Hi,
i found possible problem with HTTP Bearer JWT.

If you need create dynamically CORS by own policy JAXRS filter, then it will be problem with expired/invalid (any other problem) JWT token. You will see CORS exception on expired/invalid JWT because wildfly-elytron refuse request before own policy JAXRS filters (as e.g. @PreMatching ContainerRequestFilter, ContainerResponseFilter).