Change response.setStatus
to response.sendError
@Override
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
response.sendError(HttpServletResponse.SC_FORBIDDEN);
return false;
}
This actually issues an error (rather than just stating it) - and forces Tomcat to use the error location as defined in the web.xml
As stated in the HttpServletResponse#setStatus(int) javadoc
If this method [setStatus] is used to set an error code, then the container's error page mechanism will not be triggered. If there is an error and the caller wishes to invoke an error page defined in the web application, then sendError(int, java.lang.String) must be used instead.