Tim's Weblog
Tim Strehle’s links and thoughts on Web apps, software development and Digital Asset Management, since 2002.
2011-08-30

HTTP basic authentication using OS X Lion Server accounts

Mac OS X Lion Server has a nice built-in directory (LDAP) server – when you need to password protect a web page hosted there, you don't want to set up user accounts in old-fashioned "htpasswd" text files. It's much nicer to set up HTTP basic authentication against the users and groups you manage in the Server App.

With some help from the Trac documentation, it was quite easy to make this work. (Please note that I'm not an OS X Server expert, so I might have broken something or missed a better way. Try at your own risk.)

First I enabled mod_auth_basic.so in the Apache web server configuration file /etc/apache2/httpd.conf (seems to be required in addition to mod_auth_apple.so) – for some reason, this line is missing in the <IfDefine MACOSXSERVER> block so I added it there:

LoadModule auth_basic_module libexec/apache2/mod_auth_basic.so

Then I inserted this into /etc/apache2/sites/0000_any_80_.conf:

<Directory "/Library/Server/Web/Data/Sites/Default/secret">
    Order allow,deny
    Allow from all
    AuthName "Secret stuff"
    AuthType Basic
    AuthUserFile /dev/null
    AuthBasicAuthoritative Off
    Require valid-user
</Directory>

Instead of "valid-user", you could also limit access by group name:

Require group "dcxadmin"

After an Apache restart (sudo /usr/sbin/apachectl restart), everything worked as expected: I was able to access the password-protected directory with a test user account created in Server App.
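
Basic authentication sends the account name and password merely base64-encoded on every request, and the block above sits in the port 80 site file, so directory passwords would cross the network unencrypted. The following variant is an added example, not part of the original post: it redirects the path to HTTPS in the plain-HTTP site and applies the same authentication directives in the SSL-enabled site, with mod_ssl's SSLRequireSSL refusing any non-TLS request. Assumptions: mod_ssl and mod_alias are loaded, an SSL-enabled site serves the same document root, the directory is reachable as /secret, and server.example.com is a placeholder host name.

```apache
# Added example, not from the original post.

# --- In the plain-HTTP site (/etc/apache2/sites/0000_any_80_.conf) ---
# Send requests for the protected path to HTTPS, so the Basic challenge
# is never issued over port 80.
# Assumptions: URL path /secret, placeholder host server.example.com.
Redirect permanent /secret https://server.example.com/secret

# --- In the SSL-enabled site (assumed to exist; file name depends on your setup) ---
<Directory "/Library/Server/Web/Data/Sites/Default/secret">
    # Access check runs before authentication: a non-TLS request gets
    # 403 Forbidden instead of a 401 password prompt.
    SSLRequireSSL

    Order allow,deny
    Allow from all

    # Same authentication directives as in the post
    AuthName "Secret stuff"
    AuthType Basic
    AuthUserFile /dev/null
    AuthBasicAuthoritative Off
    Require valid-user
</Directory>
```

Run apachectl configtest before restarting to catch syntax errors or a missing module.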

[Update 2013-02-14: Alvaro Miranda points out an even easier way – OSX Server https with password page.]