hello,
I can't guarantee to tell you best practices, because I haven't used JSF 2.0 in a real project yet.
About web development in general:
You need server-side validation anyway, even if you use JavaScript as a "first check".The most user friendly way to present errors in forms is an error message next to the field where the error occurs.
JSF is particularly well suited to make form validation simple. Actually, that's the one big gain when using JSF, while it makes other things much harder than they were with plain Servlets/JSP.
Use required="true" in the tags of mandatory input elements: http://download.oracle.com/javaee/6/tutorial/doc/gjcxv.htmlFor additional validation, check out integrated and custom validators in the tutorialUse h:message (error for one particular field) or h:messages (global) to display validation errors and similar problems for fields: http://download.oracle.com/javaee/6/tutorial/doc/bnarf.html#bnaso
Your chances of making the application really secure and with not too many bugs aren't that good, given the background you stated. But it'll work.
Kai