Please see
http://svn.apache.org/repos/asf/cxf/trunk/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/server/server_restricted_authorized_2.xml
for a policy first case, you need to set a "ws-security.ut.no-callbacks" property.
And here is a test SimpleSubjectCreatingInterceptor :
http://svn.apache.org/repos/asf/cxf/trunk/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/server/SimpleSubjectCreatingInterceptor.java
it still extends the org.apache.cxf.ws.security.wss4j.AbstractUsernameTokenAuthenticatingInterceptor (just to make sure) the existing code
relying on it works. So setting the property above should fix the issue for the policy first case.
SimpleSubjectCreatingInterceptor should really extend
http://svn.apache.org/repos/asf/cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/AbstractUsernameTokenInInterceptor.java
no WSS4J dependency, UsernameToken is a CXF specific class, it can be extended without breaking the subclasses...
Hope this helps, Sergey