
Is it mandatory to use SSL?

I'm developing a web site for a broker (JSF 2 + richfaces + oracle 10g), and I wanted to have your opinion concerning HTTPS (because I think it's not necessary in my case, since the user won't give any important details).

So:

  • to enter the web site, the user has to authenticate himself (using JAAS)
  • there's a page showing Stock Market data (it's financial data, so it's not that important)
  • the user can buy/sell stocks: he gives quantity, price, the account (not bank account) for which he will buy/sell
  • the user can see his accounts, what stocks he has, past operations, etc.

Is it necessary to use SSL in my case?


Yes, it sure sounds like it. Authentication usually involves sending a username/password combination to the server. That should never be done in clear text, so that requirement alone would make SSL a good idea. Furthermore, buying and selling stocks sounds like something that you would want to do in a secure manner.

I don't even understand what your concern is. Having an SSL-protected website does not mean that you have to write a single line of code. It's just a question of buying an SSL certificate and configuring your web server.


I think it is necessary indeed, as it involves real money. Even if the user doesn't give away any details, there still can be man-in-the-middle attacks between the user and your server, which would enable anybody to gain access to the server with his credentials.

If it doesn't involve real money (it's not clearly written out), then you won't necessarily need it.


If the user is passing anything sensitive (and I'd say the number for a stock trading account is hugely sensitive) then HTTPS is crucial, in my opinion.

The way I'm seeing what you described, you have a user identifying himself/herself, and then you're passing basically all the info about his/her account over the web. Definitely secure that as much as possible.


There is no "good" way to get authentication tokens securely (in your case passwords) without using HTTPS or a one-time password system.

In any case, I would sure want this type of access to be HTTPS secured else I might not trust it.
