How did you secure the REST API?
It sounds similar to a problem I had when I added authentication by the Spring security filter chain. In short, authentication by the Spring security filter chain is not sufficient, you need to translate the authentication result to the engine. The long explanation is here: Authorization does not apply to REST API - #6 by mba