Remove Apache Xerces Dependencies
This change can cause issues in some implementation projects if an older JAXP implementation, such as Xerces, is on the classpath and replaces the default XML parsers.
If a project has a dependency on a Xerces version that does not support the JAXP 1.5 security features, and the XML parsers are configured to use this implementation instead of the JRE default, this can result in warnings or errors similar to the following:
java.lang.IllegalArgumentException: Property 'http://javax.xml.XMLConstants/property/accessExternalDTD' is not recognized.
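To confirm whether a project is affected, the following added diagnostic (not part of the original page or the product; the class name JaxpCheck is hypothetical) reports which DocumentBuilderFactory implementation JAXP resolves on the current classpath, where it was loaded from, and whether it accepts the JAXP 1.5 access restriction properties:

```java
import java.security.CodeSource;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;

// Added diagnostic; JaxpCheck is a hypothetical name, not a product class.
public class JaxpCheck {

    // Returns true if the factory accepts the JAXP 1.5 attributes, false if it
    // rejects them with the IllegalArgumentException quoted above.
    static boolean supportsJaxp15(DocumentBuilderFactory factory) {
        try {
            // An empty string means no external access is permitted.
            factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
            return true;
        } catch (IllegalArgumentException e) {
            return false;
        }
    }

    // On Java 8 the JRE-bundled parser has no CodeSource (Java 9+ reports a
    // jrt:/ URL); a parser loaded from a classpath JAR reports that JAR's path.
    static String origin(Class<?> cls) {
        CodeSource src = cls.getProtectionDomain().getCodeSource();
        return (src == null || src.getLocation() == null)
                ? "JRE (bundled)" : src.getLocation().toString();
    }

    public static void main(String[] args) {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        System.out.println("Factory class: " + factory.getClass().getName());
        System.out.println("Loaded from:   " + origin(factory.getClass()));
        System.out.println("System property override: "
                + System.getProperty("javax.xml.parsers.DocumentBuilderFactory"));
        if (supportsJaxp15(factory)) {
            System.out.println("OK: JAXP 1.5 access restrictions are supported.");
        } else {
            System.out.println("FAIL: parser rejects accessExternalDTD; "
                    + "check the JAR reported in 'Loaded from'.");
            System.exit(1);
        }
    }
}
```

Run it with the same classpath as the affected application, since the result depends on which JARs are visible to the class loader.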
Steps to mitigate
If your implementation project is affected by this change, follow the steps below to remove any Xerces dependencies:
- Remove all direct and indirect dependencies on the Xerces library from the project so that the Xerces implementation bundled with the JRE is used. Projects can be inspected for this and their dependency graph analysed with mvn dependency:tree. An example of a JAR found in one of the webapps is xercesImpl-2.9.1.jar. An example of a dependency tree line is xerces:xercesImpl:jar:2.9.1:compile. Xerces can be removed from the dependency chain by adding the following to external dependencies:
  <exclusions>
    <exclusion>
      <groupId>xerces</groupId>
      <artifactId>xercesImpl</artifactId>
    </exclusion>
  </exclusions>
- Set the system property javax.xml.parsers.DocumentBuilderFactory to use the internal JAXP DocumentBuilder.
Note that although the package is named com.sun, this has been verified to work with OpenJDK (Runtime Environment (AdoptOpenJDK) (build 1.8.0_292-b10)).
More information on these properties: