There's a number of ways to tell to the JAXB provider how objects can be serialized.
The simplest way is to mark a given type with @Xml Root Element annotation.
For example: Alternatively to using @Xml Root Element and Collection wrappers, one can provide an Object factory which will tell JAXB how to marshal a given type (in case of Collections - its template type).
Another option is to return/accept a JAXBElement directly from/in a given method.
Starting from CXF 2.6.0 it is possible to control the depth of large XML and JSON payloads on the per-endpoint basis in order to limit the risk of the denial of service attacks.