users@jersey.java.net

Re: [Jersey] Jersey vulnerable to XXE attack?

From: Martin Probst <mail_at_martin-probst.com>
Date: Thu, 9 Jul 2009 14:15:59 +0200

> I need to check if app servers like GF disable this by default, or there are
> certain restrictions in terms of file access.

I know that the default Tomcat installation on some Linuces (Debian at
least) prevents any file access for any application using the standard
Java sandboxing model. However, I would not rely on that - many people
actually need access in their web app at least to some file system
locations, so they will disable this feature entirely or at least
allow access for some locations, so relying on that feature might be
insecure.

I think one should generally set
http://java.sun.com/j2se/1.5.0/docs/api/javax/xml/XMLConstants.html#FEATURE_SECURE_PROCESSING
to true in the DocumentBuilderFactory when processing XML from the
outside.

Martin
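
An added example, not part of the original message or of Jersey's code: a `DocumentBuilderFactory` configured with `FEATURE_SECURE_PROCESSING` as the message suggests, run against a constructed document that declares an external entity. The class and method names are hypothetical, and the `disallow-doctype-decl` feature is an addition beyond the message, included because what `FEATURE_SECURE_PROCESSING` restricts is left to the parser implementation.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

// Hypothetical class name; illustration only.
public class SecureXmlParsing {

    // Xerces feature id, also honoured by the JDK's built-in parser.
    private static final String DISALLOW_DOCTYPE =
            "http://apache.org/xml/features/disallow-doctype-decl";

    /** Builds a factory for XML that arrives from outside the application. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // The setting recommended in the message above.
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Addition beyond the message: reject any DOCTYPE, so no entity can be declared.
        dbf.setFeature(DISALLOW_DOCTYPE, true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    static Document parse(String xml) throws Exception {
        DocumentBuilder builder = hardenedFactory().newDocumentBuilder();
        return builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs; the entity target is a placeholder path.
        String plain = "<order><item>42</item></order>";
        String withDoctype = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE order [ <!ENTITY ext SYSTEM \"file:///path/to/local/file\"> ]>\n"
                + "<order><item>&ext;</item></order>";

        System.out.println("plain: root = " + parse(plain).getDocumentElement().getNodeName());
        try {
            parse(withDoctype);
            System.out.println("doctype: parsed (parser did not honour the hardening)");
        } catch (SAXException e) {
            System.out.println("doctype: rejected - " + e.getMessage());
        }
    }
}
```

If a parser implementation does not recognise the `disallow-doctype-decl` feature, `setFeature` throws `ParserConfigurationException`, so a misconfigured factory fails at startup instead of parsing untrusted input with defaults.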