Disable the message servlet by default (#2000) (#2015)

cshannon · web-flow · commit d82f61f2a3c4 · 2026-05-13T16:53:47.000-04:00
* Disable the message servlet by default * Add warning message and deprecated annotation (cherry picked from commit d8a8540)
diff --git a/activemq-web/src/main/java/org/apache/activemq/web/MessageServlet.java b/activemq-web/src/main/java/org/apache/activemq/web/MessageServlet.java
@@ -53,7 +53,13 @@
  * there will always be a chance of losing messages. Consider what happens when
  * a message is retrieved from the broker but the web call is interrupted before
  * the client receives the message in the response - the message is lost.
+ *
+ * @deprecated - WARNING: The MessageServlet should be used with caution as it is unmaintained
+ * and there are multiple security related issues. This servlet is primarily meant for demo
+ * purposes only and will be removed entirely in a future release. It is recommended to
+ * keep it disabled.
  */
+@Deprecated
 public class MessageServlet extends MessageServletSupport {
 
     // its a bit pita that this servlet got intermixed with asyncRequest/rest
diff --git a/assembly/src/release/webapps/api/WEB-INF/web.xml b/assembly/src/release/webapps/api/WEB-INF/web.xml
@@ -22,11 +22,19 @@
 
     <display-name>Apache ActiveMQ REST API</display-name>
 
+    <!--
+
+    WARNING: The MessageServlet should be used with caution as it is deprecated and unmaintained
+    and there are multiple security related issues. This servlet is primarily meant for demo
+    purposes only and will be removed entirely in a future release. It is recommended to
+    keep it disabled.
+
     <servlet>
         <servlet-name>MessageServlet</servlet-name>
         <servlet-class>org.apache.activemq.web.MessageServlet</servlet-class>
         <load-on-startup>1</load-on-startup>
         <async-supported>true</async-supported>
+        -->
         <!--
         Uncomment this parameter if you plan to use multiple consumers over REST
         <init-param>
@@ -43,7 +51,13 @@
             <param-value>-1</param-value>
         </init-param>
         -->
-    </servlet>
+    <!--</servlet>
+
+    <servlet-mapping>
+        <servlet-name>MessageServlet</servlet-name>
+        <url-pattern>/message/*</url-pattern>
+    </servlet-mapping>
+    -->
 
     <servlet>
         <servlet-name>jolokia-agent</servlet-name>
@@ -74,11 +88,6 @@
         <load-on-startup>1</load-on-startup> 
     </servlet>
 
-    <servlet-mapping>
-        <servlet-name>MessageServlet</servlet-name>
-        <url-pattern>/message/*</url-pattern>
-    </servlet-mapping>
-
     <servlet-mapping>
         <servlet-name>jolokia-agent</servlet-name>
         <url-pattern>/jolokia/*</url-pattern>
