Apache CXF 2.4.7 Release Notes

1. Overview

The 2.4.x versions of Apache CXF are significant new versions of CXF 
that provides several new features and enhancements.  

New features include: 
* Log Browser Console - see the logbrowser sample for an example
* Transformation feature provides for a fast and effective way to transform inbound 
  and/or outbound XML messages, please see the TransformationFeature page for more 
  information.
* JIBX databinding
* Faster startup and reduced spring configuration. The Spring support has been redone
  to be based on the ExtensionManagerBus. This results in much faster startup. It also
  means that all of the imports of META-INF/cxf/cxf-extension-*.xml are no longer 
  needed and are deprecated.  Additionaly, all features are now available when 
  using the ExtensionManager Bus instead of being forced to use Spring.
* WSS4J has been updated from 1.5.x to 1.6. See http://ws.apache.org/wss4j/wss4j16.html
  for the list of new features and upgrade notes for Apache WSS4J 1.6.  Some notable new 
  features for CXF users include:
    * SAML2 support: WSS4J 1.6 includes full support for creating, manipulating and 
    parsing SAML2 assertions, via the Opensaml2 library. See
    http://coheigea.blogspot.com/2011/02/support-for-saml2-assertions-in-wss4j.html 
    for more information.
    * Performance work: A general code-rewrite has been done with a focus on improving 
    performance.
    * Support for Crypto trust-stores: WSS4J 1.6 separates the concept of keystore and 
    truststores. See http://coheigea.blogspot.com/2011/01/wss4j-16-crypto-property-change.html
    for more information.
 * WS-SecurityPolicy support for SAML tokens.
 * Initial OSGi Blueprint support for JAX-WS and JAX-RS
 * A simple framework for building an STS was added to CXF's WS-Security module.   See the
   sts_issue_operation sample to see this being used to generate SAML tokens based on X509 
   certs used for the authentication.


Users are encourage to review the migration guide at:
http://cxf.apache.org/docs/24-migration-guide.html
for further information and requirements for upgrading to 2.4.0.   In particular, the upgrades 
to WSS4J and Neethi will require some migration work if you use the WSS4J API's directly or
have created your own Policy objects or builders.   Additionally, XmlSchema was update to 2.0 
so any custom Aegis types may need to be updated.


2.4.7 fixes over 75 JIRA issues reported by users and the community.


2. Installation Prerequisites 

Before installing Apache CXF, make sure the following products,
with the specified versions, are installed on your system:

    * Java 5 Development Kit
    * Apache Maven 2.2.1 or 3.x
    * Some samples can be built with Apache Ant 1.6 or later


3.  Integrating CXF Into You Application

If you use Maven to build your application, you need merely add
appropriate dependencies. See the pom.xml files in the samples.

If you don't use Maven, you'll need to add one or more jars to your
classpath. The file lib/WHICH_JARS should help you decide which 
jars you need.

4. Building the Samples

Building the samples included in the binary distribution is easy. Change to
the samples directory and follow the build instructions in the README.txt file 
included with each sample.

5. Reporting Problems

If you have any problems or want to send feedback of any kind, please e-mail the
CXF dev list, dev@cxf.apache.org.  You can also file issues in JIRA at:

http://issues.apache.org/jira/browse/CXF


6. Migration notes:

See the migration guide at:
http://cxf.apache.org/docs/24-migration-guide.html
for caveats when upgrading from CXF 2.3.x to 2.4.x.

