2

我有几件事情要做,例如使用 -

 FB.login(function(response) {
   if (response.authResponse) {
     console.log('Welcome!  Fetching your information.... ');
     FB.api('/me', function(response) {
       console.log('Good to see you, ' + response.name + '.');
     });
   } else {
     console.log('User cancelled login or did not fully authorize.');
   }
 });

我能够获取用户、姓名、用户 ID 等的所有详细信息。

我的问题是如何“安全地”将所有这些信息发送到服务器。我不希望这些信息在发送到服务器的途中被嗅探。我使用 JAVA(Servet/JSP) 语言,请帮助我。我希望有某种方式,如注册插件,Facebook 在 redirect_url 链接上发送所有信息。

问候, Jagpreet Singh


编辑:如果有人需要 Java 代码 -

    // it is important to enable url-safe mode for Base64 encoder
    Base64 base64 = new Base64(true);

    // split request into signature and data
    String[] signedRequest = request.getParameter("signed_request").split("\\.", 2);

    logger.info("Received signed_request = " + Arrays.toString(signedRequest));

    // parse signature
    String sig = new String(base64.decode(signedRequest[0].getBytes("UTF-8")));

    // parse data and convert to JSON object
    JSONObject data = (JSONObject) JSONSerializer.toJSON(new String(base64.decode(signedRequest[1].getBytes("UTF-8"))));

    logger.warn("JSON Value = " + data);

    // check signature algorithm
    if (!"HMAC-SHA256".equals(data.getString("algorithm"))) {
        // unknown algorithm is used
        logger.error("HMAC-SHA256 Algo? = false, returning ERROR");
        return ERROR;
    } else {
        logger.error("HMAC-SHA256 Algo? = true, Checking if data is signed correctly...");
    }

    // check if data is signed correctly
    if (!hmacSHA256(signedRequest[1], fbSecretKey).equals(sig)) {
        // signature is not correct, possibly the data was tampered with
        logger.warn("DATA signed correctly? = false, returning ERROR");
        return ERROR;
    } else {
        logger.warn("DATA signed correctly? = true, checking if user has authorized the APP...");
    }

    // check if user authorized the APP (FACEBOOK User)
    if (!data.has("user_id") || !data.has("oauth_token")) {
        // this is guest, create authorization url that will be passed
        // to javascript
        // note that redirect_uri (page the user will be forwarded to
        // after authorization) is set to fbCanvasUrl
        logger.warn("User has authorized the APP? = false, returning ERROR");
        return ERROR;
    } else {
        logger.warn("User has authorized the APP? = true, Performing User Registration...");

        // this is authorized user, get their info from Graph API using
        // received access token

        // String accessToken = data.getString("oauth_token");
        // FacebookClient facebookClient = new
        // DefaultFacebookClient(accessToken);
        // User user = facebookClient.fetchObject("me", User.class);
    }
4

1 回答 1

1

signed_request当您使用客户端方法进行身份验证时,Facebook 会发送一个参数。您可以将其传递给您的服务器,对其进行身份验证,然后将其解包以获取您需要的信息。它使用您的应用程序机密加密,因此您可以确保它是安全的。

有关详细信息,请参阅signed_request 文档

于 2012-08-31T13:57:37.390 回答