Account registration and email activation

Hi,

I'm attempting to implement the following use case:

1. User goes to web page and enters email address and password

2. System assigns unique token to this user and sends an email to supplied address. This email contains an activation link that includes the unique token for this user

3. User clicks on link in email and their account is activated

I have seen this done using Spring Security, but would like to know if it is possible (and fairly straightforward) to achieve the same result using standard java libraries (in other words, i'd like to avoid using 3rd party libraries such as spring-security).

Thanks

Just store the token in a DB, when that token is presented as part of a URL activate the user--what specifically are you having a problem with?

With regards to generating a token, is it a good idea to use Java's UUID.randomUUID() method or is there a better approach?

It's probably fine.

I am planning on creating an Activation Servlet that handles the user clicking on the activation link in their email. So, I could create each activation link with a .act extension and then have the Activation Servlet kick in for all requests with the .act extension. I could then obtain the email address and token as request parameters from the activation link and search the database for matching credentials. If a matching user record is found in the database, change the status from PENDING to ACTIVE.

I have never implemented a system like this before and am just asking if this approach is sensible. Or have I over-engineered the solution???

Thanks

Over-engineered? How else could you do it besides what you've listed? That kind of seems like the minimal number of things you could do to make it work (although I wouldn't bother giving that servlet a unique extension).

Thanks for your comments David. If I don't add some kind of extension to the link, how can I specify in my web.xml which requests the Activation Servlet should deal with?

A name? Or map it first? Or use a filter to check for a link parameter? Or... (In other words, there are a lot of answers :)

A name? Or map it first? Sorry to be dumb, but do you have a snippet of an example web.xml which shows these options in practice?

Thanks