I am creating a JavaScript/HTML app. NOT an external iframe app. I will also store data on my own server that the app will access, e.g. player inventories and rankings.
I understand that for my app to request data from my server, I need to use makeRequest with AuthorizationType.SIGNED. Using that, I will receive owner and viewer id parameters, as well as other parameters such as "oauth_signature" and "oauth_nonce".
So my questions are:
1. From what I understand, there really isn't a way to spoof a makeRequest call since it doesn't take any owner or viewer id as a parameter. So, on my server, when I get the signed request, should I be trying to validate the signature? If so, why? (If it is just to make sure the request came from myspace servers, well, I could do that just by filtering incoming requests). Or, if I don't need to validate it, what is the point of all the oauth params?
(If the answer is "yes", does anyone have some Java code to validate the signature?)
2. Do I need any of the parameters to call REST API methods on behalf of the owner? (It doesn't look like a signed makeRequest gives me any kind of "session" key or equivalent, so I'm guessing the answer is "no").
3. Shouldn't a signed makeRequest somehow indicate whether the owner is signed in or not? I tried the following: in Firefox, open my app's iframe (the iframe generated by MySpace) in a new tab. So I have just the app in a tab, without MySpace headers or footers. Then sign out of MySpace. Then refresh my app in the tab page. I still get the same makeRequest request on my server. I.e. as far as my server knows, the owner is still signed in.
Thanks!
Greg
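The server-side check the first question asks about, as an added example that is not part of the original post (and in Python rather than the Java the poster asked for). The owner and viewer ids arrive as ordinary request parameters (opensocial_owner_id, opensocial_viewer_id), so the only thing that ties them to the container, rather than to whoever is holding the URL, is the OAuth 1.0 signature; filtering by source address does not stop a captured request from being replayed, which is what the nonce and timestamp checks below are for. The code assumes the container signs with HMAC-SHA1 using the app's consumer secret (the method actually used is carried in oauth_signature_method; a container that uses RSA-SHA1 would need its public key and an RSA library instead), and every secret, id, URL and timestamp in it is constructed for the demo. The signature base string and percent-encoding follow the OAuth 1.0 specification.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, quote, urlsplit


def _enc(value):
    """OAuth 1.0 percent-encoding: everything except unreserved characters is escaped."""
    return quote(str(value), safe="~")


def normalize_url(url):
    """Scheme and host lower-cased, default ports and query string dropped (OAuth 1.0 rules)."""
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), parts.hostname.lower(), parts.port
    if port and not ((scheme == "http" and port == 80) or (scheme == "https" and port == 443)):
        host = f"{host}:{port}"
    return f"{scheme}://{host}{parts.path or '/'}"


def signature_base_string(method, url, params):
    """METHOD&enc(url)&enc(sorted k=v pairs); oauth_signature itself is never part of the input."""
    pairs = sorted((_enc(k), _enc(v)) for k, v in params if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), _enc(normalize_url(url)), _enc(normalized)])


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    """Signing key is enc(consumer_secret)&enc(token_secret); a signed fetch has no token."""
    key = f"{_enc(consumer_secret)}&{_enc(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def verify_signed_request(method, url, form_params, consumer_secret, seen_nonces,
                          now=None, max_skew=300):
    """Return (ok, reason). seen_nonces must be a shared, persistent store in a real deployment."""
    # Query-string parameters and body parameters are both covered by the signature.
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True) + list(form_params)
    received = dict(params)
    if received.get("oauth_signature_method") != "HMAC-SHA1":
        return False, "unsupported signature method"
    try:
        timestamp = int(received["oauth_timestamp"])
    except (KeyError, ValueError):
        return False, "missing or invalid timestamp"
    now = time.time() if now is None else now
    if abs(now - timestamp) > max_skew:
        return False, "timestamp outside window"
    nonce = received.get("oauth_nonce")
    if not nonce:
        return False, "missing nonce"
    if (nonce, timestamp) in seen_nonces:
        return False, "replayed nonce"
    expected = hmac_sha1_signature(signature_base_string(method, url, params), consumer_secret)
    # Constant-time comparison so a wrong signature is not distinguishable by timing.
    if not hmac.compare_digest(expected, received.get("oauth_signature", "")):
        return False, "bad signature"
    seen_nonces.add((nonce, timestamp))
    return True, "ok"


# --- constructed demo: a stand-in for the container signing, then our server verifying ---
CONSUMER_SECRET = "constructed-app-secret"  # constructed; the real one is issued by the container


def container_sign(method, url, form_params, consumer_secret):
    """Constructed stand-in for the container: sign everything, append oauth_signature."""
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True) + list(form_params)
    sig = hmac_sha1_signature(signature_base_string(method, url, params), consumer_secret)
    return list(form_params) + [("oauth_signature", sig)]


def demo():
    url = "https://example.invalid/inventory?item=sword"  # constructed endpoint
    params = [("opensocial_owner_id", "1001"), ("opensocial_viewer_id", "1001"),
              ("opensocial_app_id", "42"), ("oauth_consumer_key", "constructed-key"),
              ("oauth_signature_method", "HMAC-SHA1"), ("oauth_timestamp", "1700000000"),
              ("oauth_nonce", "n1"), ("oauth_version", "1.0")]
    signed = container_sign("POST", url, params, CONSUMER_SECRET)
    seen = set()
    genuine = verify_signed_request("POST", url, signed, CONSUMER_SECRET, seen, now=1700000100)
    # Same signed request with the owner id rewritten: signature no longer matches.
    tampered = [("opensocial_owner_id", "9999") if k == "opensocial_owner_id" else (k, v)
                for k, v in signed]
    forged = verify_signed_request("POST", url, tampered, CONSUMER_SECRET, set(), now=1700000100)
    # The untouched request sent a second time: rejected by the nonce store.
    replay = verify_signed_request("POST", url, signed, CONSUMER_SECRET, seen, now=1700000100)
    return genuine, forged, replay


if __name__ == "__main__":
    print(demo())
```

On a real server the method, URL and parameters must be taken exactly as received (including any query string the container appended), and the nonce store has to be shared across server instances and expire entries only after the timestamp window has passed, otherwise a replay that lands on a different instance is accepted.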