What, exactly, is "security" as per your definition? What kinds of attacks, and what kinds of attackers are you trying to guard against?
If they are going to be in the same app, what's the point of the REST service in the first place?
I disagree with this sentiment. It makes sense to provide a web GUI and a REST WS in the same web app if they provide access to the same functionality. It's not clear that this makes a difference with respect to designing security, though.
I want only registered users to access HTML pages and perform operations ( add,delete,update )..I also want to track which user performed which operation. In future I am planning to add authorization, i also want to send userid/password securely.