Tomcat 5 standalone, SSL, IE problem...

2004-04-13 Thread Lawrence, Gabriel
Howdy,

I'm running tomcat 5.0.16, jdk 1.4.1_02-b06 on Solaris 8 and am running
into an issue with IE. It seems that when I use IE wihtout SSL things
work fine, but when I use IE with SSL the form posts I'm sending don't
always submit properly. I know it sounds crazy, but, I'm wondering if
there are any known incompatibilities between IE and tomcat ssl? Or any
special configuration settings I need to do in order to make IE and
Tomcat happy together?

Thanks,
-gabe

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



RE: Off-topic - Java and X11 Window Server

2004-01-07 Thread Lawrence, Gabriel
If you are running java 1.4 you might be better off setting it up to run in a headless 
environment. I add this to my JAVA_OPTS when running startup.sh for tomcat to do this:

JAVA_OPTS=-Djava.awt.headless=true


Cheers,
-gabe

-Original Message-
From: Patrick Willart [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, January 07, 2004 11:26 AM
To: Jose Euclides da Silva Junior - DATAPREVRJ; 'Tomcat Users List'
Subject: RE: Off-topic - Java and X11 Window Server


Dear Jose,

This is the document that put me on the right track. Set the DISPLAY variable as an 
environment variable for the user that start Tomcat. The variable has to be set before 
Tomcat is started

snippet of document
To run Xvfb in a manner that pleases Java, try:

/usr/X11R6/bin/Xvfb :1 -screen 0 800x600x24

This will create a virtual display at :1.0 with a size of 800 by 600 pixels and a 
color depth of 24 bits. To ensure that Java draws to this display, you must set the 
DISPLAY environment variable to :1.0 before invoking Java.  If Java throws any 
X11Environment exceptions, try changing the color  depth or screen size. In my 
experience 16 or 24 bits has always worked. /snippet of document

grts,

Patrick

-Original Message-
From: Jose Euclides da Silva Junior - DATAPREVRJ [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 07, 2004 11:51 AM
To: 'Tomcat Users List'; '[EMAIL PROTECTED]'
Subject: RES: Off-topic - Java and X11 Window Server


Dear Patrick,
Where (and HOW ) should i set it?
Thanks in advance,
José Euclides Junior
Projeto DOP201
Infra-estrutura J2EE para as aplicações corporativas da Previdência Social


-Mensagem original-
De: Patrick Willart [mailto:[EMAIL PROTECTED]
Enviada em: quarta-feira, 7 de janeiro de 2004 16:51
Para: Tomcat Users List
Assunto: RE: Off-topic - Java and X11 Window Server


I am not an expert on any *nix system, but faced the same problem once.

I had to set to DISPLAY varirable to :1.0 (export DISPLAY=:1.0). It is important that 
this is set for the same user that is running Tomcat.

grts,

Patrick

-Original Message-
From: Jose Euclides da Silva Junior - DATAPREVRJ [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 07, 2004 10:55 AM
To: '[EMAIL PROTECTED]'
Subject: Off-topic - Java and X11 Window Server


Hi guys,
Have anybody ever seen this error before? The X11 seems to be alive at my environment 
-- Conectiva Linux. The target Java app,GraficoBig, works with a free package, called 
org.jfree.char and org.jfree.gui.

500 Internal Server Error
java.lang.InternalError: Can't connect to X11 window server using ':0.0' as the value 
of the DISPLAY variable.
at sun.awt.X11GraphicsEnvironment.initDisplay(Native Method)
at
sun.awt.X11GraphicsEnvironment.clinit(X11GraphicsEnvironment.java:54)
at java.lang.Class.forName0(Native Method)
at java.lang.Class.forName(Class.java:115)
at java.awt.GraphicsEnvironment.getLocalGraphicsEnvironment(GraphicsEnvironment
.java:53)
at java.awt.Window.init(Window.java:183)
at java.awt.Frame.init(Frame.java:310)
at java.awt.Frame.init(Frame.java:289)
at javax.swing.JFrame.init(JFrame.java:167)
at org.jfree.ui.ApplicationFrame.init(Unknown Source)
at mypackage2.GraficoBig.init(GraficoBig.java:26)
at _Jspbig._jspService(_Jspbig.java:128)
[SRC:Jspbig.jsp:118]
regards,
José Euclides Junior
Projeto DOP201
Infra-estrutura J2EE para as aplicações corporativas da Previdência Social



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



RE: How do you generate a unique number for each request across muliple tomcat instances?

2003-12-16 Thread Lawrence, Gabriel
The hibernate project as a uuid class, you could look at how they do
it... Here's the docs:

http://www.hibernate.org/hib_docs/reference/html/or-mapping.html#or-mapp
ing-s1-4-uuid

-gabe

-Original Message-
From: Tom Ly [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, December 16, 2003 12:10 PM
To: Tomcat Users List
Subject: Re: How do you generate a unique number for each request across
muliple tomcat instances?


bump

Tom Ly [EMAIL PROTECTED] wrote:That works great in a windows
environment. But on Linux machines,the line will always return 127.0.0.1

Tim Funk wrote:Ideally use a string for uniqueness, not an int. For an
int is too small 
across a cluster.

To get a unique string, concatenate your IP address with 
java.rmi.server.UID(), for example:
String guid = InetAddress.getLocalHost().getHostAddress() + (new
java.rmi.server.UID()).toString());

See the javadocs on UID for more info.

-Tim

Tom Ly wrote:

 I have an application where I need to generate a unique int for each 
 request that comes in. I've got about 8 Tomcat instances running 
 spread across four machines(two tomcat's each machine). It's pretty 
 simple with one Tomcat, but with mulitple Tomcats it gets tricky. I 
 tried using InetAddress to get the ip address of the current machine 
 and use that to set the range for each tomcat(since the ip address 
 will always be unique), but since I'm using Linux, it'll always return

 127.0.0.1 as the ip address, so I can use class InetAddress. Any 
 advice on what to do?



