We have a web app written in PL/SQL (stored procedures in an Oracle database). We use Apache and mod_owa (a variant on the mod_plsql theme) as HTTP glue. Currently we're on Apache 2.2, but upgrading to 2.4 would be an option.

Our app handles security itself (our own tables of users and roles); like all web apps, logged in users get a cookie. For the sake of this discussion, let's assume our app runs under www.my.com/app

Now we want to be able to serve some ordinary files using Apache to authenticated users (registration of downloads basically). Again, for the sake of discussion, assume that files are served from www.my.com/file

How can we integrate this with Apache's authentication? Functionally, a user logged in to our app should be able to download a file without logging in again elsewhere. Conversely, someone who isn't logged in trying to download the file should be prompted to log in.

What's the best way to achieve this? The easiest way?

Thanks for any tips!