Apache CXF 3.1.0 released

Apache CXF 3.1.0 has been released and is available for download. The migration guide for CXF 3.1.x is available here. The main (non-security) features of CXF 3.1.0 are as follows:

• Java 6 is no longer supported.
• Jetty 9 is now supported. Support for Jetty 7 has been dropped.
• A new Metrics feature for collecting metrics about CXF services is available. 
• A new Throttling feature is available for easily throttling CXF services.
• A new Logging feature is available that is more powerful than the existing logging functionality.

The security-specific changes and features are as follows:

• CXF 3.1.0 picks up a new major release of WSS4J (2.1.0) and OpenSAML (3.1.0). Please see a recent post on WSS4J 2.1.0 for some migration notes if you are using WS-Security or SAML with CXF.
• The STS now signs issued SAML tokens by default using RSA-SHA256 (previously RSA-SHA1).
• Some security configuration tags have been renamed from "ws-security.*" to "security.*", as they are now shared with the XML Security JAX-RS module. The old tags will continue to work as before however without any change. See the Security Configuration page for more information.
• The SAML/XACML functionality previously available in the cxf-rt-security module is now in a new cxf-rt-security-saml module.
• A new Metadata service for SAML SSO is available. More on this in a future blog post.
• It is now possible to "plug in" custom security policy validators for WS-Security in CXF, if you want to change the default validation logic. See here for a test that shows how to do this.