Mike's Notes » Java

Twitter Login to a Java Web Application

mrmikewarren — Tue, 29 Nov 2011 23:35:47 +0000

Having taken Bruce Phillips Shiro tutorial’s app and added a login via Facebook option I’m now going to have a bash at implementing a “log in via twitter” option, I then will hopefully be able to step back and see what generlisations might be appropriate to make some of the code more generic between Facebook and Twitter logins, and also genererally for OAuth.

So first Create a Twitter Application

Do this on dev.twitter.com , with an application name, description and website.

There’s also an optional field for a call back URL, I’ve filled this in with the URL of the servlet that will be handling twitter login’s for my application, although twitter does say ” OAuth 1.0a applications should explicitly specify their oauth_callback URL on the request token step, regardless of the value given here”. So I may have to revisit this to determine which URL exactly should be entered.

This gives a consumer key and secret, and 4 URLS (Request token URL, Authorize URL , Access token URL and Callback URL ), so make a note of these, I’m assuming they may come in useful. Also note twitter’s “rules of the road”, which include things like display of a users twitter avatar if you’re using the twitter login mechanism, I’m not sure if Facebook makes the same requirement but if so will have to check.

Get Twitter4j

I’ll be using twitter4j to do a lot of the work, I’m already using it elsewhere, and been very happy so far with it’s ease of use.

http://twitter4j.org/en/index.html

I’ll be using the Sign in Via Twitter example as my guide (EDIT – I pretty much copy it)

http://twitter4j.org/en/code-examples.html#signinwithtwitter

Code

The first thing to do is add a log in via twitter link to our webpage, unlike the facebook one which is a link to facebook, this will be a link to a servlet implemented by our app.

The example above uses the following link.

Taking the Twitter4j example I then ended up with a TwitterLoginServlet (which maps to “TwitterLogin” linked to above) and a TwitterCallbackServlet.
I did find I had to fix the code below to hardcode the URL of the call back servlet when the app was deployed, possibly because I’m using Nginx as a reverse proxy so it was ending up with 127.0.0.1 instead of the host name, maybe I could fix Nginx configuration to avoid this.
Twitter properties is just a convenience class used in this demo to hold the properties given when the app was created, twitter4J would read in properties from a properties file on the class path by default.

package uk.co.mrdw.shiroexp.servlets;

import java.io.IOException;
import java.util.Properties;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import twitter4j.Twitter;
import twitter4j.TwitterException;
import twitter4j.TwitterFactory;
import twitter4j.auth.RequestToken;
import twitter4j.conf.ConfigurationBuilder;

public class TwitterLoginServlet extends HttpServlet {

private static final long serialVersionUID = 1L;

protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
System.out.println( "TwitterLoginServlet:doGet" );
ConfigurationBuilder cb = new ConfigurationBuilder();

Properties props = new TwitterProperties().getProperties();
cb.setDebugEnabled(true)
.setOAuthConsumerKey((String)props.get("twitterConsumerKey"))
.setOAuthConsumerSecret((String)props.get("twitterConsumerSecret"))
.setOAuthRequestTokenURL((String)props.get("twitterRequestTokenURL"))
.setOAuthAuthorizationURL((String)props.get("twitterAuthorizeURL"))
.setOAuthAccessTokenURL((String)props.get("twitterAccessTokenURL"));
TwitterFactory tf = new TwitterFactory(cb.build());
Twitter twitter = tf.getInstance();
request.getSession().setAttribute("twitter", twitter);
try {
StringBuffer callbackURL = request.getRequestURL();
System.out.println( "TwitterLoginServlet:callbackURL:"+callbackURL );
int index = callbackURL.lastIndexOf("/");
callbackURL.replace(index, callbackURL.length(), "").append("/TwitterCallback");

RequestToken requestToken = twitter.getOAuthRequestToken(callbackURL.toString());
request.getSession().setAttribute("requestToken", requestToken);
System.out.println( "requestToken.getAuthenticationURL():"+requestToken.getAuthenticationURL() );
response.sendRedirect(requestToken.getAuthenticationURL());

