Once upon a time there was a project that required a PerlAccessHandler and form-based login. This project lived in the land of mod_perl, so it lived a happy life, with a setup something like:
<Location /not-protected> PerlHandler Apache::Registry SetHandler perl-script Options +ExecCGI </Location> <Location /requireslogin> PerlAccessHandler My::EnforceLogin ErrorDocument 403 /not-protected/login.pl?rm=Bounce PerlHandler Apache::Registry SetHandler perl-script Options +ExecCGI </Location> (/not-protected/login.pl is a CGI::Application-based script, which is why I'm using Apache::Registry) This solution worked fine, and the project was a happy creature. Then one day the project decided to expand to include a second layer of authorization. Now users fell into three groups: No requirements, login required, and logged-in-as-confirmed user. (Any logged in user can become a confirmed user (a one time process) by going through a series of steps, held at, say, /requireslogin/confirm.pl. Thus, you must be logged in before I can check that you are confirmed, but a logged in user may or may not be a confirmed user) I, as caretaker for the innocent little (if growing) project, wanted to add a second access handler. The thought was that /requiresconfirm/ could use the same My::EnforceLogin as /requireslogin/ as well as My::EnforceConfirm. The ErrorDocument would bounce the user to /requireslogin/confirm.pl, and if they weren't logged in, it in turn would bounce them to /not-protected/login.pl I thought this a solid and clever answer, with nice modular little bits, and full code reuse. Sadly, I am not as clever as I thought (again), because a 403 on a 403 (as happens if a non-logged-in user tries to access /requiresconfirm/) doesn't bounce twice but drops to the generic handler. So now I have a few options, and I'm not sure what is the best way to go about this. I've tried using an AuthenHandler with a different ErrorDocument to handle it, but AUTH_REQUIRED began negotiations with th e browser -- undesirable. I could make my handlers do internal redirects (a new task for me). I could do external redirects. I could ask you folks if what I originally intended can work just fine with some minor magic change. OR I could just toss code reuse out and make My::BloatedandRepetativeHandler to check for both. The Cookbook and the Eagle book, so far as I've discovered, don't cover cascading errordocuments. (at least in the Auth* chapters) So I thought I'd check -- I can't be the first (or 1000th) to have this issue, how is it normally handled?