Ok, I problem was in the following line I didn't send the csrf tokens like in the normal form submissions.
$('<form target="_blank" action="report" method="post"></form>').append(params).appendTo('body').submit().remove();
So what I did is I created the hidden field and insert it like bellow.
<script type="text/javascript">
$(document).ready(function () {
$('#download').click(function(){
var params = $('#params_').clone();
var csrftoken = $("#csrftoken_").clone();
$('<form target="_blank" action="report" method="post"></form>')
.append(params)
.append(csrftoken)
.appendTo('body')
.submit()
.remove();
});
});
</script>
<input type='hidden' id='params_' name='params' value='${params}' />
<input type="hidden" id="csrftoken_" name="${_csrf.parameterName}" value="${_csrf.token}" />
This works....