...
In general, sensitive classes can can be transformed into safe-view objects by implementing all the methods defined by the core interface, including the mutator methods. In this case, the difference is that the mutators need to throw an UnsupportedOperationException so that clients cannot carry out operations that affect the immutability property of the object.
In this solution, an UnmodifiableSensitiveMutable is constructed by extending SensitiveMutable. An interface UnmodifiableInterface consists of the method unmodifiableView() which accepts a SensitiveMutable object as the sole parameter. It returns an equivalent object that is a subtype of the same class, and which is unmodifiable. An exception is thrown if the caller attempts to use the mutator method on the returned object. This object can be passed to untrusted code as required.
...