Apache CXF -- 2.5 Migration Guide

WS-RM is being updated to support 1.1. Also included are some feature improvements such as sequence demarcation by WS-RM client.
WS-RM components are fully JMX instrumented. Various status information about the WS-RM processing such as sequences, retries, acknowledgments can be monitored over JMX.
WS-MetadataExchange support for server side. CXF services will now respond properly to WS-MEX requests.
<cxf:workqueue> configuration to configure the workqueues that CXF uses.
Karaf commands
- cxf:list-busses
- cxf:list-endpoints [busid]
- cxf:stop-endpoint busid endpointName
- cxf:start-endpoint busid endpointName
New WS-Notification Service and API's (see ws_notification sample)
New Security Token Service (see sts sample)
Initial OAuth support for JAX-RS (see oauth sample)
Initial XML Security and SAML support for JAX-RS.

All the JBI related modules have been removed from CXF. If using CXF with JBI, it's recommended to use the ServiceMix CXF JBI components. Any code that those modules needed from past versions of CXF will be moved into those ServiceMix components.

The AlternativeSelector.selectAlternative method for selecting the Policy alternative to use now requires a new List<List<Assertion>> parameter which, on the server side, is the list of Alternatives that the incoming request matched. The AlternativeSelector can use that to aid in selecting the best response alternative to use.
The PolicyEngine.getEffectiveServerResponsePolicy now takes an additional parameter of the incoming policy alternatives that were matched. It can be null for the previous behavior.

If a MBeanServer is available in the Spring context or as an OSGi server (when running in OSGi), the InstrumentationManger will be automatically enabled and will use that MBeanServer and the CXF MBeans will be registered.
The default bus ID used for the Bus MBean servers when running in OSGi now contains the bundle context SymbolicName to make identifying the appropriate Bus easier.
Many calls that can result in Security checks are now wrapped via AccessControll.doPrivileged calls which can allow finer grained control of the permissions that CXF requires. See https://issues.apache.org/jira/browse/CXF-2683 .
An empty partial response message will be returned as an HTTP 202 response with no content instead of an HTTP 200 with an empty SOAP body message.
The Logging interceptors now log using service specific categories/loggers instead of just LoggingInInterceptor/LoggingOutInterceptor. The names of the logger that is used is org.apache.cxf.services.ServiceName.PortName.PortTypeName. This allows the user to configure specific per service filters and formatters in their logging configuration.