Is the Sonar rule for Spring '"@RequestMapping" methods should be "public"' accurate?

There's a sonar rule for Spring that states: "@RequestMapping" methods should be "public"

And gives these examples:

@RequestMapping("/greet", method = GET)
private String greet(String greetee) {  // Noncompliant

@RequestMapping("/greet", method = GET)
public String greet(String greetee) {  // Compliant

These are the reasons given:

> marking a sensitive method private may seem like a good way to control how such code is called. Unfortunately, not all Spring frameworks ignore visibility in this way. For instance, if you've tried to control web access to your sensitive, private, @RequestMapping method by marking it @Secured ... it will still be called, whether or not the user is authorized to access it. That's because AOP proxies are not applied to non-public methods."

This seems reasonable for private methods, but does it really hold true for default (package-protected) visibility?

i.e.

@RequestMapping("/greet", method = GET)
String greet(String greetee) { 

Source: https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-3751

edit: just to clarify, I'm not asking if a @RequestMapping method has to be public, it doesn't. See spring-restbucks for an example

I'm asking if declaring the method as package-private rather than public is really a vulnerability, as suggested by Sonar.

edit 2: I created a project here to try to demonstrate it: https://github.com/barrycommins/boot2-security

The tests show that the @PreAuthorize rules are applied to the controller method, even though it is package private.
Whether that should be the case, and whether it's reliable, I'm not sure.

From what I can see, it seems like the comments and the existing answer are trying to address the details, when that isn't really your question.

I'm going to make some assumptions, because I haven't investigated the details of this issue. I'm just going to read into this what I see here.

In my opinion, the key thing the error message is trying to convey is that you shouldn't label something non-public if it actually isn't. I think this is debatable, but that is what the error message is saying, again, in my opinion.

The entire point of adding a @RequestMapping annotation is to prepare that method for being called from outside the service. In fact, it implies that the method is ONLY called from outside the service. If you declare that method as package private, that presents a confusing intent.

On the other hand, I can now see an argument to mark methods with @RequestMapping as "private". If the method will truly only ever be called from outside the service, and not from any application code (excluding framework code), how else could you express that except with "private"?