Here's what I did to get this working.
I moved the repository that needed separate security into its own directory that was a siblng, not a child, and made a copy of the hgweb.wsgi.
My directory structure now looks like this
c:\hg-pub\hgweb.wsgi
c:\hg-pub\hgweb.config
c:\hg-pub\repo-one\.hg
...
c:\hg\hgweb.wsgi
c:\hg\hgweb.config
c:\hg\repo-two\.hg
c:\hg\repo-three\.hg
And my httpd.conf
file looks like this
WSGIScriptAlias /hg "C:/hg/hgweb.wsgi"
WSGIScriptAlias /pub/hg "C:/hg-pub/hgweb.wsgi"
<Directory "C:/hg-pub">
Order deny,allow
AuthType Basic
AuthName "R1 Secure Area"
AuthBasicProvider file
AuthUserFile c:/apache2.2/repo_one.pwd
Require valid-user
</Directory>
<Directory "C:/hg">
Order deny,allow
AuthType Basic
AuthName "Secure Area"
AuthBasicProvider file
AuthUserFile c:/apache2.2/passwords
Require valid-user
</Directory>
The important things to note are
- The two repository locations are completely separate on disk
- The two WSGIScriptAlias paths are completely independent