I have the following configuration in a config file for httpd:
Listen 6666
<VirtualHost server-name:6666>
    ServerName server-name
    LogLevel trace6
    LogFormat "%h %p %l %u %t %D \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %{X-Forwarded-For}i %{X-Tor-Application}i \"BALANCER_WORKER_ROUTE: %{BALANCER_WORKER_ROUTE}e\"" combined
    CustomLog /var/log/httpd/virtualhost2.log combined
    ErrorLog /var/log/httpd/modcluster_error_log
    EnableMCPMReceive
    <Location /mod_cluster-manager>
        SetHandler mod_cluster-manager
        AuthType Basic
        AuthName "MCM Authentication Control"
        AuthUserFile /etc/modclusterpasswd
        Require user root
    </Location>
</VirtualHost>
I would expect that when I run a curl command to the mod_cluster-manager endpoint, the request will only be served if I pass the username and password. However, the request is granted regardless.
I have also tried putting "Require all denied" inside my Location tag, but the modcluster manager page is still served regardless of this.
In my custom error log I can see the following:
[core:trace3] [pid 12219:tid 139843900258048] request.c(312): [client 10.247.246.158:35656] request authorized without authentication by access_checker_ex hook: /mod_cluster-manager
I don't get any logs from authz/authn, etc., to indicate that the request is being processed for authentication.
In the Apache httpd source code (httpd_request.h) I can see:
/**
 * This hook is used to apply additional access control and/or bypass
 * authentication for this resource. It runs *before* a user is authenticated,
 * but after the access_checker hook.
 * This hook should be registered with ap_hook_check_access_ex().
 * If "Satisfy any" is in effect, this hook may be skipped.
 *
 * @param r the current request
 * @return OK (allow access), DECLINED (let later modules decide),
 *         or HTTP_... (deny access)
 * @ingroup hooks
 * @see ap_hook_check_access_ex
 */
AP_DECLARE_HOOK(int,access_checker_ex,(request_rec *r))
And also in request.c:
else if (access_status == OK) {
    ap_log_rerror(APLOG_MARK, APLOG_TRACE3, 0, r,
                  "request authorized without authentication by "
                  "access_checker_ex hook: %s", r->uri);
This appears to be the source of the output I am seeing in the log.
What could be causing my authentication configuration to be ignored? And how can I fix it?
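Added example, not part of the original post: a small scanner that reads an httpd error log and lists every request to a protected path that was granted through the access_checker_ex message quoted above. The names `PROTECTED_PREFIXES`, `is_protected` and `find_unauthenticated_grants` are hypothetical, and every sample line except the first is constructed.

```python
import re
from collections import Counter

# Message emitted by request.c when access_checker_ex returns OK (quoted in the post).
BYPASS_RE = re.compile(
    r"\[client (?P<client>[^\]]+)\] "
    r"request authorized without authentication by "
    r"access_checker_ex hook: (?P<uri>\S+)"
)

# Assumption: the URL prefixes the configuration is meant to protect.
PROTECTED_PREFIXES = ("/mod_cluster-manager",)

# Sample input: line 1 is the log line from the post, lines 2-4 are constructed.
SAMPLE_LOG = """\
[core:trace3] [pid 12219:tid 139843900258048] request.c(312): [client 10.247.246.158:35656] request authorized without authentication by access_checker_ex hook: /mod_cluster-manager
[core:trace3] [pid 12219:tid 139843900258048] request.c(312): [client 192.0.2.10:40112] request authorized without authentication by access_checker_ex hook: /index.html
[core:trace3] [pid 12220:tid 139843900258049] request.c(312): [client 192.0.2.10:40113] request authorized without authentication by access_checker_ex hook: /mod_cluster-manager
[core:trace3] [pid 12220:tid 139843900258049] request.c(312): [client 192.0.2.11:40200] constructed unrelated trace line
"""


def is_protected(uri, prefixes=PROTECTED_PREFIXES):
    """True when uri equals a protected prefix or lies beneath it."""
    return any(uri == p or uri.startswith(p.rstrip("/") + "/") for p in prefixes)


def find_unauthenticated_grants(log_text, prefixes=PROTECTED_PREFIXES):
    """Return (client_ip, uri) for each protected URI granted without authentication."""
    hits = []
    for line in log_text.splitlines():
        m = BYPASS_RE.search(line)
        if m and is_protected(m.group("uri"), prefixes):
            # The client field is "address:port"; keep only the address.
            client_ip = m.group("client").rsplit(":", 1)[0]
            hits.append((client_ip, m.group("uri")))
    return hits


if __name__ == "__main__":
    # Print one row per (client, uri) pair with the number of occurrences.
    for (ip, uri), n in Counter(find_unauthenticated_grants(SAMPLE_LOG)).items():
        print(f"{n:3d}  {ip}  {uri}")
```

The message is logged at APLOG_TRACE3, so it only appears when the core log level is trace3 or higher, as with the `LogLevel trace6` setting in the configuration above.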