Good question!
Here's my general rule of thumb: If it's a simple validation such as testing for existence, whether it's an integer, valid date format, etc., put it in the validate() method of the ActionForm. If it's something that could be described as a "business rule", it should be done in the action class, and the actual verification logic should go in a class that is part of the "model" layer of your MVC application.
For example, if a password input cannot be blank, that's a simple rule and can be done in the validate method. If a password has to have at least one upper-case character and one numeric character, but cannot start with a numeric character, that's a business rule, and should be done in the Action class with the rule itself coming from a model-layer class.
The point of making this distinction is to preserve the integrity of the MVC model.
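The split described in the answer above, as an added example that is not part of the original post: the blank check sits in the form's validate(), the password rule sits in a model-layer class, and the Action only consults it. It assumes Struts 1.x and the servlet API on the classpath; the class names, message keys and the "success" forward are hypothetical.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.*;

// Hypothetical holder class so the three pieces compile as one file.
public class PasswordExample {
    // Form: only the simple "must not be blank" check lives here.
    public static class ChangePasswordForm extends ActionForm {
        private String password;
        public String getPassword() { return password; }
        public void setPassword(String password) { this.password = password; }

        public ActionErrors validate(ActionMapping mapping, HttpServletRequest request) {
            ActionErrors errors = new ActionErrors();
            if (password == null || password.isEmpty()) {
                // Message key is a placeholder for an entry in the resource bundle.
                errors.add("password", new ActionMessage("error.password.required"));
            }
            return errors;
        }
    }

    // Model layer: the business rule, with no Struts or servlet dependency.
    public static class PasswordPolicy {
        public boolean isAcceptable(String pw) {
            if (pw == null || pw.isEmpty() || Character.isDigit(pw.charAt(0))) {
                return false; // blank, or starts with a numeric character
            }
            boolean upper = false, digit = false;
            for (char c : pw.toCharArray()) {
                upper |= Character.isUpperCase(c);
                digit |= Character.isDigit(c);
            }
            return upper && digit; // at least one upper-case and one numeric
        }
    }

    // Controller: asks the model for the verdict and routes accordingly.
    public static class ChangePasswordAction extends Action {
        private final PasswordPolicy policy = new PasswordPolicy();

        public ActionForward execute(ActionMapping mapping, ActionForm form,
                HttpServletRequest request, HttpServletResponse response) {
            String pw = ((ChangePasswordForm) form).getPassword();
            if (!policy.isAcceptable(pw)) {
                ActionErrors errors = new ActionErrors();
                errors.add("password", new ActionMessage("error.password.policy"));
                saveErrors(request, errors);      // the rejected value is not echoed back
                return mapping.getInputForward(); // redisplay the input page
            }
            return mapping.findForward("success");
        }
    }
}
```

Because PasswordPolicy has no web dependencies, the same rule can be unit-tested on its own and reused by any other entry point that accepts a password.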