I have come across an issue with our plugin's REST API endpoints and UI being accessible from outside of the VSPhere environment and am thinking there must be a way to secure them with perhaps some kind of web.xml or other configuration change since this must be a fairly common concern for all plugins.
To get more specific, our plugin deploys the server side jar file and presents various rest apis, for example https://myserver/my-war-name/rest/getStuff . I can hit the getStuff endpoint outside of the vsphere environment from a browser window, both one that is logged into the vsphere sever/client and from another browser that isn't. To clarify a bit more, from the SDK samples, it would be the ability to hit the /list endpoint in the ChassisController.java file. I don't see any mechanism in the samples that is securing those endpoints.
So the question is if there is a VSphere pattern/mechanism for better securing these REST endpoints (and access to other parts of our plugin such as the angular/clarity UI portions)?