A @RequestMapping method handles all matching requests by default. That means that a method you intended only to be POST-ed to could also be called by a GET, thereby allowing hackers to call the method inappropriately. For example a "transferFunds" method might be invoked like so: <img src="http://bank.com/actions/transferFunds?reciepientRouting=000000&receipientAccount=11111111&amount=200.00" width="1" height="1"/>

For that reason, you should always explicitly list the single HTTP method with which you expect your @RequestMapping Java method to be called. This rule raises an issue when method is missing.

Noncompliant Code Example

@RequestMapping("/greet")  // Noncompliant
public String greet(String greetee) {

Compliant Solution

  @RequestMapping("/greet", method = GET)
  public String greet(String greetee) {

See