http://www.perlmonks.org?node_id=1029365


in reply to CGI server module?

IMHO, if it ain't broke, don't fix it. Then again some things need to be broken just so you can fix them. :-)

I'm not sure what you mean by "call them" but if you mean dispatch the browser to them then I'd suggest a redirect which is part of CGI.

If you really insist on refactoring those complex CGI scripts then turn them into modules that you reference from your centralized script.

Another way to look at this: Your goal here appears to be providing logging/auditing and a single sign on. Bravo. But why do you need to centralize everything into one script (as implied by your post)? No need of that. Here are some steps I'd proceed along:

Whatever your implementation for authentication is using (e.g. LDAP, relational database, Active Directory, /etc/password, .htaccess.. whatever) make sure you generate a session ID for tracking purposes. Make sure you have a timeout function for those who sign in and then leave their browser unattended.

    create table session (
        session_id   integer      not null primary key,
        session_key  varchar(128) not null,
        userid       varchar(10)  not null,
        session_time bigint       not null -- or whatever
    );
    create index session_index on session(session_key,userid);

There's a sample of a session table in a database that can be referenced by a Perl script to determine if a session has timed out. It goes something like this:

    #
    # when a submit happens check session time
    use strict;
    use warnings;
    use CGI;
    use CGI::Carp;
    use DBI;

    # Idle timeout in seconds (assumed value; the post does not give one)
    use constant SESSION_TIMEOUT => 15 * 60;

    my $cgi = CGI->new;
    my $dbh = DBI->connect('DBI:{driver}:{params}','userid','password')
        or die "Failed to connect to database: " . $DBI::errstr;

    # Send the browser to the login page and stop; without the exit the
    # rest of the script would still run after the redirect is printed
    sub force_login {
        print $cgi->redirect('/cgi-bin/login.cgi');
        exit;
    }

    my $key = $cgi->param('session_key');
    #
    # Force a login if no session key is present
    force_login() unless $key;

    # Retrieve session info
    my $sth = $dbh->prepare('select userid,session_time from session where session_key = ?')
        or die $dbh->errstr;
    $sth->execute($key);
    my ($userid,$session_time) = $sth->fetchrow_array();
    #
    # Empty results?  Session is invalid
    force_login() unless ($userid) && ($session_time);

    my $now = time;
    my $passing = $now - $session_time;
    # Check to see if the session has timed out
    if ( $passing > SESSION_TIMEOUT ) {
        # timeout happened; invalidate the session
        $sth = $dbh->prepare('delete from session where session_key = ?')
            or die $dbh->errstr;
        $sth->execute($key);
        force_login();
    }
    #
    # Session is valid, update the time stamp for this session only
    $sth = $dbh->prepare('update session set session_time = ? where session_key = ?')
        or die $dbh->errstr;
    $sth->execute($now, $key);
    #
    # and proceed on

I'd make that code a method within a module that the rest of your code can get to.

The other method you'd want to create in your module that checks sessions is a create_session method which generates a string [a-z0-9A-Z] which becomes your session_key.

With all that in place each of your sub-components can now validate accesses against your authentication method without having to reauthenticate.

Another piece of the puzzle would be logging for audit purposes. I'd create a singleton module to handle logging for consistency. One thought would be to log to a database but certainly a flat file would work. The one reason I'd consider a database is so you could create a web application with search abilities to audit activity.

I think I've given you enough to chew on, but there's some thoughts for you.


Peter L. Berghold -- Unix Professional
Peter -at- Berghold -dot- Net; AOL IM redcowdawg Yahoo IM: blue_cowdawg
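
One way to write the create_session method mentioned in the reply above, as an added example that is not part of the original post. It draws the [a-z0-9A-Z] key from the kernel CSPRNG rather than rand(); the helper names, the 32-character length, the use of /dev/urandom and a database-assigned session_id are assumptions.

```perl
use strict;
use warnings;

# Alphabet from the post: [a-z0-9A-Z], 62 symbols.
my @ALPHABET = ('a'..'z', '0'..'9', 'A'..'Z');

# Return $len characters drawn uniformly from @ALPHABET using the kernel CSPRNG.
# Assumption: a Unix-like host where /dev/urandom exists.
sub generate_session_key {
    my ($len) = @_;
    $len ||= 32;    # 32 chars * log2(62) is roughly 190 bits
    open(my $fh, '<:raw', '/dev/urandom') or die "Cannot open /dev/urandom: $!";
    my $key = '';
    while (length($key) < $len) {
        my $got = read($fh, my $buf, 64);
        die "Short read from /dev/urandom" unless $got;
        for my $byte (unpack('C*', $buf)) {
            # Rejection sampling: 248 = 4 * 62, so bytes 248..255 are discarded
            # to keep every symbol equally likely (no modulo bias).
            next if $byte >= 248;
            $key .= $ALPHABET[$byte % 62];
            last if length($key) == $len;
        }
    }
    close($fh);
    return $key;
}

# Hypothetical create_session: stores the key in the post's session table.
# Assumption: session_id is assigned by the database (sequence/identity column).
sub create_session {
    my ($dbh, $userid) = @_;
    my $key = generate_session_key(32);
    my $sth = $dbh->prepare(
        'insert into session (session_key, userid, session_time) values (?, ?, ?)')
        or die $dbh->errstr;
    $sth->execute($key, $userid, time) or die $sth->errstr;
    return $key;
}

# Stand-alone check of the generator (no database needed).
my $sample = generate_session_key(32);
die "unexpected key format" unless $sample =~ /\A[a-zA-Z0-9]{32}\z/;
print "sample key length: ", length($sample), "\n";
```

Call create_session only after the user has authenticated, so that a key supplied by the browser before login is never promoted to a valid session.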