Of all the places to enforce security, render modules are one of the most questionable. Aside from everything else, one of the most effective ways to hack into a system is to ignore the UI stuff and brute-force jam in your own evil data.
Just as an aside, I can be heard frequently exhorting people NOT to invent their own security systems. Unless they are full-time security professionals, the results are typically very, very flimsy (as in my computer-illiterate kid sister can break in in 10 minutes or less). And the more elaborate the framework being implemented, the more security holes there will be.
The
J2EE standard security framework is a very simple pre-designed, pre-debugged, industry-documentated basis that is quite sufficient for most web applications and can be easily augmented without violating its basic security operations.
The secret of how to be miserable is to constantly expect things are going to happen the way that they are "supposed" to happen.
You can have faith, which carries the understanding that you may be disappointed. Then there's being a willfully-blind idiot, which virtually guarantees it.