diff --git a/Dockerfile b/Dockerfile
index afe86021..d74e4cbd 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -6,7 +6,7 @@ RUN yum update -y \
 RUN yum install -y wget tar unzip dos2unix patch
     
 ARG GROUPER_CONTAINER_VERSION
-ENV GROUPER_VERSION=2.5.35 \
+ENV GROUPER_VERSION=2.5.36 \
      GROUPER_CONTAINER_VERSION=$GROUPER_CONTAINER_VERSION
 
 # Install Corretto Java JDK
@@ -32,7 +32,7 @@ RUN echo 'Installing Grouper'; \
     cd /opt/grouper/$GROUPER_VERSION/ \
     && $JAVA_HOME/bin/java -cp :grouperInstaller.jar edu.internet2.middleware.grouperInstaller.GrouperInstaller
 FROM centos:centos7 as cleanup
-ENV GROUPER_VERSION=2.5.35 \
+ENV GROUPER_VERSION=2.5.36 \
     TOMEE_VERSION=7.0.0
 RUN mkdir -p /opt/grouper/grouperWebapp/
 RUN mkdir -p /opt/tomee/
@@ -88,6 +88,17 @@ COPY container_files/httpd/* /etc/httpd/conf.d/
 COPY container_files/shibboleth/* /etc/shibboleth/
 RUN cp /dev/null /etc/httpd/conf.d/ssl.conf 
 
+# keep backup of files
+RUN mkdir -p /opt/tier-support/originalFiles ; \
+  cp /opt/grouper/grouperWebapp/WEB-INF/classes/log4j.properties /opt/tier-support/originalFiles 2>/dev/null ; \
+  cp /etc/httpd/conf/httpd.conf /opt/tier-support/originalFiles 2>/dev/null ; \
+  cp /etc/httpd/conf.d/ssl-enabled.conf /opt/tier-support/originalFiles 2>/dev/null ; \
+  cp /etc/httpd/conf.d/httpd-shib.conf /opt/tier-support/originalFiles 2>/dev/null ; \
+  cp /etc/httpd/conf.d/shib.conf /opt/tier-support/originalFiles 2>/dev/null ; \
+  cp /opt/tomee/conf/server.xml /opt/tier-support/originalFiles 2>/dev/null ; \
+  cp /opt/tomee/conf/Catalina/localhost/grouper.xml /opt/tier-support/originalFiles 2>/dev/null ; \
+  cp /opt/grouper/grouperWebapp/WEB-INF/web.xml /opt/tier-support/originalFiles 2>/dev/null
+
 WORKDIR /opt/grouper/grouperWebapp/WEB-INF/
 EXPOSE 80 443
 HEALTHCHECK NONE
diff --git a/container_files/tier-support/test/grouperContainerUnitTest.sh b/container_files/tier-support/test/grouperContainerUnitTest.sh
index 94263e77..d6018e82 100644
--- a/container_files/tier-support/test/grouperContainerUnitTest.sh
+++ b/container_files/tier-support/test/grouperContainerUnitTest.sh
@@ -5,7 +5,7 @@ if [ "$#" -ne 4 ]; then
   exit 1
 fi
 
-expectedSuccesses=554
+expectedSuccesses=626
 
 export containerName=$1
 export imageName=$2
@@ -27,6 +27,7 @@ export failureCount=0
 . ./grouperContainerUnitTestSelfSigned.sh
 . ./grouperContainerUnitTestScim.sh
 . ./grouperContainerUnitTestWs.sh
+. ./grouperContainerUnitTestWsAuthn.sh
 . ./grouperContainerUnitTestQuickstart.sh
 . ./grouperContainerUnitTestUiSubimage.sh
 . ./grouperContainerUnitTestUiSubimageNonroot.sh
@@ -39,6 +40,7 @@ testContainerSelfSigned
 testContainerUiDifferentPorts
 testContainerScim
 testContainerWs
+testContainerWsAuthn
 testContainerQuickstart
 testContainerDaemon
 testContainerUiSubimage
@@ -47,6 +49,7 @@ testContainerUiSubimageNonroot
 dockerRemoveContainer
 dockerRemoveSubimage
 
+
 echo ""
 echo "$successCount successes, $failureCount failures"
 if [ "$successCount" = "$expectedSuccesses" ] && [ "$failureCount" = "0" ]  ; then
diff --git a/container_files/tier-support/test/grouperContainerUnitTestUi.sh b/container_files/tier-support/test/grouperContainerUnitTestUi.sh
index 85c2e6eb..08e0f1a8 100644
--- a/container_files/tier-support/test/grouperContainerUnitTestUi.sh
+++ b/container_files/tier-support/test/grouperContainerUnitTestUi.sh
@@ -47,6 +47,7 @@ testContainerUi() {
   assertFileNotContains /etc/httpd/conf/httpd.conf "Options Indexes"
 
   assertFileContains /opt/grouper/grouperWebapp/WEB-INF/classes/log4j.properties "/tmp/logpipe"
+  assertFileContains /opt/tomee/conf/web.xml "<session-timeout>600</session-timeout>"
   assertFileContains /opt/grouper/grouperWebapp/WEB-INF/classes/log4j.properties "grouper-ui;"
 
   assertFileNotContains /opt/grouper/grouperWebapp/WEB-INF/classes/grouper.hibernate.properties grouperPasswordConfigOverride_UI_GrouperSystem_pass.elConfig
diff --git a/container_files/tier-support/test/grouperContainerUnitTestUiNoSsl.sh b/container_files/tier-support/test/grouperContainerUnitTestUiNoSsl.sh
index d3dfdba1..6da3e950 100644
--- a/container_files/tier-support/test/grouperContainerUnitTestUiNoSsl.sh
+++ b/container_files/tier-support/test/grouperContainerUnitTestUiNoSsl.sh
@@ -12,11 +12,11 @@ testContainerUiNoSsl() {
   echo
   echo '################'
   echo Running container as ui without SSL
-  echo "docker run --detach --name $containerName --publish 443:443 -e GROUPER_USE_SSL=false -e GROUPER_TOMCAT_LOG_ACCESS=true -e GROUPER_APACHE_DIRECTORY_INDEXES=true $imageName ui"
+  echo "docker run --detach --name $containerName --publish 443:443 -e GROUPER_USE_SSL=false -e GROUPER_TOMCAT_LOG_ACCESS=true -e GROUPER_APACHE_DIRECTORY_INDEXES=true -e GROUPER_TOMCAT_SESSION_TIMEOUT_MINUTES=30 $imageName ui"
   echo '################'
   echo
 