} catch (TwitterException e) {
throw new ServletException(e);
}

}

/**
* @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse
*      response)
*/
protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException,
IOException {
System.out.println("Unexpected doPost ...");
}
}

and the callback servlet (URL it’s mapped to needs to match the callbackURL generated in the login servlet above) …

package uk.co.mrdw.shiroexp.servlets;

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import twitter4j.Twitter;
import twitter4j.TwitterException;
import twitter4j.auth.RequestToken;

public class TwitterCallbackServlet  extends HttpServlet {

private static final long serialVersionUID = 1L;

protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
Twitter twitter = (Twitter) request.getSession().getAttribute("twitter");
RequestToken requestToken = (RequestToken) request.getSession().getAttribute("requestToken");
System.out.println( "TwitterCallbackServlet:requestToken:"+requestToken);
String verifier = request.getParameter("oauth_verifier");
try {
twitter.getOAuthAccessToken(requestToken, verifier);
request.getSession().removeAttribute("requestToken");
} catch (TwitterException e) {
throw new ServletException(e);
}
response.sendRedirect(request.getContextPath() + "/");
}
}

This is pretty much a straight copy of the Twitter4J example.

Just to prove it was working I was able to add the following to the index.jsp

<%
<%@ page import="twitter4j.Twitter"%>
<%@ page import="twitter4j.ProfileImage"%>

....

Twitter twitter = (Twitter) request.getSession().getAttribute("twitter");
if(twitter!=null){
String imageUrl = "";
try {
imageUrl = twitter.getProfileImage(twitter.getScreenName(), ProfileImage.NORMAL).getURL();
} catch (Exception e1) {
// TODO Auto-generated catch block
e1.printStackTrace();
}
%>
Twitter ID:<%=twitter.getId()%>
Twitter Screen Name:<%=twitter.getScreenName()%>
"/>

<%
}
%>

So that’s the basics of a twitter login to a Java web application working – I know it’s not actually logging in via Shiro at them moment, or doing anything useful, that will come ( I’ll also need to check the Twitter “Rules of the Road” before deploying and make sure I’m complying).

Haven’t looked at what there is in common with the Facebook login yet from a point of view of making the Shiro implementation more generic,
but I can see differences:
Unlike the Facebook example this works wherever its deployed – Facebook uses the URL configured for the application to call back to.
The login link on the web page goes to the web app, not to twitter.
Using Twitter4j has hidden a lot of the nuts and bolts, which is good, but may mean less chance of sharing OAuth code between Facebook and Twitter implementations.

Next step login via google I think, then try and put it all together in a Shiro implementation.

Using Apache Shiro Security to allow login via Facebook – part 2

mrmikewarren — Mon, 28 Nov 2011 12:53:29 +0000

Using Apache Shiro

So in part 1 I got a basic servlet that can be used to determine if a user has logged in via Facebook, and get hold of details like the Facebook users’s ID and name etc.

Now comes configuring and extending Shiro to handle Facebook login.

I’ve taken the approach of creating a new realm for Facebook, which will use a custom CredentialsMatcher (which won’t actually have to do much as it’s Facebook that handles any credentials matching). So with two new classes to be written uk.co.mrdw.security.facebook.FacebookCredentialsMatcher and uk.co.mrdw.security.facebook.FacebookRealm the config in shiro.ini (or embedded in web.xml in the tutorial) will have the following “main” section.

[main]
 realmA = name.brucephillips.somesecurity.dao.RoleSecurityJdbcRealm
 fbCredentialsMatcher = uk.co.mrdw.shiro.facebook.FacebookCredentialsMatcher
 realmB = uk.co.mrdw.security.facebook.FacebookRealm
 realmB.credentialsMatcher = $fbCredentialsMatcher
 securityManager.realms = $realmA, $realmB

(Maybe realmA and and realmB could be better named)

So shiro will first try realmA (the jdbc realm, backed by a users table), and if that realm doesn’t support the token being passed in to the SecurityUtils.getSubject().login(token) it will try realmB, the Facebook realm. So we’ll need a new token class for Facebook to identify facebook logins.

The code in the authenticate method in the FacebookLoginServlet will be moved to the FacebookRealm class, and the FacebookLoginServlet will just create a Facebook token and call SecurityUtils.getSubject().login(token).

