But for this to work, wouldn't I have to implement my own Apache module to intercept requests and do authentiation and authorization based on the value of the requested URI?

Rather happily, that's an awful lot easier than it sounds. A skeleton authentication handler looks like this:

 package Apache::AuthAny;
 # file: Apache/AuthAny.pm


 use strict;
 use Apache::Constants qw(:common);


 sub handler {
     my $r = shift;
 
     my($res, $sent_pw) = $r->get_basic_auth_pw;
     return $res if $res != OK; 


     my $user = $r->connection->user;
     unless($user and $sent_pw) {
         $r->note_basic_auth_failure;
         $r->log_reason("Both a username and password must be provided
+", $r->filename);
         return AUTH_REQUIRED;
     }


     return OK;     
 }


 1;
[download]

(that'll authenticate on the *presence* of both a username and password, via HTTP Basic Auth - obviously you'd want to substitute a real-world authentication scheme).

The Eagle book gives full details, and some of it seems to be online here:
http://modperl.com:9000/book/chapters/ch6.html
(found through random Googling).

hth, andye.