The default value of the javax.xml.accessExternalDTD property may vary based on implementation, but it is typically set to `all`, which grants permissions to all protocols.

javax.xml.accessExternalDTD Explained

The javax.xml.accessExternalDTD system property controls which protocols can be used to load XML Entity References or External DTDs. Use of this property may be necessary to avoid XML Entity Injection, or other XML security attacks. According to Oracle's JAXP Security Guide, setting javax.xml.accessExternalDTD to an empty string "instructs JAXP processors to deny any external connections".
A comma separated list of protocols can be specified.
This property can also be defined in a jaxp.properties file via the `java.xml.config.file` system property.

- `all` - allow all protocols
- `http` - allow the HTTP protocol
- `file` - allow file system
- `jar[:scheme]` - jar files for a given scheme (e.g. file, http, etc.)

Note: This system property only applies to JAXP (Java API for XML Parsing). If you are using a different XML parsing API (for example an old Apache Xerces parser implementation), then this property may not be read by those XML parsing libraries.
It is therefore important to test that these settings were actually applied in your environment.
Here are some other XML Java system properties:
java.xml.config.file
jdk.xml.elementAttributeLimit
jdk.xml.enableExtensionFunctions
jdk.xml.entityExpansionLimit
jdk.xml.maxXMLNameLimit
Java has supported the javax.xml.accessExternalDTD system property since 1.5.

javax.xml.accessExternalDTD on Startup

You can set the javax.xml.accessExternalDTD Java system property during startup of the Java runtime using the -D command line argument:

```
java -Djavax.xml.accessExternalDTD= MyAppMain
```
You may also be able to specify javax.xml.accessExternalDTD via the JAVA_TOOL_OPTIONS environment variable:

```
JAVA_TOOL_OPTIONS=-Djavax.xml.accessExternalDTD=
```

javax.xml.accessExternalDTD at Runtime

You can set javax.xml.accessExternalDTD at runtime with the following Java code:

```java
System.setProperty("javax.xml.accessExternalDTD", "");
```
WARNING: Depending on the property and JVM version, using setProperty may or may not work if the JDK Java class that uses this variable has already been loaded. The value of the javax.xml.accessExternalDTD system property may be cached within an internal private static variable of the implementing class.
To read the value of javax.xml.accessExternalDTD at runtime, you can use this Java code:

```java
// Read the current value; null means the property was never set explicitly.
String propertyValue = System.getProperty("javax.xml.accessExternalDTD");
if (propertyValue != null) {
    System.out.println("javax.xml.accessExternalDTD = " + propertyValue);
} else {
    System.out.println("javax.xml.accessExternalDTD was null");
}
```
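
Reading the property back only shows its value, not whether the parser honours it. The following added example (not from the original page; the class name, probe DTD and temp file are constructed for illustration) parses a document that references a local external DTD and reports whether the JAXP parser refused to load it:

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.SAXException;

public class AccessExternalDtdCheck {

    /** Returns true if the JAXP parser refused to load an external DTD. */
    static boolean externalDtdBlocked() throws Exception {
        // Constructed sample: a harmless local DTD written to a temp file.
        Path dtd = Files.createTempFile("probe", ".dtd");
        Files.write(dtd, "<!ELEMENT probe (#PCDATA)>".getBytes(StandardCharsets.UTF_8));
        String xml = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE probe SYSTEM \"" + dtd.toUri() + "\">\n"
                + "<probe>ok</probe>";
        try {
            DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
            // A class outside the JDK's com.sun.org.apache.xerces.internal package
            // means a third-party parser is in use and may ignore the property.
            System.out.println("Parser factory: " + dbf.getClass().getName());
            dbf.newDocumentBuilder()
               .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return false; // the DTD was fetched, so external access is allowed
        } catch (SAXException e) {
            // The document is well-formed, so a parse failure here means the
            // DTD fetch was rejected; print the reason for confirmation.
            System.out.println("Parser refused: " + e.getMessage());
            return true;
        } finally {
            Files.deleteIfExists(dtd);
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("javax.xml.accessExternalDTD = "
                + System.getProperty("javax.xml.accessExternalDTD"));
        System.out.println(externalDtdBlocked()
                ? "PASS: external DTD access denied"
                : "FAIL: external DTD was loaded");
    }
}
```

Run it with the same -Djavax.xml.accessExternalDTD= flag (or JAVA_TOOL_OPTIONS value) and classpath as the application, so the check exercises the same parser implementation and settings.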