Web service has an XML expansion vulnerability by parsing DTD in the input soap message. Does anyone have a solution for turning off DTD loading/parsing for JAX-WS Web Services implemented using @WebService? JBoss AS 6 ships with CXF web services implementation. There seems to be a way to replace default parser according to http://svn.apache.org/repos/asf/cxf/trunk/security/CVE-2010-2076.pdf. But we are on JBoss5.2.