tags:

views:

394

answers:

1
+1  Q: 

Facebook canvas page in Java - optional app authorization?

I have canvas FBML app for facebook in Java. I am trying to get current user id using facebook java api in a controller, but without forcing every user to grand app access through facebook.com/login.php.

The trouble is that I don't understand a facebook app workflow. In order to get userid I need to provide fb sessionid. In order to get session it seems like I have to forward all users to http://www.facebook.com/login.php?api_key=... which will prompt them for extra permissions. The thing is I don't want to force everyone to give me extra permissions or to be logged in. Guests should be also able to use the app with limited functionality.

How do I separate guests and those who didn't give me permissions from the rest without redirecting everyone without session to permissions page all the time?

Thanks.

+1  A: 

I don't know anything about the details of the Java API, but I can tell you about the two ways to get a user ID. The first, as you know about, is to require the user to authenticate the application. You don't necessarily need to redirect the user anywhere to do this if you're using FBML and put requirelogin="1" on some HTML links or form elements and an in-page "Authorise this app" popup will appear. Once they've authorised the app you'll get the fb_sig_user parameter passed in each request.

Secondly, you may get the user ID of a visitor passed to you in another parameter without them having authorised your app. This comes in the form of fb_sig_canvas_user, and you get it once the user has interacted with your application in some way. This may be from clicking on a link in an FBML canvas page or clicking on a feed story published by another user. fb_sig_canvas_user allows you to identify the user but not to make any API calls on their behalf. You can still prompt them to publish stories and send invites.

With both methods, though, there'll be some users who arrive at your application and you have no way of knowing who they are - not even their user ID. This is to protect the privacy of users and there's no way around it - you either have to get them clicking on something, or get them to authorise.

Karl B  2010-01-29 20:56:45
Thanks. I ended up putting `<fb:if-is-app-user>` tag on the page asking guests if they want to authorize by visiting login.php link.
serg  2010-01-29 21:39:34
possible you could post your details of your servlet/filter configuraiton that works? i'm interested to see a working example of the auth handshake process.
emeraldjava  2010-09-15 17:21:20

related questions

Java Time Zone is messed up
Eclipse on win64
Automate builds for Java RCP for deployment with JNLP
Why are professors or schools picking Java over C++ to teach to students?
Is there a real benefit of using J#?
Public/Popular Websites using JavaServer Faces
Why can't I use a try block around my super() call?
Accessing post variables using Java Servlets
Personal Linux web server
Is this really widening vs autoboxing?
How can I Java webstart multiple, dependent, native libraries?
Why can't I call toString() on a Java primitive?
How do I use Java to read from a file that is actively being written?
What code analysis tools do you use for your Java projects?
IllegalArgumentException or NullPointerException for a null parameter?
How do I configure and communicate with a serial port?
What is the best way to parse strings in Java
Getting started with a custom JXTA PeerGroup
Creating a custom button in Java
How to get started "writing" a code coverage tool?
Which Build-/Configuration Management Tool?
What is the difference between an int and an Integer in Java/C#?
What is the meaning of the type safety warning in certain Java generics casts?
How would you access Object properties from within an object method?
Converting CSV File to XML in Java