Comment: Added notice about lack of nonce support.

...

WS-Security supports many ways of specifying tokens. One of these is the UsernameToken header. It is a standard way to communicate a username and password or password digest to another endpoint. Be sure to review the OASIS UsernameToken Profile Specification for important security considerations when using UsernameTokens. Note that the nonce support recommended by the specification for guarding against replay attacks has not yet been implemented either in CXF or WSS4J.
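Because nonce checking is not provided, an endpoint that accepts digest UsernameTokens has to enforce freshness and nonce uniqueness itself. The sketch below is an added example, not CXF or WSS4J code: the class `UsernameTokenReplayGuard`, its method names and the sample values are hypothetical, and it uses only the JDK. It computes the digest as the profile defines it and rejects stale or already-seen tokens.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical helper: PasswordDigest check plus a nonce replay cache. */
public class UsernameTokenReplayGuard {
    private final Duration freshness;                        // accepted age of wsu:Created
    private final Map<String, Instant> seen = new ConcurrentHashMap<>();

    public UsernameTokenReplayGuard(Duration freshness) { this.freshness = freshness; }

    /** Password_Digest = Base64(SHA-1(nonce + created + password)), per the profile. */
    static String digest(byte[] nonce, String created, String password) throws Exception {
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        sha1.update(nonce);
        sha1.update(created.getBytes(StandardCharsets.UTF_8));
        sha1.update(password.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(sha1.digest());
    }

    /** Returns true only for a fresh, correctly digested, never-seen token. */
    public boolean accept(String user, String nonceB64, String created, String digestB64,
                          String storedPassword, Instant now) throws Exception {
        Instant ts = Instant.parse(created);
        if (Duration.between(ts, now).abs().compareTo(freshness) > 0) return false; // stale or future-dated
        byte[] expected = digest(Base64.getDecoder().decode(nonceB64), created, storedPassword)
                .getBytes(StandardCharsets.US_ASCII);
        if (!MessageDigest.isEqual(expected, digestB64.getBytes(StandardCharsets.US_ASCII))) return false;
        seen.values().removeIf(t -> Duration.between(t, now).compareTo(freshness) > 0); // expire old nonces
        return seen.putIfAbsent(user + ":" + nonceB64, ts) == null; // false when the nonce was already used
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values, not taken from any real deployment.
        String created = "2024-01-01T12:00:00Z", pw = "example-password";
        String nonce = Base64.getEncoder().encodeToString("constructed-nonce".getBytes(StandardCharsets.UTF_8));
        String d = digest(Base64.getDecoder().decode(nonce), created, pw);
        UsernameTokenReplayGuard g = new UsernameTokenReplayGuard(Duration.ofMinutes(5));
        Instant now = Instant.parse("2024-01-01T12:01:00Z");
        System.out.println(g.accept("alice", nonce, created, d, pw, now)); // first use
        System.out.println(g.accept("alice", nonce, created, d, pw, now)); // same token replayed
        System.out.println(g.accept("alice", nonce, created, d, pw, now.plusSeconds(3600))); // outside window
    }
}
```

The cache here is per process; a clustered endpoint needs a shared store, and the token still has to travel over TLS or be signed, since the digest alone does not protect the rest of the message.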

For the server side, you'll want to set up the following properties on your WSS4JInInterceptor (see above for code sample):

...