A method with a @RequestMapping annotation part of a class annotated with @Controller (directly or indirectly through a
meta annotation - @RestController from Spring Boot is a good example) will be called to handle matching web requests. That will happen
even if the method is private, because Spring invokes such methods via reflection, without checking visibility.
So marking a sensitive method private may seem like a good way to control how such code is called. Unfortunately, not all Spring
frameworks ignore visibility in this way. For instance, if you’ve tried to control web access to your sensitive, private,
@RequestMapping method by marking it @Secured … it will still be called, whether or not the user is authorized to access
it. That’s because AOP proxies are not applied to private methods.
In addition to @RequestMapping, this rule also considers the annotations introduced in Spring Framework 4.3: @GetMapping,
@PostMapping, @PutMapping, @DeleteMapping, @PatchMapping.
Noncompliant code example
@RequestMapping("/greet", method = GET)
private String greet(String greetee) { // Noncompliant
Compliant solution
@RequestMapping("/greet", method = GET)
public String greet(String greetee) {
