I believe I asked this question before, but I'll try again.

Anyway, I have your standard MVC based web application with a model layer. I would now like to to expose that model layer directly to my client side interface via AJAX. However, all the AJAX request will really do it hit a URL that returns JSON or XML data. So at this point my REST API exposes ALL data access methods throughout my application to the public, by hitting the endpoint. This is obviously no good. So I was wondering if there is a reliable and secure way to restrict the REST API access to the site, or more specifically an internal HTTP request via AJAX. I'm not sure this is possible, but It would be the ideal solution.

Just to have a better idea of what I'm trying to do is essentially decorate JQuery with a data access method specific to my application. So that the below code would essentially make a HTTP request to find a node with the id of 90.

	,success:function(...) {
	,error:function(...) {

pkg: being the path to the DAO to instantiate
method: the method to call
args: arguments for the method call, in this case 90

success: standard JQuery success callback
error: standard error callback

What the above code will do is generate a standard jQuery AJAX request like the below:

      ,success: success // the callback passed by the dao decorator
      ,error: error // the callback passed by the dao decorator

However, the issue becomes that anyone can easily hit the url: http://www.myapp/dao.php/Component.N...e/findById/90/ to get the data. I don't want this, at all, since I will be calling methods that expose vital data and perhaps perform actions that I want to control internally.

So, is there a reliable way to only allow HTTP requests within the domain to access my REST API? In the end I only want to allow internal access to my applications REST API layer. The whole point of this is to allow client-side code to perform data access operations directly, bypassing the controller layer. However, do that I need to make sure that no one can hit the API endpoint directly.