It should be possible to configure the WebConsole to only accept logins after specified Security Providers are found.
If these security providers are not yet registered in the Service Registry, logging in should be disabled. The local plain username/password approach should not provide the opportunity to log in, in that case.
The configuration to enable this should be provided as a framework property.
This approach is similar to what has been implemented for ConfigAdmin in