In the 3.x implementation admin log-in combined authentication and authorization, and admin access was either denied, granted for read-only access (for monitoring access, for example), or granted for full access.
With authentication and authorization separated more cleanly now, the concept of a "read-only" connection no longer makes sense in the same way, so the related code had been commented out of the RestAdapter.
Especially because the default admin username and password are widely known (and documented), the server needs to deny remote access unless secure admin has been enabled.
It looks as if a few changes to the RestAdapter and a few to the GenericAdminAuthenticator have resolved this. Testing and review underway.