EJBCA / ECA-3619

Wrong administrator removed from role when deleting at the same time with two separate CA admins

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: EJBCA 6.1.3
    • Fix Version/s: EJBCA 6.2.9
    • Component/s: CA GUI
    • Labels:
    • Issue discovered during: Customer

      Description

      A wrong administrator will be removed from a role in cases where multiple operators are removing them at the same time. This could cause some severe problems in case those are super-admins, practically locking out users from the EJBCA installation (in combination with disabling the CLI access).

      Reproduction steps:
      1. Log in to the EJBCA Admin GUI as different EJBCA administrators from two different browser instances.
      2. Open page System Functions -> Administrator Roles in the first browser.
      3. Create a new role named "Test Role".
      4. Click on the administrators link for "Test Role".
      5. Add (for example) 4 administrators to "Test Role", using certificate serial number matching, with serials being 1, 2, 3, and 4.
      6. Open page System Functions -> Administrator Roles in the second browser.
      7. Click on the administrators link for "Test Role".
      8. Delete the administrator with serial number "1" in the first browser by clicking on the delete link next to it.
      9. Delete the administrator with serial number "1" in the second browser by clicking on the delete link next to it.

      Expected results:
      1. Administrator with serial number "1" was removed from the "Test Role".
      2. An error/warning has been displayed when attempting to remove the administrator with serial number "1" from the "Test Role" in the second browser (maybe with small explanation that it could've been removed in some other session?).

      Actual results:
      1. Two administrators ended up being removed: one with serial number "1", and one with serial number "2".

      Additional information:
      Initially I produced this bug using two tabs in the same browser, but then I switched to using separate browsers and admins (just to test a more realistic case). I think the problem is probably in the way deletion is submitted to EJBCA (say, by sending an index number instead of, say, the actual serial number or whatever).

      Cause:
      RolesManagedBean is request-scoped and JSF apparently deletes by index after re-fetching the list of admins (by fetching the role) just before the deletion is executed.
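As an added illustration (hypothetical code, not from EJBCA or from this report), the following simulates the race in the reproduction steps: two sessions load the same admin list, then each submits "delete serial 1". A handler that deletes by position, which is what the Cause section describes, removes admins 1 and 2; a handler that identifies the entry by its certificate serial removes only admin 1 and rejects the second, stale request with the kind of warning the expected results ask for. The names Role, handle_delete and reproduce are assumptions.

```python
# Hypothetical simulation of the ECA-3619 race, not EJBCA code.

class StaleSessionError(Exception):
    """A delete request refers to an admin no longer in the role."""

class Role:
    """Server-side role state shared by all sessions (constructed sample)."""
    def __init__(self, serials):
        self.admins = list(serials)

def handle_delete(role, request):
    """Server side: apply one delete request against the *current* role."""
    kind, value = request
    if kind == "index":
        # Buggy behaviour from the Cause section: the request-scoped bean
        # re-fetches the role and deletes whatever now sits at that position.
        del role.admins[value]
    elif kind == "serial":
        # Fixed behaviour: identify the entry by certificate serial and
        # refuse the request if that admin is already gone.
        if value not in role.admins:
            raise StaleSessionError(
                f"admin with serial {value} is not in the role; "
                "it may have been removed in another session")
        role.admins.remove(value)
    else:
        raise ValueError(f"unknown request kind {kind!r}")

def reproduce(by):
    """Replay steps 5-9 with delete-by-index or delete-by-serial requests.
    Returns (remaining admin serials, error messages shown to users)."""
    role = Role([1, 2, 3, 4])                        # step 5: four admins
    views = [list(role.admins), list(role.admins)]   # steps 4 and 7: each browser loads the list
    errors = []
    for view in views:                               # steps 8 and 9
        if by == "index":
            request = ("index", view.index(1))       # client sends a position
        else:
            request = ("serial", 1)                  # client sends an identity
        try:
            handle_delete(role, request)
        except StaleSessionError as exc:
            errors.append(str(exc))
    return role.admins, errors
```

reproduce("index") returns ([3, 4], []), matching the actual results above; reproduce("serial") leaves [2, 3, 4] and reports one stale-session error.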


            People

            Assignee:
            johan Johan Eklund
            Reporter:
            branko Branko Majic (Inactive)
            Verified by:
            Mike Agrenius Kushner
