Broadleaf does not dictate how security should be applied to RESTful endpoints, and it currently applies no security to these services out of the box.
Security can be applied in a number of ways.
We recommend using a protocol such as OAuth.
You can also use Spring Security for authentication and authorization.
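
The sketch below combines the two recommendations above: OAuth 2.0 bearer tokens enforced by Spring Security, with every REST request denied unless a rule allows it. It is an added example, not Broadleaf's own code. It assumes Spring Security 6.x with the OAuth2 resource-server module and a single DispatcherServlet; the `/api/**` path and the `api.read` / `api.write` scope names are placeholders.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class RestApiSecurityConfig {

    // Placeholder: replace with the path your REST endpoints are actually mapped to.
    private static final String API_PATTERN = "/api/**";

    @Bean
    public SecurityFilterChain restApiFilterChain(HttpSecurity http) throws Exception {
        http
            // This chain applies only to the REST endpoints, not to the storefront or admin UI.
            .securityMatcher(API_PATTERN)
            // Every request carries its own token, so no HTTP session is created or consulted.
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // With no session cookie in play, CSRF tokens add nothing for these endpoints.
            .csrf(csrf -> csrf.disable())
            .authorizeHttpRequests(auth -> auth
                // Hypothetical scopes: read-only calls need api.read, mutating calls need api.write.
                .requestMatchers(HttpMethod.GET, API_PATTERN).hasAuthority("SCOPE_api.read")
                .requestMatchers(HttpMethod.POST, API_PATTERN).hasAuthority("SCOPE_api.write")
                .requestMatchers(HttpMethod.PUT, API_PATTERN).hasAuthority("SCOPE_api.write")
                .requestMatchers(HttpMethod.DELETE, API_PATTERN).hasAuthority("SCOPE_api.write")
                // Anything not explicitly allowed above is rejected.
                .anyRequest().denyAll())
            // Validate the bearer token as a JWT. A JwtDecoder bean must be available,
            // e.g. one that Spring Boot builds from
            // spring.security.oauth2.resourceserver.jwt.issuer-uri.
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()));
        return http.build();
    }
}
```

A request to a matched path without a valid token receives 401, and a valid token lacking the required scope receives 403.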