Depends on what your security concerns are.
My concern was the username and password public. Our web app is MVC and I built a class that creates/logs in the users and passes the SID, RID and JID back out to the front end (Strophe) to then attach to the jabber server to start chatting. See http://xmpp.org/extensions/xep-0206.html for more. Essentially create the xml strings, send to the jabber server and manage the responses as shown in xep 206.