I have a web application that consists in part of a collection of static files my users can download. I have my own application logic that needs to control who can download which file. So it occurs to me that I could potentially create a mod_perl handler (maybe Fixup ??) that could intercept the request and accept or reject it - if it's accepted it would simply pass to the ordinary Apache mechanisms for the actual file download.
It also occurs to me that I could write a ContentHandler and do the entire thing myself: send an error code if the user does not have access, or open and write out the file if they do, after adding the appropriate headers (Content-type, Content-disposition etc).
My questions are: is the first approach I outlined even possible? Are there any marked advantages to either approach?
Update: I should point out that I am not using native HTTP authentication here - my notion of "who" is also application-specific.