2. Because trusting the client to provide sane data is insane. A considerable percentage of security exploits work because someone has hacked the client-side processing to return unexpected data in the hopes of breaking the server.
The one penalty you do pay, of course, is in whatever work you do to duplicate the validation. But that extra investment in robustness is what separates the "toy" programs from enterprise-grade applications and why the hypothetical 10-year-old kid isn't the equivalent of a trained software developer.
Of course, if you use a JSF tagset that can automatically generate both the client- and server-side validations from the same specifications, I won't stop you. In fact, I'm always on the lookout for tools of that type.
An IDE is no substitute for an Intelligent Developer.
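The point made in the post above about generating client- and server-side validation from the same specification, shown as an added example (not code from this thread or from any JSF tagset). `FieldSpec`, `toHtmlAttributes` and `validate` are hypothetical names, the submissions are constructed, and plain Java 16+ is used instead of the JSF validator API so the block runs on its own.

```java
import java.util.regex.Pattern;

// Added illustration: one field specification drives both the client-side
// hints and the authoritative server-side check. All names are hypothetical.
public class SharedValidationDemo {

    record FieldSpec(String name, boolean required, int maxLength, Pattern pattern) {

        // Client side: HTML5 attributes derived from the spec. These are a
        // usability aid only; they can be stripped or skipped entirely.
        // Assumes name and pattern contain nothing that needs HTML escaping.
        String toHtmlAttributes() {
            return "name=\"" + name + "\""
                    + (required ? " required" : "")
                    + " maxlength=\"" + maxLength + "\""
                    + " pattern=\"" + pattern.pattern() + "\"";
        }

        // Server side: the same rules, enforced on the raw submitted value.
        // Returns null when the value is acceptable, otherwise the reason.
        String validate(String raw) {
            if (raw == null || raw.isEmpty()) {
                return required ? name + ": value is required" : null;
            }
            if (raw.length() > maxLength) {
                return name + ": longer than " + maxLength + " characters";
            }
            if (!pattern.matcher(raw).matches()) {
                return name + ": contains characters outside the allowed set";
            }
            return null;
        }
    }

    public static void main(String[] args) {
        FieldSpec username = new FieldSpec("username", true, 16, Pattern.compile("[A-Za-z0-9_]+"));
        System.out.println("<input " + username.toHtmlAttributes() + ">");

        // Constructed sample submissions: the first is what the form allows,
        // the rest are what can arrive when the client-side checks are bypassed.
        String[] submissions = { "alice_01", "", "a".repeat(64), "alice<script>", null };
        for (String raw : submissions) {
            String error = username.validate(raw);
            System.out.println((error == null ? "ACCEPT " : "REJECT ") + raw
                    + (error == null ? "" : " -> " + error));
        }
    }
}
```

Only the first submission is accepted; the other four are rejected on the server even though the generated `<input>` attributes would have blocked them in an unmodified browser.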
John Todd wrote: And by the way, the subject you picked for your post is too misleading.
Thereby I have a small chance that the final submit fails, but normally this will not be the case.