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



-
Do you Yahoo!?
Protect your identity with Yahoo! Mail AddressGuard


-
Do you Yahoo!?
Protect your identity with Yahoo! Mail AddressGuard

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



RE: CGI not working on Tomcat 5.0.16?

2003-12-15 Thread Lawrence, Gabriel
I've noticed that on tomcat 5 the working directory that it execs the
cgi script in is different then it was on tomcat 4. I haven't solved my
problem yet, but I have isolated that to be my problem.

-gabe

-Original Message-
From: Jonathan Eric Miller [mailto:[EMAIL PROTECTED] 
Sent: Monday, December 15, 2003 2:42 PM
To: Tomcat User List
Subject: CGI not working on Tomcat 5.0.16?


I've been having problems getting CGI to work with Tomcat 5.0.16. I have
it working with Tomcat 4.1. Has anyone else been able to get it to work?

I'm receiving the following error in my localhost_log*.txt log even
though the file listed is there. Has anyone else had this problem?

2003-12-12 16:46:14 StandardContext[]cgi: runCGI (stderr):Can't open
perl script
/opt/jakarta-tomcat-5.0.16/webapps/ROOT/WEB-INF/cgi/awstats.pl:
No such file or directory
2003-12-12 16:46:14 StandardContext[]cgi: runCGI: 1 lines received on
stderr

Jon


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



RE: SSL/Verisign Confusion

2003-09-05 Thread Lawrence, Gabriel
I'm working on a tool to pull out the private key. It should be done by
the end of the day. I will send something to the list when I have it
finished. Kind of funny how just as I'm getting around to a project that
has been on my plate all week someone else needs it too ;-)

-gabe

-Original Message-
From: Dave Wood [mailto:[EMAIL PROTECTED] 
Sent: Friday, September 05, 2003 8:07 AM
To: Tomcat Users List
Subject: RE: SSL/Verisign Confusion

I realize you can't do this with keytool.  Is there no way to do it at
all?

I'm beginning to think I might be totally hosed here.

Thanks,
Dave

-Original Message-
From: Jay Garala [mailto:[EMAIL PROTECTED]
Sent: Friday, September 05, 2003 8:37 AM
To: 'Tomcat Users List'
Subject: RE: SSL/Verisign Confusion


NOTE: You cannot export private key from keystore.

-Original Message-
From: Dave Wood [mailto:[EMAIL PROTECTED]
Sent: Friday, September 05, 2003 10:32 AM
To: Tomcat Users List
Subject: RE: SSL/Verisign Confusion

Thanks.  With the exception of the openssl doc, I've been over these
quite a
bit.  The result is the problem I've mentioned where keytool says it
can't
import my certificate because the alias already exists.

After some help I got last night, I think the question boils down to
this:

* once I have extracted my private key from keytool (haven't done this
yet),
how do I take that key, the VeriSign intermediate certificate and my
public
key certificate and get them to play together.  I'm hoping the openssl
stuff
will take care of this, because keytool doesn't really seem to recognize
private keys as things that you can work with directly.

Thanks again,
Dave

-Original Message-
From: Jay Garala [mailto:[EMAIL PROTECTED]
Sent: Friday, September 05, 2003 7:12 AM
To: 'Tomcat Users List'
Subject: RE: SSL/Verisign Confusion


Try the Java keytool help:
 http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html

Tomcat how-to:
 http://jakarta.apache.org/tomcat/tomcat-4.1-doc/ssl-howto.html

If you have OpenSSL:
 http://forum.java.sun.com/thread.jsp?forum=2thread=4240

Jay
-Original Message-
From: Dave Wood [mailto:[EMAIL PROTECTED]
Sent: Friday, September 05, 2003 1:04 AM
To: Tomcat Users List
Subject: RE: SSL/Verisign Confusion

Thanks Bill.  I think this highlights something I'm really not
understanding...

Didn't I generate an important private key somewhere along the line
that I
can't just regenerate if I blow away my keystore?  I assumed the
certificate
I got back from verisign would only work if I still had the original
private
key I generated before sending them my request.  Is that wrong?

(I'll take a look at the link you sent...at first glance, it looks a
little
hard to follow, but hopefully not).

Thanks again.

Dave

-Original Message-
From: news [mailto:[EMAIL PROTECTED] Behalf Of Bill Barker
Sent: Thursday, September 04, 2003 11:06 PM
To: [EMAIL PROTECTED]
Subject: Re: SSL/Verisign Confusion


Firstly, it looks like you should wipe you keystore and start again.  To
use
a VS cert with Tomcat, the two options I know are:
1) Follow the instructions at http://www.comu.de/docs/tomcat_ssl.htm.
2) Using openssl or otherwise, convert your cert+key to a pkcs12 file,
and
use that as your keystore (remember to set 'keystoreType=pkcs12' on
the
Factory in server.xml).


Dave Wood [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 I'm having a problem getting an SSL certificate from Verisign working
 correctly.  I'm going to include everything I can think of that MIGHT
be a
 problem.  Unfortunately, there are a couple things I can't quite
remember
 for certain.  Here's the situation:

 1. I generated the initial key using an alias other than tomcat
(we'll
 call it company)
 2. I generated the CSR and sent it to verisign.  I still have this
file.
 3. Verisign changed the company name during the verification process
(from
 an acronym to the full spelling of the name)
 4. I now have the certificate that they sent back after the validation
 process.
 5. One thing I can't account for is why when I see this:

 $ keytool -list

 Keystore type: jks
 Keystore provider: SUN

 Your keystore contains 4 entries: (...others removed...)

 company, Fri Aug 22 08:47:04 MDT 2003, trustedCertEntry,
 Certificate fingerprint (MD5):
 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 (the numbers aren't
really
 0's)

 ...I think I must have self-signed or something (I was doing a couple
of
 these things and don't recall exactly), but I'm surprised to see
 trustedCertEntry here.

