Currently the org.jboss.wsf.stack.cxf.security.authentication.SubjectCreatingPolicyInterceptor throws exception if a SecurityContext is not available in the Message instance. It should however simply log the error and let the authentication fail later when the policy engine verifies the contract policy assertions are satisfied.
The early throw of exception prevents WS-MEX from properly working for any endpoint this interceptor is attached to.