httplib2 will only pass the credentials after a 401 response from the web server, after which the credentials should be sent in an Authorization: header.

I haven't tested this code (insert smiley) but I think this is the sort of thing you need. Basically your credentials won't be in the header if your server hasn't bounced a 401 back to your client (the client needs to know the realm to know what credentials to provide).

class MYREALM_securepage(webapp.RequestHandler):
  def get(self):
      if not 'Authorization' in self.request.headers:
          self.response.headers['WWW-Authenticate'] = 'Basic realm="MYREALM"'
          self.response.set_status(401)
          self.response.out.write("Authorization required")
      else:
          auth = self.request.headers['Authorization']
          (username, password) = base64.b64decode(auth.split(' ')[1]).split(':')
          # Check the username and password, and proceed ...

The credentials will appear in the Authorization header. The steps work like this:

1. Client makes a request to your app with no attempt at authorization
2. Server responds with a "401 Authorization Required" response, and the "WWW-Authenticate" header set to 'Basic realm="something"' (for basic auth).
3. Client responds with an Authorization header set appropriately (see below).

The exact content of the client's Authorization header in step 3 depends on the authorization method used. For HTTP Basic auth, it's the base64-encoded user credentials - see here. For HTTP digest auth, both the server's header and the response from the client are a bit more complicated - see here.