The XML Signature secure validation mode was introduced in JDK 7u25 but is only documented in release notes and my blog: https://blogs.oracle.com/mullan/entry/how_to_use_the_xml
We should add a section to the XML Signature Programming Guide (http://docs.oracle.com/javase/8/docs/technotes/guides/security/xmldsig/XMLDigitalSignature.html) as to how to enable this mode.
You can use the content of my blog as the basis.
Additionally, we should document the new security property that will be introduced to allow users to configure these restrictions: see JDK-8151893 for more information