Remove Apache Xerces Dependencies

Introduction

The release of Bloomreach Experience Manager 14.6.0 introduces improved XML parsing (CMS-14480) and the usage of new XML parser properties that have been supported since JAXP 1.5.

This change can cause issues in some implementation projects if an older JAXP implementation is on the classpath, changing the default XML parsers such as Xerces.

If a project does have a dependency on Xerces which doesn't support the JAXP 1.5 security features and the XML parsers are configured to use this implementation instead of the default JRE this could result in warnings/errors similar to the following:

java.lang.IllegalArgumentException: Property 'http://javax.xml.XMLConstants/property/accessExternalDTD' is not recognized.

Note that Xerces has been removed from brXM since release 12.3.0 (CMS-11122) and this is documented for customers in the 12.3.0 upgrade steps.

Steps to mitigate

If your implementation project is affected by this change, follow the steps below to remove any Xerces dependencies:

Remove all direct and indirect dependencies on the Xerces library from the project so the Xerces implementation bundled with the JRE will be used. Project can be inspected on for this and their dependency graph analysed with mvn dependency:tree. An example of a JAR found in one of the webapps is xercesImpl-2.9.1.jar. An example of a dependency tree line is xerces:xercesImpl:jar:2.9.1:compile. Xerces can be removed from the dependency changes by adding to external dependencies:
```
<exclusions>
  <exclusion>
    <groupId>xerces</groupId>
    <artifactId>xercesImpl</artifactId>
  </exclusion>
</exclusions> 
```
Set the system property javax.xml.parsers.DocumentBuilderFactory to use the internal JAXP DocumentBuilder.
Note that although the package is named com.sun this is verified to be working with OpenJDK (Runtime Environment (AdoptOpenJDK)(build 1.8.0_292-b10)).
```
javax.xml.parsers.DocumentBuilderFactory=com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderFactoryImpl
```
For cargo.run:
```
<javax.xml.parsers.DocumentBuilderFactory>com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderFactoryImpl</javax.xml.parsers.DocumentBuilderFactory>
```

In certain use cases (for example implementation projects using the Sitemap plugin) it may also be required to set the system property javax.xml.transform.TransformerFactory as follows:

javax.xml.transform.TransformerFactory=com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl

For cargo.run:

<javax.xml.transform.TransformerFactory>com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl</javax.xml.transform.TransformerFactory>

More information on the new properties in JAXP 1.5:

https://docs.oracle.com/javase/tutorial/jaxp/properties/properties.html

Did you find this page helpful?

How could this documentation serve you better?

Did you find this page helpful?

How could this documentation serve you better?

Content Application

Channels

Projects

Relevance

Architecture

Concepts

Platform Configuration

Frontend Integration

Backend Development

Commerce Accelerator

Cloud Deployment (PaaS)

On-Premise Deployment

Security

Release Management

Platform Development

Bloomreach Documentation version

Remove Apache Xerces Dependencies

Introduction

Steps to mitigate

Did you find this page helpful?

On this page

Did you find this page helpful?