I was playing and searching around for how to exclude a URL from the security constraint in the web.xml file in App Engine. For my application everyone has to be authenticated to access anything in the application and I don't want to add every URL to the pattern. So my first security constraint is just the url-pattern to /* and the role-name to * too.

<security-constraint>
    <web-resource-collection>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
</security-constraint>

If you now want to exclude one or more URLs you just have to add another security-constraint and without the auth-constraint tag. This will exclude these URLs.

<security-constraint>
    <web-resource-collection>
        <url-pattern>/dataReceiverServlet</url-pattern>
    </web-resource-collection>
</security-constraint>