Page History

It is difficult to control how data members declared public or protected are accessed. Attackers can manipulate such members in unexpected ways. As a result data members must be declared private. Use wrapper accessor methods to expose class members that are to be accessed outside of the package in which their class is declared. Using wrapper methods enables appropriate monitoring and control of the modification of data members (for example, by defensive copying, validating input, and logging). The wrapper methods can preserve class invariants.

...

public class Widget {
  public int total; // Number of elements

  void add() {
    if (total < Integer.MAX_VALUE) {      
      total++;
      // ...
    } else {
      throw new ArithmeticException("Overflow");
    }
  }

  void remove() {  
    if (total > 0) {      
      total--;
      // ...
    } else {
      throw new ArithmeticException("Overflow");
    }
  }
}

As a {{public}} data member, {{total}} can be altered by external code independently of the {{add()}} and {{remove()}} methods. It is bad practice to expose fields from a {{public}} class \[[Bloch 2008|AA. Bibliography#Bloch 08]\].

Compliant Solution (Private)

This compliant solution declares total as private and provides a public accessor so that the required member can be accessed beyond the current package. The add() and remove() methods modify its value without violating any class invariants.

Note that care must be taken when providing references to private mutable objects from acessor accessor methods; see rule OBJ05-J. Defensively copy private mutable class members before returning their references for details.

...

This noncompliant code example shows a static mutable hash map with public accessibility.

public static final HashMap<Integer, String> hm = new HashMap<Integer, String>();

...

Mutable data members that are static must be declared private.

private static final HashMap<Integer, String> hm = new HashMap<Integer, String>();

public static String getElement(int key) { 
  return hm.get(key);
}

...

One example of appropriate public instance variables is the case where the class is essentially a data structure, with no behavior. In other words, if you would have used a struct instead of a class (if Java supported struct), then it's appropriate to make the class's instance variables public.

...

Failing to declare data members private can break defeat encapsulation.

...

Detection of public and protected data members is trivial; heuristic detection of the presence or absence of getter and setter wrapper accessor methods is straightforward. However, simply reporting all detected cases without suppressing those cases covered by the exceptions to this rule would produce excessive false positives. Sound detection and application of the exceptions to this rule is infeasible; however, heuristic techniques may be useful.

...

...