With the help of Chris Dail's excellent blog post I managed to secure my CXF-powered web service with 'basic-authentication'. This is how I did it:

Step 1: Download BasicAuthAuthorizationInterceptor.java from Chris blog and put it in src/java.

Step 2: Add this to resources.groovy

securityInterceptor(BasicAuthAuthorizationInterceptor) {
  users = ['wsuser':'secret']
}

Step 3: Add this to BootStrap.groovy

class BootStrap {
  def myWebServiceFactory
  def securityInterceptor

  def init = { servletContext ->
    myWebServiceFactory.getInInterceptors().add(securityInterceptor)
  }
}

Done!

SOAP requests must now provide the right username and password to access the web service.

In this example I have a grails service called MyWebService that exposes web service methods. In BootStrap you access it's factory by appending "Factory" to the service class name.

Next step for me is to use Shiro plugin to authenticate requests instead of hard coded usernames and passwords.