When trying to do basic authentication in Soap header with UserNameToken, token is well read from XML, but badly passed to password callback.
Line 165 of org.apache.ws.security.validate.UsernameTokenValidator :
WSPasswordCallback pwCb =
new WSPasswordCallback(user, null, pwType, WSPasswordCallback.USERNAME_TOKEN, data);
The password is set to null, while it has been correcty read just before.