When Facebook sends real-time updates, they include an X-Hub-Signature in the HTTP header. According to their documentation, they’re using SHA1 and the application secret as the key. Based on a similar question for C#, I tried to verify the signature like this (‘body’ is the message sent by Facebook in the body of the request):