Also, I think it's better to return DECLINED from your Access handler if you're not returning FORBIDDEN, rather than OK, since there may be other handlers that need to work on the request. And if not now, maybe in the future.
all access handlers run so long as everyone returns an Apache success code (OK or DECLINED). it's the authentication and authorization phases that terminate on OK.
--Geoff