-  docker run --detach --name $containerName --publish 443:443 -e GROUPER_USE_SSL=false -e GROUPER_TOMCAT_LOG_ACCESS=true -e GROUPER_APACHE_DIRECTORY_INDEXES=true $imageName ui
+  docker run --detach --name $containerName --publish 443:443 -e GROUPER_USE_SSL=false -e GROUPER_TOMCAT_LOG_ACCESS=true -e GROUPER_APACHE_DIRECTORY_INDEXES=true -e GROUPER_TOMCAT_SESSION_TIMEOUT_MINUTES=30 $imageName ui
   sleep $globalSleepSecondsAfterRun
 
   assertFileExists /etc/httpd/conf.d/ssl-enabled.conf.dontuse
@@ -33,6 +33,8 @@ testContainerUiNoSsl() {
   assertFileContains /opt/tier-support/supervisord.conf "user=shibd"
   assertFileNotContains /opt/tier-support/supervisord.conf "__"
   assertFileContains /opt/tomee/conf/server.xml "AccessLogValve"
+  assertFileContains /opt/tomee/conf/web.xml "<session-timeout>30</session-timeout>"
+  
 
   assertEnvVar GROUPER_TOMCAT_LOG_ACCESS "true"
   assertEnvVar GROUPERSCIM_PROXY_PASS "#"
diff --git a/container_files/tier-support/test/grouperContainerUnitTestWs.sh b/container_files/tier-support/test/grouperContainerUnitTestWs.sh
index 69953d61..710f9530 100644
--- a/container_files/tier-support/test/grouperContainerUnitTestWs.sh
+++ b/container_files/tier-support/test/grouperContainerUnitTestWs.sh
@@ -26,6 +26,10 @@ testContainerWs() {
   assertFileNotExists "/opt/grouper/grouperWebapp/WEB-INF/lib/grouper-messaging-activemq-$grouperVersion.jar"
   assertFileExists "/opt/grouper/grouperWebapp/WEB-INF/libUiAndDaemon/grouper-messaging-activemq-$grouperVersion.jar"
 
+  assertFileNotContains /opt/grouper/grouperWebapp/WEB-INF/web.xml "<auth-method>BASIC</auth-method>"
+  assertFileNotContains /opt/tomee/conf/server.xml 'tomcatAuthentication="true"'
+  assertFileContains /opt/tomee/conf/server.xml 'tomcatAuthentication="false"'
+
   assertFileContains /etc/httpd/conf.d/ssl-enabled.conf "Listen 443 https"
   assertFileNotContains /etc/httpd/conf.d/ssl-enabled.conf "__"
   assertFileContains /etc/httpd/conf/httpd.conf "Listen 80"
@@ -38,6 +42,7 @@ testContainerWs() {
   assertFileContains /etc/httpd/conf.d/ssl-enabled.conf /etc/pki/tls/certs/localhost.crt
 
   assertFileContains /opt/tomee/conf/Catalina/localhost/grouper-ws.xml 'cookies="false"'
+  assertFileContains /opt/tomee/conf/web.xml "<session-timeout>1</session-timeout>"
 
   assertFileContains /opt/grouper/grouperWebapp/WEB-INF/classes/log4j.properties "grouper-ws;"
 
