Almost any WS-Security testcase in the jbossws-cxf testsuite currently require the endpoint deployment to include an explicit dependency on the 'org.apache.ws.security' module. Most of the times, that's basically due to the need for the user to provide a CallbackHandler class recognizing WSS4J Callback instances and setting passwords (keystores, username auth, ...) in them.
We should provide (abstract?) default callback handlers in JBossWS that the user could rely on for setting passwords without requiring deployments to have visibility over the whole WSS4J.