I am not sure it is what you want but in the http://www.jboss.org/mod_cluster/native/config.html in the example of VirtualHost you have:
<VirtualHost 10.33.144.3:6666> <Directory /> Order deny,allow Deny from all Allow from 10.33.144. </Directory>
In the Allow from just put the list of box IPs you want httpd to receive (space separated IPs).
I thought AdvertiseSecurityKey would do the trick. Thought it was kind of a password for joining the cluster. Didn't work!
This is noted in the "Current Limitations" section of the project home page.
The AdvertiseSecurityKey would prevent unwanted httpd instances from adding themselves to the set of proxies the java side knows about, but not the opposite.
Won't configuring SSL appropriate client certificates on the java servers do what you want?