When using Feature Pack 4, after configuring a REST service to work in SSL only mode using the wc-rest-security.xml configuration file under the Rest.war/WEB-INF/config/com.ibm.commerce.rest-ext directory, you are still able to make non-SSL requests.
Resolving the problem
There are three different approaches to resolve this issue (choose one):
1. Apply Interim Fix JR45150 (contact support to obtain the Interim Fix).
2. Upgrade to WebSphere Commerce Feature Pack 5.
3. Apply the following workaround available for Feature Pack 4:
Change the following directory name from Rest.war/WebContent/WEB-INF/config/com.ibm.commerce.rest-ext to Rest.war/WebContent/WEB-INF/config/com.ibm.commerce.rest.ext
Note, this workaround will not work after upgrading to Feature Pack 5 -- you will need to change the ".ext" directory back to "-ext" after applying either Interim Fix JR45150 or Feature Pack 5.
For more information about securing REST services using SSL read this Information Center article: Securing REST services using Secure Sockets Layer (SSL).