Yes, you are correct. There is no association between a UsernameToken and a Signature. UsernameToken is just a replacement for HTTP Basic Auth for use in HTTP transports.
It sounds like JAAS cert auth is what you want, but we don't have support for that yet.
It is, however, on the roadmap.
Unfortunately, it is a lower priority than JAX-WS right now.
However, this can change if you are interested in contributing to open source, and have the time to work on submitting a patch. If you decide to give it a shot, feel free to post in the development forum and we can discuss the design.
Well, I'm very interested, but at the moment ... I'm very very busy.
I'll check the status when I have the time.
Thanks for replying to my post.