So we end up with a FacebookRealm class like this


package uk.co.mrdw.shiro.facebook;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.MalformedURLException;
import java.net.URL;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

import uk.co.mrdw.shiroexp.servlets.FacebookProperties;

public class FacebookRealm extends AuthorizingRealm {

private static final Properties props = new FacebookProperties().getProperties();
private static final String APP_SECRET = props.get("fbAppSecret").toString();
private static final String APP_ID = props.get("fbAppId").toString();
private static final String REDIRECT_URL = props.get("fbLoginRedirectURL").toString();

@Override
public boolean supports(AuthenticationToken token) {
if (token instanceof FacebookToken) {
return true;
}
return false;
}

@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
return new FacebookAuthorizationInfo();
}

@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
FacebookToken facebookToken = (FacebookToken) token;

// do all the facebook gubbins
if (facebookToken.getCode() != null && facebookToken.getCode().trim().length() > 0) {
URL authUrl;
try {
authUrl = new URL("https://graph.facebook.com/oauth/access_token?" + "client_id=" + APP_ID
+ "&redirect_uri=" + REDIRECT_URL + "&client_secret=" + APP_SECRET + "&code="
+ facebookToken.getCode());

String authResponse = readURL(authUrl);
System.out.println(authResponse);
String accessToken = getPropsMap(authResponse).get("access_token");
URL url = new URL("https://graph.facebook.com/me?access_token=" + accessToken);
String fbResponse = readURL(url);
FacebookUserDetails fud = new FacebookUserDetails(fbResponse);
return new FacebookAuthenticationInfo(fud, this.getName());
} catch (MalformedURLException e1) {
e1.printStackTrace();
throw new AuthenticationException(e1);
} catch (IOException ioe) {
ioe.printStackTrace();
throw new AuthenticationException(ioe);
} catch (Throwable e) {
e.printStackTrace();
}
}
return null;
}

// ------------------------------------------------------------
// STUFF here should be in a more generic place TODO
// ------------------------------------------------------------

private String readURL(URL url) throws IOException {
ByteArrayOutputStream baos = new ByteArrayOutputStream();
InputStream is = url.openStream();
int r;
while ((r = is.read()) != -1) {
baos.write(r);
}
return new String(baos.toByteArray());
}

private Map getPropsMap(String someString) {
String[] pairs = someString.split("&");
Map props = new HashMap();
for (String propPair : pairs) {
String[] pair = propPair.split("=");
props.put(pair[0], pair[1]);
}
return props;
}
}

I have also added some getters to the FacebookUserDetails class – just extracting data from the json String it’s created with, will be refined as required in the future.

package uk.co.mrdw.shiro.facebook;

import org.json.JSONException;
import org.json.JSONObject;

/**
* Simple class for holding data relating to a facebook user
*
* @author Mike
*
*/
public class FacebookUserDetails {
private String id;
private String firstName;
private String lastName;
private String email;
// jsonString Expected to be something like this
// {
// "education": [{
// "school": {
// "id": "123456789012345",
// "name": "University of Sheffield"
// },
// "type": "Graduate School",
// "with": [{
// "id": "123456789",
// "name": "Daffy Duck"
// }]
// }],
// "first_name": "Mike",
// "id": "121212121",
// "last_name": "Warren",
// "link":
// "http://www.facebook.com/profile.php?id=121212121",
// "locale": "en_US",
// "name": "Mike Warren",
// "updated_time": "2011-08-15T14:51:05+0000",
// "verified": true
// }
private String jsonString;

public FacebookUserDetails(String fbResponse){
jsonString = fbResponse;
JSONObject respjson;
try {
respjson = new JSONObject(fbResponse);
this.id = respjson.getString("id");
this.firstName = respjson.has("first_name") ? respjson.getString("first_name") : " no name" + id;
this.lastName = respjson.has("last_name") ? respjson.getString("last_name") : "";
this.email = respjson.has("email") ? respjson.getString("email") : "-no email-";
} catch (JSONException e) {
System.out.println( "fbResponse:"+fbResponse );
e.printStackTrace();
throw new RuntimeException(e);
}

