RESTful API hiding hibernate id and version

Let's say I have a User entity with an id and a version managed by hibernate, plus a firstname and a lastname.

I want to have CRUD operations on User instances 开发者_JAVA百科with a RESTful API but I don't want the client to get the user's id and version stored in the database.

A simplistic solution I can think of is to send a representation of the user with modified id and version and to map the "public" values with the database values in a HashMap that lives in the server's memory. I also though of cookies, but I don't think it's a secure solution as they can be hacked by the client. AFAIK, a pure RESTful API must not handle session state on the server.

Is there a secure, scalable and RESTful way to publish resources without exposing their real ids and versions ?

Difficult one. You need the id or some representation of it somewhere in the URI to make GET requests.

Why are you worried about your users obtaining the real id?

One thing you could do is encrypt the user's id before it is sent to the front end and decrypt id in the back end using a symmetric encryption algorithm like AES.

See Symmetric-key algorithm

The best solution is to separate your UserEntity and UserData:

@Embeddable
class UserData {
    String firstName;
    String lastName;
    ... // getters and setters
}

// your mapped class
class UserEntity {
    int id;
    int version;
    UserData data;
    // getters and setters
}

If you're set on 'true' REST then you need to provide the client with the entire state of the object that they'll need to perform an action on it at a later time. Have you considered just applying a salt and some symmetric encryption to fields that you don't want users to be able to modify? Passing the hashes around will increase your payload size obviously, but everything comes with a cost, especially security!