I think it's a best practice to configure XWSS in Spring config as much as possible. For instance, you can use the SimpleUsernamePasswordCallbackHandler as opposed to supplying the credentials inline.
Secondly, XWSS does not do a proper configuration check before initializing. So if we dropped the callbackHandler check, most people would end up with nasty NPEs, which are harder to debug than assertion failures. Even though these failures are not 100% correct, as you pointed out.
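
The setup the comment above recommends, as an added example that is not part of the original post or the project's own configuration: the XWSS policy file holds no credentials, and a SimpleUsernamePasswordCallbackHandler bean supplies them to the interceptor. The bean ids, the `securityPolicy.xml` file name and the `ws.username` / `ws.password` placeholders are assumptions.

```xml
<!-- Constructed example. securityPolicy.xml states the requirement only, with no credentials:
     <xwss:SecurityConfiguration xmlns:xwss="http://java.sun.com/xml/ns/xwss/config">
         <xwss:UsernameToken digestPassword="false" useNonce="false"/>
     </xwss:SecurityConfiguration>
     The inline alternative would put name="..." password="..." on that element,
     leaving the secret in a classpath resource. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd">

    <!-- Assumed: ws.username / ws.password are resolved by a property
         placeholder configured elsewhere, outside version control -->
    <bean id="usernamePasswordHandler"
          class="org.springframework.ws.soap.security.xwss.callback.SimpleUsernamePasswordCallbackHandler">
        <property name="username" value="${ws.username}"/>
        <property name="password" value="${ws.password}"/>
    </bean>

    <!-- The interceptor asks the handler for the username and password
         when the policy requires a UsernameToken -->
    <bean id="wsSecurityInterceptor"
          class="org.springframework.ws.soap.security.xwss.XwsSecurityInterceptor">
        <property name="policyConfiguration" value="classpath:securityPolicy.xml"/>
        <property name="callbackHandlers">
            <list>
                <ref bean="usernamePasswordHandler"/>
            </list>
        </property>
    </bean>
</beans>
```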