Hi all,

This is mainly a question for a SOAP-based service, but I guess it could work for a frontend that communicates to an EJB backend also. I know that the SOAP client / frontend can get complex objects to present, such as the example User class below. But when a modification to that object is desired, is it more preferred (for security / OOPness / etc) to have the SOAP client / frontend pass back a modified copy of the object, or should it be a more procedural function? See below

class User
{
Long userId;
String firstName;
String lastName;
... get / set as usual ...
}

// this is typical, to send User objects back to the SOAP client
User[] getUsersByFirstName(String firstName)
{
...
}

EXAMPLE 1 (OOP):

void updateUserName(User user) throws UnauthorizedException
{
// check authorization
UserDAO dao = UserDAO.getInstance();
User entry = dao.getById(user.getUserId());
entry.setFirstName(user.getFirstName());
entry.setLastName(user.getLastName());
dao.persist(entry);
}

I wouldn't directly persist the User object passed in, because then the client could've passed in undesired changes to other fields of the User object.

EXAMPLE 2 (Procedural):

void updateUserName(Long userId, String firstName, String lastName)
{
// check authorization
UserDAO dao = UserDAO.getInstance();
User entry = dao.getById(userId);
entry.setFirstName(firstName);
entry.setLastName(lastName);
dao.persist(entry);
}

Which one is generally more preferred? Thanks!

--Scott