Rails

I am trying to authenticate an Android client application against my Ruby server, a Rails application that uses the Devise gem. I tried HTTP authentication and sent authentication requests, but the server just answers 200 for any given username/password.

I already configured config.http_authenticatable = true and :database_authenticatable in the User model...

I will post my authentication method so you guys can look at it...

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

import org.apache.http.HttpResponse;
import org.apache.http.NameValuePair;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.CredentialsProvider;
import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.message.BasicNameValuePair;
import org.json.JSONException;

public static boolean authenticate(User user, String verb) throws IOException, JSONException {
    DefaultHttpClient httpClient = new DefaultHttpClient();
    HttpPost httpPost = new HttpPost(verb);

    // Register Basic credentials for any host/port. DefaultHttpClient is not
    // preemptive: it only sends them after the server answers 401 with a
    // WWW-Authenticate challenge.
    CredentialsProvider credProvider = new BasicCredentialsProvider();
    credProvider.setCredentials(
            new AuthScope(AuthScope.ANY_HOST, AuthScope.ANY_PORT),
            new UsernamePasswordCredentials(user.getMail(), user.getPassword()));
    httpClient.setCredentialsProvider(credProvider);

    // The same credentials are also sent as form fields in the POST body.
    List<NameValuePair> nameValuePairs = new ArrayList<NameValuePair>();
    nameValuePairs.add(new BasicNameValuePair("email", user.getMail()));
    nameValuePairs.add(new BasicNameValuePair("password", user.getPassword()));
    httpPost.setEntity(new UrlEncodedFormEntity(nameValuePairs));

    HttpResponse httpResponse = httpClient.execute(httpPost);
    int statusCode = httpResponse.getStatusLine().getStatusCode();
    // JSONObject resp = null;
    if (statusCode < 200 || statusCode >= 300) {
        throw new IOException("Error");
    }
    return true;
}
```
1 answer

If the server responds with 200, it really looks like a server-side configuration problem, so you should double-check that your URLs are actually protected, using a desktop web browser and a tool like Fiddler so you can see everything. Pay particular attention to the authentication headers and status codes; at the very least you should see a 401 from the server to get started.

You can also enable diagnostics for Apache HTTP on your device, and dump headers and content to LOGCAT so you can make sure everything goes as expected.

Check the contents of the WWW-Authenticate header; it determines which schemes are accepted. The client side will then re-request the URL, this time with the Authorization header in its request.

In short, make sure your server side works outside your application, in an environment where problems are easier to fix.

On the client side, it seems you only enable BASIC authentication (everyone should stop using it!), and your endpoint may accept only DIGEST, NTLM, KERBEROS or some other scheme than BASIC. Since it looks like you have not configured SSL, be sure to use at least DIGEST or you will have clear-text problems!

Using form variables (for authentication) works only at the application level, not at the level of the HTTP protocol, which uses HTTP headers (WWW-Authenticate, Authorization) and status codes (401, 403) for the authentication process. And again, if you do not configure your server (and client) for SSL only, there will be clear-text problems.

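To make the challenge/response handshake the answer describes concrete, here is an added example in Ruby. It is not code from the original post, from the asker's app, or from Devise itself; it models, as an assumption, what an `http_authenticatable` endpoint does at the HTTP level (401 plus `WWW-Authenticate` when no valid `Authorization` header is present, 200 otherwise) and the two round trips a non-preemptive client like `DefaultHttpClient` makes. The account, password, realm string and endpoint body are hypothetical and constructed for the example.

```ruby
# Constructed sample user store standing in for the Devise users table
# (hypothetical account, not from the original post).
USERS = { 'alice@example.com' => 'correct horse battery staple' }.freeze
# Devise's default http_authentication_realm is "Application" (assumption).
REALM = 'Application'

# Parse an HTTP Basic Authorization header into [user, password], or nil when
# the header is missing, uses another scheme, or is not valid base64.
# Base64 is an encoding, not encryption: anyone who sees this header on a
# plain-HTTP connection gets the password back with one decode.
def parse_basic(authorization)
  return nil if authorization.nil?
  scheme, token = authorization.strip.split(/\s+/, 2)
  return nil unless scheme && token && scheme.casecmp?('basic')
  decoded = begin
    token.unpack1('m0') # strict base64 decode; raises ArgumentError on bad input
  rescue ArgumentError
    return nil
  end
  user, pass = decoded.split(':', 2)
  user && pass ? [user, pass] : nil
end

# Constant-time comparison so a wrong password is rejected in the same time
# regardless of where the first mismatching byte is.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Stand-in for what an http_authenticatable endpoint does at the HTTP level.
# Only the Authorization header counts: form fields named email/password are
# application-level data and play no part in HTTP authentication.
# Returns a Rack-style [status, headers, body] triple.
def protected_endpoint(headers)
  creds = parse_basic(headers['Authorization'])
  expected = creds && USERS[creds[0]]
  if expected && secure_equal?(expected, creds[1])
    [200, { 'Content-Type' => 'application/json' }, %({"email":"#{creds[0]}"})]
  else
    # 401 plus WWW-Authenticate is the challenge a non-preemptive client
    # (DefaultHttpClient's default) must see before it sends Authorization.
    [401, { 'WWW-Authenticate' => %(Basic realm="#{REALM}") }, 'HTTP Basic: Access denied.']
  end
end

# Client half of the exchange, mirroring HttpClient's two round trips:
# 1) request without credentials; 2) if challenged with Basic, resend with
# Authorization. Returns an array of [request_headers, status] per trip.
def basic_auth_exchange(email, password)
  trips = []
  status, resp_headers, _body = protected_endpoint({})
  trips << [{}, status]
  challenge = resp_headers['WWW-Authenticate'].to_s
  return trips unless status == 401 && challenge.start_with?('Basic')
  auth = 'Basic ' + ["#{email}:#{password}"].pack('m0')
  status, _headers, _body = protected_endpoint('Authorization' => auth)
  trips << [{ 'Authorization' => auth }, status]
  trips
end

if $PROGRAM_NAME == __FILE__
  basic_auth_exchange('alice@example.com', 'correct horse battery staple').each do |req, status|
    puts "request headers=#{req.inspect} -> #{status}"
  end
  # What an on-path observer of a plain-HTTP request recovers from the header:
  header = 'Basic ' + ['alice@example.com:correct horse battery staple'].pack('m0')
  puts "decoded from the wire: #{parse_basic(header).inspect}"
end
```

The first trip always comes back 401 with the challenge, which is the status the answer says you should see in Fiddler before anything else; a 200 on that first, credential-less request means the route is not protected at the HTTP layer, whatever form fields the Java client adds to the body. The `parse_basic` call at the end is the clear-text problem in one line: without SSL the Basic header is the password.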
