In order for the global CORS config to work, the client must add these two headers in the OPTIONS request.
Origin: http://host.com
Access-Control-Request-Method: POST
However the @CrossOrigin annotation requires just the “Origin” header.
Your client probably adds the “Origin” header but is missing the “Access-Control-Request-Method”…..thats why it works for you with the @CrossOrigin, but doesn’t with the global config.