WARNING: Illegal reflective access by org.apache.poi.util.DocumentHelper (file:/tika-eval-1.17-SNAPSHOT.jar) to method com.sun.org.apache.xerces.internal.util.SecurityManager.setEntityExpansionLimit(int)

I should have caught this before the 3.17 release... oh, well. 4.0.0 is just around the corner, right? :)
Sounds like a 3.17.1 might be in order.
Similar to bug 61572, this one is also caused by reflection usage and only causes an output to stderr as far as I see. Some of these reflection usages are needed in 3.x to allow running/compiling against Java 6, 7 and 8, as some internal JDK functionality is different across versions. So let's first investigate if we can get rid of reflection here after we moved to Java 8 in 4.0 and if we may keep the warning in for 3.17. See https://stackoverflow.com/questions/46230413/jdk9-an-illegal-reflective-access-operation-has-occurred-org-python-core-pysys for some more related description.
In trunk I tried to fix this by removing the reflection on com.sun.. packages, as we can now expect the attribute to be supported by the internal XML Parser since we know that we use Java 8 there. See r1811145. I am not sure what a "fix" for 3.17/Java 6 would look like; we cannot remove the reflective access there as it is required for an important security functionality that is not accessible otherwise for some JDKs as far as I remember.
Fixed for trunk/4.0; no easy fix possible for 3.17/Java 6 as far as I see, except to build in something like "if !java9". Please provide patches if you think this is required before we release the next major release.
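
The trunk change described in this thread relies on the JDK's built-in parser accepting the entity expansion limit as a parser attribute. As an added illustration (not POI's code from r1811145), the following sets that limit through public JAXP calls only, with no reflection on com.sun packages; the class name, the limit of 10 and the sample documents are constructed for the example, and it assumes the JDK's default JAXP implementation on Java 8 or later.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.SAXParseException;

public class EntityLimitNoReflection {
    // JAXP property name understood by the JDK's built-in parser (Java 8+).
    static final String LIMIT =
        "http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit";

    // Build a hardened factory with public JAXP calls only.
    static DocumentBuilderFactory hardenedFactory(int maxExpansions) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        try {
            dbf.setAttribute(LIMIT, Integer.toString(maxExpansions));
        } catch (IllegalArgumentException e) {
            // Another JAXP implementation on the classpath may not know this
            // property; fail closed instead of parsing without a limit.
            throw new IllegalStateException("parser does not support " + LIMIT, e);
        }
        return dbf;
    }

    // Returns true if the document parsed, false if the parser rejected it.
    static boolean parses(DocumentBuilderFactory dbf, String xml) throws Exception {
        try {
            byte[] bytes = xml.getBytes(StandardCharsets.UTF_8);
            dbf.newDocumentBuilder().parse(new ByteArrayInputStream(bytes));
            return true;
        } catch (SAXParseException e) {
            System.err.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: one internal entity referenced n times.
        String dtd = "<!DOCTYPE r [<!ENTITY e \"x\">]>";
        StringBuilder many = new StringBuilder(dtd).append("<r>");
        for (int i = 0; i < 20; i++) many.append("&e;");
        many.append("</r>");

        DocumentBuilderFactory dbf = hardenedFactory(10);
        System.out.println("2 references parse:  " + parses(dbf, dtd + "<r>&e;&e;</r>"));
        System.out.println("20 references parse: " + parses(dbf, many.toString()));
    }
}
```

Because the limit is set through `setAttribute` rather than by calling into `com.sun.org.apache.xerces.internal`, nothing here needs reflective access to JDK internals.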