The problem I observed came about when I set SoapUI to use 'No Authorization' after having set up Basic authorisation.
For some strange reason my web service responded even though it is made to fail any unauthorised requests.
I tried a few things including restarting my WebLogic server, restarting SoapUI, changing the request URL, none of this seemed to matter. I even tried the Delete Current option under the Authorization drop down box, that didn't work either. My web service kept on responding when it should not have been.
What I noticed is even when I set No Authorization and deleted the current Authorization settings, the Request Properties box on the left kept the user name and password! Removing these manually in the properties editor made my web service fail as expected.
However, when these were removed manually and I selected to have Basic authentication again, the user name and password were gone (I guess as expected).
This is some odd behaviour I think and it persists between versions 5.0.0 and 5.1.2. I've tested this on OS X Yosemite only.
So to summarise, these are the steps to reproduce the problem:
1. Add Basic authorisation to your request
2. Run the request
3. Select No Authorization
4. Run the request
This assumes that your web service is set up to server only after the user has been successfully authenticated.