 The problem I'm having is this:

 $ keytool -import -trustcacerts -alias company -file public.crt
 Enter keystore password: xxx
 keytool error: java.lang.Exception: Certificate not imported, alias
 company already exists

 (but I'm thinking it should be REPLACING this entry, so the fact that
it
 exists shouldn't be a problem???)

 So, I have several questions:

 1. Am I hosed completely because I didn't use tomcat as the alias?
 2. How does the 

RE: Help! heavy traffic is crapping out our site every 5 min! DBCP exceptions

2003-08-14 Thread Lawrence, Gabriel
Try running netstat on the linux box to see how many connections are out
there. This might give you some more visibility into what network
connections are actually being used and where they are going.

-gabe

-Original Message-
From: Barclay A. Dunn [mailto:[EMAIL PROTECTED] 
Sent: Friday, August 08, 2003 10:43 AM
To: Tomcat Users List
Subject: RE: Help! heavy traffic is crapping out our site every 5 min!
DBCP exceptions

your logic seems on target to me.

my sysadmin (who's just as stymied as i am) says that according to his
sources, sockets on linux are open files so if the open file limit is
exceeded, it would affect sockets as well. any thoughts on this?

barclay

-Original Message-
From: Eric J. Pinnell [mailto:[EMAIL PROTECTED]
Sent: Friday, August 08, 2003 1:38 PM
To: Tomcat Users List
Subject: RE: Help! heavy traffic is crapping out our site every 5 min!
DBCP exceptions


I'm pretty sure can't create socket means it can't connect to the DB
for
some reason.  I would wager the DB (or something) is refusing the
connection.  The fact that it said can't create socket means that
tomcat
is trying to do so.  So that part of it seems alright.

-e

On Fri, 8 Aug 2003, Barclay A. Dunn wrote:

 well, i followed the dbcp comment that says set to 0 for unlimited
and
 that turns out to be wrong.

 i also tried -1 and that is equally unuseful in terms of setting it to
 unlimited.

 so i tried setting maxActive to 10 and so far it is generating
no
 errors. no, i'm wrong. connecs shot up to around 600 or maybe more,
then
we
 started getting the java.sql.SQLException: [Microsoft][SQLServer 2000
Driver
 for JDBC]Error establishing socket.

 the db has an insanely huge connection limit of 99,999 we think.

 barclay

 -Original Message-
 From: Eric J. Pinnell [mailto:[EMAIL PROTECTED]
 Sent: Friday, August 08, 2003 1:27 PM
 To: Tomcat Users List
 Subject: RE: Help! heavy traffic is crapping out our site every 5 min!
 DBCP exceptions


 Is it also unlimited (or insanely huge) on the database?

 -e

 On Fri, 8 Aug 2003, Barclay A. Dunn wrote:

  i adjusted the pool to unlimited and am still getting these errors.
  something else seems to be fekachte.
 
  barclay
 
  -Original Message-
  From: Eric J. Pinnell [mailto:[EMAIL PROTECTED]
  Sent: Friday, August 08, 2003 1:11 PM
  To: Tomcat Users List
  Subject: Re: Help! heavy traffic is crapping out our site every 5
min!
  DBCP exceptions
 
 
  Hi,
 
  Your pool of  connections to your database is exhausted.  Try upping
the
  number.
 
  -e
 
  On Fri, 8 Aug 2003, Barclay A. Dunn wrote:
 
   we are getting a ton of these errors in our catalina.out and i
could
use
   help in fixing it.
  
   i know they are related to our connection pooling, but not what to
do
to
   fix. my understanding of the underlying mechanics of connection
pooling
 is
   somewhat limited.
  
   i have put two different but related error messages in here:
  
   java.sql.SQLException: DBCP could not obtain an idle db
connection,
pool
   exhausted
   at
  
 

org.apache.commons.dbcp.AbandonedObjectPool.borrowObject(AbandonedObject
Pool
   .java:123)
   at
  
 

org.apache.commons.dbcp.PoolingDataSource.getConnection(PoolingDataSourc
e.ja
   va:110)
   at
  
 

org.apache.commons.dbcp.BasicDataSource.getConnection(BasicDataSource.ja
va:3
   12)
   at com.happypuppy.util.HPSql.getConnection(HPSql.java:21)
   at
org.apache.jsp.index_jsp._jspService(index_jsp.java:222)
   at
  
org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:137)
   at
javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
   at
  
 

org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.ja
va:2
   04)
   at
  
org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:295)
   at
  org.apache.jasper.servlet.JspServlet.service(JspServlet.java:241)
   at
javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
   at
  
 

org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatc
her.
   java:684)
   at
  
 

org.apache.catalina.core.ApplicationDispatcher.doInclude(ApplicationDisp
atch
   er.java:575)
   at
  
 

org.apache.catalina.core.ApplicationDispatcher.include(ApplicationDispat
cher
   .java:498)
   at
  
 

org.apache.jasper.runtime.JspRuntimeLibrary.include(JspRuntimeLibrary.ja
va:8
   22)
   at org.apache.jsp._404_jsp._jspService(_404_jsp.java:373)
   at
  
org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:137)
   at
javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
   at
  
 

org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.ja
va:2
   04)
   at
  
org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:295)
   at
  org.apache.jasper.servlet.JspServlet.service(JspServlet.java:241)
   at

RE: Tomcat not working behind a NAT?

2003-07-25 Thread Lawrence, Gabriel
Does setting the proxyName help?

