Externalize parser properties ----------------------------- Key: JBWS-1582 URL: https://jira.jboss.org/jira/browse/JBWS-1582 Project: JBoss Web Services Issue Type: Feature Request Security Level: Public(Everyone can see) Components: jbossws-native Affects Versions: jbossws-native-3.1.1 Reporter: Thomas Diesler Assignee: Richard Opalka Fix For: jbossws-native-3.1.2 A question has come up around the dtd entity parsing denial of service issue raised here: http://www-128.ibm.com/developerworks/xml/library/x-tipcfsx.html http://java.sun.com/j2se/1.5.0/docs/guide/xml/jaxp/JAXP-Compatibility_150... Are we allowing for the use of the parser.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true) to limit the defaults? What about disabling doctypes via the http://apache.org/xml/features/disallow-doctype-decl feature: http://xerces.apache.org/xerces2-j/features.html