Below is the copy paste from ThreadLocalAssociation.java:
//This removes a custom callback security handler that might have //been set if using UsernameTokenProfile with digest; doing this //here won't be required anymore once our custom security manager //will be used in our wsse implementation. CallbackHandlerPolicyContextHandler.setCallbackHandler(null);