public String checkOrigin(@Nullable String requestOrigin) {
	if (!StringUtils.hasText(requestOrigin)) {
		return null;
	}
	if (ObjectUtils.isEmpty(this.allowedOrigins)) {
		return null;
	}
	if (this.allowedOrigins.contains(ALL)) {
		if (this.allowCredentials != Boolean.TRUE) {
			return ALL;
		}
		else {
			return requestOrigin;
		}
	}
	for (String allowedOrigin : this.allowedOrigins) {
		if (requestOrigin.equalsIgnoreCase(allowedOrigin)) {
			return requestOrigin;
		}
	}
	return null;
}

protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
		FilterChain filterChain) throws ServletException, IOException {
	CorsConfiguration corsConfiguration = this.configSource.getCorsConfiguration(request);
	boolean isValid = this.processor.processRequest(corsConfiguration, request, response);
	if (!isValid || CorsUtils.isPreFlightRequest(request)) {
		return;
	}
	filterChain.doFilter(request, response);
}

public static boolean isPreFlightRequest(HttpServletRequest request) {
	return (HttpMethod.OPTIONS.matches(request.getMethod()) &&
			request.getHeader(HttpHeaders.ORIGIN) != null &&
			request.getHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD) != null);
}

final class FilterComparator implements Comparator<Filter>, Serializable {
	private static final int INITIAL_ORDER = 100;
	private static final int ORDER_STEP = 100;
	private final Map<String, Integer> filterToOrder = new HashMap<>();

	FilterComparator() {
		Step order = new Step(INITIAL_ORDER, ORDER_STEP);
		put(ChannelProcessingFilter.class, order.next());
		put(ConcurrentSessionFilter.class, order.next());
		put(WebAsyncManagerIntegrationFilter.class, order.next());
		put(SecurityContextPersistenceFilter.class, order.next());
		put(HeaderWriterFilter.class, order.next());
        // CORS filter here
		put(CorsFilter.class, order.next());
		put(CsrfFilter.class, order.next());
		put(LogoutFilter.class, order.next());
        // more codes