Spotlight on GF 4.1 - JAXP accessExternalSchema
GlassFish 4.1 supports recent JDK versions (JDK 7 u65+ and JDK 8 u5+). Sometime, those newer JDKs might have some side effect as they bring new features too. For example, several properties have been introduced in JAXP 1.5 (JDK 7u40+ and JDK 8+). Properties which are used to set restrictions when JAXP is used to process untrusted XML contents. And by default, those restrictions are set!
GF 4.1 is configured to offer the behavior of GF 4.0 used with an older JAXP release (prior to JAXP 1.5), i.e. no restriction on schemas processing. So by default, a GF 4.1 domain.xml is configured with the following JVM option to allow all schemas to be processed: <jvm-options>-Djavax.xml.accessExternalSchema=all</jvm-options>
. This configuration obviously assumes that your external XML content is trusted or at least sanitised by an XML firewall. This is applicable to JAXP 1.5 (and above).
Additional ressources:
Originaly posted on The Aquarium blog.