Role-name * means that you want your users to be logged in to access the resource :
If the authorization constraint specifies a user role of *, then any users signed in with a Google Account can access the URL
https://developers.google.com/appengine/docs/java/config/webxml?hl=FR#Security_and_Authentication
If you want test.html to be available to anyone, its URI must not be in the scope of any <security-constraint>
.