diff --git a/container_files/tier-support/test/grouperContainerUnitTestWsAuthn.sh b/container_files/tier-support/test/grouperContainerUnitTestWsAuthn.sh
new file mode 100644
index 00000000..dfdf4f89
--- /dev/null
+++ b/container_files/tier-support/test/grouperContainerUnitTestWsAuthn.sh
@@ -0,0 +1,99 @@
+#!/bin/bash
+
+testContainerWsAuthn() {
+
+  if [ "$#" -ne 0 ]; then
+    echo "You must enter exactly 0 command line arguments"
+    exit 1
+  fi
+
+  dockerRemoveContainer
+
+  echo
+  echo '################'
+  echo Running container as ws with tomcat authn
+  echo "docker run --detach --name $containerName --publish 443:443 -e GROUPER_SELF_SIGNED_CERT=true -e GROUPER_APACHE_SERVER_NAME=https://a.b.c:443 -e GROUPER_WS_TOMCAT_AUTHN=true $imageName ws"
+  echo '################'
+  echo
+
+  docker run --detach --name $containerName --publish 443:443 -e GROUPER_SELF_SIGNED_CERT=true -e GROUPER_APACHE_SERVER_NAME=https://a.b.c:443 -e GROUPER_WS_TOMCAT_AUTHN=true $imageName ws
+  sleep $globalSleepSecondsAfterRun
+
+  assertFileExists /opt/grouper/grouperWebapp/WEB-INF/libWs/axis2-kernel-1.6.4.jar
+  assertFileExists /opt/grouper/grouperWebapp/WEB-INF/lib/axis2-kernel-1.6.4.jar
+  assertFileExists /opt/grouper/grouperWebapp/WEB-INF/libScim/stax-api-1.0-2.jar
+  assertFileNotExists /opt/grouper/grouperWebapp/WEB-INF/lib/stax-api-1.0-2.jar
+  assertFileNotExists "/opt/grouper/grouperWebapp/WEB-INF/lib/grouper-messaging-activemq-$grouperVersion.jar"
+  assertFileExists "/opt/grouper/grouperWebapp/WEB-INF/libUiAndDaemon/grouper-messaging-activemq-$grouperVersion.jar"
+
+  assertFileContains /opt/grouper/grouperWebapp/WEB-INF/web.xml "<auth-method>BASIC</auth-method>"
+  assertFileContains /opt/tomee/conf/server.xml 'tomcatAuthentication="true"'
+  assertFileNotContains /opt/tomee/conf/server.xml 'tomcatAuthentication="false"'
+
+  assertFileContains /etc/httpd/conf.d/ssl-enabled.conf "Listen 443 https"
+  assertFileNotContains /etc/httpd/conf.d/ssl-enabled.conf "__"
+  assertFileContains /etc/httpd/conf/httpd.conf "Listen 80"
+  assertFileNotContains /opt/tier-support/supervisord.conf "program:shibbolethsp"
+  assertFileContains /opt/tier-support/supervisord.conf "program:tomee"
+  assertFileContains /opt/tier-support/supervisord.conf "program:httpd"
+  assertFileNotContains /opt/tier-support/supervisord.conf "user=shibd"
+  assertFileNotContains /opt/tier-support/supervisord.conf "__"
+  assertFileNotContains /etc/httpd/conf.d/ssl-enabled.conf cachain.pem
+  assertFileContains /etc/httpd/conf.d/ssl-enabled.conf /etc/pki/tls/certs/localhost.crt
+
+  assertFileContains /opt/tomee/conf/Catalina/localhost/grouper-ws.xml 'cookies="false"'
+  assertFileContains /opt/tomee/conf/web.xml "<session-timeout>1</session-timeout>"
+
+  assertFileContains /opt/grouper/grouperWebapp/WEB-INF/classes/log4j.properties "grouper-ws;"
+
+  assertFileContains /etc/httpd/conf.d/grouper-www.conf "3600"
+  assertFileNotContains /etc/httpd/conf.d/grouper-www.conf "__"
+
+  assertFileContains /etc/httpd/conf.d/grouper-www.conf "ServerName https://a.b.c:443"
+  assertFileContains /etc/httpd/conf.d/grouper-www.conf "UseCanonicalName On"
+
+  assertEnvVar GROUPER_APACHE_SERVER_NAME https://a.b.c:443
+  assertEnvVar GROUPERSCIM_PROXY_PASS "#"
+  assertEnvVar GROUPERSCIM_URL_CONTEXT "grouper-ws-scim"
+  assertEnvVar GROUPERWS_PROXY_PASS ""
+  assertEnvVar GROUPERWS_URL_CONTEXT "grouper-ws"
+  assertEnvVar GROUPER_APACHE_AJP_TIMEOUT_SECONDS "3600"
+  assertEnvVar GROUPER_APACHE_NONSSL_PORT "80"
+  assertEnvVar GROUPER_APACHE_SSL_PORT "443"
+  assertEnvVar GROUPER_CHOWN_DIRS "true"
+  assertEnvVar GROUPER_CONTAINER_VERSION "$containerVersion"
+  assertEnvVar GROUPER_DAEMON "false"
+  assertEnvVar GROUPER_GSH_CHECK_USER "true"
+  assertEnvVar GROUPER_GSH_USER "tomcat"
+  assertEnvVar GROUPER_HOME "/opt/grouper/grouperWebapp/WEB-INF"
+  assertEnvVar GROUPER_LOG_PREFIX "grouper-ws"
+  assertEnvVar GROUPER_MAX_MEMORY "1500m"
+  assertEnvVar GROUPER_PROXY_PASS "#"
+  assertEnvVar GROUPER_RUN_APACHE "true"
+  assertEnvVar GROUPER_RUN_PROCESSES_AS_USERS "true"
+  assertEnvVarNot GROUPER_RUN_SHIB_SP "true"
+  assertEnvVar GROUPER_RUN_TOMEE "true"
+  assertEnvVar GROUPER_SCIM "false"
+  assertEnvVar GROUPER_SCIM_GROUPER_AUTH "false"
+  assertEnvVar GROUPER_TOMCAT_CONTEXT "grouper-ws"
+  assertEnvVar GROUPER_UI "false"
+  assertEnvVar GROUPER_UI_CONFIGURATION_EDITOR_SOURCEIPADDRESSES "127.0.0.1/32"
+  assertEnvVar GROUPER_UI_GROUPER_AUTH "false"
+  assertEnvVarNot GROUPER_UI_ONLY "true"
+  assertEnvVar GROUPER_URL_CONTEXT "grouper"
+  assertEnvVar GROUPER_USE_SSL "true"
+  assertEnvVar GROUPER_WS "true"
+  assertEnvVar GROUPER_WS_GROUPER_AUTH "false"
+  assertEnvVar GROUPER_WS_ONLY "true"
+
+  assertNumberOfTomcatProcesses 1
+  assertNumberOfApacheProcesses 5
+  assertNumberOfShibProcesses 0
+
+  assertListeningOnPort 443
+  assertListeningOnPort 80
+  assertListeningOnPort 8009
+  assertNotListeningOnPort 9001
+
+}
+export -f testContainerWsAuthn
diff --git a/container_files/tier-support/test/rebuildTestContainer.sh b/container_files/tier-support/test/rebuildTestContainer.sh
index cc8ce32e..d5ee7892 100644
--- a/container_files/tier-support/test/rebuildTestContainer.sh
+++ b/container_files/tier-support/test/rebuildTestContainer.sh
@@ -1,14 +1,15 @@
 #/bin/bash
 
-if [ "$#" -ne 2 ]; then
-  echo "You must enter exactly 2 command line arguments: grouper base container version, grouper_container_git_base_dir"
-  echo "rebuildTestContainer.sh 2.5.33 /mnt/c/mchyzer/git/grouper_container"
+if [ "$#" -ne 3 ]; then
+  echo "You must enter exactly 3 command line arguments: grouper base image name, grouper base container version, grouper_container_git_base_dir"
+  echo "rebuildTestContainer.sh i2incommon/grouper:2.5.35 2.5.35 /mnt/c/git/grouper_container"
   exit 1
 fi
 
-export grouperBaseContainerVersion=$1
-export grouperContainerGitPath=$2
-export subimageName=my-grouper-$1
+export grouperBaseImageName=$1
+export grouperBaseContainerVersion=$2
+export grouperContainerGitPath=$3
+export subimageName=my-grouper-$2
 
 export reldir=`dirname $0`
 
@@ -18,8 +19,10 @@ rsync -avzpl $grouperContainerGitPath/container_files/usr-local-bin/* $reldir/sl
 
 rsync -avzpl $grouperContainerGitPath/container_files/tier-support/test/grouper*.sh $reldir
 
-mkdir -p $reldir/slashRoot/opt/tomee/conf
-rsync -avzpl $grouperContainerGitPath/container_files/tomee/conf/* $reldir/slashRoot/opt/tomee/conf/
+#mkdir -p $reldir/slashRoot/opt/tomee/conf
+#rsync -avzpl $grouperContainerGitPath/container_files/tomee/conf/* $reldir/slashRoot/opt/tomee/conf/
+
+sed -i "s|__BASE_CONTAINER__|$grouperBaseImageName|g" "$reldir/testContainer.Dockerfile"
 
 docker build -f $reldir/testContainer.Dockerfile -t $subimageName --build-arg GROUPER_VERSION=$grouperBaseContainerVersion $reldir
 
diff --git a/container_files/tier-support/test/testContainer.Dockerfile b/container_files/tier-support/test/testContainer.Dockerfile
index 5f391e07..b1fbfc1b 100644
--- a/container_files/tier-support/test/testContainer.Dockerfile
+++ b/container_files/tier-support/test/testContainer.Dockerfile
@@ -1,8 +1,8 @@
 # this matches the version you decided on from release notes
 ARG GROUPER_VERSION=2.5.XX
  
