I'm writing an EAI (External Authentication Interface) solution that provides Login/Logout pages for some applications
We currently have a F5 load balancer which sits in front of two WebSEAL 6.1 reverse proxies which then balance requests between two applications running on WebSphere Application Server 8.0.0.10
The login pages are being served from a JSF 2.0.6 application and are using client state saving so that we don't have session timeouts
The pages are also using request scoped beans as to be as close to stateless as possible as I can't use JSF 2.2 to use a real stateless flag
We have found an issue with the following scenario and are struggling to come up with a solution
We are using the OmniFaces FullAjaxExceptionHandler to catch the View Expired error that is generated on Step 2
We are also able to recreate the error by forcing WebSEAL to redirect the traffic between the two WebSphere servers and simulate the scenario
This issue seems to be because the view state from one WebSphere server is not compatible with the other WebSphere server, which makes sense
For our purposes we only really need the submitted form details in order to login the user, the view state isn't required from our side
Is there a way to make the client view state from one server compatible or work with the other server?
Any help with this issue would be appreciated.
I'm not sure if I'm allowed to answer my own question, but I did find a solution that works for us.
We have used the OmniFaces enableRestorableView tag to reconstruct the view when it is damaged/missing in these situations.
http://showcase.omnifaces.org/taghandlers/enableRestorableView
In both of our test cases of forcing a break and tampering with the view state in the page the tag allows our application to proceed using the form parameters