See docs at:
http://jakarta.apache.org/tomcat/tomcat-4.1-doc/config/coyote.html



-Original Message-
From: Erin Dalzell [mailto:[EMAIL PROTECTED] 
Sent: Friday, July 25, 2003 4:31 PM
To: 'Tomcat Users List'
Subject: RE: Tomcat not working behind a NAT?

OK, I have a question for all the Tomcat gurus out there.

Here is my scenario:
* tomcat machine is behind NAT
* internal ip address is 2.2.2.2 (ip changed to protect the
innocent!)
* external ip is 3.3.3.3
* client accesses servlet with ip 3.3.3.3.
* inside servlet we call RequestDispatcher rd =
getServletContext().getRequestDispatcher( /another_page.jsp );
* then we call rd.forward( orig_request, response );

My question is, is that forward call a full http request? If so, what ip
address will it use? I think that it is trying to use the 3.3.3.3
address
and the NAT doesn't like it.

Thoughts?

Thanks

emd


Erin Dalzell
eXpresso Product Specialist
Epic Data
604.207.7699


-Original Message-
From: Eric J. Pinnell [mailto:[EMAIL PROTECTED]
Sent: Friday, July 25, 2003 10:05 AM
To: Tomcat Users List
Subject: RE: Tomcat not working behind a NAT?


I still think you are barking up the wrong tree here.  If I had to guess
I
would say that 95% of all internet faceing Tomcat servers are behind
some kind of NAT device.

One thing to consider.  NAT only translates the IP in the IP header and
doesn't change the data payload.  So if you are, for whatever reason,
using an IP address that is getting sent along in the payload and trying
to redirect to it or whatever, NAT won't change that.

Kinda how SQLNet doesn't like NAT devices.  Because the users IP is
embedded in the payload as part of the protocol.  So it goofs up when
the
IP header and the IP in the payload don't match.

But what you are thinking below is the first thing I would do.  Make
sure
the machine on the outside see's the correct hostname/IP number and the
machine on the inside see's that same hostname as the inside IP address.
You can do that via the hosts file if you like.

-e

On Fri, 25 Jul 2003, Erin Dalzell wrote:

 For this particular Servlet call we are not accessing any databases.

 DTDs? Not really familiar with those...I will check.

 I don't think we are trying to resolve hosts.

 Here is something we got from our client:
 --
 The sniffer log showed the NATed address in one of the http requests
...
 following along the line of tomcat not using a localhost for
addressing
 requests even if they're local to the system ...

 What options are there to specify the address for tomcat under which
to
 start ? It must perform a lookup on DNS to translate the address, can
we
use
 the /etc/hosts file to create a 'fixed' address that won't be affected
by
 DNS ? This may not resolve it either ... as which one would you
actually
put
 in to allow both 'local' access vs 'outside' access ...
 --

 
 Erin Dalzell
 eXpresso Product Specialist
 Epic Data
 604.207.7699


 -Original Message-
 From: Tim Funk [mailto:[EMAIL PROTECTED]
 Sent: Thursday, July 24, 2003 5:46 PM
 To: Tomcat Users List
 Subject: Re: Tomcat not working behind a NAT?


 It shouldn't use high ports.
 Are you running any database services or other services?
 Are your dtd's not correct and its trying actually pull foriegn assets
via
 http?
 Are you trying to resolve hosts in your access log? (or similar)

 Use your sniffer to see the type of request being performed on the
hight
 port.

 -Tim

 Erin Dalzell wrote:
  Hi there,
 
  We have just discovered that our tomcat web app is not working
correctly
  behind a NAT. Our actual web app works fine, but when we try to
access
our
  management pages via http. It doesn't work. Any static pages are
served
up
  correctly through our defined tomcat port (6300), but any dynamic
content
  (to several different servlets) don't work.
 
  When we run a sniffer, it looks like tomcat tries to communicate
with
 itself
  on a very high (and random) port. For example, if our tomcat is
accessible
  locally as 10.10.10.10 and externally as 204.1.1.1 and we access
from
  withing our network (10.10.x.x) everything works fine and tomcat is
able
 to
  talk to itself on port 45000. But if I access it from an external
site,
  tomcat tries to communicate with itself on the 204.1.1.1 address and
the
 NAT
  doesn't like it.
 
  So, I have a few questions:
  1) why doesn't tomcat (we are using version 4) use localhost to
  communicate with itself?
  2) anyone else seen this problem?
  3) can the high port be configured?
 
  Thoughts?


 -
 To unsubscribe, e-mail: [EMAIL PROTECTED]
 For additional commands, e-mail: [EMAIL PROTECTED]

 This email and any attachments are intended only for use by the
addressees
 named in this email and may contain legally privileged and/or
confidential
 information.  If you are not the 

Internet Explorer SSL issues and tomcat running ssl?

2003-07-21 Thread Lawrence, Gabriel
Howdy,

The mod_ssl faq says to do the following:


The first reason is that the SSL implementation in some MSIE versions
has some subtle bugs related to the HTTP keep-alive facility and the SSL
close notify alerts on socket connection close. Additionally the
interaction between SSL and HTTP/1.1 features are problematic with some
MSIE versions, too. You've to work-around these problems by forcing
Apache+mod_ssl+OpenSSL to not use HTTP/1.1, keep-alive connections or
sending the SSL close notify messages to MSIE clients. This can be done
by using the following directive in your SSL-aware virtual host section:


SetEnvIf User-Agent .*MSIE.* \
 nokeepalive ssl-unclean-shutdown \
 downgrade-1.0 force-response-1.0

from http://www.modssl.org/docs/2.8/ssl_faq.html#io-ie

Do I need to set something similar in Tomcat? Is it already part of the
coyote connector?

Thanks,
-gabe

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



RE: Running Tomcat as Non-Root

2003-07-18 Thread Lawrence, Gabriel
Has any one submitted a request to get dropping privs into the JDK? Or
escalating privs to grab one of these ports and then dropping them
again?

