Задача реализована написанием своего обработчика в классе-контроллере:

    @Resource (name= "authenticationManager")
    private AuthenticationManager authenticationManager;

    @RequestMapping(value="/security_check_json")
    public @ResponseBody IResult<Object> loginJson(
            @RequestParam(required=true, value="j_username") String email, 
            @RequestParam(required=true, value="j_password") String password,
            @RequestParam(required=false) String rememberMe,
            HttpServletRequest request) {
        
        IUser user = userService.getUserByEmail(email);
        if(null != user) {
            UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(email, password, user.getAuthorities());
            token.setDetails(new WebAuthenticationDetails(request));
            Authentication authenticatedUser;
            try {
                authenticatedUser = authenticationManager.authenticate(token);
            } catch (AuthenticationException e) {
                return new Result<Object>(ResultCode.LOGIN_CREDENTIALS_IS_INCORRECT);
            }
            SecurityContextHolder.getContext().setAuthentication(authenticatedUser);
            if("on".equalsIgnoreCase(rememberMe)) {
                //TODO: remember
            }
        } else {
            return new Result<Object>(ResultCode.LOGIN_CREDENTIALS_IS_INCORRECT);
        }
        return new Result<Object>(ResultCode.SUCCESS);
    }

С реализацией rememberMe разбираюсь, по статье здесь.