Gangmax Blog

Resolve the 'WARNING: JAXP feature XMLConstants.FEATURE_SECURE_PROCESSING cannot be set on a SAXParserFactory' problem

In a Java project which uses Jersey as the REST client, there’s some warning message while it runs:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
Jan 24, 2014 10:15:26 AM com.sun.jersey.core.impl.provider.xml.SAXParserContextProvider getInstance
WARNING: JAXP feature XMLConstants.FEATURE_SECURE_PROCESSING cannot be set on a SAXParserFactory. External general entity processing is disabled but other potential security related features will not be enabled.
org.xml.sax.SAXNotRecognizedException: Feature 'http://javax.xml.XMLConstants/feature/secure-processing' is not recognized.
	at org.apache.xerces.parsers.AbstractSAXParser.setFeature(Unknown Source)
	at org.apache.xerces.jaxp.SAXParserImpl.setFeatures(Unknown Source)
	at org.apache.xerces.jaxp.SAXParserImpl.<init>(Unknown Source)
	at org.apache.xerces.jaxp.SAXParserFactoryImpl.newSAXParserImpl(Unknown Source)
	at org.apache.xerces.jaxp.SAXParserFactoryImpl.setFeature(Unknown Source)
	at com.sun.jersey.core.impl.provider.xml.SAXParserContextProvider.getInstance(SAXParserContextProvider.java:80)
	at com.sun.jersey.core.impl.provider.xml.SAXParserContextProvider.getInstance(SAXParserContextProvider.java:54)
	at com.sun.jersey.core.impl.provider.xml.ThreadLocalSingletonContextProvider$1.initialValue(ThreadLocalSingletonContextProvider.java:64)
	at java.lang.ThreadLocal.setInitialValue(ThreadLocal.java:141)
	at java.lang.ThreadLocal.get(ThreadLocal.java:131)
	at com.sun.jersey.core.impl.provider.xml.ThreadLocalSingletonContextProvider$2.getValue(ThreadLocalSingletonContextProvider.java:77)
	at com.sun.jersey.core.impl.provider.entity.XMLRootElementProvider.readFrom(XMLRootElementProvider.java:113)
	at com.sun.jersey.core.provider.jaxb.AbstractRootElementProvider.readFrom(AbstractRootElementProvider.java:111)
	at com.sun.jersey.api.client.ClientResponse.getEntity(ClientResponse.java:554)
	at com.sun.jersey.api.client.ClientResponse.getEntity(ClientResponse.java:506)
	at com.sun.jersey.api.client.WebResource.handle(WebResource.java:684)
	at com.sun.jersey.api.client.WebResource.access$200(WebResource.java:74)
	at com.sun.jersey.api.client.WebResource$Builder.get(WebResource.java:507)
	at com.emc.vipr.client.impl.RestClient.get(RestClient.java:157)
	at com.emc.vipr.client.system.Licensing.get(Licensing.java:25)
	at com.emc.bourne.qe.stresstest.RunEnvironment.addLicense(RunEnvironment.java:403)
	at com.emc.bourne.qe.stresstest.RunEnvironment.init(RunEnvironment.java:383)
	at com.emc.bourne.qe.stresstest.StressTestMain.main(StressTestMain.java:223)

It make nothing wrong but it’s very noisy, so I want to fix it.

After some googling, I know the root cause of this problem is the “xercesImpl-2.6.2.jar” used in this maven project is too old. Upgrading it to the latest version should fix it.

But the “pom.xml” doesn’t have the “xerces” dependency, so:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
$ mvn dependency:tree

...
[INFO] +- org.milyn:milyn-smooks-javabean:jar:1.5.1:compile
[INFO] |  +- org.milyn:milyn-smooks-core:jar:1.5.1:compile
[INFO] |  |  +- org.milyn:milyn-commons:jar:1.5.1:compile
[INFO] |  |  |  +- org.freemarker:freemarker:jar:2.3.15:compile
[INFO] |  |  |  \- javassist:javassist:jar:3.10.0.GA:compile
[INFO] |  |  +- com.thoughtworks.xstream:xstream:jar:1.4.1:compile
[INFO] |  |  |  +- xmlpull:xmlpull:jar:1.1.3.1:compile
[INFO] |  |  |  \- xpp3:xpp3_min:jar:1.1.4c:compile
[INFO] |  |  +- org.mvel:mvel2:jar:2.0.17:compile
[INFO] |  |  +- jaxen:jaxen:jar:1.1.1:compile
[INFO] |  |  |  \- xerces:xercesImpl:jar:2.6.2:compile
[INFO] |  |  \- javax.transaction:jta:jar:1.1:compile
...

I can see the “xercesImpl” dependency was introduced by the “milyn-smooks-javabean” dependency indirectly. Unfortunately, the “milyn-smooks-javabean-1.5.1” is the latest version of this artifact. So upgrading “milyn-smooks-javabean” to fix this problem is impossible.

But there is another way.

Maven supports “exclusions” when defining a dependency. In my case, I can make “xerces” as excluded of the “milyn-smooks-javabean” dependency by marking it as “exclusions”, then add a new “xercesImpl” dependency in my “pom.xml”.

The code is here:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
<dependency>
    <groupId>org.milyn</groupId>
    <artifactId>milyn-smooks-javabean</artifactId>
    <version>1.5.1</version>
    <exclusions>
        <exclusion>
            <groupId>xerces</groupId>
            <artifactId>xercesImpl</artifactId>
        </exclusion>
    </exclusions>
</dependency>

<dependency>
    <groupId>xerces</groupId>
    <artifactId>xercesImpl</artifactId>
    <version>2.11.0</version>
</dependency>

Then run the project again, the warning message is gone.

Comments