The security issues for OpenEdge REST applications are the same as those found in any Web application: user authentication, session management, authorization to REST resources, and data-in-transit security. REST applications are often deployed on hostile, unprotected networks such as the Internet. Unless the Web application's authentication, authorization, data integrity, and privacy are enforced at the web server level, you increase the risk of exposing business data to data miners and hackers.
The REST application and REST Manager follow Web application security best practices by using the security mechanisms commonly provided by the Web server together with a built-in Spring Security layer within the applications themselves. These common security layers give Web applications proven, industry-standard user authentication, authorization, and data privacy controls such as SSL, so that requests are checked before they can reach the backend data services (i.e., the AppServer). The backend data services may then apply their own application-level security without needing to be aware of the Web server environment they operate in. Additionally, because the REST applications use common Web application security features and technologies, they support a wider variety of REST clients without requiring OpenEdge-specific customizations.
The security strategy for REST support is composed of these optional components:
Web server (Java container) or REST application authentication using built-in services
Internal REST application authorization to HTTP resources
Using an AppServer as the web application's user authentication service
Data-in-transit security provided by SSL/TLS, both from the web application's client to the web server and from the REST application to an AppServer
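As an added illustration of two of these layers (not configuration shipped with OpenEdge), the following Spring Security XML fragment restricts the REST resource paths to authenticated users with a given role and requires HTTPS for them. The `/rest/**` path, the `ROLE_USER` authority, and the in-memory user are assumptions for the example; a production deployment would replace the in-memory provider with the AppServer-backed authentication service described above.

```xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                 http://www.springframework.org/schema/beans/spring-beans.xsd
                 http://www.springframework.org/schema/security
                 http://www.springframework.org/schema/security/spring-security.xsd">

  <http use-expressions="true" create-session="ifRequired">
    <!-- Authorization to HTTP resources: REST paths (assumed prefix /rest/)
         require an authenticated user holding ROLE_USER. -->
    <!-- Data-in-transit: requires-channel="https" redirects or rejects
         any plain-HTTP request to these resources. -->
    <intercept-url pattern="/rest/**"
                   access="hasRole('ROLE_USER')"
                   requires-channel="https"/>
    <!-- Anything not explicitly mapped above is denied outright. -->
    <intercept-url pattern="/**" access="denyAll"/>
    <http-basic/>
  </http>

  <authentication-manager>
    <authentication-provider>
      <!-- Placeholder provider for the example only; swap in the
           AppServer-backed provider for production use. -->
      <user-service>
        <user name="EXAMPLE_USER" password="EXAMPLE_PASSWORD_PLACEHOLDER"
              authorities="ROLE_USER"/>
      </user-service>
    </authentication-provider>
  </authentication-manager>
</beans:beans>
```

Listing the deny-all pattern last matters: Spring evaluates `intercept-url` entries in order and applies the first match, so a catch-all placed first would block the REST paths.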
The goal is to give a production administrator the ability to configure REST application security using standard web application security best practices in a layered and scalable manner, ranging from simple to complex as necessary.
A secondary goal is to relieve an OpenEdge REST application developer of the need to implement highly technical security features that conform to security best practices in a Web environment. The developer's responsibility is twofold:
To integrate with the web server's secure environment via OpenEdge-supplied integration features.
To apply AppServer level access controls to application resources.
The following sections describe some of the options available for securing a REST Web application.