Announcement Announcement Module
No announcement yet.
spring social console application with main method Page Title Module
Move Remove Collapse
Conversation Detail Module
  • Filter
  • Time
  • Show
Clear All
new posts

  • spring social console application with main method

    Hi all,

    I am trying to figure out the spring social and OAuth authentication. In order to do this I cloned the sample project form git clone git:// and I used spring-social-quickstart as I starting point.

    I loded the appication context and I started creating the FacebookConnectionFactory. Everything is going well til I bumped in to the HttpServletResponse line. I don't really want to use this to build web application where users can login to their accounts by using my application. Instead I need this for the custom cms that I am building, in which the content editors would be able to push content to social sites like Facebook, LinkedIn... For example to their company's Facebook profile. This should be done by cms, automatically without further interaction required from the content editors.

    Here is where I am stuck:

    FacebookConnectionFactory connectionFactory = 
        new FacebookConnectionFactory("clientId", "clientSecret");
    OAuth2Operations oauthOperations = connectionFactory.getOAuthOperations();
    OAuth2Parameters params = new OAuth2Parameters();
    String authorizeUrl = oauthOperations.buildAuthorizeUrl(GrantType.IMPLICIT_GRANT, params);
    response.sendRedirect(authorizeUrl); // do I need this?
    // upon receiving the callback from the provider:
    AccessGrant accessGrant = new AccessGrant(accessToken); // I need this token too. Don't know how to get it.
    Connection<Facebook> connection = connectionFactory.createConnection(accessGrant);
    How can I achieve Facebook connection and the ability to post something on my own wall directly from a java console application? Is this even possible in spring social?

  • #2
    anyone? (10 characters)


    • #3
      Sorry for the delayed response. But to be fair, you did ask it on the weekend and I'm sure most of us (me included) were enjoying that time away from the computers.

      So, you're looking to pushing to a company's Facebook page instead of a user's own page. To do that you'll need what Facebook calls a "Page Access Token"...and the only way (that I know of) to get a page access token is to fetch it from the profile of a user who is authorized to publish to that page. So, you'll still need to do the standard connection to get an access token for your CMS users. Then from that you can use methods in the PageOperations interface to work with stuff at a page level...under the covers, PageTemplate will retrieve the page access token for the user (if they are authorized) and use it.

      I see that you're using the low-level OAuth 2 stuff that Spring Social there a reason you chose to do that instead of using ConnectController? Assuming that you're building a web application, ConnectController can handle all of that redirection stuff for you and create connections on behalf of your users. It would be essentially the same arrangement as what you see in the Spring Social Showcase sample. The only *minor* difference is that you'd use stuff in PageOperations to publish to pages.

      If you're not building a web app (let's say your CMS is a desktop app) then you would need to use Resource Owner Credentials Grant to obtain the access token for the user...I can help you with that, too if that's what you want...but I'll spare you the details until I know that's what you're trying to do.

      In short, in order to publish to a page, you'll need to get a page access token. Each user who is authorized to publish to the page is given their own page access token. But if you're using Spring Social's Facebook API binding you don't need to worry about that...just get a regular access token for that user and the operations provided by PageOperations/PageTemplate will deal with obtaining a page access token transparently.


      • #4
        no worries, I am aware that it was weekend.
        I will start by explaining what I am trying to build. It is indeed a web application which will serve as CMS. What they want is ability to optionally push some of their articles/content to their company's social accounts/pages. There is not going to any functionality for their visitors to login on their website true some of the social providers. That is why I don't need the ConnectController to do this.

        The reason that I started exploring spring social by using this low level authentication stuff is because I was not able to find any example how to get this basic functionality that some social sites provide, by using spring social. All of the examples are centered about fancy stuff that social sites provide. I guess the reason for that is very simple, those functionality's are more complex to integrate in an web application.

        Anyway I did some digging in spring social java doc and found out that it actually pretty strait forward to achieve what I want by using spring social.
        taadaa... this is it!

        public static void main(String[] args) {
        TwitterTemplate twitterTemplate = new TwitterTemplate(API_KEY, API_SECRET, ACCES_TOKEN, ACCES_TOKEN_SECRET);
        twitterTemplate.timelineOperations().updateStatus( "hello there");


        As you can see, it is just basic stuff that I want. In this case is that a tweet on my own twitter account.
        Anyway, thank you for your help and your offer to help me even further but, if the Facebook template is anywhere near, as simple as this I think I will manage to do it without bordering you any further. If not you will hear form me .

