The Legacy REST Web Services module does not provide functionality for securing repository items. If you need to provide access to repository data to Legacy REST Web Services clients, use one of the following options:
Implement a Java Server Page (JSP) to access and return the repository data to REST clients. See Invoking Java Server Pages (JSPs) with Legacy REST. If your JSP provides access to sensitive resources, make sure to include security measures such as an access control servlet in your Web application.
Use the secured repository system, which works in conjunction with the Oracle Commerce Platform security system to provide fine-grained access control to repository item descriptors, individual repository items, and even individual properties. For more information, refer to the Repository Guide