If you didn't it might be that you are putting <limit get post> or similar and so any other type of authentication i.e. one that is not "get" or "post" (and one that safari appears to do when it should be doing a post) doesn't actually require authentication.
The reason I suspect this is that I am attempting to check one of my pages on browsercam and it all works great IE6-8, FF, Netscape, Opera but NOT safari on the protected page, so it appears that I have the reverse problem, safari won't even attempt to load the page that is protected by an .htaccess file!
I didn't really solve it; the problem just went away. I put it down to my system finding a cached copy of the page previously accessed by either Safari or one of the other browsers I was testing. I haven't noticed it since.