        Once I am done whit this project I will write a tutorial on how to do this basic stuff with spring social, it may be useful to other, noobs like me. If you don't mind, I can send it to you and maybe you can put it on some of the spring related sites or even documentation.
        Anyway thanks again for your time.

        p.s. sorry for the bad English.


        • #5
          That's great that you figured this out. FacebookTemplate is even simpler because all you need to give it is your access token. My question for you, however, is how are you going to get that access token?

          I wasn't anticipating that you'd use ConnectController for visitors to create connections with...I was thinking that your content creators would use it to create a connection to their Facebook profile, which in-turn would create a FacebookTemplate for you from the access token on the connection. From there, the internals of FacebookTemplate can use that token to obtain the page access token needed to publish to a page.

          So, my question remains: How will you obtain the access token needed to construct FacebookTemplate? I can think of several ways, but I'm curious which approach you'll be taking.


          • #6
            BTW, it just occurred to me that I didn't address the 2nd part of your last post: By all means, please write up anything you see fit for Spring Social. I'm always excited to see community-written articles and will be happy to link to it from the Spring Social homepage.


            • #7
              I am really sorry for the late reply. I am doing this between full time job and evening classes. I hope you understand.

              Back to the subject:

              I did some homework on my own about facebook api. They indeed do not provide access token to access your own account as twitter does. At least not directly. I found out that there is a way to get user access token, for your facebook application, by using Facebook's: Graph API explorer.

              This is what I did:

              1. Create app on Facebook's api pages.
              2. go to Facebook Graph API explorer: Home › Tools › Graph API explorer
              3. press on "Get access token"
              4. In the popup window, select the rights that you would like to have and within this popup window, click again on: "Get access token" button.
              5. In second pop-up window, login to your user account and click on "allow" button. Popup window will close and you will see your access token string in the original Graph API explorer window.

              From here on I can use FacebookTemplate. I suppose that this is sufficient to have my app make posts on my profile and/or pages for which I have rights to post to, considering that I selected all the possible rights, by using Graph API explorer?

              I am also wondering if there is a time limit on this access token that I just retrieved. Do you have any idea?

              Just to be clear. This is the scenario: Company already has one user profile which they use. This is not a co-worker bounded profile. I will just use this profile to retrieve the access token from Graph API explorer, with necessary rights, to post on that profile and/or page for which this profile has rights to post to. Access token will be hard coded in some properties file.

              What do you think?


              • #8
                I just found out that this is not going to work because, offline_access is being deprecated by Facebook.


                • #9
                  First, I do not believe your one-user profile to represent the company is the way Facebook intends you to do this. I could be wrong, but you may want to review Facebook's policies on this. I only suggest this to you, because Facebook typically frowns on accounts being created that are not tied to a real human and if they find out they will terminate that account. (I've seen this done in the case where someone creates an account for no other reason than to test the Facebook API; they have a separate process for that scenario.)

                  I believe the correct approach is the one I outlined above: That is, you have a real human user on Facebook who is authorized to publish to the company's page. In that scenario you must get the page access token for that user. And the only way to do that is to first get that user's token and to retrieve it from their "accounts" (which is what the stuff in PageOperations does for you under the covers).

                  As for the offline_access deprecation, yes I'm aware of that. Currently (as long as your app doesn't have the offline_access deprecation set yet) tokens expire after 2 hours and you can only get a new token by going through the authorization process again (which is exactly what you did in the Graph API explorer). After the deprecation is enforced in July, tokens obtained on server-side apps will have a 60-day expiration and (as I understand it) will only be able to get a new token by going through the authorization process again. Note that as long as the user has not revoked authorization, then they will not be prompted with the authorization screen again and instead Facebook will immediately redirect back to the app with a new authorization code that can be exchanged for a fresh access token.

                  FWIW, I have also done what you do to quickly get an access token via the Graph API Explorer...but I only use it for quick-n-dirty testing and would never consider using that for a real production app (which should be going through the official Facebook-sanctioned process). Furthermore, if you *do* get an access token via the Graph API Explorer (I'm still not recommending this), you should be sure to request the token for your default the token will be granted for the Graph API Explorer itself.


                  • #10
                    You are right, I should not be using user profile to represent the company. I will just use the scenario that you outlined earlier for retrieving the access_token for a user, with the help of ConnectController... User will have the rights to post on the company's page.
                    Thanks for your help. I think that I will be able to realize this. Cheers.


