3.3 Migration Guide

The claimType of the Claim class is now a "String" instead of a "URI". This might break existing ClaimsHandler implementations in the STS. In addition, the ClaimsHandler interface now returns a List<String> for getSupportedClaimTypes() instead of List<URI>.
The Claims access control annotations/interceptors now work with JWT tokens (as well as SAML tokens). This resulted in the following package changes:
- ClaimsAuthorizingInterceptor has moved from the cxf-rt-security-saml module to the cxf-rt-security module. The package name of the ClaimsAuthorizingInterceptor has changed: from org.apache.cxf.rt.security.saml.interceptor.ClaimsAuthorizingInterceptor to org.apache.cxf.rt.security.claims.interceptor.ClaimsAuthorizingInterceptor.
- ClaimsAuthorizingFilter has moved from the cxf-rt-rs-security-xml module to the cxf-rt-frontend-jaxrs module. The package name of the ClaimsAuthorizingFilter has changed: from org.apache.cxf.rs.security.saml.authorization.ClaimsAuthorizingFilter to org.apache.cxf.jaxrs.security.ClaimsAuthorizingFilter

Support for signing HTTP messages via the HTTP Signature draft spec is included (https://tools.ietf.org/html/draft-cavage-http-signatures) in the cxf-rt-rs-security-http-signature module.
Initial support for Java 11 - CXF has been built and tested with Java 11. It is not using the Java 11 modules, but it can be built and the tests pass with Java 11.
MicroProfile Rest Client v1.2 implementation

Spring and Spring Security have been upgraded to 5.x, the Spring Boot dependency is now 2.x. However old versions will currently still work.
JAX-RS and JAXB APIs are now JakartaEE dependencies. All other JakartaEE dependencies will follow with the next major release. Old dependencies can still be used, but this requires exclusions to avoid duplicate transitive dependencies (currently no relocation is in place).

The Apache HTrace module was removed as HTrace has been retired
EhCache 2 OAUTH provider removed - users can use the JCache implementation with EhCache 3