Thanks to this similar fetch issue: https://github.com/github/fetch/issues/386

I managed finally. So, to summarize:

1) No need for the Spring Security Config changes, except of Adding this annotation to controllers (you can add it just once to a base controller and all can inherit from it)

@CrossOrigin(origins = " * ", allowedHeaders = " * ")

2) From client side, when using fetch I had to use from both requests (Login and the second one):

credentials: 'include', //'same-origin'

(be attention that when using cors don't use the 'same-origin' value of credentials)

No need to set any cookies manually, the browser should handle it (If you need to write a Java client then it's needed... you can search for CookiesManagement java class and you'll find such implementation)