You should never submit a form to JSP page or perform any kind of data processing inside a JSP -- that's what servlets are for.
What I generally do is to validate the data at the most appropriate level. Sometimes, that's in the controller, but often it's deeper within the model. In either case, any problems are gathered up and if there are validation failures, I redirect back to the JSP with the form, passing the validation problems so that the JSP (and/or any script on the page) can display them to the user for fixup.
What kind of flow is easy and secured and best performance giving?
isn't it? For web applications, we have to compromise on something or the other..
Interesting to know the context of validation over here. To me I would consider 2 different scenarios
1. Server side validation of Input data (for vulnerabilities or malicious input)
2. Business level validations (what the business requires)
For business validations I would prefer layer in business components to do it but for input validation (for security) I would have it in controller or a separate layer itself (after controller) which would make it easier to un-plug the same easily if we feel it is trash.
Any contradictions to change my perspective or make me think over again are highly appreciated
Have Fun with Java
little,little.. little by little makes a lot..