}

public String toString(){
return jsonString;
}

public String getId() {
return id;
}

public void setId(String id) {
this.id = id;
}

public String getFirstName() {
return firstName;
}

public void setFirstName(String firstName) {
this.firstName = firstName;
}

public String getLastName() {
return lastName;
}

public void setLastName(String lastName) {
this.lastName = lastName;
}

public String getEmail() {
return email;
}

public void setEmail(String email) {
this.email = email;
}
}


The CredentialsMatcher class shouldn’t need to do anything, as Facebook is doing the credentials matching for us.
package uk.co.mrdw.shiro.facebook;

import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.credential.CredentialsMatcher;

public class FacebookCredentialsMatcher implements CredentialsMatcher {

/**
* Just confirms that token is the right type - credentials checking is done by facebook OAuth
*/
@Override
public boolean doCredentialsMatch(AuthenticationToken token, AuthenticationInfo info) {
if(info instanceof FacebookAuthenticationInfo){
return true;
}
return false;
}

}


create a facebook token class, will just be used to hold the “code” provided by Facebook
package uk.co.mrdw.shiro.facebook;

import org.apache.shiro.authc.AuthenticationToken;

public class FacebookToken implements AuthenticationToken {

private static final long serialVersionUID = 1L;
private String code;

public FacebookToken(String code){
this.code = code;
}

@Override
public Object getPrincipal() {
return null;// not known - facebook does the login
}

@Override
public Object getCredentials() {
return null;// credentials handled by facebook - we don't need them
}

public String getCode() {
return code;
}

public void setCode(String code) {
this.code = code;
}
}

And a FacebookAuthenticationInfo class
package uk.co.mrdw.shiro.facebook;

import java.util.ArrayList;
import java.util.Collection;

import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;

public class FacebookAuthenticationInfo implements AuthenticationInfo {

private static final long serialVersionUID = 1L;

private PrincipalCollection principalCollection;

public FacebookAuthenticationInfo(FacebookUserDetails facebookUserDetails, String realmName){
Collection principals = new ArrayList();
principals.add(facebookUserDetails.getId());
principals.add(facebookUserDetails.getFirstName()+" "+facebookUserDetails.getLastName()); // Is this appropriate is the name not really a Principal ?
this.principalCollection = new SimplePrincipalCollection(principals, realmName);
}

@Override
public PrincipalCollection getPrincipals() {
return principalCollection;
}

@Override
public Object getCredentials() {
return null;// no credentials required
}
}


The FacebookLoginServlet then becomes much simpler – basically just use’s Shiro’s login mechanism.
package uk.co.mrdw.shiroexp.servlets;

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;

import uk.co.mrdw.shiro.facebook.FacebookToken;

/**
* Simple Facebook Login Handling, doesn't actually do anything except display page confirming login
* successfull.
*
*
* @author Mike
*
*/
public class FacebookLoginServlet  extends HttpServlet {

private static final long serialVersionUID = 1L;

protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
System.out.println("FacebookLoginServlet getting..");

String code = request.getParameter("code");
FacebookToken facebookToken = new FacebookToken(code);
try{
SecurityUtils.getSubject().login(facebookToken);
response.sendRedirect(response.encodeRedirectURL("index.jsp"));
}
catch(AuthenticationException ae){
throw new ServletException(ae);
}
}

/**
* @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse
*      response)
*/
protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException,
IOException {
System.out.println("Unexpected doPost ...");
}
}


I’ve added a few lines to index.jsp, just to give some feedback on the result of the login via facebook
<%@ page import="org.apache.shiro.SecurityUtils"%>
<%@ page import="org.apache.shiro.subject.PrincipalCollection"%>

...

Is authenticated? <%= SecurityUtils.getSubject().isAuthenticated() %>
Principal:<%= SecurityUtils.getSubject().getPrincipal() %>
Principals:
<% PrincipalCollection principalCollection = SecurityUtils.getSubject().getPrincipals();
if(principalCollection!=null){
for(Object principal : principalCollection.asList()){
//request.out.println(""+principal +"");
%><%=principal %><%
}
}
%>

which ends up with output like this

Is authenticated? true

Principal:121212121

Principals:

121212121

Mike Warren

And that’s it – have just tested it and it works, I can login via facebook and get access to the “secure” page, get a display of the facebook ID as the principal, and can logout via the standard logout link.

