Restrictive routing best practices for Google App Engine with Python?

Posted by Aleksandr Makov on Programmers
Published on 2013-06-28T13:45:21Z Indexed on 2013/06/28 16:29 UTC

Say I have a simple structure:

import webapp2

app = webapp2.WSGIApplication([
    (r'/', 'pages.login'),
    (r'/profile', 'pages.profile'),
    (r'/dashboard', 'pages.dash'),
], debug=True)

Basically, all pages require authentication except for the login. If a visitor tries to reach a restricted page and he isn't authorized (or lacks privileges), then he gets redirected to the login view.

The question is about the routing design. Should I check the auth and ACL privs in each of the modules (pages.profile and pages.dash from the example above), or just pass all requests through a single routing mechanism:

app = webapp2.WSGIApplication([
    (r'/', 'pages.login'),
    (r'/.+', 'router')
], debug=True)

I'm still quite new to GAE, but my app requires authentication as well as ACL. I'm aware that there's a login directive at the server config level, but I don't know how it works or how I can tie it in with my ACL logic, and what's worse, I cannot estimate the time needed to get it running. Besides, it looks to provide only 2 user groups: admin and user.

In any case, that's the configuration I use:

handlers:
- url: /favicon.ico
  static_files: static/favicon.ico
  upload: static/favicon.ico
- url: /static/*
  static_dir: static
- url: .*
  script: main.app
  secure: always

Or am I missing something here, and ACL can be set in the config file? Thanks.
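
An added example, not part of the original post: one way to build the second option, with a deny-by-default ACL enforced at a single WSGI choke point wrapped around the whole app. The `ACL` table, the role names and the `app.role` environ key (assumed to be set by a session layer) are hypothetical, and an authenticated user lacking the required role gets a 403 here instead of the login redirect.

```python
import re

LOGIN_PATH = "/"
ROLE_KEY = "app.role"  # assumption: a session layer stores the role here

# Ordered (pattern, allowed roles). A path matching no entry is denied.
ACL = [
    (re.compile(r"/profile"), {"user", "manager", "admin"}),
    (re.compile(r"/dashboard"), {"manager", "admin"}),
]

def decide(path, role):
    """Return 'allow', 'login' (not authenticated) or 'forbidden'."""
    if path == LOGIN_PATH:
        return "allow"                       # the only public page
    if role is None:
        return "login"
    for pattern, roles in ACL:
        if pattern.fullmatch(path):          # whole path, no prefix matches
            return "allow" if role in roles else "forbidden"
    return "forbidden"                       # unlisted route: fail closed

class AclMiddleware(object):
    """Wraps any WSGI app, e.g. a webapp2.WSGIApplication."""
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        verdict = decide(environ.get("PATH_INFO", "/"), environ.get(ROLE_KEY))
        if verdict == "allow":
            return self.app(environ, start_response)
        if verdict == "login":
            start_response("302 Found", [("Location", LOGIN_PATH)])
        else:
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b""]

def demo_app(environ, start_response):       # stand-in for the real handlers
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]

def status_for(path, role=None):
    """Send one constructed request through the wrapped app."""
    seen = []
    environ = {"PATH_INFO": path, "REQUEST_METHOD": "GET"}
    if role:
        environ[ROLE_KEY] = role
    AclMiddleware(demo_app)(environ, lambda status, headers: seen.append(status))
    return seen[0]
```

Because the check runs before dispatch, a handler added later without an `ACL` entry is unreachable until someone grants access to it explicitly.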
