How to make XSL Transformer safe for malicious attacks like XXE?


For XSL transformation I am using this interface: javax.xml.transform.Transformer. The implementation is saxon.jaxp.TransformerImpl.

I need to make this Transformer safe against XML External Entity (XXE) attacks. Right now, if there is an external entity, it gets called and could be used for a denial of service attack.

Is there a way to configure the Transformer? I know how to do it with the Saxon parser, but I only have the Transformer class and I do not know how to get the parser out of it.

Michael Kay

First (and sorry this is a bit cynical) you need to decide whether you are trying to protect against attacks, or whether you are trying to get past the security checks performed by some scanning tool. These aren't the same thing.

Assuming you are genuinely trying to protect against attacks, the first thing is to decide whether the stylesheet author is trusted.

If you're running untrusted stylesheets then you need to be very careful indeed; in particular, don't obsess about XML entity attacks because there are plenty of other ways an untrusted stylesheet can access data on your machine or go into an infinite loop.

If you're running trusted stylesheets (but against untrusted XML documents) then things are much easier, and the simplest way of doing it is to take control of all XML parsing yourself by supplying a URIResolver. Then you only need to worry about how to configure the parser to be secure, rather than trying to control it indirectly via the XSLT engine.
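The approach described in the answer above (a trusted stylesheet, untrusted input, and all XML parsing routed through a parser you configure yourself), as an added example that is not part of the original question or answer and is not Saxon's own code. It assumes the JDK's built-in SAX parser or Xerces, whose feature URIs are used below; the "file: only" resolution policy in the resolver and the sample XML with an external entity are constructed for this example.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.net.URI;
import java.net.URISyntaxException;

import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.Source;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.URIResolver;
import javax.xml.transform.sax.SAXSource;
import javax.xml.transform.stream.StreamResult;

import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;

public class HardenedTransform {

    /** A SAX reader that refuses DTDs and external entities (JDK/Xerces feature names). */
    static XMLReader hardenedReader() throws SAXException, ParserConfigurationException {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setNamespaceAware(true);
        // Refusing any DOCTYPE blocks external entities, parameter entities and
        // entity-expansion ("billion laughs") denial of service in one step.
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that honour these but not the DOCTYPE block.
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return spf.newSAXParser().getXMLReader();
    }

    /**
     * URIResolver used for document(), xsl:import and xsl:include: every document the
     * transformation asks for is parsed by hardenedReader(), never by the engine's default parser.
     * The scheme check is a constructed policy for this example; adapt it to your deployment.
     */
    static final URIResolver HARDENED_RESOLVER = (href, base) -> {
        try {
            URI uri = (base == null) ? new URI(href) : new URI(base).resolve(href);
            if (!"file".equalsIgnoreCase(uri.getScheme())) {
                throw new TransformerException("Refusing to resolve non-file URI: " + uri);
            }
            return new SAXSource(hardenedReader(), new InputSource(uri.toString()));
        } catch (URISyntaxException | SAXException | ParserConfigurationException e) {
            throw new TransformerException("Cannot resolve " + href, e);
        }
    };

    public static void main(String[] args) throws Exception {
        // Constructed untrusted input: declares an external entity the parser must not fetch.
        String untrustedXml = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE r [<!ENTITY ext SYSTEM \"file:///example/not-a-real-file.txt\">]>\n"
                + "<r>&ext;</r>";
        // Trusted stylesheet (the case the answer describes as the easy one).
        String trustedXsl = "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
                + "<xsl:output method=\"text\"/>"
                + "<xsl:template match=\"/\"><xsl:value-of select=\"/r\"/></xsl:template>"
                + "</xsl:stylesheet>";

        // Picks up Saxon's TransformerFactory when it is on the classpath.
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setURIResolver(HARDENED_RESOLVER);   // compile time: xsl:import / xsl:include
        Source xslSource = new SAXSource(hardenedReader(), new InputSource(new StringReader(trustedXsl)));
        Transformer t = tf.newTransformer(xslSource);
        t.setURIResolver(HARDENED_RESOLVER);    // run time: document()

        // The principal input is also supplied pre-wrapped in our own SAX reader.
        Source input = new SAXSource(hardenedReader(), new InputSource(new StringReader(untrustedXml)));
        StringWriter out = new StringWriter();
        try {
            t.transform(input, new StreamResult(out));
            System.out.println("Output: " + out);
        } catch (TransformerException e) {
            // Expected for the sample above: the DOCTYPE is rejected before any entity is resolved.
            System.out.println("Rejected: " + e.getMessage());
        }
    }
}
```

The point of wrapping every Source in a SAXSource built from hardenedReader() is that the XSLT engine then never chooses a parser itself: the principal input, the stylesheet and anything fetched via document() or xsl:include all go through the same configuration. Disallowing the DOCTYPE outright is the simplest setting that covers both the file-read and the entity-expansion denial of service cases; if your documents legitimately need a DTD, keep the DOCTYPE but leave the external-entity and load-external-dtd features disabled.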