The documentation is listed here.
App Engine does not support custom security roles () or alternative authentication mechanisms () in the deployment descriptor. Security restrictions apply to static files as well as to servlets.
This way, you do not go away with many others, and then work on coding with ACLs into your application manually, and this depends on the application.