diff --git a/kypo2-security-user-and-group/src/main/java/cz/muni/ics/kypo/userandgroup/security/config/ResourceServerSecurityConfig.java b/kypo2-security-user-and-group/src/main/java/cz/muni/ics/kypo/userandgroup/security/config/ResourceServerSecurityConfig.java
index 8faea0021a6a2350d7088db0318ec761a391e472..b08d1fbfd395a56e89c80b3a0c617fd4fc1755ef 100644
--- a/kypo2-security-user-and-group/src/main/java/cz/muni/ics/kypo/userandgroup/security/config/ResourceServerSecurityConfig.java
+++ b/kypo2-security-user-and-group/src/main/java/cz/muni/ics/kypo/userandgroup/security/config/ResourceServerSecurityConfig.java
@@ -11,10 +11,9 @@ import org.mitre.openid.connect.client.service.impl.DynamicServerConfigurationSe
 import org.mitre.openid.connect.client.service.impl.StaticClientConfigurationService;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
-import org.springframework.context.annotation.Bean;
-import org.springframework.context.annotation.ComponentScan;
-import org.springframework.context.annotation.Configuration;
-import org.springframework.context.annotation.Import;
+import org.springframework.boot.web.servlet.FilterRegistrationBean;
+import org.springframework.context.annotation.*;
+import org.springframework.core.Ordered;
 import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.http.SessionCreationPolicy;
@@ -26,6 +25,7 @@ import org.springframework.security.web.session.HttpSessionEventPublisher;
 import org.springframework.web.cors.CorsConfiguration;
 import org.springframework.web.cors.CorsConfigurationSource;
 import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
+import org.springframework.web.filter.CorsFilter;
 
 import java.util.*;
 import java.util.stream.Collectors;
@@ -58,14 +58,17 @@ public class ResourceServerSecurityConfig extends ResourceServerConfigurerAdapte
     private CustomAuthorityGranter customAuthorityGranter;
 
     @Bean
+    @Primary
     public CorsConfigurationSource corsConfigurationSource() {
         CorsConfiguration configuration = new CorsConfiguration();
-        configuration.setAllowedOrigins(Arrays.asList(corsAllowedOrigins));
-        configuration.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"));
-        configuration.setAllowedHeaders(Arrays.asList("authorization", "content-type", "x-auth-token"));
-        configuration.setExposedHeaders(Arrays.asList("x-auth-token"));
+        configuration.setAllowedOrigins(List.of(corsAllowedOrigins));
+        configuration.setAllowedMethods(List.of("GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"));
+        configuration.setAllowedHeaders(List.of("authorization", "content-type", "x-auth-token"));
+        configuration.setExposedHeaders(List.of("x-auth-token"));
         UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
         source.registerCorsConfiguration("/**", configuration);
+        FilterRegistrationBean corsFilter = new FilterRegistrationBean(new CorsFilter(source));
+        corsFilter.setOrder(Ordered.HIGHEST_PRECEDENCE);
         return source;
     }