If you want to use the full WS-Security facilities coming with Apache CXF and hence JBossWS-CXF, you need to go through the Spring configuration, which covers the stack specific aspect of configuring the security engine, similarly to what you did with the jboss-wsse-endpoint.xml on JBossWS-Native stack.
The documentation on WS-Security w/ JBossWS-CXF is at http://community.jboss.org/wiki/JBossWS-StackCXFUserGuide#WSSecurity . Please also consider taking a look at the mentioned Apache CXF doc there.
On the countrary, if you just want to implement and home brew solution for checking some of the WS-Security headers, you can avoid setting up security at all and install your custom handlers / interceptors. Handlers configuration is covered by standard specs and hence can be done in a stack agnostic way (see the @HandlerChain annotation). Alternatively, you can use CXF interceptors, declared through @InInterceptor/@OutInterceptor/.. (see Apache CXF doc on that).