I have a simple Java application where I would like all my pages to have access to the style sheet folder and files even if the user has not been authenticated. I have the following code in my WebSecurityConfig.java file:
```java
package com.security;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Add WebSecurityConfig class to configure security
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    private static final String USER = "USER";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/", "/security").permitAll()
                .antMatchers("/css/**.css").permitAll()
                .antMatchers("/hands_on").hasAnyRole(USER)
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .permitAll()
                .and()
            .logout()
                .permitAll();
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .inMemoryAuthentication()
                .withUser("user").password("password").roles("USER");
    }
}
```
I have this code in my hands_on.html file:
```html
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:th="http://www.thymeleaf.org"
      xmlns:sec="http://www.thymeleaf.org/thymeleaf-extras-springsecurity3">
<head>
    <title>hands on Demo</title>
    <link th:href="@{/css/style.css}" rel="stylesheet" type="text/css" />
</head>
<body>
    <h1>hands on Demo</h1>
</body>
</html>
```
And I have this code in my login.html file:
```html
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:th="http://www.thymeleaf.org"
      xmlns:sec="http://www.thymeleaf.org/thymeleaf-extras-springsecurity3">
<head>
    <title>Spring Security Demo</title>
    <link th:href="@{/css/style.css}" rel="stylesheet" type="text/css" />
</head>
<body>
    <div th:if="${param.error}">
        Invalid username and password.
    </div>
    <div th:if="${param.logout}">
        You have been logged out.
    </div>
    <form th:action="@{/login}" method="post">
        <div><label> Enter your User Name : <input type="text" name="username"/> </label></div>
        <div><label> Enter your Password: <input type="password" name="password"/> </label></div>
        <div><input type="submit" value="Sign In"/></div>
    </form>
</body>
</html>
```
If I start my Java application, launch a browser and go to localhost:8080/hands_on, I would expect the login page to get displayed and be presented with my style sheet. What happens is that the login page gets displayed but without the styles being applied. When I look at my JavaScript console, I see this:
Refused to apply style from 'http://localhost:8080/css/style.css' because its MIME type ('application/json') is not a supported stylesheet MIME type, and strict MIME checking is enabled.
My style.css file is in the folder security[boot]/src/main/resources/static/css.
I thought I would have access to the style.css file based on the .antMatchers("/css/**.css").permitAll() in my WebSecurityConfig.java file but I guess I am missing something. Ideas?
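A MockMvc check for the configuration in the question, added here as an example and not part of the original post: it requests the stylesheet anonymously and separates a security redirect from a resource that is not being served. The test class name is hypothetical, and the example assumes `spring-boot-starter-test` and `spring-security-test` with JUnit 5 on the test classpath and a `@SpringBootApplication` class in `com.security` or a parent package.

```java
package com.security;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.web.servlet.MockMvc;

import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrlPattern;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

// Hypothetical test class (not from the original post); loads the full
// application context, including WebSecurityConfig and the security filters.
@SpringBootTest
@AutoConfigureMockMvc
class StaticResourceAccessTest {

    @Autowired
    private MockMvc mockMvc;

    // Anonymous request for the stylesheet: expect 200 and a CSS content type.
    // A 3xx redirect to /login means an authorization rule stopped the request;
    // a 404 means it passed the security filters but nothing served the file.
    @Test
    void stylesheetIsServedWithoutLogin() throws Exception {
        mockMvc.perform(get("/css/style.css"))
               .andExpect(status().isOk())
               .andExpect(content().contentTypeCompatibleWith("text/css"));
    }

    // Guard against over-permitting: the protected page must still
    // send an anonymous user to the login page.
    @Test
    void protectedPageStillRedirectsToLogin() throws Exception {
        mockMvc.perform(get("/hands_on"))
               .andExpect(status().is3xxRedirection())
               .andExpect(redirectedUrlPattern("**/login"));
    }
}
```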