Facebook登录插件,服务器端访问用户数据

时间:2012-08-31 12:48:52

标签: java facebook plugins login

我有一些工作要做,例如使用 - 

 FB.login(function(response) {
   if (response.authResponse) {
     console.log('Welcome!  Fetching your information.... ');
     FB.api('/me', function(response) {
       console.log('Good to see you, ' + response.name + '.');
     });
   } else {
     console.log('User cancelled login or did not fully authorize.');
   }
 });

我能够获得用户,姓名,用户ID等的所有详细信息。

我的问题是如何“安全地”将所有这些信息提供给服务器。我不希望在去服务器的路上嗅到这些信息。我使用JAVA(Servet / JSP)语言,请帮助我。我希望有一些像注册插件的方式,Facebook在redirect_url链接上发送所有信息。

此致 Jagpreet Singh

编辑:如果有人需要Java代码 - 

    // it is important to enable url-safe mode for Base64 encoder
    Base64 base64 = new Base64(true);

    // split request into signature and data
    String[] signedRequest = request.getParameter("signed_request").split("\\.", 2);

    logger.info("Received signed_request = " + Arrays.toString(signedRequest));

    // parse signature
    String sig = new String(base64.decode(signedRequest[0].getBytes("UTF-8")));

    // parse data and convert to JSON object
    JSONObject data = (JSONObject) JSONSerializer.toJSON(new String(base64.decode(signedRequest[1].getBytes("UTF-8"))));

    logger.warn("JSON Value = " + data);

    // check signature algorithm
    if (!"HMAC-SHA256".equals(data.getString("algorithm"))) {
        // unknown algorithm is used
        logger.error("HMAC-SHA256 Algo? = false, returning ERROR");
        return ERROR;
    } else {
        logger.error("HMAC-SHA256 Algo? = true, Checking if data is signed correctly...");
    }

    // check if data is signed correctly
    if (!hmacSHA256(signedRequest[1], fbSecretKey).equals(sig)) {
        // signature is not correct, possibly the data was tampered with
        logger.warn("DATA signed correctly? = false, returning ERROR");
        return ERROR;
    } else {
        logger.warn("DATA signed correctly? = true, checking if user has authorized the APP...");
    }

    // check if user authorized the APP (FACEBOOK User)
    if (!data.has("user_id") || !data.has("oauth_token")) {
        // this is guest, create authorization url that will be passed
        // to javascript
        // note that redirect_uri (page the user will be forwarded to
        // after authorization) is set to fbCanvasUrl
        logger.warn("User has authorized the APP? = false, returning ERROR");
        return ERROR;
    } else {
        logger.warn("User has authorized the APP? = true, Performing User Registration...");

        // this is authorized user, get their info from Graph API using
        // received access token

        // String accessToken = data.getString("oauth_token");
        // FacebookClient facebookClient = new
        // DefaultFacebookClient(accessToken);
        // User user = facebookClient.fetchObject("me", User.class);
    }

1 个答案:

答案 0 :(得分:1)

当您使用客户端方法进行身份验证时,Facebook会发送signed_request参数。您可以将其传递给服务器,对其进行身份验证,然后将其解压缩以获取所需的信息。它是使用您的应用程序密钥加密的,因此您可以确保它是安全的。

有关详细信息,请参阅signed_request documentation

相关问题
最新问题