
REST Manager security

If the OpenEdge REST Manager were not protected in some way, anyone on the internet could make changes to your Java container. The REST Manager therefore incorporates the same Spring Security framework as described in OpenEdge REST applications, and it has the same abilities for user authentication and authorization to URIs.
The OpenEdge REST Manager's Spring default configuration uses a user account file local to the Web application and has two default accounts. This configuration is suitable for development environments but is not adequate for deployment environments. The production administrator is encouraged to use one of the provided sample security templates to provide stronger authentication.
When configuring security in either the REST Manager or a REST application service, the key to success is to manage each user account's role memberships and to use those roles in the Spring Security configuration's URI access controls.
In addition to configuring authentication, you may also want to use SSL requests to communicate with the REST Manager. Since the REST Manager is also a Web application similar to the deployed OpenEdge REST applications, the instructions for enabling SSL on the client-application connection also apply.
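The following check is an added example, not part of the OpenEdge documentation or its sample templates: it audits the `intercept-url` rules of a Spring Security XML configuration for the two points made above, role-based URI access control and SSL. The embedded configuration is constructed, and its URI patterns and role name are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Spring Security XML namespace, in ElementTree's {uri}tag form.
NS = "{http://www.springframework.org/schema/security}"
# Access values that let unauthenticated callers through.
OPEN_ACCESS = {"permitAll", "isAnonymous()",
               "IS_AUTHENTICATED_ANONYMOUSLY", "ROLE_ANONYMOUS"}
ROLE_RE = re.compile(r"ROLE_[A-Za-z0-9_]+")

# Constructed sample: patterns and ROLE_EXAMPLE_ADMIN are hypothetical,
# not values taken from an OpenEdge template.
SAMPLE = """<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:sec="http://www.springframework.org/schema/security">
  <sec:http use-expressions="true">
    <sec:intercept-url pattern="/static/**" access="permitAll"/>
    <sec:intercept-url pattern="/rest/**"
        access="hasRole('ROLE_EXAMPLE_ADMIN')" requires-channel="https"/>
    <sec:intercept-url pattern="/**" access="isAuthenticated()"/>
  </sec:http>
</beans>"""


def audit(xml_text):
    """Return (pattern, problem) pairs for weak intercept-url rules."""
    findings = []
    for rule in ET.fromstring(xml_text).iter(NS + "intercept-url"):
        pattern = rule.get("pattern", "")
        access = (rule.get("access") or "").strip()
        # Roles named in the rule, ignoring the anonymous pseudo-role.
        roles = set(ROLE_RE.findall(access)) - {"ROLE_ANONYMOUS"}
        if access in OPEN_ACCESS:
            findings.append((pattern, "allows anonymous access"))
        elif not roles:
            findings.append((pattern, "not restricted to a role"))
        # requires-channel is one place HTTPS can be enforced; the
        # servlet container may also enforce it outside this file.
        if rule.get("requires-channel") != "https":
            findings.append((pattern, "HTTPS not enforced"))
    return findings


if __name__ == "__main__":
    for pattern, problem in audit(SAMPLE):
        print(f"{pattern}: {problem}")
```

Run it against the security configuration file that your deployment actually loads, and treat every finding on a management URI as something to resolve before production.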
To restrict access to the REST Manager even further, configure your Web server or Java Servlet Container to accept connections only from the IP addresses of the specific client machines that are allowed to connect.