From ad8ac8770e2976f02dbc5a2eafb7cea377921f79 Mon Sep 17 00:00:00 2001
From: "Christopher L. Shannon" <cshannon@apache.org>
Date: Mon, 27 Apr 2026 17:40:30 -0400
Subject: [PATCH 1/2] Disable the message servlet by default

---
 assembly/src/release/webapps/api/WEB-INF/web.xml | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/assembly/src/release/webapps/api/WEB-INF/web.xml b/assembly/src/release/webapps/api/WEB-INF/web.xml
index 2a1a0103649..07ec39cf27f 100644
--- a/assembly/src/release/webapps/api/WEB-INF/web.xml
+++ b/assembly/src/release/webapps/api/WEB-INF/web.xml
@@ -22,11 +22,14 @@
 
     <display-name>Apache ActiveMQ REST API</display-name>
 
+    <!--
+    Uncomment to enable the MessageServlet
     <servlet>
         <servlet-name>MessageServlet</servlet-name>
         <servlet-class>org.apache.activemq.web.MessageServlet</servlet-class>
         <load-on-startup>1</load-on-startup>
         <async-supported>true</async-supported>
+        -->
         <!--
         Uncomment this parameter if you plan to use multiple consumers over REST
         <init-param>
@@ -43,7 +46,13 @@
             <param-value>-1</param-value>
         </init-param>
         -->
-    </servlet>
+    <!--</servlet>
+
+    <servlet-mapping>
+        <servlet-name>MessageServlet</servlet-name>
+        <url-pattern>/message/*</url-pattern>
+    </servlet-mapping>
+    -->
 
     <servlet>
         <servlet-name>jolokia-agent</servlet-name>
@@ -74,11 +83,6 @@
         <load-on-startup>1</load-on-startup> 
     </servlet>
 
-    <servlet-mapping>
-        <servlet-name>MessageServlet</servlet-name>
-        <url-pattern>/message/*</url-pattern>
-    </servlet-mapping>
-
     <servlet-mapping>
         <servlet-name>jolokia-agent</servlet-name>
         <url-pattern>/jolokia/*</url-pattern>

From 7c811e31112de5a7e7d40140a30fd5d662aa1d3f Mon Sep 17 00:00:00 2001
From: "Christopher L. Shannon" <cshannon@apache.org>
Date: Tue, 12 May 2026 08:47:35 -0400
Subject: [PATCH 2/2] Add warning message and deprecated annotation

---
 .../main/java/org/apache/activemq/web/MessageServlet.java  | 6 ++++++
 assembly/src/release/webapps/api/WEB-INF/web.xml           | 7 ++++++-
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/activemq-web/src/main/java/org/apache/activemq/web/MessageServlet.java b/activemq-web/src/main/java/org/apache/activemq/web/MessageServlet.java
index fa3dd50e095..10675a7cf2c 100644
--- a/activemq-web/src/main/java/org/apache/activemq/web/MessageServlet.java
+++ b/activemq-web/src/main/java/org/apache/activemq/web/MessageServlet.java
@@ -48,7 +48,13 @@
  * there will always be a chance of losing messages. Consider what happens when
  * a message is retrieved from the broker but the web call is interrupted before
  * the client receives the message in the response - the message is lost.
+ *
+ * @deprecated - WARNING: The MessageServlet should be used with caution as it is unmaintained
+ * and there are multiple security related issues. This servlet is primarily meant for demo
+ * purposes only and will be removed entirely in a future release. It is recommended to
+ * keep it disabled.
  */
+@Deprecated
 public class MessageServlet extends MessageServletSupport {
 
     // its a bit pita that this servlet got intermixed with asyncRequest/rest
diff --git a/assembly/src/release/webapps/api/WEB-INF/web.xml b/assembly/src/release/webapps/api/WEB-INF/web.xml
index 07ec39cf27f..d260009cd78 100644
--- a/assembly/src/release/webapps/api/WEB-INF/web.xml
+++ b/assembly/src/release/webapps/api/WEB-INF/web.xml
@@ -23,7 +23,12 @@
     <display-name>Apache ActiveMQ REST API</display-name>
 
     <!--
-    Uncomment to enable the MessageServlet
+
+    WARNING: The MessageServlet should be used with caution as it is deprecated and unmaintained
+    and there are multiple security related issues. This servlet is primarily meant for demo
+    purposes only and will be removed entirely in a future release. It is recommended to
+    keep it disabled.
+
     <servlet>
         <servlet-name>MessageServlet</servlet-name>
         <servlet-class>org.apache.activemq.web.MessageServlet</servlet-class>