From JBoss EAP 7.1 Migration Guide:

"5.1.3. WS-Security Changes
If your application contains a custom callback handler that accesses the org.apache.ws.security.WSPasswordCallback class, be aware that this class has moved to package org.apache.wss4j.common.ext.

Most of the SAML bean objects from the org.apache.ws.security.saml.ext package have been moved to the org.apache.wss4j.common.saml package."

Two new RHAMT Rules should be added to address this app migration issue.

Rule 1 When: application uses/references org.apache.ws.security.WSPasswordCallback
Rule 1 Perform: alert the user about the class package name refactoring

Rule 2 When: application uses/references classes from package org.apache.ws.security.saml.ext package
Rule 2 Perform: alert the user that package name refactoring may be needed