As I see this request over and over again on this list I think there is
a large number of people who would like to see it or would vote for it
in the java bug parade.

It also seems rather important for running a secure service to manage
the privs. I know I could use a security manager/policy to restrict what
can happen, but this doesn't restrict native libraries loaded into the
process and requires more work on our part then just allowing the JDK to
loose its privs...

-gabe

-Original Message-
From: Shapira, Yoav [mailto:[EMAIL PROTECTED] 
Sent: Friday, July 18, 2003 12:58 PM
To: Tomcat Users List
Subject: RE: Running Tomcat as Non-Root 


Howdy,
Are you running on a unix OS?  If so, root is normally required if you
want to run on a port  1024.  There are workarounds, but they vary in
complexity and portability, and none are that good at this point.  If
you're running on a port higher than 1024, than you don't need to run as
root at all.

Yoav Shapira
Millennium ChemInformatics


-Original Message-
From: Latesha Williams [mailto:[EMAIL PROTECTED]
Sent: Friday, July 18, 2003 3:55 PM
To: Tomcat Users List
Subject: Running Tomcat as Non-Root

Is it possible to run Tomcat as a non-root user, with root as the owner
of
the entire Tomcat directory structure and grant file/directory
permissions
to the non-root account?  Please advise.




-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




This e-mail, including any attachments, is a confidential business
communication, and may contain information that is confidential,
proprietary and/or privileged.  This e-mail is intended only for the
individual(s) to whom it is addressed, and may not be saved, copied,
printed, disclosed or used by anyone else.  If you are not the(an)
intended recipient, please immediately delete this e-mail from your
computer system and notify the sender.  Thank you.


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



RE: Running Tomcat as Non-Root

2003-07-18 Thread Lawrence, Gabriel
Right. I'm saying has anyone looked into submitting something to sun
asking them to make it possible to start up a process as root an then
drop down to another user like most native services do? 

I want that bridge between native user credentials and capabilities, and
the ability to switch which nave user I'm running on (assuming the user
I'm running with has that capability.)

This is missing in Java.
-gabe

-Original Message-
From: Shapira, Yoav [mailto:[EMAIL PROTECTED] 
Sent: Friday, July 18, 2003 1:21 PM
To: Tomcat Users List
Subject: RE: Running Tomcat as Non-Root 


Howdy,
Huh???  Have you looked at java.security.AccessController#doPrivileged()
?

The issue is that port binding is a native operation and there's no
bridge between the JDK java.security.Principal and the native user
credentials needed to open the port.

Yoav Shapira
Millennium ChemInformatics


-Original Message-
From: Lawrence, Gabriel [mailto:[EMAIL PROTECTED]
Sent: Friday, July 18, 2003 4:06 PM
To: Tomcat Users List
Subject: RE: Running Tomcat as Non-Root

Has any one submitted a request to get dropping privs into the JDK? Or
escalating privs to grab one of these ports and then dropping them
again?

As I see this request over and over again on this list I think there is
a large number of people who would like to see it or would vote for it
in the java bug parade.

It also seems rather important for running a secure service to manage
the privs. I know I could use a security manager/policy to restrict
what
can happen, but this doesn't restrict native libraries loaded into the
process and requires more work on our part then just allowing the JDK
to
loose its privs...

-gabe

-Original Message-
From: Shapira, Yoav [mailto:[EMAIL PROTECTED]
Sent: Friday, July 18, 2003 12:58 PM
To: Tomcat Users List
Subject: RE: Running Tomcat as Non-Root


Howdy,
Are you running on a unix OS?  If so, root is normally required if you
want to run on a port  1024.  There are workarounds, but they vary in
complexity and portability, and none are that good at this point.  If
you're running on a port higher than 1024, than you don't need to run
as
root at all.

Yoav Shapira
Millennium ChemInformatics


-Original Message-
From: Latesha Williams [mailto:[EMAIL PROTECTED]
Sent: Friday, July 18, 2003 3:55 PM
To: Tomcat Users List
Subject: Running Tomcat as Non-Root

Is it possible to run Tomcat as a non-root user, with root as the
owner
of
the entire Tomcat directory structure and grant file/directory
permissions
to the non-root account?  Please advise.




-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




This e-mail, including any attachments, is a confidential business
communication, and may contain information that is confidential,
proprietary and/or privileged.  This e-mail is intended only for the
individual(s) to whom it is addressed, and may not be saved, copied,
printed, disclosed or used by anyone else.  If you are not the(an)
intended recipient, please immediately delete this e-mail from your
computer system and notify the sender.  Thank you.


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




This e-mail, including any attachments, is a confidential business
communication, and may contain information that is confidential,
proprietary and/or privileged.  This e-mail is intended only for the
individual(s) to whom it is addressed, and may not be saved, copied,
printed, disclosed or used by anyone else.  If you are not the(an)
intended recipient, please immediately delete this e-mail from your
computer system and notify the sender.  Thank you.


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



RE: Running Tomcat as Non-Root

2003-07-18 Thread Lawrence, Gabriel
So I'm going to take that as a no. No one has bothered to pester sun
about this. 

And yes, the way things tend to work today is that people run these
things with extra JVMs, although if its running on port 25 they'd all
have to be running as root.

So I realize that its possible that you could only drop privs down to a
single user in the vm, but gee wouldn't that be hugely better then what
we have today, where if I want to run 1024 I have to run as superuser?

Surely you can see the benefit.
-gabe

-Original Message-
From: John Turner [mailto:[EMAIL PROTECTED] 
Sent: Friday, July 18, 2003 1:35 PM
To: Tomcat Users List
Subject: Re: Running Tomcat as Non-Root 


So every Java-based service would need its own JVM instance?  Would you 
want your Java-based MTA on port 25 running as your Tomcat user or vice 
versa?  Isn't that how it would work if you configured the user account
in 
the JVM...all services would run as the same user?  Seems like that
would 
end up being pretty messy to manage.

