jquery-beginners query- is the password/secret key for auth used in jquery call, exposed to end user?

I am very new to jquery and javascript, hence this query(Please dont mind if it sounds too dumb :( )...

I have seen some libraries in javascript, that clearly mention that if the javascript version of that library is used, then the end user will have access to login credentials/password being used... Does this mean that if I want to call on an API that gives out JSON data (for example), then I cannot use jquery开发者_高级运维 at all? Is it possible to use jquery for authenticating into a service or API, without exposing login credentials to the end user?

I have seen some libraries in javascript, that clearly mention that if the javascript version of that library is used, then the end user will have access to login credentials/password being used...

Yes that is true. The end user (browsers) can see everything that is "in" the browser. Hence , you can use javascript to sniff for whatever you wanted to find. But hey, if you're a good programmer, would you send some login credentials/password to the end user? Would you not want it just in the server?

Does this mean that if I want to call on an API that gives out JSON data (for example), then I cannot use jquery at all?

No! Of course you can use jQuery. I would not care if you include some login credentials/password in JSON data. But if I were you, sure thing, I would not do that. There are some techniques so that your data (on a web app or something) can be secured and yet still use jQuery.

Is it possible to use jquery for authenticating into a service or API, without exposing login credentials to the end user?

Yes! Of course.

jQuery is a client side script (a javascript library ), it can see what the browser have. If your server side script would not send some login credentials/password in the user end, then you would not have problems. Hence, jQuery is not the problem.

comment answers:

can i authenticate with server side code, and only after that call on an API using jquery (so that the server side code handles password etc while client side code invokes that api only after successful authentication) Specifically can I do something like this to authenticate using java/jsp, and then call on the api using jquery? (This is a probable scenario for me)

Yes! Example:

User wants to use functionality A. Before anyone can use A, a user must have good credentials (for example logged in).

Now, here's a not logged in user, trying to use A. jQuery talked to the server. Now server checked if user is logged in. Server will deny the request.

You might asked, "How did the server know that the user was not logged in?". Well, that depends on your server side script.

Just picture this one out in your mind. jQuery is just like an invisible browser that is making your page request to the server.

note: I know that we are talking about jQuery here. But the technique/technology is referred to as AJAX. There are also other javascript libraries that can do this. Even just javascript will do.

You mentioned techniques to secure data+use jquery- pls point me to good resources on those...

Sorry, I can't recommend any. But just keep in mind, it is just like a page without the use of ajax. Accessing/viewing a page that needs credentials, you will have to check for some sessions or database data right?. Same goes when using ajax.

hmmm this link may give you some idea. http://www.roseindia.net/tutorial/jquery/loginValidation.html

Sorry if I'm not good on explaining things. Anyway, cheers!

As long as requests are not made over HTTPS, nothing will be encrypted and one could read the request information from outside.

If you try some developing tools like FF, Firebug installed and Chrome/Safari-Consoles you can read the requests *you*make and see what others could see when you don't use HTTPS.

jQuery is a JavaScript library and hence not responsible for backendprocessing