@crossorigin Spring erlauben alles
http.cors().configurationSource(request -> new CorsConfiguration().applyPermitDefaultValues());
Try this one if you have at least Java 8:
Shy Snail