The reason for the "401 Unauthenticated" response is that the user is not considered logged in. As far as I can tell , this is session based and would require cookies to work.
To add cookies to the above curl commands would enable the calls, for example

curl -v --cookie-jar newcookies.txt -H "Accept: application/json" -H "Content-type: application/json" -X POST http://localhost:8080/todo-server/auth/login -d '{"username":"john","password":"123"}'

curl -v --cookie newcookies.txt -H "Accept: application/json" -H "Content-type: application/json" --header "Auth-Token: 5a4cf8a0-3c90-4225-8e70-49c76387ed7f" -X GET http://localhost:8080/todo-server/tags

This works even without the "Auth-Token" header. I'm not exactly sure what this token represents to be honest. But if a header is passed it needs to be specified as a parameter on the route, param("Auth-Token") and also handled in some way.

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira