The REST interface exposes a lot of information, some of it possibly dangerous. The /server/ URLs should not be active when you use Apache to filter access. This code is used by the Swing client and allows retrieving some information, starting processes, etc. It can be used as an example of how to do things from outside, like starting a process to retrieve a report or similar. You can define whether that part of the server is started in org.adempiere.server/WEB-INF/web.xml.
That should be blocked in trunk by changing web.xml, or we should block some URLs like services and command with a System Configurator like "PROVIDE_STATUS_FOR_SWING", or we extract it as a plugin.