Oh, Matt, by now I thought you'd know what I have to say to people who try and roll their own login/security systems.
If you write your own login code, it's virtually certain that someone is going to pwn you.
Security lectures notwithstanding, however, you cannot add user logic to the render phase of the JSF lifecycle. The architecture is designed to render based on an immutable copy of the Model. The closest you can get is to use render-control options on the View definition such as the "rendered=" and style attributes.
Also, "after the page is rendered", the server disconnects from the client, so nothing further can be done until the client connects again with another request.
The secret of how to be miserable is to constantly expect things are going to happen the way that they are "supposed" to happen.
You can have faith, which carries the understanding that you may be disappointed. Then there's being a willfully-blind idiot, which virtually guarantees it.