A @Controller method with a @RequestMapping annotation will be called to handle matching web requests. That will happen even if the method is private, because Spring MVC invokes handler methods via reflection, after making them accessible, without checking visibility.

So marking a sensitive method private may seem like a good way to control how such code is called. Unfortunately, not every part of Spring ignores visibility in this way. For instance, if you've tried to control web access to your sensitive, private @RequestMapping method by marking it @Secured (or @PreAuthorize), it will still be called, whether or not the user is authorized to access it. That's because Spring Security's method security is applied through AOP proxies, and those proxies only intercept public methods: a JDK dynamic proxy only sees the methods of an interface, and a CGLIB proxy cannot override a private method, so the security interceptor never runs and the annotation is silently ignored. Make the handler public so the annotation is honoured, and, as defence in depth, restrict the URL in the HTTP security configuration as well rather than relying on method security alone.
Noncompliant Code Example

@RequestMapping(value = "/greet", method = RequestMethod.GET)
private String greet(String greetee) { return "Hello, " + greetee; } // Noncompliant: private, so no proxy can intercept it

Compliant Solution

@RequestMapping(value = "/greet", method = RequestMethod.GET)
public String greet(String greetee) { return "Hello, " + greetee; }
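The following is an added example, not code from the rule page, showing the compliant shape in context: a sensitive handler that is public so its @Secured annotation is actually enforced by the proxy, plus a URL rule in the filter chain as a second layer. It assumes Spring Boot 3 / Spring Security 6 APIs (@EnableMethodSecurity, authorizeHttpRequests, requestMatchers); the class names, paths and the ROLE_ADMIN role are illustrative.

```java
// Added example (not from the original rule page). Assumes Spring Security 6;
// class names, paths and the ROLE_ADMIN role are illustrative.
package example;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class GreetingController {

    // Public handler: the CGLIB proxy Spring creates for this bean can override
    // the method, so the @Secured interceptor runs before the body executes.
    @Secured("ROLE_ADMIN")
    @GetMapping("/admin/greet")
    public String greetAsAdmin(@RequestParam String greetee) {
        return "Hello, " + greetee + " (admin greeting)";
    }

    // Had this method been declared 'private', Spring MVC would still dispatch
    // GET /admin/greet to it via reflection, but no proxy could intercept the
    // call, so @Secured would be silently ignored. That is the noncompliant case.
}

@Configuration
@EnableMethodSecurity(securedEnabled = true) // honour @Secured as well as @PreAuthorize
class SecurityConfig {

    // Defence in depth: also restrict the URL in the filter chain, so the endpoint
    // stays protected even if method security is later bypassed (for example by
    // a non-public handler or a self-invocation inside the bean).
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```

With both layers in place, an unauthenticated GET /admin/greet is rejected by the filter chain before the controller is reached, and an authenticated non-admin is rejected by the filter chain rule and, failing that, by the @Secured interceptor on the public handler. Removing the public modifier from greetAsAdmin leaves the URL rule intact but silently disables the annotation, which is exactly the situation the rule above reports.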