ModeShape provides an API both for authorization & authentication, allowing clients to extend & plug in their own implementations. See Custom authentication providers - ModeShape 4 - Project Documentation Editor for more details.
Is there any chance we can utilize Servlet authorization for this? When I deploy my applications into Wildfly they are secured with two modifications: 1) the inclusion of a keycloak.json file and 2) the specification of the /web-app/login-config/auth-method element within the Servlet configuration web.xml file. The ModeShape documentation says all I need to do is "create a 'org.modeshape.jcr.api.ServletCredentials' instance with the servlet's HttpServletRequest" ...
The way servlet authorization & authentication essentially works is via a ServletCredentials instance being passed to session.login like so:
repository.login(new ServletCredentials(httpRequest), workspaceName)
and relies subsequently on the following methods from HttpServletRequest: httpRequest.getUserPrincipal() && httpRequest.isUserInRole(roleName)
I don't know how Keycloak works, but if it integrates with HTTP auth, then your use case should work.