-#  --build-arg GROUPER_VERSION=${VARIABLE_NAME}
-FROM i2incommon/grouper:${GROUPER_VERSION}
+#  --build-arg GROUPER_VERSION=${VARIABLE_NAME} i2incommon/grouper:${GROUPER_VERSION}
+FROM __BASE_CONTAINER__
  
 # this will overlay all the files from /opt/grouperContainer/slashRoot on to /
 COPY slashRoot /
diff --git a/container_files/tier-support/web.wsTomcatAuthn.xml b/container_files/tier-support/web.wsTomcatAuthn.xml
new file mode 100644
index 00000000..0062ba9e
--- /dev/null
+++ b/container_files/tier-support/web.wsTomcatAuthn.xml
@@ -0,0 +1,41 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<web-app xmlns:j2ee="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
+  version="2.4">
+
+  <security-constraint>
+    <web-resource-collection>
+      <web-resource-name>Web services</web-resource-name>
+      <url-pattern>/services/*</url-pattern>
+    </web-resource-collection>
+    <auth-constraint>
+      <role-name>grouper_user</role-name>
+    </auth-constraint>
+  </security-constraint>
+
+  <security-constraint>
+    <web-resource-collection>
+      <web-resource-name>Web services</web-resource-name>
+      <url-pattern>/servicesRest/*</url-pattern>
+    </web-resource-collection>
+    <auth-constraint>
+      <!-- NOTE:  This role is not present in the default users file -->
+      <role-name>grouper_user</role-name>
+    </auth-constraint>
+  </security-constraint>
+
+  <!-- Define the Login Configuration for this Application -->
+  <login-config>
+    <auth-method>BASIC</auth-method>
+    <realm-name>Grouper Application</realm-name>
+  </login-config>
+
+  <!-- Security roles referenced by this web application -->
+  <security-role>
+    <description>
+      The role that is required to log in to web service
+    </description>
+    <role-name>grouper_user</role-name>
+  </security-role>
+  
+</web-app>
\ No newline at end of file
diff --git a/container_files/tomee/conf/server.xml.tomcatAuthn b/container_files/tomee/conf/server.xml.tomcatAuthn
deleted file mode 100644
index f1b23fce..00000000
--- a/container_files/tomee/conf/server.xml.tomcatAuthn
+++ /dev/null
@@ -1,169 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
-  Licensed to the Apache Software Foundation (ASF) under one or more
-  contributor license agreements.  See the NOTICE file distributed with
-  this work for additional information regarding copyright ownership.
-  The ASF licenses this file to You under the Apache License, Version 2.0
-  (the "License"); you may not use this file except in compliance with
-  the License.  You may obtain a copy of the License at
-
-      http://www.apache.org/licenses/LICENSE-2.0
-
-  Unless required by applicable law or agreed to in writing, software
-  distributed under the License is distributed on an "AS IS" BASIS,
-  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-  See the License for the specific language governing permissions and
-  limitations under the License.
--->
-<!-- Note:  A "Server" is not itself a "Container", so you may not
-     define subcomponents such as "Valves" at this level.
-     Documentation at /docs/config/server.html
- -->
-<Server port="8005" shutdown="SHUTDOWN">
-  <!-- TomEE plugin for Tomcat -->
-  <Listener className="org.apache.tomee.catalina.ServerListener" />
-  <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
-  <!-- Security listener. Documentation at /docs/config/listeners.html
-  <Listener className="org.apache.catalina.security.SecurityListener" />
-  -->
-  <!--APR library loader. Documentation at /docs/apr.html -->
-  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
-  <!-- Prevent memory leaks due to use of particular java/javax APIs-->
-  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
-  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
-  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
-
-  <!-- Global JNDI resources
-       Documentation at /docs/jndi-resources-howto.html
-  -->
-  <GlobalNamingResources>
-    <!-- Editable user database that can also be used by
-         UserDatabaseRealm to authenticate users
-    -->
-    <Resource name="UserDatabase" auth="Container"
-              type="org.apache.catalina.UserDatabase"
-              description="User database that can be updated and saved"
-              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
-              pathname="conf/tomcat-users.xml" />
-  </GlobalNamingResources>
-
-  <!-- A "Service" is a collection of one or more "Connectors" that share
-       a single "Container" Note:  A "Service" is not itself a "Container",
-       so you may not define subcomponents such as "Valves" at this level.
-       Documentation at /docs/config/service.html
-   -->
-  <Service name="Catalina">
-
-    <!--The connectors can use a shared executor, you can define one or more named thread pools-->
-    <!--
-    <Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
-        maxThreads="150" minSpareThreads="4"/>
-    -->
-
-
-    <!-- A "Connector" represents an endpoint by which requests are received
-         and responses are returned. Documentation at :
-         Java HTTP Connector: /docs/config/http.html
-         Java AJP  Connector: /docs/config/ajp.html
-         APR (HTTP/AJP) Connector: /docs/apr.html
-         Define a non-SSL/TLS HTTP/1.1 Connector on port 8080
-    -->
-    <Connector port="8080" protocol="HTTP/1.1"
-               connectionTimeout="20000"
-               redirectPort="8443" xpoweredBy="false" server="Apache TomEE" />
-    <!-- A "Connector" using the shared thread pool-->
-    <!--
-    <Connector executor="tomcatThreadPool"
-               port="8080" protocol="HTTP/1.1"
-               connectionTimeout="20000"
-               redirectPort="8443" />
-    -->
-    <!-- Define an SSL/TLS HTTP/1.1 Connector on port 8443
-         This connector uses the NIO implementation. The default
-         SSLImplementation will depend on the presence of the APR/native
-         library and the useOpenSSL attribute of the
-         AprLifecycleListener.
-         Either JSSE or OpenSSL style configuration may be used regardless of
-         the SSLImplementation selected. JSSE style configuration is used below.
-    -->
-    <!--
-    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
-               maxThreads="150" SSLEnabled="true">
-        <SSLHostConfig>
-            <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
-                         type="RSA" xpoweredBy="false" server="Apache TomEE" />
-        </SSLHostConfig>
-    </Connector>
-    -->
-    <!-- Define an SSL/TLS HTTP/1.1 Connector on port 8443 with HTTP/2
-         This connector uses the APR/native implementation which always uses
-         OpenSSL for TLS.
-         Either JSSE or OpenSSL style configuration may be used. OpenSSL style
-         configuration is used below.
-    -->
-    <!--
-    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
-               maxThreads="150" SSLEnabled="true" >
-        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" xpoweredBy="false" server="Apache TomEE" />
-        <SSLHostConfig>
-            <Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
-                         certificateFile="conf/localhost-rsa-cert.pem"
-                         certificateChainFile="conf/localhost-rsa-chain.pem"
-                         type="RSA" />
-        </SSLHostConfig>
-    </Connector>
-    -->
-
-    <!-- Define an AJP 1.3 Connector on port 8009 -->
-    <Connector secretRequired="false" secure="true"  scheme="https"  URIEncoding="UTF-8"  tomcatAuthentication="true"  port="8009" protocol="AJP/1.3" redirectPort="8443" />
-
-
-    <!-- An Engine represents the entry point (within Catalina) that processes
-         every request.  The Engine implementation for Tomcat stand alone
-         analyzes the HTTP headers included with the request, and passes them
-         on to the appropriate Host (virtual host).
-         Documentation at /docs/config/engine.html -->
-
-    <!-- You should set jvmRoute to support load-balancing via AJP ie :
-    <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
-    -->
-    <Engine name="Catalina" defaultHost="localhost">
-
-      <!--For clustering, please take a look at documentation at:
-          /docs/cluster-howto.html  (simple how to)
-          /docs/config/cluster.html (reference documentation) -->
-      <!--
-      <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
-      -->
-
-      <!-- Use the LockOutRealm to prevent attempts to guess user passwords
-           via a brute-force attack -->
-      <Realm className="org.apache.catalina.realm.LockOutRealm">
-        <!-- This Realm uses the UserDatabase configured in the global JNDI
-             resources under the key "UserDatabase".  Any edits
-             that are performed against this UserDatabase are immediately
-             available for use by the Realm.  -->
-        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
-               resourceName="UserDatabase"/>
-      </Realm>
-
-      <Host name="localhost"  appBase="webapps"
-            unpackWARs="true" autoDeploy="true">
-
-        <!-- SingleSignOn valve, share authentication between web applications
-             Documentation at: /docs/config/valve.html -->
-        <!--
-        <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
-        -->
-
-        <!-- Access log processes all example.
-             Documentation at: /docs/config/valve.html
-             Note: The pattern used is equivalent to using pattern="common" -->
-        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
-               prefix="localhost_access_log" suffix=".txt"
-               pattern="%h %l %u %t &quot;%r&quot; %s %b" />
-
-      </Host>
-    </Engine>
-  </Service>
-</Server>
diff --git a/container_files/tomee/conf/server.xml.tomcatAuthn.patch b/container_files/tomee/conf/server.xml.tomcatAuthn.patch
deleted file mode 100644
index 9565be46..00000000
--- a/container_files/tomee/conf/server.xml.tomcatAuthn.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- server.xml.turnOnAjp	2020-07-21 22:01:04.000000000 -0400
-+++ server.xml.tomcatAuthn	2020-07-21 22:00:02.000000000 -0400
-@@ -115,7 +115,7 @@
-     -->
- 
-     <!-- Define an AJP 1.3 Connector on port 8009 -->
--    <Connector secretRequired="false" secure="true"  scheme="https"  URIEncoding="UTF-8"  tomcatAuthentication="false"  port="8009" protocol="AJP/1.3" redirectPort="8443" />
-+    <Connector secretRequired="false" secure="true"  scheme="https"  URIEncoding="UTF-8"  tomcatAuthentication="true"  port="8009" protocol="AJP/1.3" redirectPort="8443" />
- 
- 
-     <!-- An Engine represents the entry point (within Catalina) that processes
diff --git a/container_files/usr-local-bin/entrypoint.sh b/container_files/usr-local-bin/entrypoint.sh
index dcb5344c..ba8842cb 100755
--- a/container_files/usr-local-bin/entrypoint.sh
+++ b/container_files/usr-local-bin/entrypoint.sh
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 
 . /usr/local/bin/library.sh
 prep_conf
diff --git a/container_files/usr-local-bin/grouperScriptHooks.sh b/container_files/usr-local-bin/grouperScriptHooks.sh
index 5707f0c4..3b0508b7 100644
--- a/container_files/usr-local-bin/grouperScriptHooks.sh
+++ b/container_files/usr-local-bin/grouperScriptHooks.sh
@@ -1,6 +1,6 @@
-#!/bin/sh
+#!/bin/bash
 
