I can't guarantee to tell you best practices, because I haven't used JSF 2.0 in a real project yet.
About web development in general:
JSF is particularly well suited to make form validation simple. Actually, that's the one big gain when using JSF, while it makes other things much harder than they were with plain Servlets/JSP.
Use required="true" in the tags of mandatory input elements: http://download.oracle.com/javaee/6/tutorial/doc/gjcxv.htmlFor additional validation, check out integrated and custom validators in the tutorialUse h:message (error for one particular field) or h:messages (global) to display validation errors and similar problems for fields: http://download.oracle.com/javaee/6/tutorial/doc/bnarf.html#bnaso
Your chances of making the application really secure and with not too many bugs aren't that good, given the background you stated. But it'll work.