1. I'm using CGI::Application, which requires you NEVER TO PRINT TO STDOUT. You return your header properties and HTML from a subroutine, which CGI::Application intercepts and prints to stdout. This means I had to read the entire file into a variable, set the mime-type, and then "return" it.
2. Byte-serving (page-at-a-time downloading) of PDFs wouldn't be implemented. This bugged me, but wasn't killer (even though I have a vast amount of large PDFs that we're managing). I could always adapt a script made by adobe to fix this.

Everything was working beautifully- docs on the filesystem were secure, things were humming along.

I started testing- downloading large PDFs (some 4 meg +). It took a little while (no byteserving, you know) but this wasn't a huge issue. Still, something didn't feel quite right about this system.

Then I looked at my HTTPD processes. Some were over 50 meg in size! Oof! This was because I had to slurp the file in and return it, and I'm programming in a persistent mod_perl environment.

Needless to say, I ditched the above system and wrote a mod_perl handler (my first serious one) to take care of access control based on my security system. Now I have byte-serving, sanely-sized HTTPD processes, and a much better solution overall.

When looking at the project at it's start, my intial thought was to write a mod_perl handler or use something like Apache::AuthzDBI, but I dismissed these because I didn't feel comfortable enough in mod_perl using anything beyond Apache::Registry. This was wrong, very wrong. The amount of time I took writing and rewriting was much more than if I had figured out Apache:AuthzDBI.

So, the moral of the story? Use the fruit of OTHER people's labors. Figure out what modules there are that solve your problems and use them. Hand-roll as an academic exercise, or if you absolutely have to.