Since ModeShape 4, the default modeshape-security domain uses the Application Realm. So if you use the out-of-the-box configuration file, you need to run the add-user script and add users to the Application Realm.
When you add those users, you need to make sure you given them one the "admin", "readwrite", "read" and "connect" roles. This last role is required to be able to access any of the Modeshape webapps that are deployed in WF.
So the steps that you mentioned above are correct (although you just need to add users to the Application Realm) but you need to make sure you give your user(s) the above roles. IIRC when using the add-user utility the roles are comma-separated.
If you're using the non-interactive approach, after you've added a user you can just edit the configuration/application-roles.properties file and add the roles there (beware of spaces - don't use spaces after commas because that will create invalid role names)
I've also updated this section in our documentation: Installing ModeShape into Wildfly - ModeShape 4 - Project Documentation Editor