- Server side validation is mandatory : the request can come from a modified webpage, for example with rules altered with FireBug or any kind of DevTools. Or even easier, the request can be crafted by a malicious user, coming from a page (or a javascript block, or else) created ad-hoc, completely bypassing your page.
Think of it like the door of your house: with it, noone without the right key can enter. Without it, anyone can enter.
- Client side validation is user-friendly and performance friendly: it prevents the user to wait for the server’s negative response, it prevents the network from being flooded with wrong requests that could have been stopped (given the number of users and the possibility of uploading files along with form data, this could reach a critical mass very soon).
Think of it like the door with the intercom outside the building. With it, if you don’t answer to the intercom, people goes away immediately. Without it, people need to enter the building, climb the stairs, knock to your door… just to discover that you are not at home.
You NEED to apply a server-side validation, that in the case of Struts2 is either by validate() or validateXXX() method, or by XML Validation, or using annotations (with the inbuilt Struts2 Annotations per-action, or with the jsr303-validator-plugin by @UmeshAwasthi per-entity).
If you want to reuse your server-side validation as client-side validation you can use the Struts2-jQuery-plugin as described in this answer.
BTW, HTML5 (with fallbacks) and a basic jQuery validation on client side should be enough.
Put the real effort on server-side, then if you still have time and budget, enhance client side.