worked fine without cookies on the old TODO app

A test... without headers... should return 401

curl -3 -v -H "Accept: application/json" -H "Content-type: application/json" -X GET https://todoauth-aerogear.rhcloud.com/todo-server/tags

OK ==> get a 401

Now, a LOGIN:

curl -3 -v -H "Accept: application/json" -H "Content-type: application/json" -X POST https://todoauth-aerogear.rhcloud.com/todo-server/auth/login -d '{"username":"john","password":"123"}'

NOW, use the Auth-Token header (returned on the response of the login):

curl -3 -v -H "Accept: application/json" -H "Content-type: application/json" --header "Auth-Token: 1bca2a61-dd81-48d4-8048-70658c0567aa" -X GET https://todoauth-aerogear.rhcloud.com/todo-server/tags

===> 200 code (without cookies as well)
