The REST service typically uses servlet authentication to establish a JCR Session to handle the request. However, it is sometimes desirable that the entire REST service be configured to be read-only for all operations against all repositories, despite what authentication/authorization specify.

Doing so is useful in systems where application(s) are the primary way to access and update the repository content, and ModeShape's REST API is still needed (e.g., for query via JDBC driver). Locking down the REST API to be read-only prevents clients from updating the repository content directly without going through the application(s).