RestEasy and XXE injection - Services that accept XML are vulnerable to XXE attacks

We have RestEasy deployed end points in production. We are able to call the RestEasy end point by submitting the following ( as an example)

<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<search><user>&xxe;</user></search>

If we submit the above to a web service built on RestEasy, we can see the contents of /etc/passwd.

This presents a well-documented security issue - XXE (XML eXternal Entity Attack)

If we use SAX directly, we can instruct a parser not to read the external DTD subset by setting the http://xml.org/sax/features/external-general-entities and http://xml.org/sax/features/external-parameter-entities features to false.

For example:
parser.setFeature("http://xml.org/sax/features/external-general-entities", false);
parser.setFeature("http://xml.org/sax/features/external-parameter-entities", false);

We can also accomplish the same using a custom entity resolver when using the parsers directly.

How do we accomplish the same using RestEasy?

From the documentation, it seems that we would have to write a custom MessageBodyReader, where we actually check for any of these doctype declarations before allowing the call to the proceed to the actual end point.

Jersey also had a similar problem, which seems to have been addressed
http://java.net/jira/browse/JERSEY-323