I found problem in new version of spring boot 2.0.5 with security maters other than mvcMatchers (antMatchers and requestMatchers -> EndpointRequest) when server.servlet.path is set to some path
additionally I found that without using server.servlet.path content negotiation for /
does not work and controller always wins over static files
example behaves little bit different when mvcMatchers will be replaced with equivalent antMatchers inSecurityConfig
changing version of spring security doesn't help
in spring boot release notes I found this commit https://github.com/spring-projects/spring-boot/commit/b93c2b9a9fba057470b03944cdd59e37f1ebbc59
in file DemoApplication.http
and DemoApplication-no-context-path.http
i crated and commented example requests that shows this problem