Problem description
I introduced Spring Security into my Spring Boot project to handle things like login authentication. Because the front end is a separate project, my front end has a login request like this:
function login() {
    $.ajax({
        useDefaultXhrHeader: false,
        type: "post",
        url: "http://127.0.0.1:8080/user/login",
        data: {
            "userName": document.getElementById("userName").value,
            "password": document.getElementById("password").value
        },
        dataType: "json",
        success: function (result) {
            console.log(result);
            if (result["code"] == 0) {
                showVideoByAll();
                setCookie("username", result["username"], 1);
                alert("login success");
                // location.href = "./index.html";
            } else {
                alert("invalid password or userName")
            }
        },
        error: function () {
            alert("error")
        }
    });
}
After logging in, I use ajax to call the back-end interface:
function showVideoByAll() {
    $.ajax({
        useDefaultXhrHeader: false,
        type: "GET",
        url: "http://127.0.0.1:8080/video/selectVideoByAll",
        data: "",
        dataType: "json",
        success: function (result) {
            alert("success")
            console.log(result);
        },
        error: function () {
            alert("error");
        }
    });
}
This is the back-end security configuration:
@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
    httpSecurity
        .formLogin()
            .loginProcessingUrl("/user/login")
            .usernameParameter("userName")
            .passwordParameter("password")
            .successHandler(myAuthenticationSuccessHandler)
            .failureHandler(myAuthenticationFailureHandler)
            .and()
        .authorizeRequests()
            .antMatchers("/user/register", "/user/login",
                "/swagger-ui.html",
                "/swagger-resources/**",
                "/webjars/**",
                "/v2/api-docs",
                "Swagger2Config").permitAll()
            .anyRequest().authenticated()
            .and()
        .logout()
            .logoutUrl("/user/logout")
            .logoutSuccessHandler(myLogoutSuccessHandler)
            .permitAll()
            .and()
        .cors().and()
        .csrf().disable();
}
You can see that I have configured
    .csrf().disable();
This is part of the back-end controller code:
@RestController
@CrossOrigin
@RequestMapping("/video")
public class VideoController {
    @Autowired
    private VideoDAO videoDAO;

    /**
     * @return
     */
    @RequestMapping(value = {"/selectVideoByAll"}, method = RequestMethod.GET)
    public ResultModel selectVideoByAll() {
        try {
            List<Video> videoList = videoDAO.selectVideoByAll();
            Map<String, Object> map = new HashMap<String, Object>();
            map.put("content", videoList);
            return ResultUtil.result(0, "", map);
        } catch (Exception e) {
            return ResultUtil.result(404, e.getMessage(), null);
        }
    }
    ...
I successfully logged in at the front end,
,showVideoByAll()
showVideoByAllcookielogin,.
,,,api.,.
So, can someone help me? Thank you, I sincerely ask for advice!