As far as security goes, securing a RESTful web application isn't that different from securing a non-RESTful web application. For example, the transport layer is the same so you can use SSL. In Rails, you can use filters around controllers to enforce authentication/authorization regardless of whether or not the controller is RESTful.
Having said that, I don't have much experience with Rails and I'd be curious to hear from Ben how he sees this.
Lasse, your answer is exactly correct. You can protect RESTful services just as you protect your standard applications.
The only thing I'd add is that you can also use HTTP Basic authentication if you like - it's built into Rails as of version 2.0, and works very nicely for some scenarios.
Stop it! You're embarassing me! And you are embarrassing this tiny ad!
a bit of art, as a gift, the permaculture playing cards