Customizing 403 error pages on AEMaaCS Publish?

We are implementing authentication on our AEMaaCS website. We have created a custom Authentication Handler, and have login working correctly.

Our login is unique and we needed to roll our own implementation, with an integration to our in-house user group and permissions service.  Within our authentication handler, we are checking if the user's permissions (coming from a 3rd party integration) matches the permissions demanded by the page.  If they do, we return a valid auth result and let the user view the page.  If they don't, we set the response code to a 403 and do not allow the user to view the contents.

In the event that a user does not have permissions to a page, we are sending back a 403 status code.  This results in a default 403 error page being shown.

How can we customize the 403 behavior such that:

• The URL is preserved.  For instance, if the user accesses /content/mysite/home/protected-page.html via mysite.com/protected-page (we use sling mappings to shorten urls and remove html extensions), we need to keep the user on mysite.com/protected-page but show an error.
• The response contains a 403 status code
• The page contents contains the output of another page in our website.  For instance, we store a content authorable 403 page at /content/mysite/error-pages/403.html.  When the user access mysite.com/protected-page, and encounters a 403 error, we need to show the contents of the /content/mysite/error-pages/403.html resource.

Is there a customization we can make in the Dispatcher to pull this off, or do we need to implement java code?

Thanks!