Spring security login with CORS enabled fails with Invalid CORS request

Question

I have a spring boot application (version 1.5.3.RELEASE), and a react based front end, that served from a different host.

I used @CrossOrigin on all endpoint, and worked well, i could GET,POST,PUT, ...etc from my frontend app.

Then i included spring security, allowed CORS in the security setup. Now only GET mapping works, every other fails with Invalid CORS request.

After some search i found a post that says i should remove @CrossOrigin annotation from my controllers, so i did, but nothing changed.

This is my current security set up:

http.authorizeRequests()
    .and()
    .formLogin()
    .loginPage("/login")
    .usernameParameter("login")
    .passwordParameter("password")
    .successHandler(successHandler())
    .permitAll();

http.authorizeRequests()
    .and()
    .logout()
    .logoutUrl("/logout")
    .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
    .deleteCookies("JSESSIONID")
    .deleteCookies("gotye-somebody_that_i_used_to_know")
    .permitAll();

http.authorizeRequests()
    .and()
    .rememberMe()
    .rememberMeCookieName("gotye-somebody_that_i_used_to_know")
    .rememberMeParameter("gotye-somebody_that_i_used_to_know")
    .tokenValiditySeconds(1209600)
    .key("lol_nope");

http.authorizeRequests().and().csrf().disable().cors();

With the following CORS configuration:

@Bean
CorsConfigurationSource corsConfigurationSource() {
    CorsConfiguration configuration = new CorsConfiguration();
    configuration.setAllowedOrigins(Collections.singletonList("http://localhost:3000"));
    configuration.setAllowedMethods(Arrays.asList("GET", "POST", "PATCH", "DELETE", "PUT", "OPTION" "OPTIONS"));
    UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
    source.registerCorsConfiguration("/**", configuration);
    return source;
}