When Facebook sends real-time updates, they include an X-Hub-Signature in the HTTP header. According to their documentation, they're using SHA1 and the application secret as the key.
Based on a similar question for C#, I tried to verify the signature like this ('body' is the message sent by Facebook in the body of the request):
import java.nio.charset.Charset;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import org.apache.commons.codec.binary.Hex; // Apache Commons Codec
String passedSignature = req.getHeader("X-Hub-Signature").substring(5); // strip the "sha1=" prefix
Mac hmac = Mac.getInstance("HmacSHA1");
hmac.init(new SecretKeySpec(FACEBOOK_SECRET.getBytes(Charset.forName("UTF-8")), "HmacSHA1")); // app secret is the HMAC key
String calculatedSignature = Hex.encodeHexString(hmac.doFinal(body.getBytes(Charset.forName("UTF-8")))); // lowercase hex digest
logger.debug("Calculated sigSHA1: " + calculatedSignature + " passedSignature: " + passedSignature);
But the passedSignature is always different from the calculatedSignature.
Can anybody help solve the problem?
Turns out the code is correct, I was using the wrong key :-/
Anyway, I hope this could help somebody else.
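The verification described above, written out as a self-contained example. This is added code, not the asker's snippet and not Facebook's own library; the app secret and request body are constructed sample values. It keeps the same HMAC-SHA1-over-body, app-secret-as-key scheme, and adds the two checks a practitioner wants: the digest is computed over the raw body bytes as read from the request (not over a String that has been decoded and re-encoded, which can change the bytes), and the comparison is done with MessageDigest.isEqual so that a mismatch does not leak, through timing, how many leading bytes of the digest were right. The "sha1=" prefix is parsed explicitly instead of assumed via substring(5).

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Locale;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class HubSignatureVerifier {

    private static final String PREFIX = "sha1=";

    /** Hex-encodes bytes as lowercase, the format used in X-Hub-Signature. */
    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    /** Computes "sha1=" + HMAC-SHA1(appSecret, rawBody) in hex, i.e. the expected header value. */
    static String sign(byte[] rawBody, byte[] appSecret) throws GeneralSecurityException {
        Mac hmac = Mac.getInstance("HmacSHA1");
        hmac.init(new SecretKeySpec(appSecret, "HmacSHA1"));
        return PREFIX + toHex(hmac.doFinal(rawBody));
    }

    /**
     * Returns true only if header is "sha1=<hex>" and the hex digest matches the
     * HMAC-SHA1 of rawBody. rawBody must be the bytes read from the request
     * input stream, not a String that was decoded and re-encoded.
     */
    static boolean verify(byte[] rawBody, String header, byte[] appSecret) throws GeneralSecurityException {
        if (header == null) {
            return false; // no signature at all: reject
        }
        String normalized = header.trim().toLowerCase(Locale.ROOT);
        if (!normalized.startsWith(PREFIX)) {
            return false; // missing prefix or an algorithm we do not accept
        }
        byte[] expected = sign(rawBody, appSecret).getBytes(StandardCharsets.US_ASCII);
        byte[] presented = normalized.getBytes(StandardCharsets.US_ASCII);
        // MessageDigest.isEqual compares in constant time for equal-length inputs,
        // so a timing difference cannot reveal how much of the digest matched.
        return MessageDigest.isEqual(expected, presented);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed sample values; a real app secret comes from the app's settings
        // and must never be logged.
        byte[] secret = "example-app-secret".getBytes(StandardCharsets.UTF_8);
        byte[] body = "{\"object\":\"page\",\"entry\":[{\"id\":\"1\",\"changes\":[]}]}"
                .getBytes(StandardCharsets.UTF_8);

        // The header value the sender would produce for this body with this secret.
        String header = sign(body, secret);
        System.out.println("genuine body:   " + verify(body, header, secret));

        // Same header, different body: the digest no longer matches.
        byte[] tampered = "{\"object\":\"page\",\"entry\":[]}".getBytes(StandardCharsets.UTF_8);
        System.out.println("tampered body:  " + verify(tampered, header, secret));

        // Same digest presented under a different algorithm prefix: rejected before comparison.
        System.out.println("wrong prefix:   " + verify(body, "sha256=" + header.substring(5), secret));

        // Wrong key (the asker's actual problem): the digest differs, verification fails.
        byte[] wrongSecret = "some-other-secret".getBytes(StandardCharsets.UTF_8);
        System.out.println("wrong secret:   " + verify(body, header, wrongSecret));
    }
}
```

In a servlet, obtain rawBody by reading request.getInputStream() fully before any framework parses it; if the body has already been consumed as a String, re-encoding it with a different charset than the sender used is a common reason for a mismatch that has nothing to do with the key.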