7. Specific issues, features, and improvements fixed in this version


** Bug
    * [CXF-3809] - Tests failing with: The signature or decryption was invalid
    * [CXF-3916] - partial response problem with SOAP 1.1 use of WS-Addressing
    * [CXF-3993] - WS-RM's blueprint configuration fails to parse RMAssertion entries
    * [CXF-4006] - Possible classloader leak due to ThreadLocal
    * [CXF-4034] - Allow SecurityConstants.SIGNATURE_CRYPTO and ENCRYPT_CRYPTO to be used on processing side
    * [CXF-4052] - Crypto cache issues and the PolicyBasedWSS4JInInterceptor used as a singleton
    * [CXF-4055] - Parameter Handler not Invoked if Constructor or Static Methods Succeed
    * [CXF-4056] - Faults on server are echoing headers back to the client
    * [CXF-4057] - Echoed Addressing headers can cause client hangs and timeouts
    * [CXF-4060] - oneway camel scenario is accessing the user principal too late, resulting in IllegalStateException
    * [CXF-4061] - Some of the characters in the URI path component are url-encoded  
    * [CXF-4066] - AbstractTransportFactory registers itself as extension, before being fully initialized
    * [CXF-4067] - JAX-RS WebClient proxy sometimes fails to set Content-Type from @Consumes
    * [CXF-4072] - NPE in PhaseInterceptorChain 
    * [CXF-4086] - Providers.getContextResolvers is only partially implemented 
    * [CXF-4088] - Class.getGenericSuperclass also needs to be checked by ProviderFactory
    * [CXF-4094] - Refreshing Spring application context leads to NPE
    * [CXF-4095] - schemaLocation attribute for swaRef namespace "http://ws-i.org/profiles/basic/1.1/xsd"  is wrongly removed 
    * [CXF-4099] - SignedParts, EncryptedParts policy assertions are silently ignored on the client side if specified alone
    * [CXF-4105] - Slf4jLogger doesn't mapping the level as the SLF4JBridgeHandler does
    * [CXF-4109] - UriInfo getHost caches first request's host and always returns that on subsequent calls
    * [CXF-4110] - Java first @Policy annotations aren't working
    * [CXF-4113] - Header fields duplication in generated wsdl file when using aegis databinding
    * [CXF-4115] - The operation property of the MessageContext may return wrong value if erroneous request is sent
    * [CXF-4117] - Argument type mismatch when using Implicit Headers and @RequestWrapper with Service from WSDL
    * [CXF-4121] - Default WebApplicationException mapper dramatically increases the response time
    * [CXF-4122] - CXFRequestData should get chance to setEnableRevocation from message context When use WS-SecurityPolicy 
    * [CXF-4124] - DynamicClientFactory has issues with schemas embedding in file based WSDL's
    * [CXF-4125] - StackOverflowError when requesting WADL
    * [CXF-4128] - Code Gen plugin fails silently when generated classes have name collisions
    * [CXF-4129] - DynamicClientFactory no longer works with JDK provided JAXB impl
    * [CXF-4130] - Server using Provider implementation writes contents of SOAP body in SOAP header
    * [CXF-4131] - org.apache.cxf.transport.http.finalizeConfig()  duplicate property listener and possible memory leak
    * [CXF-4133] - CachedOutputStream lost charsetName param
    * [CXF-4141] - response_code 500 ignored when set in JAXRSOutInterceptor.handleWriteException 
    * [CXF-4147] - Wrong wsdl generated from impl class annotated with @SOAPBinding(parameterStyle = ParameterStyle.BARE)
    * [CXF-4149] - org.apache.cxf.endpoint.ClientImpl raises 
    * [CXF-4153] - FIQL Parsers Beanspector, replaces "is", "set" and "get" in method names
    * [CXF-4155] - Fault "object is not an instance of declaring class" is related to AOP/CGLIB
    * [CXF-4163] - WSDLToJava Error: Thrown by JAXB: 'CodeGroup' is already defined ... OTA_CommonTypes.xsd
    * [CXF-4164] - Robust-InOnly processing with WS-RM must must delay updating the sequence until message delivery
    * [CXF-4166] - CXF does not always respect SecurityPolicy TokenInclusion for the AsymmetricBinding
    * [CXF-4171] - Static resource resolution not possible with CXFNonSpringJaxrsServlet
    * [CXF-4172] - Default JAX-RS XML, JSON and Form providers are open to the hash collision attacks
    * [CXF-4177] - ClientProxyImpl does not order Path parameter values according to the template order
    * [CXF-4178] - ClientProxyImpl does not support Multipart annotations
    * [CXF-4181] - CXF error when parsing a SOAP 1.2 fault: Invalid QName in mapping
    * [CXF-4183] - SOAP Fault cause NullPointerException
    * [CXF-4188] - Robust-InOnly processing with WS-RM to perform AtMostOnce delivery assurance check
    * [CXF-4192] - WSDLValidator doesn't pass the test for WSI-BP-1.0 R2726
    * [CXF-4195] - http-config conduit doesn't work on the http conduit for WsdlUrl
    * [CXF-4197] - Get the schema validation error when using the simple frontend configuration with blueprint 
    * [CXF-4200] - UriInfoImpl.getPathSegments(decode) does not pass 'decode' flag to getPath()
    * [CXF-4203] - CXF bundle need to imports the jaas related package
    * [CXF-4227] - AttachmentDeserializerTest contains buggy code for reading an InputStream.
    * [CXF-4231] - Incorrect handling of "If-None-Match" and "If-Modified-Since" request header combination



** Improvement
    * [CXF-1636] - Have WSS4J in/out interceptors require nonces and timestamps when using UsernameTokens?
    * [CXF-4049] - Check external CryptoProvider from message context properties in Wss4jInInterceptor
    * [CXF-4085] - introduce org.apache.cxf.jaxws.checkPublishEndpointPermissionWithSecurityManager for EndpointImpl so that get chance to bypass SecurityManager Check in some cases
    * [CXF-4092] - Confusing error message "No initiator token id" in AssymetricBindingHandler
    * [CXF-4107] - JsonpInIinterceptor should set a default callback value if no callback query parameter is available
    * [CXF-4116] - Equal URI templates should use a string comparison as the last step
    * [CXF-4119] - support Certificates revocation check before encrypt when use CXF WS-SecurityPolicy
    * [CXF-4120] - JMS Transport content-type should be consistent with the HTTP transport
    * [CXF-4134] - GZIPOutInterceptor compiles Patterns constantly; they should be compiled once and reused
    * [CXF-4143] - Make class name of PolicyBasedWSS4JOutInterceptorInternal externally available
    * [CXF-4169] - make nested exception causes available at the client
    * [CXF-4175] - CXF2.5.3 not compatible with jetty7.6.x 
    * [CXF-4182] - Make jaxws.provider.interpretNullAsOneway property configurable using a string value
    * [CXF-4204] - CXF https transport should support to specify the cert alias name
    * [CXF-4211] - Update the CXF bundle of "net.sf.ehcache" importing to be optional
    * [CXF-4217] - Introduce Nullable annotations to override the default handling of empty payloads by JAXB providers
    * [CXF-4230] - Update Javadoc of GZIPFeature

** New Feature
    * [CXF-2864] - Support UsernameToken derived keys
    * [CXF-3635] - WS-Trust SPNego (WCF message level spnego)
    * [CXF-4091] - add a robust in-only processing option for oneway call
    * [CXF-4096] - add a robust in-only processing option for oneway call with WS-Addressing

** Task
    * [CXF-4135] - Allow xsd shema file as a jaxb binding file to pass into JAXB schmeCompiler



