404 checked before checking authentication
I just found by accident that if I try to access some nonexistent file in a secured directory I get a 404 error message. if I try to access an existing file I get the authentication box.
That makes it possible for an attacker to find out which files exist in a directory even before going through authentication.
Therefore I think it would be much better to check authentication before trying to retrieve a file.