A question has come up around the DTD entity parsing denial-of-service issue raised here:
http://www-128.ibm.com/developerworks/xml/library/x-tipcfsx.html
http://java.sun.com/j2se/1.5.0/docs/guide/xml/jaxp/JAXP-Compatibility_150.html#JAXP_security
Are we allowing for the use of the parser.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true) to limit the defaults?
What about disabling doctypes via the http://apache.org/xml/features/disallow-doctype-decl feature:
http://xerces.apache.org/xerces2-j/features.html
This has been added as a feature request:
http://jira.jboss.org/jira/browse/JBWS-1582
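
The two settings asked about above, applied to a JAXP DocumentBuilderFactory and run against a document with and without a DOCTYPE. This is an added example, not part of the original post and not JBossWS code; the class name, helper methods and sample documents are constructed for illustration.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class HardenedParserDemo {
    // Xerces feature named in the post; the JDK's built-in JAXP parser honours it too.
    static final String DISALLOW_DOCTYPE =
            "http://apache.org/xml/features/disallow-doctype-decl";

    static DocumentBuilder newBuilder(boolean disallowDoctype)
            throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Turns on the implementation's processing limits, such as a cap on
        // entity expansions. DTDs and small entities are still accepted.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // When true, any <!DOCTYPE ...> is a fatal error, so no entity can be declared.
        f.setFeature(DISALLOW_DOCTYPE, disallowDoctype);
        return f.newDocumentBuilder();
    }

    static String tryParse(DocumentBuilder builder, String xml) throws IOException {
        try {
            builder.parse(new InputSource(new StringReader(xml)));
            return "accepted";
        } catch (SAXException e) {
            return "rejected (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs: one plain document, one declaring a single entity.
        String plain = "<msg>hello</msg>";
        String withDtd = "<!DOCTYPE msg [<!ENTITY a \"hello\">]><msg>&a;</msg>";

        DocumentBuilder limitsOnly = newBuilder(false);
        DocumentBuilder noDoctype = newBuilder(true);
        System.out.println("limits only, plain:   " + tryParse(limitsOnly, plain));
        System.out.println("limits only, doctype: " + tryParse(limitsOnly, withDtd));
        System.out.println("no doctype,  plain:   " + tryParse(noDoctype, plain));
        System.out.println("no doctype,  doctype: " + tryParse(noDoctype, withDtd));
    }
}
```

Secure processing alone bounds how much work a DTD can cause, while disallow-doctype-decl refuses the document before any entity is declared, which suits SOAP endpoints because SOAP messages must not carry a DTD.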