...

These defensive copies would be unnecessary if untrusted code always invoked an object's clone() method on mutable state received from mutable classes and then operated only on the cloned copy. Unfortunately, untrusted code has little incentive to do so, and malicious code has every incentive to misbehave. This compliant solution both provides a clone() method to trusted code and also guarantees that the state of the object cannot be compromised when the accessor methods are called directly from untrusted code.

Compliant Solution (clone() with final members)

When a mutable class's instance fields are declared final and lack accessible copy methods, provide a clone() method as shown in this compliant solution.
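The following sketch is an added example, not the code from the original page. It assumes a hypothetical class Appointment with one final java.util.Date field named when, and shows why the clone is built through the constructor: a final field cannot be reassigned after super.clone() has produced a shallow copy.

```java
import java.util.Date;

// Hypothetical class for illustration; names are not from the original page.
public final class Appointment implements Cloneable {
    private final Date when; // final reference, but Date itself is mutable

    public Appointment(Date when) {
        // Copy in: the caller keeps its own reference and may mutate it later.
        // getTime() is used instead of when.clone() so that an untrusted
        // Date subclass cannot control how the copy is made.
        this.when = new Date(when.getTime());
    }

    public Date getWhen() {
        // Copy out: never hand out the internal reference.
        return new Date(when.getTime());
    }

    @Override
    public Appointment clone() {
        // super.clone() would share 'when' with the original, and a final
        // field cannot be reassigned afterwards, so the copy is created
        // through the constructor, which performs the deep copy.
        return new Appointment(when);
    }

    public static void main(String[] args) {
        Date input = new Date(0L);                 // constructed sample value
        Appointment original = new Appointment(input);
        Appointment copy = original.clone();

        input.setTime(1_000L);                     // mutate the constructor argument
        original.getWhen().setTime(2_000L);        // mutate the accessor's result
        copy.getWhen().setTime(3_000L);            // mutate through the clone

        // All three mutations hit copies; the internal state is unchanged.
        if (original.getWhen().getTime() != 0L || copy.getWhen().getTime() != 0L) {
            throw new AssertionError("internal state was modified");
        }
        System.out.println("state intact: " + original.getWhen().getTime());
    }
}
```

Declaring the class final keeps a subclass from overriding clone() or getWhen() to return the internal reference.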

...