In a web-based application we have a User object in the session for each logged-in user.

The user is as below

class User {
    // With setters and getters
    private String userId;
    private String name;
    private Account account;
}

class Account {
    // With setters and getters
    private String accountNumber;
}

When the user logs in, a session object is created for him and his userId, name and Account will be set for him.

After that, every programmer can access the session and read the user and his information. But it is possible that one programmer changes the Account by mistake.

For example:

 1. TransferVO transferVO = new TransferVO();
 2. transferVO.setAccount(user.getAccount());
 3. transferVO.getAccount().setAccountNumber("foo");
 4. User user = getUserFromSession();
 5. user.getAccount().getAccountNumber(); // Now I have foo

At line 2 a new copy of the user account should be created and set to TransferVO, because the object reference is passed, not its value! So line 3 will change the user session account number. And we will lose the corrupted accountNumber in session.

Is there any guideline to handle it, or must every individual programmer take care of it?

Of course this mistake can happen in any code in the project, but I am looking for a way to make the session object properties, which are very important, immutable.

Alireza Fattahi
  • Use the immutable pattern, do not create setter methods for the object that shouldn't be modified, and extend your API to be able to create instance/copies of the immutable object that may be altered – Nadir Apr 07 '16 at 13:06
  • I don't get it. What prevents you from making all those fields final; so that they are setup exactly once? I really don't get the question. Of course one should make sure that objects that aren't supposed to change ... do not offer means to change their content upon creation. – GhostCat Apr 07 '16 at 13:13
  • @Jägermeister Do you mean make the `User.AccountVO` final ?! I can't because blank final field should be initialized. The `AccountVO` changes for each user – Alireza Fattahi Apr 07 '16 at 13:28
  • @AlirezaFattahi Are we really supposed to understand what is `User.AccounVO`? – Basil Bourque Apr 08 '16 at 01:28
  • Just create a DTO for the purpose. – BalusC Apr 08 '16 at 08:35
  • Dear @BalusC I agreed that it is not a JSP, servlets and session problem. And I tried to explain the situation which happens in my project. I appreciate your answer. – Alireza Fattahi Apr 08 '16 at 15:51

1 Answer

The situation in your Question is not clear.

Make object immutable

To make an immutable object in Java, you have two ways:

  • Encapsulation: mark the members as private, define an interface with no setter methods, and implement that interface on your class. Pass the object as an instance of that read-only interface to your session.
  • Mark the members as final. The members can be assigned a reference to an object (or primitive value) only once. Members marked final cannot be re-assigned.

Remember that in either case above the object assigned to the member may itself be modifiable. Assigning an object to the member of your class is what we are protecting in both cases above, but modifying that assigned object’s own internal members is a separate issue.

Copy the object

Or you can make a copy of an object, then proceed with your modifications on the clone. Perhaps this best suits your situation.

Learn about the marker interface Cloneable and about overriding the protected Object::clone method with a public one. Read:

Basil Bourque
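An added example (not part of the question or the answer) that combines the approaches above: final fields assigned through the constructor, with `Account` itself immutable so the caveat about a modifiable member object does not apply. Class and field names follow the question; `withAccountNumber`, `SessionDemo` and the sample values are assumptions made for illustration.

```java
// Added example: names mirror the question; withAccountNumber() and SessionDemo are hypothetical.
final class Account {
    private final String accountNumber;            // assigned once in the constructor, no setter

    Account(String accountNumber) { this.accountNumber = accountNumber; }

    String getAccountNumber() { return accountNumber; }

    // "Changing" the number yields a new object; the original is untouched.
    Account withAccountNumber(String newNumber) { return new Account(newNumber); }
}

final class User {
    private final String userId;
    private final String name;
    private final Account account;                 // safe to share: Account is immutable

    User(String userId, String name, Account account) {
        this.userId = userId;                      // final fields differ per user because
        this.name = name;                          // each login constructs its own instance
        this.account = account;
    }

    String getUserId() { return userId; }
    String getName() { return name; }
    Account getAccount() { return account; }
}

class TransferVO {
    private Account account;                       // the VO may be re-pointed freely

    Account getAccount() { return account; }
    void setAccount(Account account) { this.account = account; }
}

public class SessionDemo {
    public static void main(String[] args) {
        // Constructed sample data standing in for the object stored in the session at login.
        User sessionUser = new User("u1", "Alice", new Account("12345"));

        TransferVO vo = new TransferVO();
        vo.setAccount(sessionUser.getAccount());   // line 2 of the question: shares the reference
        // Line 3 of the question cannot be written (no setter); the VO receives a new object instead.
        vo.setAccount(vo.getAccount().withAccountNumber("foo"));

        System.out.println("transfer account: " + vo.getAccount().getAccountNumber());
        System.out.println("session account:  " + sessionUser.getAccount().getAccountNumber());
    }
}
```

Because the session's `Account` has no mutator, sharing its reference is harmless and the mistake from the question becomes a compile error instead of silent corruption of session state.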