A @RequestMapping method handles all matching requests by default. That means that a method you intended only to be
POST-ed to could also be called by a GET, thereby allowing hackers to call the method inappropriately. For example a
"transferFunds" method might be invoked like so: <img
src="http://bank.com/actions/transferFunds?reciepientRouting=000000&receipientAccount=11111111&amount=200.00" width="1"
height="1"/>
For that reason, you should always explicitly list the single HTTP method with which you expect your @RequestMapping Java method to be
called. This rule raises an issue when method is missing and when the method parameter is configured with more than one
verb. Mixing GET and POST verbs can lead to information leakage. It's easier to setup Spring Security’s CSRF protection when there is only one verb
per @RequestMapping.
@RequestMapping("/greet") // Noncompliant
public String greet(String greetee) {
@RequestMapping("/greet", method = GET)
public String greet(String greetee) {