Keystores and trust stores referenced in jboss-wsse-server.xml are relative to deployment. We need to be able to reference keystores that are not part of the EAR file, e.g. using absolute file paths or URL. The reason is that for security reasons, developers don't have access to production keystores. This means in order for us to run in production, the EAR file will need to be unpacked and re-packed to include a different keystore. It's an error prone process that we want to avoid.
I also created a support ticket for this. It is 10530.