-# Overlay this file with implementations of functions from grouperCustomShellHooksBase.sh
+# Overlay this file with implementations of functions from grouperScriptHooksBase.sh
 # dont forget to export -f your functions after implementing them like in the base file
 
 
diff --git a/container_files/usr-local-bin/grouperScriptHooksBase.sh b/container_files/usr-local-bin/grouperScriptHooksBase.sh
index c6406837..1a088143 100644
--- a/container_files/usr-local-bin/grouperScriptHooksBase.sh
+++ b/container_files/usr-local-bin/grouperScriptHooksBase.sh
@@ -1,8 +1,8 @@
-#!/bin/sh
+#!/bin/bash
 
 ### DO NOT EDIT OR OVERLAY THIS FILE
 # These definitions are here to define the functions.
-# You can overlay the grouperCustomShellHooks.sh file with any definitions of these functions
+# You can overlay the grouperScriptHooks.sh file with any definitions of these functions
 
 # called at the beginning of the container startup
 # after logging is setup
@@ -38,7 +38,7 @@ grouperScriptHooks_unsetAll() {
   unset -f grouperScriptHooks_setupFilesPost
   unset -f grouperScriptHooks_setupFilesPostChown
   unset -f grouperScriptHooks_unsetAll
-
+  unset -f grouperScriptHooks_exportAll
 }
 
 grouperScriptHooks_exportAll() {
@@ -49,7 +49,7 @@ grouperScriptHooks_exportAll() {
   export -f grouperScriptHooks_setupFilesPost
   export -f grouperScriptHooks_setupFilesPostChown
   export -f grouperScriptHooks_unsetAll
-
+  export -f grouperScriptHooks_exportAll
 }
 
