【Global Acquiring】
1. Android WebView Settings Reference Code
```java
import android.content.Context;
import android.os.Build;
import android.webkit.CookieManager;
import android.webkit.WebSettings;

// Fragment: runs inside a Context such as an Activity, with mWebView already assigned.
WebSettings webSettings = mWebView.getSettings();
webSettings.setJavaScriptEnabled(true);
webSettings.setSupportMultipleWindows(true);
webSettings.setJavaScriptCanOpenWindowsAutomatically(true);
// Enable plugins (e.g. Flash); deprecated in API 18.
webSettings.setPluginState(WebSettings.PluginState.ON);
// Allow zooming, but do not display the on-screen zoom controls.
webSettings.setBuiltInZoomControls(true);
webSettings.setSupportZoom(true);
webSettings.setDisplayZoomControls(false);
// Keep the WebView font size independent of the phone's font size setting.
webSettings.setTextZoom(100);
webSettings.setSaveFormData(true);
webSettings.setUseWideViewPort(true);
webSettings.setLoadWithOverviewMode(true);
// Allows the WebView to load file:// URLs.
webSettings.setAllowFileAccess(true);
if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP) {
    // Lets HTTPS pages load HTTP sub-resources.
    webSettings.setMixedContentMode(WebSettings.MIXED_CONTENT_ALWAYS_ALLOW);
    // The first argument is the WebView, not the Activity.
    CookieManager.getInstance().setAcceptThirdPartyCookies(mWebView, true);
}
if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN) {
    // Lets JavaScript in file:// pages access content from any origin.
    webSettings.setAllowUniversalAccessFromFileURLs(true);
}
// Application Cache API: deprecated, and removed from the SDK in API 33.
webSettings.setAppCacheEnabled(true);
String appCacheDir = getDir("cache", Context.MODE_PRIVATE).getPath();
webSettings.setAppCachePath(appCacheDir);
webSettings.setAppCacheMaxSize(1024 * 1024 * 20);
webSettings.setDomStorageEnabled(true);
webSettings.setDatabaseEnabled(true);
webSettings.setCacheMode(WebSettings.LOAD_DEFAULT);
// Remove JavaScript interfaces that older Android versions expose by default.
try {
    mWebView.removeJavascriptInterface("searchBoxJavaBridge_");
    mWebView.removeJavascriptInterface("accessibility");
    mWebView.removeJavascriptInterface("accessibilityTraversal");
} catch (Exception e) {
    // Removal is best-effort; ignore failures.
}
if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP) {
    mWebView.enableSlowWholeDocumentDraw();
}
```

2. Signature Verification Failure Issues
- Ensure the same key pair is used for signing and verification: Check whether the public key and private key are paired. Confirm that the public key provided by Payloco is used for signature verification.
- Verify data consistency: Output the data to be signed in logs before signing and verification, and compare whether the two are exactly the same. Check if the original request body has been modified (spaces/line breaks/encoding). Note that line break characters vary between different platforms (Windows/Linux).
- Ensure the same algorithm is applied: Check if the algorithm strings used for signing and verification in the code are completely consistent. Make sure the signature algorithm SHA256withRSA is adopted.
- Check encoding handling: Ensure that both parties use the same encoding method when encoding conversion (e.g., Base64) is required.
- Standardize data format: For example, serialize JSON data in compact mode (removing unnecessary spaces) or with a standardized serialization (e.g., sorting by field names), so that both parties sign and verify the same bytes.
- Enable debugging logs: Print logs at key steps, such as data to be signed, signature results, data and signatures during verification, for comparison.
- Use standard libraries and standardized implementations: Avoid self-implementing complex signature processes; adopt mature libraries and tools instead.
- Incorrect private key format (PKCS#8 format is mandatory).
- The X-Signature parameter is not carried in the request header.
- Framework configuration pitfalls:
  - Filter order issues: In the Spring framework, if the signature verification filter is executed before the CharacterEncodingFilter, the request body may become invalid after being read multiple times.
  - Parameter parsing interference: The request body automatically parsed by the framework (e.g., via @RequestBody) may have modified the original data (e.g., date formatting).
  - Differences in HTTP tool behaviors: When using HttpServletRequest.getParameter() to read parameters, if the Content-Type is not application/x-www-form-urlencoded, the return value may be null.
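
The data-consistency, algorithm, encoding and key-format checks above can be reproduced with the JDK's own classes. This is an added example, not Payloco's code: the class name, the JSON bodies and the throwaway key pair are constructed, and carrying the signature as Base64 in X-Signature is an assumption. It signs one body with SHA256withRSA, then verifies three received variants and logs a byte count and SHA-256 fingerprint of each, so a whitespace or line-break change shows up as a different fingerprint and a failed verification.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;

public class SignatureMismatchDemo {
    static final String ALGORITHM = "SHA256withRSA"; // one constant for both sides

    static String sign(byte[] body, PrivateKey key) throws GeneralSecurityException {
        Signature s = Signature.getInstance(ALGORITHM);
        s.initSign(key);
        s.update(body);
        return Base64.getEncoder().encodeToString(s.sign());
    }

    static boolean verify(byte[] body, String signatureB64, PublicKey key) throws GeneralSecurityException {
        Signature s = Signature.getInstance(ALGORITHM);
        s.initVerify(key);
        s.update(body);
        return s.verify(Base64.getDecoder().decode(signatureB64));
    }

    // Fingerprint of the exact bytes, for comparing signer and verifier logs.
    static String fingerprint(byte[] body) throws GeneralSecurityException {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(body);
        StringBuilder sb = new StringBuilder();
        for (byte b : d) sb.append(String.format("%02x", b));
        return body.length + " bytes, sha256=" + sb;
    }

    public static void main(String[] args) throws Exception {
        // Constructed throwaway key pair, standing in for the real merchant/provider keys.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair pair = gen.generateKeyPair();
        KeyFactory kf = KeyFactory.getInstance("RSA");
        // Load keys from their encodings: PKCS#8 for the private key, X.509 for the public key.
        PrivateKey priv = kf.generatePrivate(new PKCS8EncodedKeySpec(pair.getPrivate().getEncoded()));
        PublicKey pub = kf.generatePublic(new X509EncodedKeySpec(pair.getPublic().getEncoded()));
        String sent = "{\"amount\":\"10.00\",\"orderId\":\"A1\"}";            // constructed compact body
        String reserialized = "{\"amount\": \"10.00\", \"orderId\": \"A1\"}"; // same data, re-serialized
        String crlf = sent + "\r\n";                                          // trailing Windows line break
        String xSignature = sign(sent.getBytes(StandardCharsets.UTF_8), priv);
        for (String received : new String[] {sent, reserialized, crlf}) {
            byte[] raw = received.getBytes(StandardCharsets.UTF_8);
            System.out.println(fingerprint(raw) + " verified=" + verify(raw, xSignature, pub));
        }
    }
}
```

Only the byte-identical body verifies, which is why the verifier should read and check the raw request bytes before any framework parsing or re-serialization touches them.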