Can you try this (it's an idea, untested):
There's two steps:
In tomcat, you can specify what error page to show in case of an error (in web.xml).
Apache has a custom
response taglib, that can send errors.
If you write a
jsp, say 401.jsp, that contains the setstatus tag
And, In web.xml
You are actually sending a 403: SC_FORBIDDEN instead of 401: SC_UNAUTHORIZED
Maybe you don't need the taglib, but can just use
Let me know if it worked.
Regards, Jan