Customized 401 Not Authorized Error Page in Tomcat

By default, if the user cancels login or gives the wrong password 3 times, they'll see Tomcat's ugly error page. You'd like to use your own customized page, so you add something like this to your web.xml:
<error-page>
  <error-code>401</error-code>
  <location>/errors/401.jsp</location>
</error-page>
But this doesn't work. The user will see your customized page, but they never get asked to log in!

The problem is that 401 is both the signal that authorization failed, AND the signal for the browser to ask for your username and password. When you add your own error page for this, the 401 doesn't get sent back.

The solution is to add these lines near the top of your 401.jsp:

<%
  response.addHeader("WWW-Authenticate", "BASIC realm=\"My Web Site\""); // challenge that makes the browser prompt
  response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);               // send the 401 status with the custom page
%>
(For the "realm", use the value that's in your web.xml file.)

See http://issues.apache.org/bugzilla/show_bug.cgi?id=13430 for more details.
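
To confirm that the customized page still triggers the login prompt, check what an unauthenticated request gets back. The following Python check is an added example, not part of the original post: the function names and the sample responses are constructed for illustration, and `probe()` takes whatever URL your protected resource lives at.

```python
import re
import urllib.error
import urllib.request

# Scheme names are case-insensitive; the realm is a quoted string.
BASIC = re.compile(r'\s*basic\s+realm="((?:[^"\\]|\\.)*)"', re.IGNORECASE)

def challenge_problems(status, www_auth_values, expected_realm):
    """Return the problems with a Basic auth challenge ([] means it is fine)."""
    problems = []
    if status != 401:
        problems.append(f"status is {status}, expected 401")
    if not www_auth_values:
        problems.append("no WWW-Authenticate header")
        return problems
    realms = [m.group(1) for m in map(BASIC.match, www_auth_values) if m]
    if not realms:
        problems.append(f"no Basic challenge in {www_auth_values!r}")
    elif expected_realm not in realms:
        problems.append(f"realm {realms[0]!r} differs from {expected_realm!r}")
    return problems

def probe(url, expected_realm):
    """Fetch url without credentials and check the challenge it returns."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            status, headers = resp.status, resp.headers
    except urllib.error.HTTPError as err:  # urllib raises on 401; it is still a response
        status, headers = err.code, err.headers
    return challenge_problems(status, headers.get_all("WWW-Authenticate"), expected_realm)

# Constructed sample responses (status, WWW-Authenticate values); not captured from Tomcat.
SAMPLES = {
    "custom page, no challenge": (200, []),
    "401.jsp with both lines added": (401, ['BASIC realm="My Web Site"']),
    "realm does not match web.xml": (401, ['Basic realm="Other"']),
}

def run_samples(expected_realm="My Web Site"):
    return {name: challenge_problems(s, h, expected_realm) for name, (s, h) in SAMPLES.items()}

if __name__ == "__main__":
    for name, problems in run_samples().items():
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

Run `probe()` against the deployed application after changing the error page; an empty list means the 401 status and the challenge header both reached the client with the realm from web.xml.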