I've found the solution. The problem was silly, because while accessing /api/auth/login I was adding "Authentication" header. Because there was incorrect authentication data, CustomAuthenticationFilter was throwing exception and I got unauthorized. Sending request without "Authorization" header fixed problem. Of course for secured endpoints this header is required.