Well, if your login page pulls in a CSS URL named something like "/css/prettyPage.css" and it's not in the web ignoring requestmatchers, then you'll be sent to login in order for your login page to be able to display, which will try to pull in "/css/prettyPage.css" which will need a login, which will try to pull in "/css/prettyPage.css", ...
I believe you're using the built in login pages, so that sort of thing shouldn't happen, but user-designed login pages can easily fall into that trap.
Here my security config, although I don't know how much help it will be. The login pages are custom JavaServer Faces pages.
And to avoid the circularity problem I just mentioned, my CSS and JSF URLs are unrestricted: