2

I'm making a Java web app on Google App Engine.

Do I need to roll my own brute force protection for my login system - since I'm not using Google Accounts for the user accounts in my system?

Or are there built-in features that make it easier or don't require me to do everything from scratch?

Jonathan

1 Answer

2

If you're doing authentication yourself, there's no way for App Engine to know what you're providing is a signin form, as opposed to anything else, so there's no way for it to protect against brute-forcing attempts. As a result, you'll have to implement it yourself.

As an alternative to Google accounts, though, you should consider the built-in OpenID support. Give serious thought to using one or the other - your users are likely to be ill-served if you insist they create yet another account from scratch just for your site.

Nick Johnson
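
One way to implement the throttling the answer says you must build yourself, as an added example that is not part of the original answer or of App Engine. The class name `LoginThrottle`, the thresholds and the sample account are assumptions, and the in-memory map stands in for a store shared by all instances of the app.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Added example: per-key failed-login throttle with exponential lockout. */
public class LoginThrottle {
    private static final int FREE_ATTEMPTS = 5;          // failures allowed before any lockout
    private static final long BASE_LOCK_MS = 30_000L;    // first lockout lasts 30 s
    private static final long MAX_LOCK_MS = 3_600_000L;  // lockouts are capped at 1 h

    private static final class State { int failures; long lockedUntil; }

    // Assumption: a single JVM. With several instances this state must live in a shared store.
    private final Map<String, State> states = new ConcurrentHashMap<>();

    /** Call before checking the password; false means reject without checking it. */
    public boolean isAllowed(String key, long nowMs) {
        State s = states.get(key);
        if (s == null) return true;
        synchronized (s) { return nowMs >= s.lockedUntil; }
    }

    /** Call after a wrong password; returns the time until which the key is locked. */
    public long recordFailure(String key, long nowMs) {
        State s = states.computeIfAbsent(key, k -> new State());
        synchronized (s) {
            s.failures++;
            int over = s.failures - FREE_ATTEMPTS;
            if (over >= 0) {
                // Double the lockout for each failure past the threshold, up to the cap.
                long lock = Math.min(MAX_LOCK_MS, BASE_LOCK_MS << Math.min(over, 20));
                s.lockedUntil = nowMs + lock;
            }
            return s.lockedUntil;
        }
    }

    /** Call after a successful login to clear the counter. */
    public void recordSuccess(String key) { states.remove(key); }

    public static void main(String[] args) {
        LoginThrottle t = new LoginThrottle();
        String key = "alice@example.com";              // constructed sample account name
        long now = 0L;
        for (int i = 1; i <= 7; i++) {
            boolean allowed = t.isAllowed(key, now);
            if (allowed) t.recordFailure(key, now);    // simulate a wrong password
            System.out.printf("t=%ds attempt %d allowed=%b%n", now / 1000, i, allowed);
            now += 10_000L;                            // next attempt arrives 10 s later
        }
    }
}
```

Keying the throttle on the account name and, separately, on the client address limits both repeated guesses against one account and one address cycling through many accounts.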