Just want to say that I do exactly what you're doing with C::A, i.e., put the DB connection in setup(), and authentication in cgi_prerun(). For authorization, my applications usually only have a few roles, so I usually just check some flags similar to authentication (e.g., is the admin flag set? The subclasses can decide which flag they want.)
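
The layout described in the post above, as an added example that is not part of the original post: the DB connection in setup(), authentication in cgi_prerun(), and a per-subclass role flag checked in the same hook. The package names, the sessions/users schema, the "sid" cookie and the APP_* environment variables are assumptions.

```perl
# Added illustration. Package names, the sessions/users schema, the "sid"
# cookie and the APP_* environment variables are assumptions.
package My::Base;
use strict;
use warnings;
use parent 'CGI::Application';
use DBI;

# Subclasses override this to name the flag a user must have set.
sub required_flag { return }    # undef: any authenticated user may proceed

sub setup {
    my $self = shift;
    # One DB handle per request, opened in setup() as in the post.
    $self->param(dbh => DBI->connect(@ENV{qw(APP_DSN APP_DB_USER APP_DB_PASS)},
        { RaiseError => 1, AutoCommit => 1 }));
    $self->start_mode('home');
    $self->run_modes([qw(home login forbidden)]);
}

sub cgi_prerun {
    my ($self, $run_mode) = @_;
    return if $run_mode eq 'login';    # the login form must stay reachable
    # Authentication: resolve the session cookie with bound parameters.
    my $sid  = $self->query->cookie('sid');
    my $user = defined $sid && $self->param('dbh')->selectrow_hashref(
        'SELECT u.login, u.is_admin, u.is_editor FROM sessions s
           JOIN users u ON u.id = s.user_id
          WHERE s.id = ? AND s.expires_at > ?', undef, $sid, time);
    return $self->prerun_mode('login') unless $user;
    $self->param(user => $user);
    # Authorization: fail closed if the flag is unset or not a selected column.
    my $flag = $self->required_flag;
    $self->prerun_mode('forbidden') if defined $flag && !$user->{$flag};
}

sub teardown  { my $dbh = $_[0]->param('dbh'); $dbh->disconnect if $dbh }
sub home      { 'Hello, ' . $_[0]->query->escapeHTML($_[0]->param('user')->{login}) }
sub login     { 'Login form goes here (credential check not shown)' }
sub forbidden { $_[0]->header_add(-status => '403 Forbidden'); 'Forbidden' }

# A subclass only states which flag it needs; the check stays in the base class.
package My::Admin;
use parent -norequire, 'My::Base';
sub required_flag { 'is_admin' }

package main;
My::Admin->new->run unless caller;
```

Because the flag name is only ever used as a hash key on the fetched row, a subclass that names an unknown flag is denied rather than allowed.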