I just faced the same problem, after updating to 4.0.5 from 4.0.3sp1.
It seems that BASIC authentication has been changed so that the prompt now is triggered after the error page, i.e. when an error page is configured there is no prompt anymore..
(I assume your 404 error code was due to not finding the 401.html)
<error-page> <error-code>401</error-code> /error/401.html </error-page>
it works again (at least for me..)..
Perhaps JBoss might want to comment on this? I´d say it´s not possible anymore (4.0.5) to define a 401-error page when having BASIC authentication (which worked with 4.0.3sp1 - i haven´t tried 4.0.4..)