I want to setup the app engine dev server, so that it's available to other people for a preview.
What I'd really like to do before that is enable http authentication for any url served from that site. I don't want anyone to access the service without passing that stage. I could of course build my own http authentication into the app I'm developing, but that's not a perfect solution, because I don't need that feature when the app is deployed.
Is there any good way to solve it?
Are you using Java or Python?
If you're using Python, you can use existing WSGI middleware to handle HTTP basic auth. Here are some options:
Deploy the app to the appengine servers, but use a different app id than the one you will eventually use in production. That way you don't have to develop any extra authentication mechanism, and you don't have to worry about how well the dev app server will handle multiple users worth of load.
Don't make the dev_appserver publicly accessible. It's not designed for it, and it's not secure. To name just one problem, any visitor can go to yourhost/_ah/admin/ and mess with your datastore, and the auth suggestions by lost-theory won't prevent it.
If you absolutely must do this, set up Apache or another webserver as a reverse proxy, implementing authentication and blocking access to /_ah URLs. Peter's suggestion of deploying it to App Engine is a much better one, however.