http://svn.apache.org/r1658754 added a check of the org.apache.taglibs.standard.xml.accessExternalEntity system property during initialization of XmlUtil. When a SecurityManager is present this check will fail unless permission has been granted for the library to do that. This may affect applications even if they do not use the XML tags because the he JSTL <c:> core library includes a TLV that parses the XML view of the page at translation time, obtaining the parser from the XmlUtil class. If permission has not been granted then the check fails, a NoClassDefError is thrown, and the JSP compilation will fail.
I propose to fix this by ignoring the AccessControlException and falling back to the default set of protocols i.e. none. To enable additional protocols, users would need to pass that property and grant the library permission to read it.
Fixed in http://svn.apache.org/r1664878 and will be included in 1.2.4