John

On Fri, 18 Jul 2003 13:24:42 -0700, Lawrence, Gabriel
[EMAIL PROTECTED] 
wrote:

 Right. I'm saying has anyone looked into submitting something to sun
 asking them to make it possible to start up a process as root an then
 drop down to another user like most native services do?

 I want that bridge between native user credentials and capabilities,
and
 the ability to switch which nave user I'm running on (assuming the
user
 I'm running with has that capability.)

 This is missing in Java.
 -gabe

 -Original Message-
 From: Shapira, Yoav [mailto:[EMAIL PROTECTED] Sent: Friday, July
18, 
 2003 1:21 PM
 To: Tomcat Users List
 Subject: RE: Running Tomcat as Non-Root


 Howdy,
 Huh???  Have you looked at
java.security.AccessController#doPrivileged()
 ?

 The issue is that port binding is a native operation and there's no
 bridge between the JDK java.security.Principal and the native user
 credentials needed to open the port.

 Yoav Shapira
 Millennium ChemInformatics


 -Original Message-
 From: Lawrence, Gabriel [mailto:[EMAIL PROTECTED]
 Sent: Friday, July 18, 2003 4:06 PM
 To: Tomcat Users List
 Subject: RE: Running Tomcat as Non-Root

 Has any one submitted a request to get dropping privs into the JDK?
Or
 escalating privs to grab one of these ports and then dropping them
 again?

 As I see this request over and over again on this list I think there
is
 a large number of people who would like to see it or would vote for
it
 in the java bug parade.

 It also seems rather important for running a secure service to manage
 the privs. I know I could use a security manager/policy to restrict
 what
 can happen, but this doesn't restrict native libraries loaded into
the
 process and requires more work on our part then just allowing the JDK
 to
 loose its privs...

 -gabe

 -Original Message-
 From: Shapira, Yoav [mailto:[EMAIL PROTECTED]
 Sent: Friday, July 18, 2003 12:58 PM
 To: Tomcat Users List
 Subject: RE: Running Tomcat as Non-Root


 Howdy,
 Are you running on a unix OS?  If so, root is normally required if
you
 want to run on a port  1024.  There are workarounds, but they vary
in
 complexity and portability, and none are that good at this point.  If
 you're running on a port higher than 1024, than you don't need to run
 as
 root at all.

 Yoav Shapira
 Millennium ChemInformatics


 -Original Message-
 From: Latesha Williams [mailto:[EMAIL PROTECTED]
 Sent: Friday, July 18, 2003 3:55 PM
 To: Tomcat Users List
 Subject: Running Tomcat as Non-Root

 Is it possible to run Tomcat as a non-root user, with root as the
 owner
 of
 the entire Tomcat directory structure and grant file/directory
 permissions
 to the non-root account?  Please advise.





-
 To unsubscribe, e-mail: [EMAIL PROTECTED]
 For additional commands, e-mail: [EMAIL PROTECTED]




 This e-mail, including any attachments, is a confidential business
 communication, and may contain information that is confidential,
 proprietary and/or privileged.  This e-mail is intended only for the
 individual(s) to whom it is addressed, and may not be saved, copied,
 printed, disclosed or used by anyone else.  If you are not the(an)
 intended recipient, please immediately delete this e-mail from your
 computer system and notify the sender.  Thank you.


 -
 To unsubscribe, e-mail: [EMAIL PROTECTED]
 For additional commands, e-mail: [EMAIL PROTECTED]


 -
 To unsubscribe, e-mail: [EMAIL PROTECTED]
 For additional commands, e-mail: [EMAIL PROTECTED]




 This e-mail, including any attachments, is a confidential business
 communication, and may contain information that is confidential,
 proprietary and/or privileged.  This e-mail is intended only for the
 individual(s) to whom it is addressed, and may not be saved, copied,
 printed

RE: Running Tomcat as Non-Root

2003-07-18 Thread Lawrence, Gabriel
It's a java problem as the OSes that block access to 1024 ports give
native code api's to open these ports and then loose the root privs.
Java should allow those of us who are interested in running java
services to have the option to take advantage of this. 

I've filed a bug. When I get a bug number I'll post it. If you want to
comment on how you think it's a good idea or a bad idea you can feel
free to do it there. 

Lets take the rest of this discussion off the tomcat list.

-gabe

-Original Message-
From: Lukas Bradley [mailto:[EMAIL PROTECTED] 
Sent: Friday, July 18, 2003 2:02 PM
To: [EMAIL PROTECTED]
Subject: Re: Running Tomcat as Non-Root

Yes, but is this a Java problem, or is this an OS related
problem/feature?

IMHO, since UNIX/LINUX is doing the restricting of port traffic, the
problem
resides with the OS, not with Java.  Adding an API to shift the native
security model is out of scope.

Why don't particular flavors of the OS allow for  1024 to be non-root?

Lukas

Lawrence, Gabriel [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 So I'm going to take that as a no. No one has bothered to pester sun
 about this.

 And yes, the way things tend to work today is that people run these
 things with extra JVMs, although if its running on port 25 they'd all
 have to be running as root.

 So I realize that its possible that you could only drop privs down to
a
 single user in the vm, but gee wouldn't that be hugely better then
what
 we have today, where if I want to run 1024 I have to run as
superuser?

