Billion laughs (entity expansion attack) prevention for Xerces

4162541

Using Java EE 1.8.0_201 (oracle jvm), I'm having a hard time finding any documentation on how to set a global entity expansion limit. I'm setting this on startup currently

System.setProperty("jdk.xml.entityExpansionLimit", String.valueOf(100));

This seems to have no effect, I can still perform a basic billion laughs attack and the thread just runs away. XMLSecurityManager has some logic for setting this but there is no way to provide one for an SAXParserFactory, XMLParser, XMLReader, EntityResolver, etc. I'm also reading that the limit applies to any entity, i.e. if I were to just have a large number of   characters, which would be really bad if true. Is there some hidden documentation about all this that I am missing?

4162541

Furthermore if I try to use the XMLSecurityManager class I get a compilation error

error: package com.sun.org.apache.xerces.internal.utils does not exist

Why do any of these classes' configuration options even exist if they aren't meant to be used?