Core issue
This issue occurs due to the presence of Cisco bug ID CSCeg52439.
In 12.2(25)SE (and other branches of the integrated Cisco IOS HTTP server 1.1), the ip http authentication aaa configuration command causes the router to authenticate/authorize users based on the method lists configured on the console line.
Prior to this version of code (in Cisco IOS HTTP server 1.0), the method list was chosen from the vty that was used for the HTTP session. Vtys are no longer used in Cisco IOS HTTP server 1.1.
Resolution
As a workaround, issue the ip http authentication aaa login-authentication and ip http authentication aaa exec-authorization commands in order to configure the desired method list for HTTP authentication and authorization.