The FormLoginAuthenticator supports() responds with a true to an attempted json_login request when both have the same login route. Switching to /api/login for json_login fixes the issue, but both could conceivably share the same route if there was a content-type check in supports to either return false when the content was json or true for form data.
BTW - loving the simplicity of the new security code so far, great work!
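A sketch of the content-type check suggested above, as an added example that is not part of the original report and is not Symfony's own code. The function names and the `/login` path are hypothetical, the sample requests are constructed, and `str_ends_with` assumes PHP 8.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers (not Symfony's code): route-plus-content-type checks
// that let form_login and json_login share one login path.

/** Reduce a Content-Type header to its lowercase media type, dropping parameters. */
function mediaType(?string $contentType): string
{
    if ($contentType === null) {
        return '';
    }
    return strtolower(trim(explode(';', $contentType, 2)[0]));
}

function isJsonBody(?string $contentType): bool
{
    $type = mediaType($contentType);
    // Matches application/json and structured suffixes such as application/ld+json.
    return $type === 'application/json' || str_ends_with($type, '+json');
}

function isFormBody(?string $contentType): bool
{
    return in_array(mediaType($contentType),
        ['application/x-www-form-urlencoded', 'multipart/form-data'], true);
}

/** Which authenticator should claim the request: 'form', 'json', or null. */
function claimingAuthenticator(string $method, string $path, ?string $contentType, string $loginPath = '/login'): ?string
{
    if (strtoupper($method) !== 'POST' || $path !== $loginPath) {
        return null;
    }
    if (isJsonBody($contentType)) {
        return 'json';
    }
    // Anything that is neither JSON nor a form encoding is left unclaimed,
    // so a missing or unexpected Content-Type never reaches the form handler.
    return isFormBody($contentType) ? 'form' : null;
}

// Constructed sample requests, all aimed at the shared /login route.
$samples = [
    ['POST', '/login', 'application/x-www-form-urlencoded'],
    ['POST', '/login', 'application/json; charset=UTF-8'],
    ['POST', '/login', 'multipart/form-data; boundary=x'],
    ['POST', '/login', null],
    ['GET', '/login', 'application/json'],
];
foreach ($samples as [$m, $p, $ct]) {
    printf("%-4s %-7s %-40s => %s\n", $m, $p, $ct ?? '(none)', claimingAuthenticator($m, $p, $ct) ?? 'none');
}
```

Each request is claimed by at most one authenticator, and a POST with no recognised body type is claimed by neither.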