With new security requirements, all the JSON API's require authentication. Now all the URL's are restricted and can only be bypassed with authentication
Here are the list of JSON services that are now accessible with authentication
"/json/console/app/(:appId)/(~:appVersion)/builder/actions")*
"/json/console/app/(:appId)/(~:appVersion)/builder/binder/columns", method = RequestMethod.POST)*
"/json/console/app/(:appId)/(~:version)/datalist/list")*
"/json/console/app/(:appId)/(~:version)/datalist/options")*
"/json/console/app/(:appId)/(~:version)/envVariable/list")*
"/json/console/app/(:appId)/(~:version)/form/tableNameList")*
"/json/console/app/(:appId)/(~:version)/forms")*
"/json/console/app/(:appId)/(~:version)/forms/options")*
"/json/console/app/(:appId)/(~:version)/message/list")*
"/json/console/app/(:appId)/(~:version)/pluginDefault/list")*
"/json/console/app/(:appId)/(~:version)/userview/list")*
"/json/console/app/(:appId)/version/list")*
"/json/console/app/list")
"/json/console/monitor/activity/list")
"/json/console/monitor/completed/list")
"/json/console/monitor/logs/list")
"/json/console/monitor/running/list")
"/json/console/setting/message/list")
"/json/plugin/(:pluginName)/service")*
"/json/plugin/list")
"/json/plugin/listDefault")
"/json/plugin/listOsgi")
"/json/directory/user/sso")
"/json/workflow/currentUsername")