                    • #11
                      habuma, I'm not sure that I agree with your assessment that Facebook frowns on a profile tied to a company -- look at the CNN page on Facebook (there are tons of other companies as well, ESPN, NFL, Marvel, Google, etc.), they have their own page where they push content to. Why can't other companies who provide content do the same thing? That's what I am trying to set up. In a nutshell, I have content (stories) stored in my application and I'd like for a content administrator to be able to selectively post that content to one of their pages (since companies can have multiple interest-related pages). The content from the application could be selectively posted to those pages associated with the company's account. It would be nice to have a Spring Social sample whereby you have an application that establishes a connection to their account, then can post that content to a page. The application should not require the end-user to connect to Facebook with their credentials in a session, rather the application would establish that connection and the connections would be stored as singletons to be used whenever posting content. Actually, you would want the application to also allow for the administrator to manage and update the OAuth token and store the updated credentials in a database. Is there any example of how this can be done using Spring Social?
                      Last edited by jack.white; Jan 6th, 2013, 08:37 AM.


                      • #12
                        See Specifically the text under "Why should I convert my personal account to a Facebook Page?":

                        Since personal accounts are meant for individual people, they aren't suited to meet your business needs.
                        Pages offer more robust features for organizations, businesses, brands and organizations.

                        Maintaining a personal account for anything other than an individual person is a violation of Facebook's Statement of Rights and Responsibilities. If you don’t convert your noncompliant account to a Page, you risk permanently losing access to the account and all of its content.
                        So, yeah...I do think Facebook frowns on that.

                        On the surface, the CNN page looks just like any other profile page...but it's not. It's a company page on Facebook, which was setup by someone who is a Facebook user (and is likely employed by CNN). From a visitor's point of view, the distinction is trivial. But internally, a company profile page is a very different thing than a user profile page. That's all I was saying: That you shouldn't use a *user* profile page to represent a company. Instead you should setup a company profile page.

                        You do that by logging into Facebook and then going to From there you can create all kinds of pages, including one that represents your company. This is fairly basic Facebook usage--I've done it myself for some special interest pages such as and (although I've not done much with those).

                        When you post to your *user* profile page, you simply provide a user access token and you post to /me/feed. But when you post to any other kind of page (such as a company page), the client must obtain a second access token for the user; one that allows that user to post to that page. And that user must have been granted authority to do so. But when they post, they post on behalf of the company/organization/etc not on their own behalf. There are currently no examples of such interaction, but I suppose it would be useful.

                        Again, you're perfectly welcome to try to setup a *user* profile and have it represent a company. You might get away with it. But I caution you, because Facebook often reviews those kinds of profiles and disables them if they feel they violate their usage rules.

                        Besides, the approach I outlined above is better because it pushes much of the security for that brand page to be handled by Facebook. You can have one or more admins allowed to post to the page and easily revoke that permission for any given user without upsetting the permission for any other users.


                        • #13
                          I understand what you're saying, I'm sure you know this much better than I, still I believe that is a subtle distinction. In reality (very likely), the "user" who maintains the CNN pages (because there are multiple domain specific pages in addition to the main CNN page) is a pseudo-individual. I might be wrong, but it would seem unlikely that companies such as CNN would have their pages owned, in essence, by an employee who could leave. Even if they have multiple administrators who could continue posting on their behalf, what's to stop the owner from hijacking the CNN pages after they leave?
                          Still, I will march forward following the path that you outlined above as it is clear from your elegant explanation that that is the proper process to follow to remain within Facebook guidelines (again, thanks for the detailed explanation). Given the scenario we have outlined, it would be enormously helpful if you could add such a use case to the spring social sample projects that your team has developed. Many thanks for the spring-social package, we are making use of it in other scenarios in our application.


                          • #14
                            Originally posted by jack.white View Post
                            Even if they have multiple administrators who could continue posting on their behalf, what's to stop the owner from hijacking the CNN pages after they leave?
                            Well, assuming that they have multiple administrators, one of the other administrators could remove the original creator as an administrator and block them from hijacking the page. The creator isn't necessarily the owner. I could be wrong, but I believe that if I created a page and assigned you as a co-administrator, you could turn around and remove me as an admin, thus transferring control completely away from me.

                            Even then, I'm certain that Facebook would (per some of their other policies regarding brands and trademarks) ensure that CNN retain ownership of that page. Of course, if that failed, then there are always legal remedies for such behavior (but I doubt it would go that far).