 # export everything
diff --git a/container_files/usr-local-bin/library.sh b/container_files/usr-local-bin/library.sh
index 2a97ef1d..c58317a0 100755
--- a/container_files/usr-local-bin/library.sh
+++ b/container_files/usr-local-bin/library.sh
@@ -1,6 +1,11 @@
-#!/bin/sh
+#!/bin/bash
 
 echo "grouperContainer; INFO: (library.sh) Start loading library.sh"
+dos2unix /usr/local/bin/library*.sh
+echo "grouperContainer; INFO: (library.sh) dos2unix /usr/local/bin/library*.sh , result=$?"
+dos2unix /usr/local/bin/grouper*.sh
+echo "grouperContainer; INFO: (library.sh) dos2unix /usr/local/bin/grouper*.sh , result=$?"
+
 . /usr/local/bin/libraryPrep.sh
 . /usr/local/bin/libraryPrepOnly.sh
 . /usr/local/bin/libraryRunCommand.sh
@@ -14,7 +19,13 @@ echo "grouperContainer; INFO: (library.sh) Start loading library.sh"
 # base definitions of hooks
 . /usr/local/bin/grouperScriptHooksBase.sh
 
+# need this before the copy happens
+if [ -f /opt/grouper/slashRoot/usr/local/bin/grouperScriptHooks.sh ] ; then
+  cp /opt/grouper/slashRoot/usr/local/bin/grouperScriptHooks.sh /usr/local/bin/grouperScriptHooks.sh
+  echo "grouperContainer; INFO: (library.sh) cp /opt/grouper/slashRoot/usr/local/bin/grouperScriptHooks.sh /usr/local/bin/grouperScriptHooks.sh, result=$?"
+fi
 # implementations of custom hooks
 . /usr/local/bin/grouperScriptHooks.sh
+
 echo "grouperContainer; INFO: (library.sh) End loading library.sh"
 
diff --git a/container_files/usr-local-bin/libraryPrep.sh b/container_files/usr-local-bin/libraryPrep.sh
index e4ec5600..6b090586 100644
--- a/container_files/usr-local-bin/libraryPrep.sh
+++ b/container_files/usr-local-bin/libraryPrep.sh
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 
 prep_quickstart() {
     
@@ -136,10 +136,13 @@ prep_initDeprecatedEnvVars() {
 
 }
 
+
 prep_finishBegin() {
     # default a lot of env variables
     # morph defaults to null
     # database password defaults to null
+    
+      
     if [ -z "$GROUPER_UI_GROUPER_AUTH" ] ; then export GROUPER_UI_GROUPER_AUTH=false; fi
     if [ -z "$GROUPER_WS_GROUPER_AUTH" ] ; then export GROUPER_WS_GROUPER_AUTH=false; fi
     if [ -z "$GROUPER_SCIM_GROUPER_AUTH" ] ; then export GROUPER_SCIM_GROUPER_AUTH=false; fi
@@ -176,6 +179,17 @@ prep_finishBegin() {
     
     if [ -z "$GROUPER_SHIB_LOG_USE_PIPE" ]; then export GROUPER_SHIB_LOG_USE_PIPE=true; fi
     
+    #Replace web.xml session timeout with env variable
+    if [[ -z "$GROUPER_TOMCAT_SESSION_TIMEOUT_MINUTES" ]]; then
+      if [[ "$GROUPER_UI" != 'true' ]] && [[ "$GROUPER_WS" = 'true' ]]; then
+        echo "grouperContainer; INFO: (libraryPrep.sh-prep_finishBegin) $ GROUPER_TOMCAT_SESSION_TIMEOUT_MINUTES is not set, setting to WS default of 1"
+        export GROUPER_TOMCAT_SESSION_TIMEOUT_MINUTES=1
+      else
+        echo "grouperContainer; INFO: (libraryPrep.sh-prep_finishBegin) $ GROUPER_TOMCAT_SESSION_TIMEOUT_MINUTES is not set, setting to UI default of 600 (10 hours)"
+        export GROUPER_TOMCAT_SESSION_TIMEOUT_MINUTES=600
+      
+      fi
+    fi
 }
 
 prep_finishEnd() {
diff --git a/container_files/usr-local-bin/libraryPrepOnly.sh b/container_files/usr-local-bin/libraryPrepOnly.sh
index feb9d6f6..2b0697d0 100644
--- a/container_files/usr-local-bin/libraryPrepOnly.sh
+++ b/container_files/usr-local-bin/libraryPrepOnly.sh
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 
 prepOnly_component() {
     if [ "$GROUPER_WS" = "true" ] && [ "$GROUPER_UI" != "true" ] && [ "$GROUPER_SCIM" != "true" ] && [ "$GROUPER_DAEMON" != "true" ]
diff --git a/container_files/usr-local-bin/libraryRunCommand.sh b/container_files/usr-local-bin/libraryRunCommand.sh
index be815c9f..8c07149d 100644
--- a/container_files/usr-local-bin/libraryRunCommand.sh
+++ b/container_files/usr-local-bin/libraryRunCommand.sh
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 
 runCommand() {
 
diff --git a/container_files/usr-local-bin/librarySetupFiles.sh b/container_files/usr-local-bin/librarySetupFiles.sh
index ae5586fe..1ab45231 100644
--- a/container_files/usr-local-bin/librarySetupFiles.sh
+++ b/container_files/usr-local-bin/librarySetupFiles.sh
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 
 setupFiles_linkGrouperSecrets() {
     for filepath in /run/secrets/*; do
@@ -26,11 +26,15 @@ setupFiles_rsyncSlashRoot() {
 }
 
 setupFiles_localLogging() {
-    if [ "$GROUPER_LOG_TO_HOST" = "true" ]
-      then
+  if [ "$GROUPER_LOG_TO_HOST" = "true" ]
+    then
+      if [ "$GROUPER_ORIGFILE_LOG4J_PROPERTIES" = "true" ]; then
         cp /opt/grouper/grouperWebapp/WEB-INF/classes/log4j.grouperContainerHost.properties /opt/grouper/grouperWebapp/WEB-INF/classes/log4j.properties
         echo "grouperContainer; INFO: (librarySetupFiles.sh-setupFiles_localLogging) cp /opt/grouper/grouperWebapp/WEB-INF/classes/log4j.grouperContainerHost.properties /opt/grouper/grouperWebapp/WEB-INF/classes/log4j.properties, result: $?"
-    fi
+      else
+        echo "grouperContainer; INFO: (librarySetupFiles.sh-setupFiles_localLogging) /opt/grouper/grouperWebapp/WEB-INF/classes/log4j.properties is not the original file so will not be edited"
+      fi
+  fi
 
 }
 
@@ -58,7 +62,10 @@ setupFiles_storeEnvVars() {
   echo "" >> /opt/grouper/grouperEnv.sh
 
