Wednesday, May 22, 2013

Apache CXF 2.7.5 released

Apache CXF 2.7.5 has been released. The list of issues fixed is available here. The following security fixes of note have been made in this release:
  • The OpenSAML dependency has been upgraded from 2.5.1 to 2.5.3.
  • A change was made to the logic the STS uses to encrypt the tokens it issues. Previously, it threw an exception if no key could be found (at either the service level or a more generic level) with which to encrypt the token. Now it encrypts the token only if a matching key can be found. This makes it possible to encrypt tokens only for specific "AppliesTo" endpoint addresses.
  • LDAP groups are now (better) supported as claims in the STS. See the following blog entry for more detail.
  • The CryptoCoverageChecker interceptor has been enhanced so that you can disable coverage checking for SOAP Faults. This is useful for testing/debugging if you want to figure out the root cause of a remote exception.