Grails 7, Removing user still has access.

[arjangch]

Expected Behavior

I stop the app and remove Admin user from BootStrap, i expect Admin user has no access any more.

Actual Behaviour

Even Admin user does exist anymore. I can verify that from H2-DB and in grails-spring-security-ui:7.0.0-RC2 console.
Admin user still has access to the app.

You can go page to page no problem. You are still Amin. Even admin user doesn't exist.

Steps To Reproduce

1. create an app with 'grails-spring-security:7.0.0-RC2' or 'grails-spring-security-ui:7.0.0-RC2'.
2. add Admin user and role from BootStrap.groovy
3. Create an GSP page with tags sec:username/ or <sec:loggedInUserInfo field='username'/>
4. start the app.
5. login with Remember Me checked.
6. All work correctly
7. Don't close browser
8. turn OFF the app
9. remove Admin from BootStrap.groovy
10. Start app
11. go back to browser
12. Shift-Reload browser,
13. tags sec:username/ or <sec:loggedInUserInfo field='username'/> still think you are login as Admin

You can go page to page no problem. You are still Amin. Even admin user doesn't exist.

Environment Information

java=21.0.8-zulu
gradle=8.14.3
groovy=4.0.28
grails=7.0.0-RC2

Example Application

https://github.com/arjangch/grails-project-helper/tree/main/example3

Version

7.0.0-RC2

[arjangch]

Is this related to #1183 ?

[jamesfredley]

To clarify:

The app is fully stopped and restarted and the admin user, which was present in the db, is no longer in the db?

[arjangch]

Double check in different laptop. Using FF browser. Using the same Example3 app in my github.

1. Create Admin user and role from BootStrap
2. grails run-app
3. Check h2-db console. Admin is there. SELECT * FROM "user"
4. login as admin / admin
5. Check tags sec:ifNotLoggedIn and sec:username/ and <sec:loggedInUserInfo field='username'/> are all working fine. Click around Admin should have access to everything.
6. Don't close tab.
7. Don't logout
8. stop the app ctrl-c in command line
9. comment out admin user in BootStrap
10. grails run-app
11. Check h2-db console. You are kicked out you need to login again to h2-db console
12. SELECT * FROM "user" admin user is not there any more
13. go back to browser
14. Shift-reload the page
15. Admin user still showing in sec:ifNotLoggedIn and sec:username/
16. in testSpringTags.gsp page <sec:loggedInUserInfo field='username'/> is showing admin user
17. click around. Everything working fine.
18. click on Logout button
19. you are logged out
20. try to login with admin / admin
21. you are not able to login because admin user doesn't exist.

It behaves like it is cached in cookie in browser. Does Remember Me has anything to do with this?

[arjangch]

Just for fun of it. Clean server between restart made no difference.

8.1. gradle clean
8.2. grails clean
8.3. rm -rf build

[matrei]

@arjangch Could you try running the app without Spring Boot Devtools?

[arjangch]

Steps 1-12 above the same result
Step 8. stop the app ctrl-c in command line
Comment out org.springframework.boot:spring-boot-devtools in gradle.groovy
Step 10. grails run-app
Step 11. db-console got kicked out
Tag <sec:loggedInUserInfo field='username'/> doesn't show any username
Main page asking me to login

It seems that is working as it should if i comment out boot:spring-boot-devtools.

[jdaugherty]

This sounds like its expected behavior of including devtools. This doesn't seem like a bug. @arjangch you would agree?

[arjangch]

Correct, it is not a bug.
However, does devtools need to be included in default grails project (out of the box). Or should grails-spring-security doc say remove devtools?
I am sure other people (like me) don't pay attention.