...
Classes that are not sensitive, but that maintain other invariants must be sensitive to the possibility of malicious subclasses accessing or manipulating their data, and possibly invalidating their invariants. See OBJ10OBJ08-J. Provide mutable classes with copy functionality to allow passing instances to untrusted code safely for more information.
...
This class fails to prevent malicious subclasses, but does protect the data in SensitiveClass. Its methods are protected by being declared final. For more information on how to handle malicious subclasses, see OBJ10OBJ08-J. Provide mutable classes with copy functionality to allow passing instances to untrusted code safely.
...