Invariants cannot cannot be enforced for public nonfinal fields , or final or for final fields that reference a mutable object. A protected member of an exported class represents a public commitment to an implementation detail. Attackers can manipulate such fields to violate class invariants or , or they may be corrupted by multiple threads accessing them concurrently [Bloch 2008]. As a result, fields must be declared private or package-private.
...
In this noncompliant code example, the total field tracks the total number of elements as they are added to and removed from a container using the methods add() and remove() respectively.
...
Accessor methods provide controlled access to fields outside of the package in which their class is declared. This compliant solution declares total as private and provides a public accessor. The The add() and remove() methods modify its value while preserving class invariants.
...
Programmers often incorrectly assume that declaring a field or variable final makes the referenced object immutable. Declaring variables that have a primitive type final does prevent changes to their values after initialization (by normal Java processing). However, when the field has a reference type, declaring the field final only makes the reference itself immutable. The final clause has no effect on the referenced object. According to the The Java Language Specification, §4.12.4, "final Variables" [JLS 2013],
...
Depending on the required functionality, accessor methods may return a copy of the HashMap or a value contained by the HashMap. This compliant solution adds an accessor method that returns the value of an element given its key in the HashMap. Make sure that you do not return references to private mutable objects from accessor methods (see OBJ05-J. Do not return references to private mutable class members for details).
...
This compliant solution declares a public array and provides public methods to get individual items and array size. :
| Code Block | ||
|---|---|---|
| ||
private static final String[] items = {/* ... */};
public static final String getItem(int index) {
return items[index];
}
public static final int getItemCount() {
return items.length;
}
|
Providing direct access to the array objects themselves is safe because String is immutable.
Compliant Solution (Clone the Array)
This compliant solution defines a private array and a public method that returns a copy of the array:
...
Because a copy of the array is returned, the original array values cannot be modified by a client. Note that a manual deep copy could be required when dealing with arrays of objects. This generally happens when the objects do not export a clone() method . Refer to (see OBJ06-J. Defensively copy mutable inputs and mutable internal components for more information).
As before, this method provides direct access to the array objects themselves, but this is safe because String is immutable. If the array contained mutable objects, the getItems() method could return an array of cloned objects instead.
...
This compliant solution constructs a public immutable list from the private array. It is safe to share immutable objects without risk that the recipient can modify them [Mettler 2010].
...
Neither the original array values nor the public list can be modified by a client. For more details about unmodifiable wrappers, refer to OBJ56-J. Provide sensitive mutable classes with unmodifiable wrappers. This solution can also be used when the array contains mutable objects.
...
OBJ01-EX0: Fields with no associated behavior or invariants can be public. According According to Sun's Code Conventions document [Conventions 2009]:
...
OBJ01-EX1: Fields in a package-private class or in a private nested class may be pubic or protected. There is nothing inherently wrong with declaring fields to be public or protected in these cases. Eliminating accessor - methods generally improves the readability of the code , both in the class definition and in the client client [Bloch 2008].
OBJ01-EX2: Static final fields that contain or reference immutable constants may be public or protected.
...