   # go through env vars, should start with GROUPER and have an equals sign in there
-  env | grep "^GROUPER" | grep "=" >> /opt/grouper/grouperEnv.sh
+  env | grep "^GROUPER" | grep "=" | sort >> /opt/grouper/grouperEnv.sh
+
+  # print these out
+  env | grep "^GROUPER" | grep "=" | sort
 
   sed -i "s|^GROUPER|export GROUPER|g" /opt/grouper/grouperEnv.sh
 
@@ -95,20 +102,104 @@ setupFiles_storeEnvVars() {
   echo "grouperContainer; INFO: (librarySetupFiles.sh-setupFiles_storeEnvVars) End store env vars in /opt/grouper/grouperEnv.sh"
 }
 
+setupFiles_originalFile() {
+  fullPath=$1
+  fileName="$(basename $fullPath)"
+  originalFilePath="/opt/tier-support/originalFiles/$fileName"
+  if [ -f "$fullPath" ]; then
+    if [ -f "$originalFilePath" ]; then
+      if cmp "$fullPath" "$originalFilePath" >/dev/null 2>&1
+      then
+        # true, same
+        return 0
+      else
+        # false, different
+        return 1
+      fi
+    else
+      # false, different
+      return 1
+    fi
+  fi
+  # didnt exist and still doesnt... same?
+  return 0
+}
+
+
+setupFiles_analyzeOriginalFiles() {
+
+    setupFiles_originalFile /opt/tomee/conf/Catalina/localhost/grouper.xml
+    original_file=$?
+    if [ -z "$GROUPER_ORIGFILE_GROUPER_XML" ] && [[ $original_file -eq 0 ]]
+      then export GROUPER_ORIGFILE_GROUPER_XML=true; fi
+    if [ -z "$GROUPER_ORIGFILE_GROUPER_XML" ] ; then export GROUPER_ORIGFILE_GROUPER_XML=false; fi
+      
+    setupFiles_originalFile /opt/tomee/conf/server.xml
+    original_file=$?
+    if [ -z "$GROUPER_ORIGFILE_SERVER_XML" ] && [[ $original_file -eq 0 ]]
+      then export GROUPER_ORIGFILE_SERVER_XML=true; fi
+    if [ -z "$GROUPER_ORIGFILE_SERVER_XML" ] ; then export GROUPER_ORIGFILE_SERVER_XML=false; fi
+
+    setupFiles_originalFile /opt/grouper/grouperWebapp/WEB-INF/classes/log4j.properties
+    original_file=$?
+    if [ -z "$GROUPER_ORIGFILE_LOG4J_PROPERTIES" ] && [[ $original_file -eq 0 ]]
+      then export GROUPER_ORIGFILE_LOG4J_PROPERTIES=true; fi
+    if [ -z "$GROUPER_ORIGFILE_LOG4J_PROPERTIES" ] ; then export GROUPER_ORIGFILE_LOG4J_PROPERTIES=false; fi
+
+    setupFiles_originalFile /etc/httpd/conf/httpd.conf
+    original_file=$?
+    if [ -z "$GROUPER_ORIGFILE_HTTPD_CONF" ] && [[ $original_file -eq 0 ]]
+      then export GROUPER_ORIGFILE_HTTPD_CONF=true; fi
+    if [ -z "$GROUPER_ORIGFILE_HTTPD_CONF" ] ; then export GROUPER_ORIGFILE_HTTPD_CONF=false; fi
+
+    setupFiles_originalFile /etc/httpd/conf.d/ssl-enabled.conf
+    original_file=$?
+    if [ -z "$GROUPER_ORIGFILE_SSL_ENABLED_CONF" ] && [[ $original_file -eq 0 ]]
+      then export GROUPER_ORIGFILE_SSL_ENABLED_CONF=true; fi
+    if [ -z "$GROUPER_ORIGFILE_SSL_ENABLED_CONF" ] ; then export GROUPER_ORIGFILE_SSL_ENABLED_CONF=false; fi
+
+    setupFiles_originalFile /etc/httpd/conf.d/httpd-shib.conf
+    original_file=$?
+    if [ -z "$GROUPER_ORIGFILE_HTTPD_SHIB_CONF" ] && [[ $original_file -eq 0 ]]
+      then export GROUPER_ORIGFILE_HTTPD_SHIB_CONF=true; fi
+    if [ -z "$GROUPER_ORIGFILE_HTTPD_SHIB_CONF" ] ; then export GROUPER_ORIGFILE_HTTPD_SHIB_CONF=false; fi
+
+    setupFiles_originalFile /etc/httpd/conf.d/shib.conf
+    original_file=$?
+    if [ -z "$GROUPER_ORIGFILE_SHIB_CONF" ] && [[ $original_file -eq 0 ]]
+      then export GROUPER_ORIGFILE_SHIB_CONF=true; fi
+    if [ -z "$GROUPER_ORIGFILE_SHIB_CONF" ] ; then export GROUPER_ORIGFILE_SHIB_CONF=false; fi
+
+    setupFiles_originalFile /opt/tomee/conf/Catalina/localhost/grouper.xml
+    original_file=$?
+    if [ -z "$GROUPER_ORIGFILE_GROUPER_XML" ] && [[ $original_file -eq 0 ]]
+      then export GROUPER_ORIGFILE_GROUPER_XML=true; fi
+    if [ -z "$GROUPER_ORIGFILE_GROUPER_XML" ] ; then export GROUPER_ORIGFILE_GROUPER_XML=false; fi
+
+    setupFiles_originalFile /opt/grouper/grouperWebapp/WEB-INF/web.xml
+    original_file=$?
+    if [ -z "$GROUPER_ORIGFILE_WEBAPP_WEB_XML" ] && [[ $original_file -eq 0 ]]
+      then export GROUPER_ORIGFILE_WEBAPP_WEB_XML=true; fi
+    if [ -z "$GROUPER_ORIGFILE_WEBAPP_WEB_XML" ] ; then export GROUPER_ORIGFILE_WEBAPP_WEB_XML=false; fi
+
+}
+
 setupFiles() {
 
   if [ "$GROUPER_SETUP_FILES_COMPLETE" = "true" ]
     then
-      echo "grouperContainer; INFO: (librarySetupFiles.sh-setupFiles) GROUPER_SETUP_FILES_COMPLETE=true, skipping setting up files"
+      echo "grouperContainer; INFO: (librarySetupFiles.sh-setupFiles) GROUPER_SETUP_FILES_COMPLETE=true, skipping setting up files (including not syncing slashRoot again)"
       setupFiles_unsetAllAndFromFiles
       return
   fi
 
