...
Classes that have security checks in their constructors must beware of finalization attacks, as explained in guideline rule "OBJ05-J. Do not allow access to partially initialized objects."
Classes that are not sensitive but maintain other invariants must be sensitive to the possibility of malicious subclasses accessing or manipulating their data and possibly invalidating their invariants. See guideline rule "OBJ08-J. Provide mutable classes with copy functionality to allow passing instances to untrusted code safely" for more information.
...
This class fails to prevent malicious subclasses but does protect the data in SensitiveClass. Its methods are protected by being declared final. For more information on how to handle malicious subclasses, see guideline rule "OBJ08-J. Provide mutable classes with copy functionality to allow passing instances to untrusted code safely."
...