I'd like to suggest that the HTTP attribute "Authorization" is added to the ones captured for -http mode and forwarded as HTTP_AUTHORIZATION. Doing so is in line with CGI 1.1 to support basic authorization in the cgi scripting. This otherwise requires me to rewrite the full HTTP service.
For convenience I've attached a patch doing this on 10.6.3 (2015-03-10).
Alternatively, I'd be happy with a callback solution to allow the front-end server handle the authorization. This maybe is preferrable, but probably involves more coding(?), and significant documentation.
Thanks Ralph, added here: http://www.newlisp.org/downloads/development/inprogress/