Prevent XML Entity Expansion When Using org.apache.xalan.processor.TransformerFactoryImpl in JBoss EAP

Solution Verified - Updated -


  • Prevent XML Expansion
  • Cannot create TransformerFactory impl
  • Log shows error:

    javax.xml.transform.TransformerConfigurationException: Cannot set the feature 'http://javax.xml.XMLConstants/property/accessExternalDTD' on this TransformerFactory.
  • Feature is not recognized

    org.xml.sax.SAXNotRecognizedException: Property 'http://javax.xml.XMLConstants/property/accessExternalDTD' is not recognized.
    java.lang.IllegalArgumentException: Nicht unterstützt: http://javax.xml.XMLConstants/property/accessExternalDTD
  • OWASP recommends guarding the XML parser against XXE


  • Red Hat JBoss Enterprise Application Platform (EAP) 6 - 7.1
  • Java API for XML Processing (JAXP)
  • Setting transformerFactory.setFeature(XMLConstants.ACCESS_EXTERNAL_DTD, false);
