mod_perl handler for file downloads: good call or bad

Errto has asked for the wisdom of the Perl Monks concerning the following question:

I have a web application that consists in part of a collection of static files my users can download. I have my own application logic that needs to control who can download which file. So it occurs to me that I could potentially create a mod_perl handler (maybe Fixup ??) that could intercept the request and accept or reject it - if it's accepted it would simply pass to the ordinary Apache mechanisms for the actual file download.

It also occurs to me that I could write a ContentHandler and do the entire thing myself: send an error code if the user does not have access, or open and write out the file if they do, after adding the appropriate headers (Content-type, Content-disposition etc).

My questions are: is the first approach I outlined even possible? Are there any marked advantages to either approach?

Cheers,

Update: I should point out that I am not using native HTTP authentication here - my notion of "who" is also application-specific.

Comment on mod_perl handler for file downloads: good call or bad

Replies are listed 'Best First'.
Re: mod_perl handler for file downloads: good call or bad by Fletch (Bishop) on Jun 20, 2007 at 16:20 UTC
Sounds more like you want an authorization handler (`PerlAuthzHandler`) which passes or forbids access.	[reply]
Re: mod_perl handler for file downloads: good call or bad by perrin (Chancellor) on Jun 20, 2007 at 17:31 UTC
If the site is popular, make sure you have a reverse proxy. Using mod_perl for large static file downloads will not go well. You can look at things like mod_auth_tkt which let you do the auth check on the proxy after logging in on mod_perl.	[reply]
Re: mod_perl handler for file downloads: good call or bad by clinton (Priest) on Jun 20, 2007 at 16:37 UTC
I second Fletch's recommendation of the PerlAuthzHandler. You COULD serve the files via mod_perl (using $r->sendfile($filename) ), but apache does it faster, so I would rather get out of the way and let it do its thing. Clint	[reply]
Re^2: mod_perl handler for file downloads: good call or bad by Errto (Vicar) on Jun 20, 2007 at 18:18 UTC
Sorry for not mentioning this in the OP, but I don't think I can use an Authz handler, because that seems to require using HTTP authentication, whereas I have my own mechanism for dealing with the "who" aspect.	[reply]
Re^3: mod_perl handler for file downloads: good call or bad by clinton (Priest) on Jun 20, 2007 at 18:24 UTC
You can do anything you like in the PerlAuthzHandler, including returning a login page - HTTP authentication is just how apache implements it by default Clint	[reply]
Re^4: mod_perl handler for file downloads: good call or bad by Errto (Vicar) on Jun 20, 2007 at 19:29 UTC
Re^5: mod_perl handler for file downloads: good call or bad by perrin (Chancellor) on Jun 20, 2007 at 21:24 UTC
Some notes below your chosen depth have not been shown here
Re^5: mod_perl handler for file downloads: good call or bad by clinton (Priest) on Jun 20, 2007 at 19:37 UTC