From: Konstantin Preißer
To: "'Tomcat Users List'"
Subject: RE: [OT] Accessing HREF Target from Servlet
Date: Sat, 29 Jun 2013 22:31:40 +0200
Message-ID: <000001ce7507$a9d40b70$fd7c2250$@t-online.de>
In-Reply-To: <51CF1D00.6050507@mhsoftware.com>
References: <51CCDE1E.7010402@mhsoftware.com> <51CEFD57.3070204@ice-sa.com> <51CF1D00.6050507@mhsoftware.com>
Mailing-List: contact users-help@tomcat.apache.org; run by ezmlm
Delivered-To: mailing list users@tomcat.apache.org
Hi,

> -----Original Message-----
> From: George S. [mailto:georges@mhsoftware.com]
> Sent: Saturday, June 29, 2013 7:45 PM
> To: Tomcat Users List
> Subject: Re: [OT] Accessing HREF Target from Servlet
>
> >
> > 1) Why would you need to access that part after the "#" for Auth stuff ?
> > Intuitively, the part after the "#" is inside of a page. So if access
> > to the page is already granted/forbidden by the Auth stuff, the part
> > inside of the page should not matter.
>
> I'm doing facebook graph api authentication. In the login cycle, you send the
> user to a facebook page, and you provide that page with a redirect_url.
> After the user does their login through facebook, they get redirected back to
> the url you supplied. In a case of freakish bizarre (for a server-side
> developer), the access token you get is not a parameter on the request.
> IOW, the redirect is to "your_redirect_url.html#access_token=blah", not
> "your_redirect_url.html?access_token=blah". The whole mess is documented
> here:
>
> https://developers.facebook.com/docs/facebook-login/login-flow-for-web-no-jssdk/
>
> The part about the token being in the URL but not in the query string isn't
> documented there, but it's documented on another page. I'm guessing the
> reason they did this is so that the access_token would not show up in the log
> files of the destination server.

I have also implemented Facebook Login a while ago for a Webapp that runs under Tomcat 7.
However, I do not get the fb-code or access_token after a "#" in the redirected url - maybe you used a JavaScript-only variant for the Facebook login? For example, when doing a Facebook Login, my app does the following:

1. It redirects the user to:
https://www.facebook.com/dialog/oauth?client_id=&scope=email&redirect_uri=http%3A%2F%2F

2. After the user logs in, the Facebook site redirects to:
http://?code=#_=_
so the App gets a "code" parameter which is needed to get an access_token.

3. The App can now request an access token by making an HTTP request to a URL like
https://graph.facebook.com/oauth/access_token?client_id=&redirect_uri=http%3A%2F%2F&&client_secret=&code=
(using the from the previous redirect, and using the same parameter as on the first redirect to the Facebook site).

4. Then the app can request user information from the Facebook Graph API by making a request to a URL like
https://graph.facebook.com/me?fields=id,name,first_name,last_name,email&access_token=.

You can see a live demo here: http://bildergalerie.pleier-it.de/?seite=login (it is a German app for sharing pictures). If you click on the Facebook icon, you will be redirected to FB. After you log in, FB will redirect you to the app with a URL like
http://bildergalerie.pleier-it.de/FBLoginRedirector?code=#_=_
After that, the app will query the user's name from Facebook's Graph API and display it in the top right corner.

Regards,
Konstantin Preißer

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
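The server-side "code" flow described in steps 1 to 3 above, as an added example that is not from the post, from Facebook's SDK or from the demo app: it builds the step 1 redirect, reads the "code" out of the step 2 redirect URL (showing why anything after "#" never reaches a servlet), and builds the step 3 exchange URL. APP_ID, SECRET and the redirect URI are constructed placeholders, and the "state" nonce is a defensive addition the post does not mention.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Endpoints as quoted in the post; APP_ID / APP_SECRET / redirect URI values
# passed by the caller are constructed placeholders, not real credentials.
AUTH_ENDPOINT = "https://www.facebook.com/dialog/oauth"
TOKEN_ENDPOINT = "https://graph.facebook.com/oauth/access_token"


def build_authorize_url(app_id, redirect_uri, scope="email"):
    """Step 1: the URL the app redirects the browser to.

    The 'state' nonce is an addition to the post's flow: store it in the
    user's session and require it back in step 2, so a redirect carrying
    someone else's code cannot be bound to this session (login CSRF).
    """
    state = secrets.token_urlsafe(16)
    params = {"client_id": app_id, "scope": scope,
              "redirect_uri": redirect_uri, "state": state}
    return AUTH_ENDPOINT + "?" + urlencode(params), state


def extract_code(redirect_url, expected_state):
    """Step 2: read 'code' from the query string of the redirect URL.

    Only the query is parsed. Facebook's trailing '#_=_' (and, in the
    JavaScript/implicit variant, '#access_token=...') is a fragment, which
    the browser never transmits to the server, so a servlet cannot see it.
    """
    query = parse_qs(urlsplit(redirect_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state missing or mismatched: reject this redirect")
    codes = query.get("code")
    if not codes:
        raise ValueError("no 'code' in query string")
    return codes[0]


def build_token_request(app_id, app_secret, redirect_uri, code):
    """Step 3: server-to-server URL that exchanges the code for a token.

    redirect_uri must be identical to the one sent in step 1; the
    client_secret stays on the server and is never sent to the browser.
    """
    params = {"client_id": app_id, "redirect_uri": redirect_uri,
              "client_secret": app_secret, "code": code}
    return TOKEN_ENDPOINT + "?" + urlencode(params)
```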