Customzied 401 Not Authorized Error Page in Tomcat

By default, if the user cancels login or gives the wrong password 3 times, they'll see Tomcat's ugly error page. You'd like to use your own customized page, so you add something like:
But this doesn't work. The user will see your customized page, but they never get asked to log in!

The problem is that 401 is both the signal that authorization failed, AND the signal for the browser to ask for your username and password. When you add your own error page for this, the 401 doesn't get sent back.

The solution is to add these lines near the top of your 401.jsp:

response.addHeader("WWW-Authenticate", "BASIC realm=\"My Web Site\"");
(For the "realm", use the value that's in your web.xml file.)

See for more details.