Think I may need to read up on Principals and Roles a bit to see how to integrate shiro authorization capabilities with what I’ve got, but it may be that this is enough for my currrent needs.
I have a few doubts about whether this is the right way to use Shiro, so may well post a follow up post – “Using Shiro properly” to correct mistakes here.

Using Apache Shiro Security to allow login via Facebook – part 1

mrmikewarren — Mon, 28 Nov 2011 12:53:01 +0000

Background

Having got Facebook login working for my message board project in a quick and dirty way I decided to try and switch to using Apache Shiro for my security needs. This should hopefully mean I end up with something a bit more maintainable that could be extended without ending up with a custom made mess.

I’ve now got Shiro working in the message board project, and it has been pretty straighforward to get it running wityh a database tables of users,roles and passwords (encyrpted of course). After looking at the documentation on the Apache Shiro site I’d recommend the tutorial by Bruce Phillips http://www.brucephillips.name/blog/index.cfm/2009/4/5/An-Introduction-to-Ki-formerly-JSecurity–A-Beginners–Tutorial-Part-1

Next step was to allow login via facebook (hoping to add other logins for twitter, google etc. soon) . I have a rough version of facebook login using Shiro working on my message board, but I’m not 100% sure about my approach, so rather than steam ahead with what I’ve done I’m going to try taking a step back and add facebook login to the tutorial project Bruce Phillips has created. At least then I can use this for demonstrating to others what I’ve done, which may be useful for anyone else trying something similar, and also have a simple project that I can experiment with without worrying about other distractions.

So bear in mind that this is my first rough stab at Facebook login with Shiro, I’m new to Shiro and to OAuth/Facebook login, so may well be setting a bad example, if so hopefully I’ll learn and be able to post a follow up with a better way of doing it. Basically feel free to copy stuff hear, but don’t blame me if it’s wrong.

I got some inspiration from Tynamo , which is a Tapestry module for doing exactly this

http://tynamo.org/tynamo-federatedaccounts+guide

which I came accross in the Shiro user forum here

http://shiro-user.582556.n2.nabble.com/Advice-on-Shira-with-FB-Connect-Session-Clustering-Efficiency-td6832777.html

Adding Facebook Login to “Somesecurity” Tutorial App

So copied the “somescurity” project in Eclipse to a new ShiroFacebook project ( found I had to go to “project->properties->Web Project Settings” and change the context root).

Create a Facebook App

This requires you to have URL where the app will be deployed.

In Facebook https://developers.facebook.com/apps select development, and create an App.

First you need to come up with a display name and a namespace for the app.

Then in the Website “I want to allow people to log into my website using Facebook” section you need to provide the URL for your app.

You should then have an App ID, and an App Secret for your application – make a note of these.

Add Login Via Facebook Link

Next add a login via facebook link on index.jsp , which will be like this.

https://www.facebook.com/dialog/oauth?client_id=123456789012345&redirect_uri=http://www.somesite.co.uk/shirofb/FacebookLogin

Where an “App ID” of 123456789012345 and the application will be running at http://www.somesite.co.uk/shirofb .

Create FacebookLogin Servlet

Now we need to create a FacebookLogin servlet to handle the redirection from Facebook.

I found this blog post very helpful:

http://www.richardnichols.net/2010/06/implementing-facebook-oauth-2-0-authentication-in-java/

So from Richard Nichol’s blog above and reading Facebook documentation I’ve ended with the follow servlet .

