Describe the bug
It seems this fix (https://github.com/spring-projects/spring-security/issues/14131) might have broken backwards compatibility with jakarta servlet 5, as it uses the new Cookie#setAttribute()-method.
When using a CookieCustomizer to set SameSite-attribute, upgrading to spring-security-web:6.1.9 causes the error below. Downgrading back to spring-security-web:6.1.5 fixes the issue.
2024-11-26 16:24:18 java.lang.NoSuchMethodError: 'void jakarta.servlet.http.Cookie.setAttribute(java.lang.String, java.lang.String)'
2024-11-26 16:24:18 at org.springframework.security.web.csrf.CookieCsrfTokenRepository.mapToCookie(CookieCsrfTokenRepository.java:200)
To Reproduce
Upgrade to spring security version 6.1.9
Expected behavior
I would expect CookieCsrfTokenRepository() to work in the same manner between 6.1.5 and 6.1.9
Sample
Example of how the tokenRepo is initialized below:
val tokenRepo = CookieCsrfTokenRepository()
tokenRepo.setCookieCustomizer { cookie ->
    cookie.sameSite("lax")
}
Comment From: jzheaux
Thanks @acutus for reaching out. I've pushed a fix to 6.2.x, 6.3.x, and main (6.4.x). Can you check the next available SNAPSHOT build and see if it addresses your issue?