3.1.0 has been released and is available for download
. The migration guide for CXF 3.1.x is available here
. The main (non-security) features of CXF 3.1.0 are as follows:
- Java 6 is no longer supported.
- Jetty 9 is now supported. Support for Jetty 7 has been dropped.
- A new Metrics feature for collecting metrics about CXF services is available.
- A new Throttling feature is available for easily throttling CXF services.
- A new Logging feature is available that is more powerful than the existing logging functionality.
The security-specific changes and features are as follows:
- CXF 3.1.0 picks up a new major release of WSS4J (2.1.0) and OpenSAML (3.1.0). Please see a recent post on WSS4J 2.1.0 for some migration notes if you are using WS-Security or SAML with CXF.
- The STS now signs issued SAML tokens by default using RSA-SHA256 (previously RSA-SHA1).
- Some security configuration tags have been renamed from "ws-security.*"
to "security.*", as they are now shared with the XML Security JAX-RS module.
The old tags will continue to work as before however without any
change. See the Security Configuration page for more information.
- The SAML/XACML functionality previously available in the cxf-rt-security module is now in a new cxf-rt-security-saml module.
- A new Metadata service for SAML SSO is available. More on this in a future blog post.
- It is now possible to "plug in" custom security policy validators for WS-Security in CXF, if you want to change the default validation logic. See here for a test that shows how to do this.
Can you give a sample code how to implement the throttling?