If an external mechanism is employed, a likely candidate is the Java Authentication and Authorization Service (JAAS) (see http://java.sun.com/products/jaas/).
By providing a signature of Repository.login that does not require Credentials, the content repository allows for authorization and authentication to be handled by JAAS (or another external mechanism) if the implementer so chooses.
To use JAAS authentication to create Sessions with end-user identity, invocations of the Repository.login method that do not specify Credentials (i.e., either a null Credentials is passed or a signature without the Credentials parameter is used) should obtain the identity of the already-authenticated user by calling the static getSubject method of javax.security.auth.Subject.
The discovery mechanism for finding what permissions apply is also JAAS-compatible since it uses the JAAS-like concept of actions.