I use the same approach (a decorator on selected URL links). The login form is just a normal Kid-generated form. The backend is done through SQLObject on a Postgres database.
I don't need the generic infrastructure like MultiAuth (LDAP/AD, etc.). The issue I have seen so far with this kind of form-based authentication is when I use JSON/AJAX (like the MochiKit ajax_table example). If I protect that link with login, there is a slim chance that what MochiKit receives is HTML instead of JSON; this is possible, for example, when the session has expired (thus a relogin is needed). Of course, the AJAX JS code can be enhanced to deal with this.
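
The client-side check described above, as an added example that is not part of the original post: it decides whether a reply to a JSON request is the expected data or the login page served after session expiry. The function name, return shape and sample replies are assumptions constructed for illustration.

```javascript
// Added example (hypothetical helper, not MochiKit or TurboGears code).
// Takes the raw pieces of an AJAX reply and returns one of:
//   { kind: "json", data }       the expected payload
//   { kind: "login_required" }   session expired, login form came back
//   { kind: "error", reason }    anything else
function classifyAjaxResponse(status, contentType, body) {
  // Drop parameters such as "; charset=utf-8" before comparing.
  const type = (contentType || "").split(";")[0].trim().toLowerCase();
  const text = (body || "").trim();

  // An explicit authentication failure from the server.
  if (status === 401 || status === 403) {
    return { kind: "login_required" };
  }
  if (status < 200 || status >= 300) {
    return { kind: "error", reason: "http_" + status };
  }

  // A 2xx HTML page where JSON was requested: the protected URL
  // answered with the login form instead of data.
  if (type === "text/html" || type === "application/xhtml+xml") {
    return { kind: "login_required" };
  }

  // Parse strictly. JSON.parse never executes the body, unlike eval(),
  // so an unexpected page cannot run as script in the caller's context.
  try {
    return { kind: "json", data: JSON.parse(text) };
  } catch (e) {
    // Mislabelled content type but markup in the body: still a login page.
    if (text.startsWith("<")) {
      return { kind: "login_required" };
    }
    return { kind: "error", reason: "malformed_json" };
  }
}

// Constructed sample replies.
const okReply = classifyAjaxResponse(
  200, "application/json; charset=utf-8", '{"rows": [[1, "a"], [2, "b"]]}');
const expiredReply = classifyAjaxResponse(
  200, "text/html; charset=utf-8",
  "<html><body><form action='/login'></form></body></html>");
console.log(okReply.kind, expiredReply.kind);
```

On `login_required` the caller can show the login form and retry the request, rather than handing HTML to the table renderer.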

