Ok, so basically you're trying to use WS-Security UT for invoking an endpoint whose wsdl contract does not advertise that. That's why the ws-security is not automatically configured. So you have 2 options:
A) produce a locally modified version of that wsdl with proper ws-security policy and consume that with your client
B) programmatically (or through jbossws-cxf spring integration) configure ws-security in your client; see e.g. http://anonsvn.jboss.org/repos/jbossws/stack/cxf/tags/jbossws-cxf-4.1.0.Final/modules/testsuite/cxf-spring-tests/src/test/java/org/jboss/test/ws/jaxws/samples/wsse/UsernameTestCase.java