The syntax of WS-SecurityPolicy policies is enforced more strictly. Some policies that worked with versions of Apache CXF prior to 2.6 will not load in CXF 2.6 as a result.

When using the TextMessage message format, Apache CXF now leaves the contents as a String and uses java.io.Reader and java.io.Writer to boost performance. Previously, Apache CXF would convert a String to or from byte[], which required the use of encoders, increasing memory usage, and so on. Some interceptors and features of Apache CXF may expect or require the InputStream and OutputStream types, instead of the Reader and Writer types. In this case, you may need to use the BytesMessage message format instead.