Hi Derick,
OK... what you are describing is creating a proxy class on the server which has the same methods as Data but without the lock/unlock method - in other words you are hiding the need to lock/unlock from clients.
I know from reading other threads that people have passed the exam by following this strategy, although I personaly do not like it. My problems with it are twofold. First off, by hiding the lock/unlock from clients you are enforcing a locking strategy. This may be OK for the scenario we are given but who knows what locking strategy future clients will want/need to enforce? Secondly, I may be wrong but if Sun felt it important enough to include the cookies in the method signature, this says to me that they too important to hide at the first opportunity.
Your alternative is to pass the resposibilty for the locking through to the client, who must of course follow the (documented) need to follow the lock/update/unlock procedure.
These are just my thoughts on it, although I would say that
you should go with whichever method you would be most comfortable justifying/defending.
Cheers,
Jon