KB Article #182545

JAXP0801002: the compiler encountered an XPath expression that exceeds the limit set by 'FEATURE_SECURE_PROCESSING'.

Problem

XPath fails with an error like the following:


ERROR 2000/01/01 00:00:00.000 java exception:
javax.xml.transform.TransformerConfigurationException: JAXP0801002: the compiler encountered an XPath expression containing '125' operators that exceeds the '100' limit set by 'FEATURE_SECURE_PROCESSING'.
at com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl.newTemplates(TransformerFactoryImpl.java:990)
at com.vordel.common.xml.secure.SecureTransformerFactory.newTemplates(SecureTransformerFactory.java:144)

Resolution

In 8u331, Java added some limits to XPath processing to prevent XPath expressions from running for too long and consuming too many resources. These new limits are:

jdk.xml.xpathExprGrpLimit
Description: Limits the number of groups an XPath expression can contain.
Type: integer
Value: A positive integer. A value less than or equal to 0 indicates no limit. If the value is not an integer, a NumberFormatException is thrown. Default 10.

jdk.xml.xpathExprOpLimit
Description: Limits the number of operators an XPath expression can contain.
Type: integer
Value: A positive integer. A value less than or equal to 0 indicates no limit. If the value is not an integer, a NumberFormatException is thrown. Default 100.

jdk.xml.xpathTotalOpLimit
Description: Limits the total number of XPath operators in an XSL Stylesheet.
Type: integer
Value: A positive integer. A value less than or equal to 0 indicates no limit. If the value is not an integer, a NumberFormatException is thrown. Default 10000.


These values can be set in your jvm.xml file. The fragment below shows an example of increasing each of the limits by 10. Refer to the guide on System Property Changes for general information on how to set system properties in jvm.xml.


<ConfigurationFragment>
<VMArg name="-Dcom.sun.management.jmxremote"/>
<VMArg name="-Djdk.xml.xpathExprGrpLimit=20"/>
<VMArg name="-Djdk.xml.xpathExprOpLimit=110"/>
<VMArg name="-Djdk.xml.xpathTotalOpLimit=10010"/>
</ConfigurationFragment>


In the example error shown under Problem, xpathExprOpLimit was at its default of 100 but the expression contained 125 operators, so the fix was to set xpathExprOpLimit to a number greater than 125 (the value of 110 in the fragment above would still be too low for that expression). You can also set any of these limits to zero to disable it entirely, but note that you could then accidentally DoS your machine with an overly complex XPath.
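
An added example, not part of the original article or the product: a Python script that reads JAXP0801002 lines from a log and derives the smallest xpathExprOpLimit that is greater than every reported operator count, so the limit is raised only as far as needed rather than disabled. The sample log is constructed from the error shown in this article, and scan, recommend and vmarg are hypothetical helper names.

```python
import re

# Message layout copied from the JAXP0801002 error quoted in this article.
JAXP0801002 = re.compile(
    r"JAXP0801002: .*?containing '(?P<found>\d+)' operators "
    r"that exceeds the '(?P<limit>\d+)' limit"
)
PROPERTY = "jdk.xml.xpathExprOpLimit"  # the per-expression operator limit

# Constructed sample: the article's error line, a second violation, and noise.
SAMPLE_LOG = """\
ERROR 2000/01/01 00:00:00.000 java exception:
javax.xml.transform.TransformerConfigurationException: JAXP0801002: the compiler encountered an XPath expression containing '125' operators that exceeds the '100' limit set by 'FEATURE_SECURE_PROCESSING'.
INFO 2000/01/01 00:00:01.000 unrelated message
javax.xml.transform.TransformerConfigurationException: JAXP0801002: the compiler encountered an XPath expression containing '140' operators that exceeds the '100' limit set by 'FEATURE_SECURE_PROCESSING'.
"""


def scan(lines):
    """Return a (found, limit) pair for every JAXP0801002 line."""
    hits = []
    for line in lines:
        m = JAXP0801002.search(line)
        if m:
            hits.append((int(m.group("found")), int(m.group("limit"))))
    return hits


def recommend(hits, headroom=1):
    """Smallest value greater than every operator count seen in the log.
    Returns None when nothing was rejected, so the default is left alone."""
    if not hits:
        return None
    return max(found for found, _ in hits) + headroom


def vmarg(value):
    """Render the jvm.xml line in the same form as the fragment above."""
    if value is None or value <= 0:
        # Zero or less switches the limit off and removes the DoS protection.
        raise ValueError("refusing to emit a value that disables the limit")
    return f'<VMArg name="-D{PROPERTY}={value}"/>'


if __name__ == "__main__":
    print(vmarg(recommend(scan(SAMPLE_LOG.splitlines()))))
```

Run it against the real trace log after each stylesheet change; a sudden jump in the recommended value is a cue to review the new XPath before raising the limit.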


In addition to these limits from Java, there is also a separate XPath complexity limit built into libxml as described in KB 167807.