Partial Client Certificate request for Apache HTTP

Someting like this should do the magic:

<Directory /myapp2>
  SSLVerifyClient require
</Directory>

<Directory /myapp>
  SSLVerifyClient none
</Directory>

More info about SSLVerifyClient directive here.

The trick here is that you need to do this in tomcat. Since that is what is actually proccessing the request.

Since client auth is on a per connector basis you'll need to create 2 new connectors. One for the base SSL w/ auth, and one for the mod_jk connector (chosen ports arbitrarily chosen as cur+1).

 <!-- Client Auth Connector on port 8444 -->
    <!--
    <Connector port="8444"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" debug="0" scheme="https" secure="true"
               clientAuth="true" sslProtocol="TLS" />
    -->

    <!-- Client auth ajp connector on port 8010 -->
    <Connector port="8010"
               enableLookups="false" redirectPort="8444" debug="0"
               protocol="AJP/1.3" />

Then just setup a secondary mod_jk worker to connect to the client auth SSL in apache for /myapp2

This might work: http://httpd.apache.org/docs/2.0/ssl/ssl_howto.html#arbitraryclients

How can I authenticate my clients for a particular URL based on certificates but still allow arbitrary clients to access the remaining parts of the server?

For this we again use the per-directory reconfiguration feature of mod_ssl: httpd.conf

SSLVerifyClient none
SSLCACertificateFile conf/ssl.crt/ca.crt

<Location /secure/area>
SSLVerifyClient require
SSLVerifyDepth 1
</Location>