 Surely you can see the benefit.
 -gabe




-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



RE: Running Tomcat as Non-Root

2003-07-18 Thread Lawrence, Gabriel
Hey,

that looks really useful. Thanks for pointing it out. Exactly what I'd like to see 
drawn into the platform, but I guess since its here already no need to wait :-)

-gabe


-Original Message-
From:   Bill Barker [mailto:[EMAIL PROTECTED]
Sent:   Fri 7/18/2003 7:40 PM
To: [EMAIL PROTECTED]
Cc: 
Subject:Re: Running Tomcat as Non-Root
While this is flaming out of control ;-):
Let me point out that there is jakarta-commons-sandbox/daemon that allows
you to do this right now (i.e. launch as root, Tomcat binds to port 80, and
then setuid to a non-privileged user before Tomcat actually handles any
request). It also allows you to stop (gracefully) by sending a SIGTERM
signal, or to restart by sending a SIGHUP.  I'm pretty happy with it on the
Linux box that I'm using it on.

Lawrence, Gabriel [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
Right. I'm saying has anyone looked into submitting something to sun
asking them to make it possible to start up a process as root an then
drop down to another user like most native services do?

I want that bridge between native user credentials and capabilities, and
the ability to switch which nave user I'm running on (assuming the user
I'm running with has that capability.)

This is missing in Java.
-gabe

-Original Message-
From: Shapira, Yoav [mailto:[EMAIL PROTECTED]
Sent: Friday, July 18, 2003 1:21 PM
To: Tomcat Users List
Subject: RE: Running Tomcat as Non-Root


Howdy,
Huh???  Have you looked at java.security.AccessController#doPrivileged()
?

The issue is that port binding is a native operation and there's no
bridge between the JDK java.security.Principal and the native user
credentials needed to open the port.

Yoav Shapira
Millennium ChemInformatics


-Original Message-
From: Lawrence, Gabriel [mailto:[EMAIL PROTECTED]
Sent: Friday, July 18, 2003 4:06 PM
To: Tomcat Users List
Subject: RE: Running Tomcat as Non-Root

Has any one submitted a request to get dropping privs into the JDK? Or
escalating privs to grab one of these ports and then dropping them
again?

As I see this request over and over again on this list I think there is
a large number of people who would like to see it or would vote for it
in the java bug parade.

It also seems rather important for running a secure service to manage
the privs. I know I could use a security manager/policy to restrict
what
can happen, but this doesn't restrict native libraries loaded into the
process and requires more work on our part then just allowing the JDK
to
loose its privs...

-gabe

-Original Message-
From: Shapira, Yoav [mailto:[EMAIL PROTECTED]
Sent: Friday, July 18, 2003 12:58 PM
To: Tomcat Users List
Subject: RE: Running Tomcat as Non-Root


Howdy,
Are you running on a unix OS?  If so, root is normally required if you
want to run on a port  1024.  There are workarounds, but they vary in
complexity and portability, and none are that good at this point.  If
you're running on a port higher than 1024, than you don't need to run
as
root at all.

Yoav Shapira
Millennium ChemInformatics


-Original Message-
From: Latesha Williams [mailto:[EMAIL PROTECTED]
Sent: Friday, July 18, 2003 3:55 PM
To: Tomcat Users List
Subject: Running Tomcat as Non-Root

Is it possible to run Tomcat as a non-root user, with root as the
owner
of
the entire Tomcat directory structure and grant file/directory
permissions
to the non-root account?  Please advise.




-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




This e-mail, including any attachments, is a confidential business
communication, and may contain information that is confidential,
proprietary and/or privileged.  This e-mail is intended only for the
individual(s) to whom it is addressed, and may not be saved, copied,
printed, disclosed or used by anyone else.  If you are not the(an)
intended recipient, please immediately delete this e-mail from your
computer system and notify the sender.  Thank you.


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




This e-mail, including any attachments, is a confidential business
communication, and may contain information that is confidential,
proprietary and/or privileged.  This e-mail is intended only for the
individual(s) to whom it is addressed, and may not be saved, copied,
printed, disclosed or used by anyone else.  If you are not the(an)
intended recipient, please immediately delete this e-mail from your
computer system and notify the sender.  Thank you.


-
To unsubscribe, e-mail: [EMAIL PROTECTED

Trouble with clustering ending tomcat process on 4.1.24

2003-07-14 Thread Lawrence, Gabriel
Howdy,

I've noticed that sporadically my tomcat process dies with the following
error in the Catalina.out. Anyone have any ideas on whats going on?
Obviously an exception of somesort, but why the exception?

Thanks,
-gabe

[InMemoryReplicationManager]   storing attribute 'artifactbinding' with
value 'e
[EMAIL PROTECTED]'
[InMemoryReplicationManager] Session queued for replication
ReplicatedSession id=C54825CD094CEB71F3E891B19D34BA0E
ref=StandardSession[C54825
CD094CEB71F3E891B19D34BA0E]
name=userID; [EMAIL PROTECTED]
name=authResult;
value=edu.ucsd.security.ldapauth.LDAPAuthenticationResu
[EMAIL PROTECTED]
name=artifactbinding;
value=edu.ucsd.security.saml.server.SamlArtifactBi
[EMAIL PROTECTED]
LastAccess=1058226313531

