It would be nice if jersey would have a configuration which would allow the entity expansion limit to be changed. Unfortunately, there is no solution using clean JAXP how to configure the limit for one specific sax parser which is exactly what we would need in our message body readers. The only possible way is to define the system property with the limit:
... or define property using command line arguments or environment properties.
Please note, that the system property will be used for all sax parsers on the JVM and not only in jersey message body readers (so it will for example influence all sax/dom parsers used in the server in which Jersey is running).
You can also use a property "elementAttributeLimit" to limit maximum number of attributes in elements.
Also please note that in order to use the secure parsing in jersey the following property must NOT be configured:
... the property would disable secure parsing and limits would be ignored.