According to the article “Securing Web Service Integration” by Amila Suriarachchi “WSO2 carbon supports UT even with HTTP basic authentication by converting the POX message”, but I am not sure whether this is relevant to your interests.

However configuring UsernameToken authorization with a JAX-WS client is not as hard as it seems. All you have to do is create a class that implements javax.xml.ws.handler.soap.SOAPHandler and add the security header in the outbound messages by overriding the handleMessage(SOAPMessageContext messageContext) method.

My java version is 1.6.0_26 (with none of the above mentioned patches applied) and the web service client stub classes are generated by JAX-WS RI 2.1.7 according to the wsdl of a web service, secured by the UsernameToken scenario and exposed by a WSO2 Carbon Server (namely Data Services Server-2.6.3)

I use Apache WSS4J for creating the security header – in this case by simply instantiating a org.apache.ws.security.message.WSSecUsernameToken object and setting the username and password via the setUserInfo(String user, String password) method. Also a timestamp element should be added to the security header of the outgoing SOAP message.
A sample implementation could look like this:

public boolean handleMessage(SOAPMessageContext messageContext) {
    Boolean isOutboundMessage = (Boolean) messageContext.get(MessageContext.MESSAGE_OUTBOUND_PROPERTY);

    if (isOutboundMessage) {
        SOAPPart messageSoapPart = messageContext.getMessage().getSOAPPart();

        WSSecHeader securityHeader = new WSSecHeader();
        securityHeader.insertSecurityHeader(messageSoapPart);
        WSSecUsernameToken usernameToken = new WSSecUsernameToken();

        usernameToken.setPasswordType(WSConstants.PASSWORD_TEXT);
        usernameToken.setUserInfo("root", "top_secret");

        WSSecTimestamp timestamp = new WSSecTimestamp();

        usernameToken.build(messageSoapPart, securityHeader);
        timestamp.build(messageSoapPart, securityHeader);
    }

    return true;
}

Another important thing to mention is that SOAP header elements may come with a mustUnderstand global SOAP attribute. Referring to the article Working with Headers in JAX-WS SOAPHandlers by Jim White this attribute is used to indicate whether or not the web service receiver or intermediary is required to understand the header element before processing the message.

In case the mustUnderstand element is set to true (soapenv:mustUnderstand=”1″) the getHeaders() method should be coded to tell the runtime environment that the SOAP handler is going to take care of the mustUnderstand header elements by returning a set of QName (qualified name) objects that match the mustUnderstand header elements. Below is the getHeaders() method that handles the Security header.

public Set<QName> getHeaders() {
    final String NAMESPACE_URI = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    final String LOCAL_PART = "Security";
    final String PREFIX = "wsse";

    final QName wssecurity = new QName(NAMESPACE_URI, LOCAL_PART, PREFIX);  
    final Set<QName> headers = new HashSet<QName>();
    headers.add(wssecurity);  

    return headers;  
}

Lastly, before getting the service port and invoking any of its methods you should register an instance of the above mentioned class (let’s say – UsernameTokenSecuritySoapHandler) to the handler chain of your web service client. This can be done by using the following code:

    Service service = new Service();
    service.setHandlerResolver(new HandlerResolver() {
        public List<Handler> getHandlerChain(PortInfo portInfo) {
            List<Handler> handlers = new ArrayList<Handler>();
            handlers.add(new UsernameTokenSecuritySoapHandler());
            return handlers;
        }
    });

In addition – you could find here an excellent article by Young Yang about the JAX-WS API’s handler framework.

Hope this helps.