Your AppServer application may add its own security layer for internal operations and data. There are a number of options recommended in OpenEdge Application Server: Developing AppServer Applications. In particular, a state-managed AppServer application can provide authentication and authorization using a CONNECT procedure. Also, any AppServer application can implement its own login/logout procedures after a connection is established.
As stated previously, the REST application's security framework passes a Client-Principal to the AppServer on each request to identify who the user is and what their login session is. The Client-Principal is available to the AppServer's activate procedure, remote procedure, and deactivate procedure via the ABL session's RequestInfo object. The Client-Principal can be used to set the ABL session and/or database connections in the same way, and for the same reasons, as if the REST application were any other ABL client.
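The following Activate procedure is an added example, not code from the OpenEdge documentation. It reads the Client-Principal from the RequestInfo object and uses it to set the identity of the session and its database connections, rejecting the request if that fails. The file name `activate.p` is hypothetical, and the example assumes the security domain registry used to validate the Client-Principal has already been loaded (for instance at AppServer startup).

```abl
/* activate.p: hypothetical Activate procedure (added example).
   Runs before each remote procedure request on the AppServer. */

DEFINE VARIABLE oRequest AS Progress.Lang.OERequestInfo NO-UNDO.
DEFINE VARIABLE hCP      AS HANDLE                      NO-UNDO.
DEFINE VARIABLE lOk      AS LOGICAL INITIAL FALSE       NO-UNDO.

/* The RequestInfo object for the request currently being serviced. */
oRequest = SESSION:CURRENT-REQUEST-INFO.
IF VALID-OBJECT(oRequest) THEN
    hCP = oRequest:GetClientPrincipal().

/* Fail closed: a request without a Client-Principal did not come
   through the REST application's security framework. */
IF NOT VALID-HANDLE(hCP) THEN
    RETURN ERROR "Request rejected: no Client-Principal supplied.".

/* Accept only a principal whose login session is still active. */
IF hCP:LOGIN-STATE <> "LOGIN" THEN
    RETURN ERROR "Request rejected: Client-Principal state is "
                 + hCP:LOGIN-STATE + ".".

/* SET-CLIENT validates the sealed Client-Principal against the loaded
   domain registry (assumption: loaded earlier) and, on success, sets the
   identity of the ABL session and of every connected database. */
lOk = SECURITY-POLICY:SET-CLIENT(hCP) NO-ERROR.

IF ERROR-STATUS:ERROR OR NOT lOk THEN
DO:
    /* Record the failure in the AppServer log without exposing the
       reason to the client. */
    MESSAGE "SET-CLIENT failed for" hCP:QUALIFIED-USER-ID
            ":" ERROR-STATUS:GET-MESSAGE(1).
    RETURN ERROR "Request rejected: identity could not be validated.".
END.

/* From here on, the remote procedure runs under the REST user's identity,
   so database permissions and auditing apply to that user. */
RETURN.
```

Ending the Activate procedure with `RETURN ERROR` causes the AppServer to reject the request before the remote procedure runs, so a missing, expired, or unverifiable Client-Principal never reaches application code.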