CookieCsrfTokenRepository uses Cookie#setAttribute() which breaks compatibility with Servlet API 5

[acutus]

Describe the bug

It seems this fix (#14131) might have broken backwards compatibility with jakarta servlet 5, as it uses the new Cookie#setAttribute()-method.

When using a CookieCustomizer to set SameSite-attribute, upgrading to spring-security-web:6.1.9 causes the error below. Downgrading back to spring-security-web:6.1.5 fixes the issue.

2024-11-26 16:24:18 java.lang.NoSuchMethodError: 'void jakarta.servlet.http.Cookie.setAttribute(java.lang.String, java.lang.String)'
2024-11-26 16:24:18     at org.springframework.security.web.csrf.CookieCsrfTokenRepository.mapToCookie(CookieCsrfTokenRepository.java:200)

To Reproduce
Upgrade to spring security version 6.1.9

Expected behavior
I would expect CookieCsrfTokenRepository() to work in the same manner between 6.1.5 and 6.1.9

Sample
Example of how the tokenRepo is initialized below:

val tokenRepo = CookieCsrfTokenRepository()
tokenRepo.setCookieCustomizer { cookie ->
     cookie.sameSite("lax")
}