diff --git a/spring-web/src/main/java/org/springframework/web/cors/CorsConfiguration.java b/spring-web/src/main/java/org/springframework/web/cors/CorsConfiguration.java
index 2da82ef8b10..4cc231e50cd 100644
--- a/spring-web/src/main/java/org/springframework/web/cors/CorsConfiguration.java
+++ b/spring-web/src/main/java/org/springframework/web/cors/CorsConfiguration.java
@@ -17,7 +17,6 @@
 package org.springframework.web.cors;
 
 import java.util.ArrayList;
-import java.util.Arrays;
 import java.util.Collections;
 import java.util.List;
 
@@ -103,7 +102,7 @@ public class CorsConfiguration {
 	}
 
 	private List<String> combine(List<String> source, List<String> other) {
-		if (other == null) {
+		if (other == null || other.contains(ALL)) {
 			return source;
 		}
 		if (source == null || source.contains(ALL)) {
diff --git a/spring-web/src/test/java/org/springframework/web/cors/CorsConfigurationTests.java b/spring-web/src/test/java/org/springframework/web/cors/CorsConfigurationTests.java
index 0d76e27b7fa..8d3651c5006 100644
--- a/spring-web/src/test/java/org/springframework/web/cors/CorsConfigurationTests.java
+++ b/spring-web/src/test/java/org/springframework/web/cors/CorsConfigurationTests.java
@@ -114,11 +114,16 @@ public class CorsConfigurationTests {
 		other.addAllowedHeader("header1");
 		other.addExposedHeader("header2");
 		other.addAllowedMethod(HttpMethod.PUT.name());
-		config = config.combine(other);
-		assertEquals(Arrays.asList("http://domain.com"), config.getAllowedOrigins());
-		assertEquals(Arrays.asList("header1"), config.getAllowedHeaders());
-		assertEquals(Arrays.asList("header2"), config.getExposedHeaders());
-		assertEquals(Arrays.asList(HttpMethod.PUT.name()), config.getAllowedMethods());
+		CorsConfiguration combinedConfig = config.combine(other);
+		assertEquals(Arrays.asList("http://domain.com"), combinedConfig.getAllowedOrigins());
+		assertEquals(Arrays.asList("header1"), combinedConfig.getAllowedHeaders());
+		assertEquals(Arrays.asList("header2"), combinedConfig.getExposedHeaders());
+		assertEquals(Arrays.asList(HttpMethod.PUT.name()), combinedConfig.getAllowedMethods());
+		combinedConfig = other.combine(config);
+		assertEquals(Arrays.asList("http://domain.com"), combinedConfig.getAllowedOrigins());
+		assertEquals(Arrays.asList("header1"), combinedConfig.getAllowedHeaders());
+		assertEquals(Arrays.asList("header2"), combinedConfig.getExposedHeaders());
+		assertEquals(Arrays.asList(HttpMethod.PUT.name()), combinedConfig.getAllowedMethods());
 	}
 
 	@Test