I'm still pretty sure that there should be a way to, from a mod_perl2 handler, "pretend" to be Apache starting up a cgi script and then have the output available for further processing.

I'm not following. Why can't you "pre-empt" the access and authentication? A mod_perl access handler can run for static files, CGI scripts, PHP, etc. It's a standard phase provided by the web server.

I think you are overestimating how easy it is to do your own CGI. You can try copying some code from one of the perld HTTP daemons on CPAN, but there's a lot to deal with in terms of proper error handling and security. Better to let mod_cgi do it if you can.

Hmmm... I'll have to ponder that. My original plan had been to use my existing framework only, for the cgi bits, hand the processing off to a "CGI masquerade" module, rather than needing to also do a separate access / authentication that is also used for the CGI-ish bits.

I was thinking that there should be a way for me to run through mod_cgi directly from inside my handler rather than needing to let Apache do the mod_cgi processing. Also, I'd prefer to keep from exposing the .cgi scripts to the outside world.

What you suggest is definitely an interesting approach and I hadn't thought of doing it that way. I'll need to investigate a little bit in how to do the access/authentication as well as building an output filter.

I haven't finished all the bits that I need, but it's definitely turning out to be significantly easier to do this as you suggested than I had originally feared. And, yes, this is mod_perl2, so I can do an output filter.

For anyone else who cares, relevant code (and otherwise) fragments: (Names have been changed to protect the guilty...)

httpd.conf

PerlModule Foo::FooAuth
PerlModule Foo::FooFilter
<Location /foo/cgi-bin/foo.cgi>
    PerlOutputFilterHandler Foo::FooFilter
    PerlAuthenHandler Foo::FooAuth

    require valid-user
</Location>
[download]

package Foo::FooAuth;

use strict;

use Apache2::Const qw(:common);

use Foo::AuthAux; # Provides whoami - uses a cookie set elsewhere

sub handler {
    my $r = shift;

    my $user = whoami($r);
    unless ($user) {
        $r->note_basic_auth_failure;
        return AUTH_REQUIRED;
    }
    $r->user($user);

    $r->subprocess_env(FOO => "bar+$user");

    return OK;
}

1;
[download]

package Foo::FooFilter;

use strict;


use Apache2::Filter;
use Apache2::Const qw(:common);
use Apache2::Request;

use HTML::Template;

use Foo::Config;  # Provides $TMPL_PATH below
use Foo::Auth;
use Foo::AuthAux;  # Provides whoami below

my $BUFF_LEN = 8192;

sub handler {
    my $f = shift;
    my $r = $f->r;

    my $fullbuf;

    while ($f->read(my $buf, $BUFF_LEN)) {
        $fullbuf .= $buf;
    }

    my $tmpl = HTML::Template->new(scalarref => \$fullbuf,
                                   path => $TMPL_PATH,
                                   die_on_bad_params => 0,
                                  );

    my $user = whoami($r);
    my $userinfo = ISPNET::Auth::userinfo($user);

    $tmpl->param(_user => $user,
                 _logo => $userinfo->{logo},
                 _logo_alt => $userinfo->{logo_alt},
# Set _home (would be $ENV{SCRIPT_NAME})...
                );

    $f->print($tmpl->output);

    return OK;
}

1;
[download]

I'm still debating where to put the .cgi scripts (in the filesystem) and have to figure out how to reference them from elsewhere (which will be used to adjust the $tmpl->param(_home => ...) bits, but otherwise, it seems to be working nicely.