Malte, well the example is sort of right there in the code. The site_node_authorize proc will check permissions per site node. The site node proc only checks read permissions. For WebDAV, for example, we check the HTTP Method and decide what permission is required for each method.
This is a adaptation of the code I created to use HTTP authenticaiton for RSS feeds, so yes, allowing it to work for arbitrary objects would work as long as you created an index.vuh or a registered procedure to handle that URL as well.
This code does set the ad_conn user_id if they are authenticated, so you can continue to process the request in the normal way, using the familiar OpenACS features.
