Currently in our application (pega 7.2.1) we are calling one activity from HTTP service. In the activity "Allow direct invocation from the client or a service" is unchecked. I am curious to know how it is working without any error. It should throw security error at the time of invoking the activity
For making service activity to be used by authenticated user, you need to go security tab of the service activity. You need to check the checkbox "Require authenticatoin to run". Also, you need to have "requires authentication" checkbox in the Service Package.