There are several configuration properties to help secure, or disable security, for XML processing. One example is resteasy.document.secure.processing.feature which enables or disables the XMLConstants.FEATURE_SECURE_PROCESSING setting. In new JDK's (24+) this behaves differently.

We need to review all these features set in the org.jboss.resteasy.plugins.providers.jaxb.SecureUnmarshaller and determine what is still valid. We may or may not need to deprecate some of these as they may contradict each other.

Reference Links:

• https://docs.oracle.com/en/java/javase/25/docs/api/java.xml/module-summary.html
• https://docs.oracle.com/en/java/javase/25/security/java-api-xml-processing-jaxp-security-guide.html
• https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html

See WFLY-20280 for some test failure details.