I could, but that means Apache authentication wouldn't work right (since it always throws a 401). I added something to add another mod_python directive that indicates if a location is protected, and redirect if it is and the user isn't logged in; that does work, but doesn't feel right to me. Also, I would like for there to be a single protocol for requiring authentication, and 401 kind of is that protocol. Though I suppose I could add something like a special environmental variable, and make applications redirect to the URL given in that variable if they require login.
There might also be a handler that I'm missing that could rewrite the status of the response.