In making the security patch for nested beans, getMultipartRequestHandler() is
marked protected rather than public, as it is in the nightly build. Since it
returns a binary object, this is not a security risk. I can apply the patch if
we believe there may be a 1.0.2 release.