Facebook sends a request to this servlet after a user has clicked on the facebook login link on our index.jsp, this request contains a code which is used in the authenticate method to request an access token from facebook, which can be used to get details (id, name etc. ) of the user who has logged in. The Servlet then just prints out a simple piece of html to display the users details, or an error message.

package uk.co.mrdw.shiroexp.servlets;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.MalformedURLException;
import java.net.URL;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
* Simple Facebook Login Handling, doesn't actually do anything except display page confirming login
* successfull.
*
*
* @author Mike
*
*/
public class FacebookLoginServlet  extends HttpServlet {

private static final long serialVersionUID = 1L;

/**
* Properties will be as follows, but with values for this app.
* fbAppSecret=1a234bc1234d1234e1f123g1234567g1
* fbAppId=123456789012345
* fbLoginRedirectURL=http://www.yoursite.co.uk/shirofb/FacebookLogin
*/
private static final Properties props = new FacebookProperties().getProperties();

private static final String APP_SECRET = props.get("fbAppSecret").toString();
private static final String APP_ID = props.get("fbAppId").toString();
private static final String REDIRECT_URL = props.get("fbLoginRedirectURL").toString();

protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
System.out.println("FacebookLoginServlet getting..");

FacebookUserDetails fud = authenticate(request, response);

if (fud != null) {
response.getWriter().write("Facebook Logged In
"+fud.toString()+"");
response.getWriter().flush();

} else {
try {
System.out.println("fb log in failed");
String errorReason = request.getParameter("error_reason");
String error = request.getParameter("error");
response.getWriter().write("fb login failed" +
" reason:"+errorReason+" error:"+error+"");
response.getWriter().flush();

return;
} catch (Exception e) {
e.printStackTrace();
}
}
}

/**
* @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse
*      response)
*/
protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException,
IOException {
System.out.println("Unexpected doPost ...");
}

/**
* Makes call to Facebook to get access_token, and then to get id, name etc.
* for the facebook user relating to that token. Returns FacebookUserDetails
* object for that user, or null if unable to complete authentication.
*
* @param request
* @param response
* @param code
* @return FacebookUserDetails
* @throws MalformedURLException
* @throws IOException
*/
private FacebookUserDetails authenticate(HttpServletRequest request, HttpServletResponse response)
throws MalformedURLException, IOException {
FacebookUserDetails fud = null;
String code = request.getParameter("code");
if (code != null && code.trim().length() > 0) {
URL authUrl = new URL("https://graph.facebook.com/oauth/access_token?" + "client_id="
+ APP_ID + "&redirect_uri=" + REDIRECT_URL + "&client_secret="
+ APP_SECRET + "&code=" + code);

String authResponse = readURL(authUrl);
System.out.println(authResponse);

try {
String accessToken = getPropsMap(authResponse).get("access_token");
URL url = new URL("https://graph.facebook.com/me?access_token=" + accessToken);
String fbResponse = readURL(url);

System.out.println(fbResponse);

fud = new FacebookUserDetails(fbResponse);

} catch (Throwable e) {
e.printStackTrace();
throw new RuntimeException(e);
}
}
return fud;
}

private String readURL(URL url) throws IOException {
ByteArrayOutputStream baos = new ByteArrayOutputStream();
InputStream is = url.openStream();
int r;
while ((r = is.read()) != -1) {
baos.write(r);
}
return new String(baos.toByteArray());
}

private Map getPropsMap(String someString) {
String[] pairs = someString.split("&");
Map props = new HashMap();
for (String propPair : pairs) {
String[] pair = propPair.split("=");
props.put(pair[0], pair[1]);
}
return props;

}

/**
* Simple class for holding data relating to a facebook user
* currentyl just holds jsonString, but could have extra properties added backed by the json
* e.g. id, firstName, lastName, link ,education[], etc.
*
* @author Mike
*
*/
class FacebookUserDetails {

// jsonString Expected to be something like this, although I'm sure it used to include
// email
// {
// "education": [{
// "school": {
// "id": "123456789012345",
// "name": "University of Sheffield"
// },
// "type": "Graduate School",
// "with": [{
// "id": "123456789",
// "name": "Daffy Duck"
// }]
// }],
// "first_name": "Mike",
// "id": "121212121",
// "last_name": "Warren",
// "link":
// "http://www.facebook.com/profile.php?id=121212121",
// "locale": "en_US",
// "name": "Mike Warren",
// "updated_time": "2011-08-15T14:51:05+0000",
// "verified": true
// }
private String jsonString;

FacebookUserDetails(String fbResponse){
jsonString = fbResponse;
}

public String toString(){
return jsonString;
}
}

}

… Next Part 2 Making use of Shiro