I'm hoping not to re-invent the wheel -- I'm fairly new to Java, but I need a simple but robust algorithm/code/software to perform email verification for users of a web application (e.g. I only need help with step 4 below). That is, I need to verify the user logging in has access to the email address he/she provides during log in.
The steps I have in mind for the Java middle-tier would be:
- Java POJO receives user's email and password from client.
- The POJO talks to a database server to verify the email/password combo is valid.
- If valid, the POJO sends an email to the email address, asking user to reply to email (or click on some provided link, etc.)
- The POJO receives notification (how?) that the user has replied to email (or clicked on link, etc.).
- The POJO informs the web-application of success (or failure) of authentication, thereby permitting or denying access to the application.
I can write everything except step 4. Essentially I need a way to send an email to a user and then receive some type of response indicating the user received the email.
Anyone know how this can be accomplished? If not, what do you recommend as the next best/simplest solution?
I'm not using a framework as my Java middle tier is very simple. I'd like to keep the solution lean (meaning, I don't want to install/implement more than I need; Spring seems overkill). I read up on Shiro, but didn't find any evidence it supports email authentication. Any advice is much appreciated to help me avoid writing unnecessary/unproven routines.
The easiest way is to have some code that connects to the mailbox of the destination address, using either POP3 or IMAP, and waits for new, incoming messages.
When you send the email, you can add a `Message-ID` header. When the user replies to the email, there will be a `References` header that should contain the `Message-ID` that the user is replying to. Then you can use this ID to correlate what they are responding to.
For safety, you may wish to embed the ID within the message itself (since most folks today don't edit replies), so you can look through the body of the message if for some reason the `References` header isn't supplied. There are other techniques that let you give each mail a custom `Reply-To` address; that's another way this can be done, but it requires some mail server support.
But, anyway, once you have the message structure figured out, you simply listen to the inbox of the address and look for new messages. As they arrive, you strip out the Message IDs and flag them as appropriate in the DB, or whatever.
As for "waiting" for the message, you must appreciate that it can be a long wait. Rather than having a POJO waiting for it, rather have a simple process that pings the status. You can have a timer that fires every second, and then checks the database to see if it's been updated, etc. Obviously, this is something you want to be able to cancel.
For all of the mail needs, you can use JavaMail -- it does all this, and it's pretty straightforward to use.
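The approach in the answer above (send a message with your own `Message-ID`, embed the same ID in the body, then poll the inbox over IMAP and correlate replies through the threading headers) as an added example written for this page, not code from the answer's author. It assumes the classic `javax.mail` JavaMail API (1.4 or later) on the classpath and a `Session` configured for both SMTP and IMAPS; the class, the `Pending` record-style holder, the `domain` and `fromAddress` fields and the `TTL_MS` lifetime are all hypothetical names chosen here. Two points the answer only implies are made explicit: the ID is generated with `SecureRandom` so that possessing it proves receipt of the mail (the reply's `From` header is never trusted, since it is trivially forgeable), and each ID is single-use and expires. Note also that `MimeMessage` silently regenerates `Message-ID` in `saveChanges()`, so a subclass overriding `updateMessageID()` is needed to keep a custom one.

```java
import java.io.IOException;
import java.security.SecureRandom;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.mail.*;
import javax.mail.internet.InternetAddress;
import javax.mail.internet.MimeMessage;
import javax.mail.search.FlagTerm;

/** Hypothetical helper: issues a reply-to-confirm challenge and later matches the reply to it. */
public class ReplyVerifier {
    private static final long TTL_MS = 24L * 60 * 60 * 1000;   // assumed lifetime of a challenge
    private static final SecureRandom RNG = new SecureRandom();
    // Matches RFC 5322 msg-id tokens such as <abc123@app.example> in headers or body text.
    private static final Pattern MSG_ID = Pattern.compile("<[^<>\\s]+@[^<>\\s]+>");

    static final class Pending {
        final String userId; final long expiresAt;
        Pending(String userId, long expiresAt) { this.userId = userId; this.expiresAt = expiresAt; }
    }

    // MimeMessage.saveChanges() overwrites Message-ID; this subclass pins the one we chose.
    static final class FixedIdMessage extends MimeMessage {
        private final String id;
        FixedIdMessage(Session s, String id) { super(s); this.id = id; }
        @Override protected void updateMessageID() throws MessagingException { setHeader("Message-ID", id); }
    }

    // In-memory stand-in for the database row the question's POJO would write (token -> user).
    private final Map<String, Pending> pending = new ConcurrentHashMap<>();
    private final Session session;      // configured by the caller for mail.smtp.* and mail.imaps.*
    private final String domain;        // right-hand side of generated Message-IDs, e.g. "app.example"
    private final String fromAddress;   // mailbox the app sends from and polls for replies

    public ReplyVerifier(Session session, String domain, String fromAddress) {
        this.session = session; this.domain = domain; this.fromAddress = fromAddress;
    }

    /** 128 random bits: unguessable, so only someone who received the mail can echo it back. */
    String newMessageId() {
        byte[] b = new byte[16];
        RNG.nextBytes(b);
        return "<" + Base64.getUrlEncoder().withoutPadding().encodeToString(b) + "@" + domain + ">";
    }

    /** Step 4a: send the challenge mail and remember which user it belongs to. Returns the ID. */
    public String sendChallenge(String userId, String to) throws MessagingException {
        String id = newMessageId();
        pending.put(id, new Pending(userId, System.currentTimeMillis() + TTL_MS));
        MimeMessage m = new FixedIdMessage(session, id);
        m.setFrom(new InternetAddress(fromAddress));
        m.setRecipient(Message.RecipientType.TO, new InternetAddress(to));
        m.setSubject("Please reply to this message to confirm your address");
        // The ID goes into the body as well, in case the client omits In-Reply-To/References.
        m.setText("Reply to this message to confirm your email address.\nVerification id: " + id);
        Transport.send(m);
        return id;
    }

    /** Step 4b: one polling pass over unread mail; returns the user IDs confirmed in this pass. */
    public List<String> pollInbox(String imapHost, String user, String password)
            throws MessagingException, IOException {
        List<String> confirmed = new ArrayList<>();
        Store store = session.getStore("imaps");
        store.connect(imapHost, user, password);
        try {
            Folder inbox = store.getFolder("INBOX");
            inbox.open(Folder.READ_WRITE);
            try {
                Message[] unread = inbox.search(new FlagTerm(new Flags(Flags.Flag.SEEN), false));
                for (Message msg : unread) {
                    String userId = matchReply(msg);
                    if (userId != null) confirmed.add(userId);
                    msg.setFlag(Flags.Flag.SEEN, true);   // never look at this message again
                }
            } finally { inbox.close(false); }
        } finally { store.close(); }
        return confirmed;
    }

    /** Correlates a reply via In-Reply-To/References, falling back to a text/plain body scan. */
    String matchReply(Message msg) throws MessagingException, IOException {
        List<String> candidates = new ArrayList<>();
        for (String header : new String[] {"In-Reply-To", "References"}) {
            String[] values = msg.getHeader(header);
            if (values != null) for (String v : values) candidates.addAll(extractIds(v));
        }
        // Fallback: scan a plain-text body (multipart replies would need their parts walked).
        if (msg.isMimeType("text/plain")) candidates.addAll(extractIds(String.valueOf(msg.getContent())));
        for (String id : candidates) {
            Pending p = pending.remove(id);                 // single use: remove on first match
            if (p != null && p.expiresAt >= System.currentTimeMillis()) return p.userId;
        }
        return null;                                        // unknown, expired or unrelated mail
    }

    static List<String> extractIds(String text) {
        List<String> ids = new ArrayList<>();
        Matcher m = MSG_ID.matcher(text);
        while (m.find()) ids.add(m.group());
        return ids;
    }
}
```

Driving this from the question's design: the login POJO calls `sendChallenge(userId, email)` after the password check, a scheduled task calls `pollInbox(...)` periodically (the answer's "timer that fires", with the returned user IDs written to the DB), and the web tier grants access once the user's row is marked confirmed. Because the match key is the random ID rather than the sender address, a forged `From` header gains an attacker nothing unless they also read the original mail.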