Yes, but you're then making the authorization layer inseparable from your applicative layer, and hence you loose the interest of using separate handlers.
It's pretty hard to truly separate these things. Nobody wants to use basic auth, which means there is a need for forms and handlers. Then you have to keep that information in either cookies or URLs, and there is usually a need to talk to an external data database with a site-specific schema. The result is that plug and play auth schemes only work (unmodified) for the simplest sites.
- Perrin
