This security issue has been fixed in EAP 5.1.1.
Your answer does not address my question.
As far as I know, the problem is not fixed, since JBoss just changed the default setting to non-doctype. If you already used DOCTYPE in your WS in JBoss-WS-Native, you have to change to another type such as xsd. You can still use DOCTYPE, but at your own risk.
He told me his WS doesn't use the JBoss WS Native. But after I deleted all the JBoss WS Native components, such as the jbossws-native-xxx.jar, the ../deploy/jbossws.sar and ../deployer/jbossws.deployer, the WS doesn't work. And I got "java.lang.ClassNotFoundException: org.jboss.ws.core.jaxws.spi.ProviderImpl"
I wonder how to determine if a WS uses JBoss WS Native or not.
If the application server version you're using has the jbossws-native stack installed, any webservices app you deploy on the application server is using jbossws-native, unless you properly isolate the application and provide different webservices libraries in the deployment, so that the app can still work (but this is neither easy to do nor supported).
As Jim mentioned, the security issue has been dealt with; make sure you're using the latest available EAP product version. Also consider switching to the JBossWS-CXF stack / EAP version.
But I see my colleague has deleted the package "jbossws.sar" under /deploy/ and the "jbossws-framework.jar" under /jbossws.deployer. Is this enough to conclude that his application doesn't use JBoss-WS-Native?
I think my colleague does use a separate classloader for loading his own jars. But it seems it still uses some of the jbossws-native-xxx.jar files.
Besides, we use Maven for compiling and deploying. One can include all the non-jbossws jars as dependencies in the WAR. I see an advantage to this, since the application is independent of JBoss and one can deploy it to other app servers such as WebLogic. Right?