How to exclude org.apache.xerces and use Java 8's internal XML parser in WildFly 10 to mitigate XXE vulnerability?


sachithra dilshan

Nov 14, 2024, 5:54:06 AM11/14/24
to WildFly

I'm working with WildFly 10 and Java 8, and I need to exclude org.apache.xerces as the XML parser in my application to mitigate XML External Entity (XXE) vulnerabilities. I would like to use Java 8's internal implementation of Xerces (com.sun.org.apache.xerces.internal) instead.

I've tried modifying the jboss-deployment-structure.xml file to exclude the org.apache.xerces module, but it still seems to be used at runtime. Here’s what my current jboss-deployment-structure.xml looks like:

[image: wildfly-10.png (screenshot of the jboss-deployment-structure.xml)]

However, WildFly 10 continues to use org.apache.xerces for XML parsing, instead of switching to the internal Java 8 implementation.

I've tested this on WildFly 26.0 with Java 17, where excluding org.apache.xerces works as expected, defaulting to the internal parser (com.sun.org.apache.xerces.internal). But the same approach doesn’t seem to work in WildFly 10 with Java 8.

Has anyone encountered a similar issue with module exclusions in WildFly 10? Is there an alternative way to disable org.apache.xerces and use a different XML parser for my application? Any advice would be greatly appreciated!

Jose Socola

Nov 14, 2024, 8:53:29 AM11/14/24
to sachithra dilshan, WildFly
Hi,

I use WildFly 26 and it works fine; in WildFly 10 I think exclusion works differently. Try this:

<jboss-deployment-structure>
  <deployment>
    <dependencies>
      <module name="com.sun.org.apache.xerces.internal" />
    </dependencies>
  </deployment>
</jboss-deployment-structure>

or, inside the module.xml, replace it with the other.


Regards,
JS
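Both posts above turn on which XML parser implementation JAXP actually resolves to inside the deployment, and the original question reports that the exclusion "still seems to be used at runtime" without showing how that was checked. The following is an added example, not code from either poster or from WildFly: it prints the concrete DocumentBuilderFactory class that the JAXP lookup returns (so the effect of a jboss-deployment-structure.xml change can be confirmed from inside the application), and it shows the parser-level XXE hardening that works whichever Xerces build is loaded. The class name XxeCheck, the two sample documents and the placeholder file path are constructed for the example; it assumes the application parses XML through the standard javax.xml.parsers API.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

public class XxeCheck {

    // Constructed sample: a document that declares an external entity.
    // The SYSTEM identifier is a placeholder; a hardened parser must reject
    // the DOCTYPE before any resolution is attempted.
    static final String XXE_SAMPLE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE root [ <!ENTITY ext SYSTEM \"file:///PLACEHOLDER-PATH\"> ]>\n"
      + "<root>&ext;</root>";

    // Constructed sample: an ordinary document the hardened parser must still accept.
    static final String PLAIN_SAMPLE = "<root><item>ok</item></root>";

    /** Reports which DocumentBuilderFactory implementation the JAXP lookup resolved to
     *  (e.g. org.apache.xerces.jaxp.* vs. com.sun.org.apache.xerces.internal.jaxp.*). */
    static String parserImplementation() {
        return DocumentBuilderFactory.newInstance().getClass().getName();
    }

    /** Builds a factory hardened against XXE regardless of which implementation is loaded. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Refuse any DOCTYPE: no internal or external entity declarations at all.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case an implementation ignores the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Returns true if the factory rejects the XXE sample and still parses plain XML. */
    static boolean rejectsExternalEntities(DocumentBuilderFactory f)
            throws ParserConfigurationException, IOException {
        DocumentBuilder b = f.newDocumentBuilder();
        try {
            parse(b, PLAIN_SAMPLE);
        } catch (SAXException e) {
            return false; // a hardened parser must still handle ordinary documents
        }
        try {
            parse(b, XXE_SAMPLE);
            return false; // the DOCTYPE was accepted: external entities are not blocked
        } catch (SAXException expected) {
            return true;  // rejected at the DOCTYPE, before any entity resolution
        }
    }

    private static Document parse(DocumentBuilder b, String xml) throws SAXException, IOException {
        return b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        System.out.println("DocumentBuilderFactory implementation: " + parserImplementation());
        System.out.println("Hardened factory blocks XXE: " + rejectsExternalEntities(hardenedFactory()));
    }
}
```

Run parserImplementation() from inside the deployment (a servlet or a startup bean, not a stand-alone JVM) so the lookup goes through the deployment's module class loader; that is the only way to see whether the jboss-deployment-structure.xml exclusion or the module dependency from the reply actually changed which Xerces build JAXP picks. Whatever the answer, hardenedFactory() closes the XXE hole at the parser level, so the application is protected even if a later WildFly or module change silently swaps the implementation back.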