Okay, this is my fault.

Looks like the current build has a bug that I fixed after the release.
I have a security filter applied on the wrong URL in the current release. I did not catch that early because the plugin pages inherit the parent UI's authentication. So, they work regardless.
Here is what you can try until the next build (2-step login). This will only work if your RPC client can maintain session cookies (HTTP headers).
The intent is for this to work regardless of whether the client can maintain session cookies, but the bug is breaking that. So, this is just a temporary workaround till the next build.
1. Log in using the secured URL (note: srpc and 3 parameters - also result payload is Boolean instead of String):

    // Step 1: secured endpoint (/json/srpc), login with 3 parameters
    String host = "http://localhost:8080/json/srpc";
    ServiceProxy proxy = new ServiceProxy(host, "service");
    Object result = proxy.call("login", "admin", "admin", true);
    ObjectMapper mapper = new ObjectMapper();
    // Result payload is a Boolean here, not a String
    ActionStatus<Boolean> status = mapper.convertValue(result, ActionStatus.class);

2. Call the normal RPC login (note: rpc and 2 parameters - result payload is String as documented in the API):

    // Step 2: normal endpoint (/json/rpc), login with 2 parameters;
    // the session cookie from step 1 has to be sent with this call
    String host = "http://localhost:8080/json/rpc";
    ServiceProxy proxy = new ServiceProxy(host, "service");
    Object result = proxy.call("login", "admin", "admin");
    ObjectMapper mapper = new ObjectMapper();
    // Result payload is a String, as documented in the API
    ActionStatus<String> status = mapper.convertValue(result, ActionStatus.class);

This will be fixed in the next build.