diff --git a/modules/idp/src/com/haulmont/idp/IdpAuthConfig.java b/modules/idp/src/com/haulmont/idp/IdpAuthConfig.java
index 69ced80825..47f30c9080 100644
--- a/modules/idp/src/com/haulmont/idp/IdpAuthConfig.java
+++ b/modules/idp/src/com/haulmont/idp/IdpAuthConfig.java
@@ -59,4 +59,14 @@ public interface IdpAuthConfig extends Config {
 @Property("cuba.idp.ldap.userLoginField")
 @DefaultString("sAMAccountName")
 String getLdapUserLoginField();
+
+ /**
+ * @return list of users that are not allowed to use external authentication. They can use only standard authentication.
+ * Empty list means that everyone is allowed to login using external authentication.
+ *
+ * @see #getAuthenticationMode()
+ */
+ @Property("cuba.idp.standardAuthenticationUsers")
+ @Factory(factory = CommaSeparatedStringListTypeFactory.class)
+ List getStandardAuthenticationUsers();
 }
\ No newline at end of file
diff --git a/modules/idp/src/com/haulmont/idp/controllers/IdpLoginManager.java b/modules/idp/src/com/haulmont/idp/controllers/IdpLoginManager.java
index b2231a7d24..fe35595d5c 100644
--- a/modules/idp/src/com/haulmont/idp/controllers/IdpLoginManager.java
+++ b/modules/idp/src/com/haulmont/idp/controllers/IdpLoginManager.java
@@ -53,7 +53,15 @@ public class IdpLoginManager implements InitializingBean {
 protected LdapTemplate ldapTemplate;
 public IdpService.IdpLoginResult login(AuthRequest auth, Locale sessionLocale) throws LoginException {
- switch (authenticationConfig.getAuthenticationMode()) {
+ IdpAuthMode authenticationMode = authenticationConfig.getAuthenticationMode();
+ List standardAuthenticationUsers = authenticationConfig.getStandardAuthenticationUsers();
+
+ if (standardAuthenticationUsers.contains(auth.getUsername())) {
+ // user can only use STANDARD authentication
+ authenticationMode = IdpAuthMode.STANDARD;
+ }
+
+ switch (authenticationMode) {
 case STANDARD: {
 LoginPasswordCredentials credentials = new LoginPasswordCredentials(
 auth.getUsername(),
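Review bot: The Javadoc on `getStandardAuthenticationUsers()` does not say what is returned when `cuba.idp.standardAuthenticationUsers` is unset, and the property declares no default, unlike the `@DefaultString` on `getLdapUserLoginField()` just above it. The caller added in IdpLoginManager invokes `contains` on the result without a null check, so the contract matters for every login. If the type factory guarantees it (not visible in this hunk), state it, e.g. `* Never null; an unset property yields an empty list.` Adding `* Value is a comma-separated list of logins.` would also tell operators how to fill in this security-relevant setting.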
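Review bot: The new guard `standardAuthenticationUsers.contains(auth.getUsername())` is an exact, case-sensitive string match, while the LDAP login attribute defaults to `sAMAccountName` in IdpAuthConfig, which directories typically compare case-insensitively. A listed account whose login arrives with different casing would not be forced to `IdpAuthMode.STANDARD` and would still be handled by the configured external mode, weakening the restriction the property is meant to enforce. Consider a normalised comparison such as `standardAuthenticationUsers.stream().anyMatch(u -> u.equalsIgnoreCase(auth.getUsername()))`, and a log statement when the override applies so the forced mode is auditable. The body of `login` continues past the end of the hunk, so whether the STANDARD branch normalises the login itself cannot be confirmed from here.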