When used with Apache, the SP includes an Access Control plugin implemented on top of the Apache Require authorization command. The placement rules for this command are dictated by Apache, and include its <Directory>, <File>, and <Location> blocks, as well as .htaccess files. By default, any place you can apply the Require command will trigger the Access Control implementation supplied with the SP's Apache module.
Make sure that any user will have already established a session, or require a session for the same path, or any access attempt will result in a 403.
Location Blocks Take Precedence
.htaccess directives are able to override <Directory> blocks, but they cannot override <Location> blocks. If your .htaccess rules appear not to be executing, check for conflicting directives in the rest of Apache's configuration.