file sync interval: 60091
file sync: 1
ServerLifecycleListener: destroyMBeans: Throwable
javax.management.InstanceNotFoundException: MBeanServer cannot find
MBean with O
bjectName
Catalina:type=Valve,sequence=18528421,path=/a4,host=asdfasdf.ucsd.edu,se
rvic
e=Tomcat-Standalone
at
mx4j.server.MBeanServerImpl.findMBeanMetaData(MBeanServerImpl.java:52
8)
at
mx4j.server.MBeanServerImpl.unregisterMBean(MBeanServerImpl.java:1165
)
at
org.apache.catalina.mbeans.MBeanUtils.destroyMBean(MBeanUtils.java:22
89)
at
org.apache.catalina.mbeans.ServerLifecycleListener.destroyMBeans(Serv
erLifecycleListener.java:930)
at
org.apache.catalina.mbeans.ServerLifecycleListener.destroyMBeans(Serv
erLifecycleListener.java:1165)
at
org.apache.catalina.mbeans.ServerLifecycleListener.destroyMBeans(Serv
erLifecycleListener.java:1114)
at
org.apache.catalina.mbeans.ServerLifecycleListener.destroyMBeans(Serv
erLifecycleListener.java:1296)
at
org.apache.catalina.mbeans.ServerLifecycleListener.destroyMBeans(Serv
erLifecycleListener.java:1268)
at
org.apache.catalina.mbeans.ServerLifecycleListener.destroyMBeans(Serv
erLifecycleListener.java:873)
at
org.apache.catalina.mbeans.ServerLifecycleListener.lifecycleEvent(Ser
verLifecycleListener.java:254)
at
org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(Lifecycl
eSupport.java:166)
at
org.apache.catalina.core.StandardServer.stop(StandardServer.java:2219
)
at
org.apache.catalina.startup.Catalina$CatalinaShutdownHook.run(Catalin
a.java:624)
Stopping service Tomcat-Standalone
[InMemoryReplicationManager] Stopping

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



RE: In memory session replication and session listeners?

2003-06-13 Thread Lawrence, Gabriel
Flip,

Got it. That's an easy, crafty way to do it. Will try it out and let you
know how it works. 

-gabe

-Original Message-
From: Filip Hanik [mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 12, 2003 9:19 PM
To: Tomcat Users List
Subject: RE: In memory session replication and session listeners?

The session listener is only notified on the machine the value actually
gets
set.
Session data doesn't get replicated using the
setAttribute/removeAttribute
methods, but pure serialization.

And for now, the clustering doesn't have a public API to send your own
data
through it.
one way you an do it, is to implement the java.io.Externilizable
interface,
and when the data gets
deserialized, then set the stuff in your global variable, just remember
to
only set it once.

do you see where I am going with this?

Filip

 -Original Message-
 From: Lawrence, Gabriel [mailto:[EMAIL PROTECTED]
 Sent: Thursday, June 12, 2003 4:18 PM
 To: Tomcat Users List
 Subject: In memory session replication and session listeners?


 I'm using the tomcat 4 clustering stuff found at:

 http://cvs.apache.org/~fhanik/index.html

 And I have one issue. I have a service that tracks some information
that
 is reported outside the users session. This is examined by a different
 client then the users client. I want to keep this global information
in
 sync across my loadbalanced servers, as I can't necessarily predict
 which server the this different client is going to hit.

 The way it works without clustering is that I have a session listener
 set up that gets notified whenever data is added to a users session.
 This then triggers a update to my global store as well. What I think
I'm
 seeing is that when session information is replicated to my other
 server, the fact that something was set isn't triggering a session
 listener call on the other server. Does that mesh with peoples
 understanding?

 Is there a way I can get it to?

 Thanks!
 -gabe

 -
 To unsubscribe, e-mail: [EMAIL PROTECTED]
 For additional commands, e-mail: [EMAIL PROTECTED]




-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



In memory session replication and session listeners?

2003-06-12 Thread Lawrence, Gabriel
I'm using the tomcat 4 clustering stuff found at:

http://cvs.apache.org/~fhanik/index.html

And I have one issue. I have a service that tracks some information that
is reported outside the users session. This is examined by a different
client then the users client. I want to keep this global information in
sync across my loadbalanced servers, as I can't necessarily predict
which server the this different client is going to hit. 

The way it works without clustering is that I have a session listener
set up that gets notified whenever data is added to a users session.
This then triggers a update to my global store as well. What I think I'm
seeing is that when session information is replicated to my other
server, the fact that something was set isn't triggering a session
listener call on the other server. Does that mesh with peoples
understanding? 

Is there a way I can get it to?

Thanks!
-gabe

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



RE: Why does Oracle in JSP uses multiple ports.

2003-06-09 Thread Lawrence, Gabriel
There was a config option to stop this and make oracle just use 1521
that I used a couple years back for this very purpose...

Here's a discussion about how the problem and how to get oracle to just
use a single port:

http://www.stunnel.org/examples/oracle.html

-gabe

-Original Message-
From: Tim Funk [mailto:[EMAIL PROTECTED] 
Sent: Monday, June 09, 2003 8:01 AM
To: Tomcat Users List
Subject: Re: Why does Oracle in JSP uses multiple ports.

I have just learned that the thin driver uses 1521 to begin the
conversation. 
But that is just a handshake. The handshake then says - Let's finish
the 
rest of our work on another higher port where the higher port is a
range of 
ports.

So you need a whole range of ports open. :(

-Tim

Brad Rhoads wrote:
 My client had to open port 1521 between the webserver and Oracle DB
server.
 This makes sense. But he also had to open port 33047 for our
application
 pointing to the test SID and 40147 for the copy of the app pointing to
the
 prod SID. Both ProdApp and TestApp are exactly the same except for the
 Oracle SID.
 
 Here's part of the log from their Check Point firewall (before they
opened
 up these other ports):
 
 service sqlnet2-1521 is port 1521
 service WebServer is port 40147
 
 
 NumberDateTimeAction  Service Source
Destination Protocol
 45488  5Jun2003   8:30:17 Accept  sqlnet2-1521WebServer
synapse.berlinind   tcp
 45489  5Jun2003   8:30:17 DropSynapseWeb
WebServer   synapse.berlinind   tcp
 45708  5Jun2003   8:31:50 DropSynapseWeb
WebServer   synapse.berlinind   tcp
 
 
 Every SQL request sent through one 1521 which was accepted, and 2
40147s
 which were dropped.
 
 Can anyone explain this?
 
 
 -
 To unsubscribe, e-mail: [EMAIL PROTECTED]
 For additional commands, e-mail: [EMAIL PROTECTED]
 
 


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]