JDK-8354537 : Release Note: Streamline XPath API's Extension Function Control
  • Type: Sub-task
  • Component: xml
  • Sub-Component: jaxp
  • Affected Version: 25
  • Priority: P4
  • Status: Resolved
  • Resolution: Delivered
  • Submitted: 2025-04-14
  • Updated: 2025-09-03
  • Resolved: 2025-05-05
JDK 25
  • 25: Resolved
Description
Restrictions on extension functions have been removed in the XPath API, specifically those imposed by [FEATURE_SECURE_PROCESSING (FSP)](https://docs.oracle.com/en/java/javase/23/docs/api/java.xml/javax/xml/XMLConstants.html#FEATURE_SECURE_PROCESSING) and the `jdk.xml.enableExtensionFunctions` property. Previously, for extension functions to work, even with a user-defined [XPathFunctionResolver](https://docs.oracle.com/en/java/javase/24/docs/api/java.xml/javax/xml/xpath/XPathFunctionResolver.html), FSP had to be set to false and `jdk.xml.enableExtensionFunctions` to true. For example, an XPath created via the following factory would fail with an `XPathExpressionException` when encountering an extension function:

            XPathFactory xpf = XPathFactory.newInstance();
            xpf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);


With this change, extension functions now work solely based on the presence of a properly registered [XPathFunctionResolver](https://docs.oracle.com/en/java/javase/24/docs/api/java.xml/javax/xml/xpath/XPathFunctionResolver.html), making extension straightforward:

            XPathFactory xpf = XPathFactory.newInstance();
            xpf.setXPathFunctionResolver(new MyXPathFunctionResolver());

The default value of FSP has also been changed from false to true. Since extension functions are no longer governed by this setting, and the default XPath limits already conform to the secure configurations, this update has no effect on standard XPath behavior.
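
Since the registered resolver is now the only gate on extension functions, what it agrees to resolve is the whole policy. The following is an added example, not code from this release note or the JDK: a resolver that resolves one function by namespace, name and arity and refuses everything else. The class name `AllowlistResolverDemo`, the namespace `urn:example:ext` and the functions `ext:upper` and `ext:lower` are hypothetical.

```java
import java.io.StringReader;
import java.util.*;
import javax.xml.XMLConstants;
import javax.xml.namespace.*;
import javax.xml.xpath.*;
import org.xml.sax.InputSource;

public class AllowlistResolverDemo {
    static final String NS = "urn:example:ext"; // hypothetical namespace for this example

    // Resolves only ext:upper with exactly one argument; returning null refuses everything else.
    static final XPathFunctionResolver RESOLVER = (QName name, int arity) -> {
        if (NS.equals(name.getNamespaceURI()) && "upper".equals(name.getLocalPart()) && arity == 1) {
            return args -> String.valueOf(args.get(0)).toUpperCase(Locale.ROOT);
        }
        return null;
    };

    // Binds the "ext" prefix used in the expressions to the example namespace.
    static final NamespaceContext PREFIXES = new NamespaceContext() {
        public String getNamespaceURI(String prefix) {
            return "ext".equals(prefix) ? NS : XMLConstants.NULL_NS_URI;
        }
        public String getPrefix(String uri) { return NS.equals(uri) ? "ext" : null; }
        public Iterator<String> getPrefixes(String uri) {
            return (NS.equals(uri) ? List.of("ext") : List.<String>of()).iterator();
        }
    };

    static String eval(String expr) throws Exception {
        XPathFactory xpf = XPathFactory.newInstance();
        // Per the release note, on JDK 25 FSP no longer blocks a registered resolver.
        xpf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        xpf.setXPathFunctionResolver(RESOLVER);
        XPath xpath = xpf.newXPath();
        xpath.setNamespaceContext(PREFIXES);
        // Constructed sample document.
        InputSource doc = new InputSource(new StringReader("<user name='alice'/>"));
        return xpath.evaluate(expr, doc);
    }

    public static void main(String[] args) throws Exception {
        System.out.println(eval("ext:upper(string(/user/@name))")); // resolved by RESOLVER
        try {
            eval("ext:lower(string(/user/@name))"); // not on the allowlist
        } catch (XPathExpressionException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Run this on JDK 25; on earlier releases the explicit FSP setting causes the first call to fail as described above.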

Additional information can be found in [The FEATURE_SECURE_PROCESSING Security Directive](https://docs.oracle.com/en/java/javase/25/security/java-api-xml-processing-jaxp-security-guide.html#GUID-B38FA75E-7452-4881-B2C2-5E668BF77334) and [The JAXP Property for Extension Functions](https://docs.oracle.com/en/java/javase/25/security/java-api-xml-processing-jaxp-security-guide.html#GUID-92646422-B817-4994-BA6F-FF5AF0B4D5D4).