How to prevent XML Entity Expansion when using org.apache.xalan.processor.TransformerFactoryImpl in JBoss EAP

We need to determine how to prevent XML Entity Expansion when using org.apache.xalan.processor.TransformerFactoryImpl. Calling transformerFactory.setFeature(XMLConstants.ACCESS_EXTERNAL_DTD, false); as shown below fails with:

javax.xml.transform.TransformerConfigurationException: Cannot set the feature 'http://javax.xml.XMLConstants/property/accessExternalDTD' on this TransformerFactory.

The code looks like:

TransformerFactory transformerFactory = TransformerFactory.newInstance();
transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
transformerFactory.setFeature(XMLConstants.ACCESS_EXTERNAL_DTD, false);  // This is what fails
Transformer transformer = transformerFactory.newTransformer();

According to the Xerces site, I should be setting the following:

transformerFactory.setFeature("", false);
transformerFactory.setFeature("", true);

Those features are returning an IllegalArgumentException, which means they are NOT recognized. The Java XMLConstants features are also not recognized.


  • Red Hat JBoss Enterprise Application Platform (EAP) 6.x
  • Java API for XML Processing (JAXP)
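
One way to keep entity expansion out of the transform when the TransformerFactory rejects the JAXP 1.5 settings is to harden the parser that feeds it. This is an added example, not code from the original article or Red Hat's solution. It assumes a Xerces-based SAX parser that recognizes the disallow-doctype-decl feature; the class name, method names and sample documents are hypothetical.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.sax.SAXSource;
import javax.xml.transform.stream.StreamResult;
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;

public class HardenedTransform {

    // Parser that refuses any DOCTYPE, so no entity can be declared or expanded.
    static XMLReader hardenedReader() throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setNamespaceAware(true);
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Assumption: the SAX parser is Xerces-based and knows this feature.
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return spf.newSAXParser().getXMLReader();
    }

    static String transform(String xml) throws Exception {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        try {
            // ACCESS_EXTERNAL_DTD is a JAXP 1.5 property: setAttribute, not setFeature.
            tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        } catch (IllegalArgumentException e) {
            // Factory does not know the property; rely on the hardened reader below.
        }
        Transformer t = tf.newTransformer(); // identity transform
        StringWriter out = new StringWriter();
        // Hand the transformer a SAXSource so it parses with our reader, not its own.
        t.transform(new SAXSource(hardenedReader(), new InputSource(new StringReader(xml))),
                    new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        System.out.println(transform("<doc>ok</doc>"));
        // Constructed sample: one internal entity, enough to show the DOCTYPE is refused.
        String withDoctype = "<!DOCTYPE doc [<!ENTITY e \"expanded\">]><doc>&e;</doc>";
        try {
            transform(withDoctype);
            System.out.println("DOCTYPE accepted: parser is not hardened");
        } catch (Exception e) {
            System.out.println("DOCTYPE rejected: " + e.getMessage());
        }
    }
}
```

The stylesheet source, if one is used, needs the same treatment: pass it to newTransformer as a SAXSource built on a hardened reader.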
