For non-catalyst apps, I'd recommend CGI::Application::Plugin::Authorization. It kind of assumes you're also using CGI::Application::Plugin::Authentication.