Firstly, there is nothing un-RESTful regarding your approach; you are using the REST actions exactly as they are intended to be used. Your approach is good.
However, you now have two controllers both needing authentication.
Can I suggest a better approach to your controller setup that might give you a better understanding of OO design?
Create a base public controller and a base admin controller.
Instead of directly descending your controllers from the application controller, take them from either the base public controller or the base admin controller. Move the before action filter into the application controller, provide an empty authenticate_user method in the base public controller and put the proper authenticate_user method into the base admin controller.
This gives you two benefits:
1) You will never forget to apply the filter, which means you will never get a situation where you are providing admin access to the public.
When you create a new controller and forget to change the class declaration from ApplicationController to either BasePublicController or BaseAdminController, you will immediately get a no method error on the authenticate_user method, as it no longer exists in the application controller.
2) A natural placeholder to separate out any other admin-specific functionality from public, i.e. different layouts.
Your base controllers are just files in the controller folder that descend from the application controller; they have no methods in them, just the authenticate_user method, and as the filter is declared in the application controller, you need to do no more.
Hope that makes sense.
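The layout described in the answer above, as an added example that is not the answerer's code. It is plain Ruby with a small stand-in for Rails' before_action so it runs without Rails; the controller names below the two base classes, the `process` dispatcher and the `session[:admin]` check are assumptions made for illustration.

```ruby
# Plain-Ruby stand-in for Rails' before_action (assumption: lets this run without Rails).
class ApplicationController
  def self.before_action(name)
    @filter = name
  end

  def self.filter
    # Subclasses inherit the filter declared on ApplicationController.
    @filter || superclass.filter
  end

  # Declared once here; authenticate_user is deliberately NOT defined in this class.
  before_action :authenticate_user

  def initialize(session = {})
    @session = session
  end

  # Simulated dispatch: run the filter, then the action unless the filter halted.
  def process(action)
    @halted = nil
    send(self.class.filter)
    @halted || send(action)
  end
end

class BasePublicController < ApplicationController
  private
  def authenticate_user; end # public pages: intentionally empty
end

class BaseAdminController < ApplicationController
  private
  def authenticate_user
    # Hypothetical check; a real app would use its own login logic.
    @halted = "401 Unauthorized" unless @session[:admin]
  end
end

class PostsController < BasePublicController
  def index; "public posts"; end
end

class AdminPostsController < BaseAdminController
  def index; "admin posts"; end
end

# The mistake from benefit 1: the parent class was never changed.
class ReportsController < ApplicationController
  def index; "reports"; end
end
```

A controller left on ApplicationController raises NoMethodError on its first request instead of silently serving content without a check.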