After working with Oracle ADF for a while, I am now developing an application using Oracle Visual Builder. When calling REST services using the action chain component "Call REST", the call is visible in the browser console. (The services are added from the catalog, they are not defined by their specific endpoints)
Using Firefox's Inspection tools I can right click the request, edit it and resend it successfully despite the service using authorization.
In Oracle ADF I would simply call the service in a managed bean, the user wouldn't know I called it.
How can we not let the client/user know we called the service that in Visual Builder (or hide it from the console)? Is there a way to call REST services other than the "Call REST" component in the Action Chain tools?
That's a key difference between the architecture of ADF that was running logic on the server, and VB that runs the logic on the client side. Any web page that calls a REST endpoint (including from JS code) will show the REST call in the browser's log - this is not a VB specific behavior.
The security should be defined on the REST side requiring proper authentication to invoke the REST endpoint.