I am implementing XML validation which prevents XXE (External XML Entity) Injection. I borrowed some code from OWASP XXE Prevention Cheat Sheet. My code looks like this -
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.*;

SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
Schema schema = factory.newSchema(xsdFileURL);
Validator validator = schema.newValidator();
// JAXP 1.5 access properties: an empty protocol list blocks all external DTD / schema fetching
validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
validator.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
validator.validate(new StreamSource(new StringReader(xml)));
The code runs correctly on my local Windows machine (JDK 1.8.0_92, Wildfly 8.2). But on a QA Red Hat machine with a similar config (JDK 1.8.0_101, Wildfly 8.2), it throws an exception with the message:
Property 'http://javax.xml.XMLConstants/property/accessExternalDTD' is not recognized.
After some reading, my suspicion is that at runtime an incorrect class definition is being read for the validator class. How do I fix this?
Update

Turns out JBoss comes with its own implementation of JAXP, and my code needs to pick the JAXP implementation from the JDK and not from JBoss. I can do this easily by passing the -jaxpmodule argument in standalone.sh (using this, my code picked the correct JAXP implementation as well):

java -jar jboss-modules.jar -jaxpmodule "javax.xml.jaxp-provider"

But I'd like to do this using jboss-deployment-structure.xml and add an exclusion like this:
<jboss-deployment-structure xmlns="urn:jboss:deployment-structure:1.2"
                            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <deployment>
        <exclusions>
            <module name="javax.api" /> <!-- is the module name correct? -->
        </exclusions>
    </deployment>
</jboss-deployment-structure>

But this isn't working; how can I fix this?
As you mentioned in your update, JBoss/Wildfly does ship its own JAXP implementation, Xalan (and Xerces). As such, it uses that implementation as it builds the classpath for your deployed application(s).

You can override this behavior in your jboss-deployment-structure.xml file as follows:
<jboss-deployment-structure xmlns="urn:jboss:deployment-structure:1.2">
    <deployment>
        <exclusions>
            <module name="org.apache.xalan" />
            <module name="org.apache.xerces" />
        </exclusions>
    </deployment>
</jboss-deployment-structure>
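As an added example (not code from the question or the answer), a hardened version of the validator setup from the question: it reports which JAXP implementation the class loader actually handed out (the diagnosis the asker was after), applies the JAXP 1.5 access restrictions to the SchemaFactory as well as the Validator, and turns the SAXNotRecognizedException seen on the QA machine into a hard failure rather than validating unprotected. The class name, schema and document are constructed for the example; the DOCTYPE points at a placeholder host that must never be contacted.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;
import org.xml.sax.SAXException;
import org.xml.sax.SAXNotRecognizedException;

public class HardenedValidation {
    /** Builds a Validator that refuses external DTDs/schemas, failing closed if the JAXP impl cannot honour that. */
    public static Validator hardenedValidator(StreamSource xsd) throws SAXException {
        SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        // Show which implementation was loaded: on JBoss this may be the bundled org.apache.xerces.*
        // module rather than the JDK's com.sun.org.apache.xerces.internal.* classes
        System.err.println("SchemaFactory impl: " + factory.getClass().getName());
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Restrict the factory too: compiling the schema can fetch external xs:import/xs:include targets
        factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        Validator validator = factory.newSchema(xsd).newValidator();
        try {
            validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            validator.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        } catch (SAXNotRecognizedException e) {
            // The exception from the question. Do not swallow it: an implementation that does not
            // know these properties cannot be relied on to block external entity resolution.
            throw new SAXException("JAXP impl " + validator.getClass().getName()
                    + " lacks JAXP 1.5 access restrictions; refusing to validate", e);
        }
        return validator;
    }

    /** Returns true when validation rejected the document (e.g. for referencing an external DTD). */
    public static boolean rejects(Validator validator, String xml) {
        try {
            validator.validate(new StreamSource(new StringReader(xml)));
            return false;
        } catch (SAXException | IOException e) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed schema and document: the DOCTYPE names a placeholder URL that must never be fetched
        String xsd = "<xs:schema xmlns:xs=\"http://www.w3.org/2001/XMLSchema\">"
                + "<xs:element name=\"note\" type=\"xs:string\"/></xs:schema>";
        String xml = "<!DOCTYPE note SYSTEM \"http://dtd.example.invalid/note.dtd\"><note>hi</note>";
        Validator v = hardenedValidator(new StreamSource(new StringReader(xsd)));
        System.out.println("external DTD blocked: " + rejects(v, xml));
    }
}
```

Running this inside the deployment is a quick way to confirm whether the module exclusion above took effect: the logged implementation class should be the JDK's, and the sample document should be rejected without any network access.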