By default, IOS routers use enable passwords to authenticate incoming HTTP (web) requests. You could also use local usernames as the authentication mechanism, or you could deploy full-blown AAA-based solution. To enable AAA-based HTTP authentication, you have to define two AAA lists (authentication login and authorization exec) and bind them to the HTTP server with the ip http authentication aaa command. A working configuration example is included below (this one uses AAA-based local username authentication, but of course you can replace that with RADIUS- or TACACS-based one).

aaa authentication login web local
aaa authorization exec web local
!
ip http authentication aaa login-authentication web
ip http authentication aaa exec-authorization web

Warning: the router executes AAA authentication/authorization for every HTTP request sent by the browser. It's thus very hard to integrate this solution with one-time passwords (unless you can cache the credentials on the AAA server).