New Features:

  • Support for signing HTTP messages via the HTTP Signature draft spec is included (https://tools.ietf.org/html/draft-cavage-http-signatures) in the cxf-rt-rs-security-http-signature module.
  • Initial support for Java 11 - CXF has been built and tested with Java 11. It is not using the Java 11 modules, but it can be built and the tests pass with Java 11.
  • MicroProfile Rest Client v1.2 implementation

Claims Handling:

  • The claimType of the Claim class is now a "String" instead of a "URI".  This might break existing ClaimsHandler implementations in the STS. In addition, the ClaimsHandler interface now returns a List<String> for getSupportedClaimTypes() instead of List<URI>.
  • The Claims access control annotations/interceptors now work with JWT tokens (as well as SAML tokens). This resulted in the following package changes:
    • ClaimsAuthorizingInterceptor has moved from the cxf-rt-security-saml module to the cxf-rt-security module. The package name of the ClaimsAuthorizingInterceptor has changed: from org.apache.cxf.rt.security.saml.interceptor.ClaimsAuthorizingInterceptor to org.apache.cxf.rt.security.claims.interceptor.ClaimsAuthorizingInterceptor.
    • ClaimsAuthorizingFilter has moved from the cxf-rt-rs-security-xml module to the cxf-rt-frontend-jaxrs module. The package name of the ClaimsAuthorizingFilter has changed: from org.apache.cxf.rs.security.saml.authorization.ClaimsAuthorizingFilter to org.apache.cxf.jaxrs.security.ClaimsAuthorizingFilter.

Major dependency changes:

  • Spring and Spring Security have been upgraded to 5.x; the Spring Boot dependency is now 2.x. However, old versions will currently still work.
  • JAX-RS and JAXB APIs are now JakartaEE dependencies. All other JakartaEE dependencies will follow with the next major release. Old dependencies can still be used, but this requires exclusions to avoid duplicate transitive dependencies (currently no relocation is in place).

Removed Features:

  • New cxf-bom artifactId for importing all the CXF artifacts
  • New support for MicroProfile OpenAPI (as alternative to Swagger Core 2.0)
  • New samples to show WS-Transaction usage, OpenAPI v3.0 with MicroProfile
  • Ability in Logging feature to mask sensitive information
  • New support for SSEs in MicroProfile Rest Client
  • OAuth 2.0 Authorization Server Metadata / OpenID Provider Metadata

Major dependency changes:

There have been several major dependency changes and updates. Several of these updates may have an impact on user applications and configuration. Check the migration guides for these dependencies for extra information if impacted.

  • Spring Boot is updated to 2.3.x, Spring to 5.2.x and Spring Security to 5.3.x
  • Apache WSS4J is updated to 2.3.x, Apache Santuario to 2.2.x.
  • Jackson updated to 2.11
  • Dropwizard Metrics are updated to 4.1.x
  • Hibernate Validator is updated to 6.1.x
  • EhCache is updated to 3.8.x
  • The Woodstox Stax2 API is updated to 4.2. Woodstox core is updated to 6.2.x.
  • Jakarta dependencies are used where possible; please check your dependency tree for duplicates after updating:
    • Jakarta Servlet-API
    • Jakarta XML Bind-API
    • Jakarta XML WS-API
    • Jakarta XML SOAP-API
    • Jakarta JWS-API
    • Jakarta JSON-API
    • Jakarta JSON Bind-API
    • Jakarta Annotation-API
    • Jakarta Activation-API
    • Jakarta EL-API
    • Jakarta Mail-API
    • Jakarta Validation-API
    • Jakarta CDI-API
    • Jakarta Rest-API was already part of a previous release
  • MicroProfile Rest Client is updated to 2.0
  • Brave updated to 5.11
  • Lucene updated to 8.2
  • Mina updated to 2.1
  • Undertow updated to 2.1
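
One way to run the duplicate check asked for in the Jakarta dependencies item above. This is an added example, not code from the CXF project. It assumes the plain-text output of `mvn dependency:tree`; the sample tree, the `com.example` artifacts and all version numbers in it are constructed for illustration.

```python
import re

# Legacy javax coordinates -> superseding Jakarta coordinates (subset; extend as needed).
LEGACY_TO_JAKARTA = {
    "javax.servlet:javax.servlet-api": "jakarta.servlet:jakarta.servlet-api",
    "javax.xml.bind:jaxb-api": "jakarta.xml.bind:jakarta.xml.bind-api",
    "javax.xml.ws:jaxws-api": "jakarta.xml.ws:jakarta.xml.ws-api",
    "javax.ws.rs:javax.ws.rs-api": "jakarta.ws.rs:jakarta.ws.rs-api",
}

# Optional "[INFO] " prefix, tree-drawing characters, then the coordinate token.
LINE = re.compile(r"^(?:\[INFO\] )?([|+\\\- ]*)(\S+:\S+:\S+:\S+)")

def parse_tree(tree_text):
    """Yield (depth, 'group:artifact', version) per node of `mvn dependency:tree` output."""
    for line in tree_text.splitlines():
        m = LINE.match(line)
        if m:
            parts = m.group(2).split(":")
            # group:artifact:type:version[:scope] or group:artifact:type:classifier:version:scope
            version = parts[4] if len(parts) == 6 else parts[3]
            yield len(m.group(1)) // 3, f"{parts[0]}:{parts[1]}", version

def find_duplicates(tree_text):
    """Report APIs that are present under both their javax and Jakarta coordinates."""
    path, seen = [], {}
    for depth, coord, version in parse_tree(tree_text):
        del path[depth:]  # leave the previous branch; keep only this node's ancestors
        path.append(coord)
        # path[1] is the direct dependency where an <exclusion> would be declared
        seen.setdefault(coord, (version, path[1] if len(path) > 1 else coord))
    return [
        {"legacy": f"{old}:{seen[old][0]}", "pulled_in_by": seen[old][1],
         "jakarta": f"{new}:{seen[new][0]}"}
        for old, new in LEGACY_TO_JAKARTA.items() if old in seen and new in seen
    ]

# Constructed sample output, not taken from a real build.
SAMPLE_TREE = r"""[INFO] com.example:orders-service:war:1.0.0
[INFO] +- org.apache.cxf:cxf-rt-frontend-jaxrs:jar:3.4.0:compile
[INFO] |  +- jakarta.ws.rs:jakarta.ws.rs-api:jar:2.1.6:compile
[INFO] |  \- jakarta.xml.bind:jakarta.xml.bind-api:jar:2.3.3:compile
[INFO] +- com.example:legacy-reports:jar:2.7.1:compile
[INFO] |  +- javax.xml.bind:jaxb-api:jar:2.3.1:compile
[INFO] |  \- javax.ws.rs:javax.ws.rs-api:jar:2.1.1:compile
[INFO] \- jakarta.servlet:jakarta.servlet-api:jar:4.0.4:provided"""

if __name__ == "__main__":
    print(*find_duplicates(SAMPLE_TREE), sep="\n")
```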

Major Notes:

  • Revocation is now disabled by default in the XKMS TrustedAuthorityValidator (it now supports a wider range of revocation checking when enabled).

Removed Features:

  • The Log4jLogger from CXF core is removed. Instead you can use the Slf4jLogger and whatever logging binding you want by including the appropriate jar.
  • The ability to create a JMX Connector has been removed. Local JMX monitoring can be done using standard tools, and remote JMX monitoring is done using the standard JVM JMX options. See the docs for more information.
  • The Apache HTrace module was removed as HTrace has been retired
  • EhCache 2 OAuth provider removed - users can use the JCache implementation with EhCache 3