- Sub-task
- Resolution: Done
- Major
- 0.4
- None
- None
The DNA JCR security approach is JAAS-based and relies on the ability to pass a LoginContext, AccessControlContext, or SimpleCredentials (which are used internally to create a LoginContext) to the ExecutionContext. The Servlet specification does not expose any of these, and the REST server is necessarily limited to what the Servlet specification provides. Some form of integration is needed between the Servlet-based REST code and the JAAS-based DNA implementation so that authorization and access to JCR resources can be based on web credentials.