You can find out all about HTTP authentication in RFC 2617. You can find the user's authentication info in the HTTP header fields of their request after your "Unauthorized" response status.

CGI.pm has an http() function which should allow you to grab arbitrary headers from the request.