The ServletFileUpload class has disappeared from version tomcat-embed-core-10.1.0 and following

Question

org.apache.tomcat.util.http.fileupload.servlet.ServletFileUpload class has disappeared from version tomcat-embed-core-10.1.0 and following (This class is present in version 10.0.27), while the others (Commons FileUpload) seem to be present. In addition, the embedded version number of Commons FileUpload is no longer shown.

I want to upgrade from tomcat-embed-core-10.0.27.jar to tomcat-embed-core-10.1.2.jar

EDIT #1

Is it normal that the file is no longer present?

EDIT #2

Thanks for your answer. Yes, you are right "Yes, it's normal that a new version of a software changes, removes, renames any of its implementation." the problem in this case, is that the comments in the file "org.apache.tomcat.util.http.fileupload.servlet.package-info.class" of tomcat-embedded-core versions > 10.0.27 mentions a typical use case that refers to an absent class. (CF below)

So I wonder, if the absence of this class (org.apache.tomcat.util.http.fileupload.servlet.ServletFileUpload) is not a bug?

Answer 1

It would have preferable if they had deprecated it first with a note to use @MultipartConfig

Answer 2

For people who stumble upon this question.

My issue was with 9.x, the question is about 10.x...but the "concept" is the same regardless.

The "tipping point" seems to be around

    <dependency>
        <groupId>org.apache.tomcat.embed</groupId>
        <artifactId>tomcat-embed-core</artifactId>
        <version>9.0.87</version>
    </dependency>

to

    <dependency>
        <groupId>org.apache.tomcat.embed</groupId>
        <artifactId>tomcat-embed-core</artifactId>
        <version>9.0.88</version>
    </dependency>

Aka, with 9.0.88, "org.apache.tomcat.util.http.fileupload.servlet.ServletFileUpload" has disappeared.

Now that I've worked through it, I think I see what happened.

This may be a part of the javax/jakarta "debacle". I'll let you internet-search that one on your own.

If you follow this link:

https://commons.apache.org/proper/commons-fileupload/migration.html

(and thank you Olaf in the comments of the original question)

you'll see they are saying

you need to change "org.apache.tomcat.util.http.fileupload.servlet.ServletFileUpload" to one of the other concretes.

And there is a javax concrete, and 2 jakarta concrete(s).

That means you need to pay attention to YOUR code base, and if you are using javax or jakarta items.

My code base happened to be javax (an older almost abandoned "app", but we still have to maintain vulerabilities on it).

Below is a list of the import's I had to change. (And of course the primary one)

BEFORE: (note the "tomcat" in the package-names)

import org.apache.tomcat.util.http.fileupload.FileItemIterator;
import org.apache.tomcat.util.http.fileupload.FileItemStream;
import org.apache.tomcat.util.http.fileupload.FileUploadException;
import org.apache.tomcat.util.http.fileupload.disk.DiskFileItemFactory;
//below is the primary import that got the whole troubleshooting started
import org.apache.tomcat.util.http.fileupload.servlet.ServletFileUpload;
import org.apache.tomcat.util.http.fileupload.util.Streams;

AFTER: (note the "commons" in the package names)

(and also REMEMBERING I (happen to) HAVE javax stuff in my code base)

import org.apache.commons.fileupload2.core.DiskFileItemFactory;
import org.apache.commons.fileupload2.core.FileItemInput;
import org.apache.commons.fileupload2.core.FileItemInputIterator;
//below is the primary import .. that is the replacement as per the apache article/link above
import org.apache.commons.fileupload2.javax.JavaxServletFileUpload;
import org.apache.commons.io.FileUtils;
import org.apache.commons.io.IOUtils;

Now, from which jar/reference are they available?

IN MY (javax) situation, it was the below setup.

    <!-- at the time of writing, this 9.0.95 version was vulnerabilty free, but still within my 9.0.x needs. -->
    <dependency>
        <groupId>org.apache.tomcat.embed</groupId>
        <artifactId>tomcat-embed-core</artifactId>
        <version>9.0.95</version>
    </dependency>


    <!-- below as AS PER THE apache link above, but you need to read the article and pay attention to the alternate javax/jakarta versions available -->

    <dependency>
        <groupId>org.apache.commons</groupId>
        <artifactId>commons-fileupload2-javax</artifactId>
        <version>2.0.0-M2</version>
    </dependency>

    <!-- below was a different transient dependency that I needed, I got a run time error that a class was missing -->

    <dependency>
        <groupId>commons-io</groupId>
        <artifactId>commons-io</artifactId>
        <version>2.17.0</version>
    </dependency>

Now, you may not need any imports beyond the "swap out" items below. (again, emphasis on javax vs jakarta replacement, I happen to need javax)

//import org.apache.tomcat.util.http.fileupload.servlet.ServletFileUpload;
import org.apache.commons.fileupload2.javax.JavaxServletFileUpload;

Now, after I did that, I had a few code tweaks I had to do. A handful, not overwhelming.

Anyways.

So hindsight...this aligns with all the other javax/jakarta headaches.....

Just in case the article (apache one) above dies... here are the other (pick ONE that matches your code) that they listed:

Add one or more these dependencies with the groupId org.apache.commons, and set the artifactId to:

commons-fileupload2-jakarta-serverl5 to use Jakarta Servlets 5.

commons-fileupload2-jakarta-serverl6 to use Jakarta Servlets 6.

commons-fileupload2-javax to use Javax Servlets.

commons-fileupload2-portlet to use Javax Portlets.

All of the above

automatically depends on commons-fileupload2-core.

EXTRAS:

The git-commit where (org.apache.tomcat.util.http.fileupload.servlet.ServletFileUpload) was deleted:

https://github.com/apache/tomcat/commit/9ba3b0c57fff311cd898716db19e508183545b28