-page.

Ryan Fernandes
  • I have never really used servlets with jsf2 before since I have never really needed them. Can you please show me some fragment of code, please? – arg20 Feb 02 '11 at 07:03