It sounds like anonymous access is enabled at the web tier. You'd want to edit the web.xml at either the web adaptor level or globally on the Tomcat instance.
The update would look something like this:
You'd update the following to match the rose you've defined.
<security-constraint>
<web-resource-collection>
<web-resource-name>Authentication Required</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>WebAdaptor</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>DIGEST</auth-method>
<realm-name>ArcGIS Web Adaptor</realm-name>
</login-config>
<security-role>
<description>Web Adaptor Users</description>
<role-name>WebAdaptor</role-name>
</security-role>