At the end where you have

return FORBIDDEN if ($encrypt_passwd ne $glas_password);
[download]

you should have

if ($encrypt_passwd ne $glas_password) {
    $r->note_basic_auth_failure;
    $r->log_reason("Invalid password", $r->filename);
    return AUTH_REQUIRED;
}
[download]

Returning FORBIDDEN tells the client that their credentials are valid (ie. they entered a valid username/password combination) but that they aren't allowed to access this resource.

I suggest you take a quick look at the difference between PerlAuthenHandler and PerlAuthzHandler. As I mentioned earlier in this thread, you shouldn't use FORBIDDEN in a PerlAuthenHandler.

I know what you mean about the HTTP spec, I've been meaning to read it thoroughly for the past 6 years, but it's too scary :-)