
We were really happy to see f:websocket in JSF 2.3, as it's an awesome feature that really bridges the gap for stateful applications.

Unfortunately, the implementation seems to be problematic in a load-balanced environment, or worse off in a session-replicated environment.

The problem stems from its use of a series of ephemeral randomized tokens that are unique to each JVM startup. This means if a failover on the backend occurs, the next JVM will not have the same randomized state and will reject the connection attempt.

This sort of clashes with the built-in URL authentication. I don't really need MyFaces to secure inbound websocket requests if the websocket URL is already protected by the container in web.xml. Essentially if an inbound websocket request contains a valid session id, I just need MyFaces to accept the connection. It's a bit complicated with user channels, as f:websocket allows any serializable value to be used as the user-id, but one would hope the default value would look at request.getRemoteUser().

Is there a way to turn all of the tokenization off so f:websocket is usable in a realistic production environment?

Jonathan S. Fisher

0 Answers