[2.x] OPENNLP-1835: Tolerate unsupported XML parser security options

[RankoR]

There's no existing ticket for this issue.

For code changes:

• Have you ensured that the full suite of tests is executed via mvn clean install at the root opennlp folder?
• Have you written or updated unit tests to verify your changes?

What changed

OpenNLP 2.5.9 added stricter XML parser hardening in XmlUtil, including JAXP external-access properties, implementation-specific parser features, and XInclude configuration.

Some XML parser providers, including Android's, reject these optional settings even though they can still create a usable secure parser. This caused XmlUtil.createDocumentBuilder() to fail during OpenNLP model initialization on Android.

We faced this issue in SpeechServices in GrapheneOS: GrapheneOS/SpeechServices#18.

This PR keeps the hardening behavior where supported, but applies provider-specific XML security options defensively:

• unsupported DocumentBuilderFactory attributes are logged and ignored
• unsupported parser features are logged and ignored
• unsupported XInclude configuration is logged and ignored
• actual parser construction failures still remain fatal

A focused regression test was added using a custom DocumentBuilderFactory that rejects these optional settings.

Verification

• ./mvnw -pl opennlp-tools -Dtest=XmlUtilTest test
• ./mvnw -pl opennlp-tools test

Also manually verified with an SpeechServices app on a Pixel device.

[rzo1]

Thanks for the PR. In general, it looks good to me. Left some comments.

We will need to port this to the 3.x line as well.

[jzonthemtn]

@RankoR Thanks for the PR!

[mawiesne]

Thx @RankoR for your initial contribution on the 2.x branch!

[RankoR]

@mawiesne no problem! Do you have any estimates on the release date of this fix?

[mawiesne]

@mawiesne no problem! Do you have any estimates on the release date of this fix?

@RankoR 2.5.10 and 3.0.0-M4 could be out late June / early July - stay tuned. Hint: join OpenNLP dev mailing list