+  setupFiles_rsyncSlashRoot
+  
+  setupFiles_analyzeOriginalFiles
+
   # do this first
   setupFiles_storeEnvVars
   
-  setupFiles_rsyncSlashRoot
-
   setupFiles_linkGrouperSecrets
 
   # this needs to be first
@@ -149,16 +240,17 @@ setupFiles_unsetAllAndFromFiles() {
   setupFilesForProcess_unsetAll
   setupFilesTomcat_unsetAll
   grouperScriptHooks_unsetAll
-
 }
 
 
 setupFiles_unsetAll() {
   unset -f setupFiles
+  unset -f setupFiles_analyzeOriginalFiles
   unset -f setupFiles_chownDirs
   unset -f setupFiles_linkGrouperSecrets
   unset -f setupFiles_localLogging
   unset -f setupFiles_loggingPrefix
+  unset -f setupFiles_originalFile
   unset -f setupFiles_rsyncSlashRoot
   unset -f setupFiles_storeEnvVars
   unset -f setupFiles_unsetAll
@@ -167,10 +259,12 @@ setupFiles_unsetAll() {
 
 setupFiles_exportAll() {
   export -f setupFiles
+  export -f setupFiles_analyzeOriginalFiles
   export -f setupFiles_chownDirs
   export -f setupFiles_linkGrouperSecrets
   export -f setupFiles_localLogging
   export -f setupFiles_loggingPrefix
+  export -f setupFiles_originalFile
   export -f setupFiles_rsyncSlashRoot
   export -f setupFiles_storeEnvVars
   export -f setupFiles_unsetAll
diff --git a/container_files/usr-local-bin/librarySetupFilesApache.sh b/container_files/usr-local-bin/librarySetupFilesApache.sh
index e434856f..0ee41c44 100644
--- a/container_files/usr-local-bin/librarySetupFilesApache.sh
+++ b/container_files/usr-local-bin/librarySetupFilesApache.sh
@@ -1,22 +1,31 @@
 #!/bin/bash
 
 setupFilesApache_indexes() {
-    if [ "$GROUPER_APACHE_DIRECTORY_INDEXES" = "false" ]
-      then
+  if [ "$GROUPER_APACHE_DIRECTORY_INDEXES" = "false" ]
+    then
+      if [ "$GROUPER_ORIGFILE_HTTPD_CONF" = "true" ]; then
         # take out the directory indexes from the docroot
         cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.pre_noindexes
         echo "grouperContainer; INFO: (librarySetupFilesApache.sh-setupFilesApache_indexes) cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.pre_noindexes , result=$?"
         patch /etc/httpd/conf/httpd.conf /etc/httpd/conf.d/httpd.conf.noindexes.patch
         echo "grouperContainer; INFO: (librarySetupFilesApache.sh-setupFilesApache_indexes) Patch httpd.conf to turn off indexes 'patch /etc/httpd/conf/httpd.conf /etc/httpd/conf.d/httpd.conf.noindexes.patch' result=$?"
-    fi
+      else
+        echo "grouperContainer; INFO: (librarySetupFilesApache.sh-setupFilesApache_indexes) /etc/httpd/conf/httpd.conf is not the original file so will not be changed"
+      fi
+  fi
+
 }
 
 setupFilesApache_selfSignedCert() {
-    if [ "$GROUPER_RUN_APACHE" = "true" ] && [ "$GROUPER_SELF_SIGNED_CERT" = "true" ] && [ "$GROUPER_USE_SSL" = "true" ]
-       then
+  if [ "$GROUPER_RUN_APACHE" = "true" ] && [ "$GROUPER_SELF_SIGNED_CERT" = "true" ] && [ "$GROUPER_USE_SSL" = "true" ]
+     then
+       if [ "$GROUPER_ORIGFILE_SSL_ENABLED_CONF" = "true" ]; then
          cp /opt/tier-support/ssl-enabled.conf /etc/httpd/conf.d/
          echo "grouperContainer; INFO: (librarySetupFilesApache.sh-setupFilesApache_selfSignedCert) cp /opt/tier-support/ssl-enabled.conf /etc/httpd/conf.d/ , result: $?"
-    fi
+       else
+         echo "grouperContainer; INFO: (librarySetupFilesApache.sh-setupFilesApache_selfSignedCert) /opt/tier-support/ssl-enabled.conf is not the original file so will not be edited"
+       fi
+  fi
 }
 
 setupFilesApache_ssl() {
@@ -77,6 +86,7 @@ setupFilesApache_ports() {
 
 }
 
+
 setupFilesApache() {
   setupFilesApache_supervisor
   setupFilesApache_selfSignedCert
diff --git a/container_files/usr-local-bin/librarySetupFilesForProcess.sh b/container_files/usr-local-bin/librarySetupFilesForProcess.sh
index b1f26669..2f394525 100644
--- a/container_files/usr-local-bin/librarySetupFilesForProcess.sh
+++ b/container_files/usr-local-bin/librarySetupFilesForProcess.sh
@@ -71,10 +71,18 @@ setupFilesForProcess_shib() {
         export LD_LIBRARY_PATH=/opt/shibboleth/lib64:$LD_LIBRARY_PATH
         echo "grouperContainer; INFO: (librarySetupFilesForProcess.sh-setupFilesForProcess_shib) Appending supervisord-shibsp.conf to supervisord.conf"
         cat /opt/tier-support/supervisord-shibsp.conf >> /opt/tier-support/supervisord.conf
-        cp /opt/tier-support/httpd-shib.conf /etc/httpd/conf.d/
-        echo "grouperContainer; INFO: (librarySetupFilesForProcess.sh-setupFilesForProcess_shib) cp /opt/tier-support/httpd-shib.conf /etc/httpd/conf.d/ , result: $?"
-        mv /etc/httpd/conf.d/shib.conf.dontuse /etc/httpd/conf.d/shib.conf
-        echo "grouperContainer; INFO: (librarySetupFilesForProcess.sh-setupFilesForProcess_shib) mv /etc/httpd/conf.d/shib.conf.dontuse /etc/httpd/conf.d/shib.conf , result: $?"
+        if [ "$GROUPER_ORIGFILE_HTTPD_SHIB_CONF" = "true" ]; then
+          cp /opt/tier-support/httpd-shib.conf /etc/httpd/conf.d/
+          echo "grouperContainer; INFO: (librarySetupFilesForProcess.sh-setupFilesForProcess_shib) cp /opt/tier-support/httpd-shib.conf /etc/httpd/conf.d/ , result: $?"
+        else
+          echo "grouperContainer; INFO: (librarySetupFilesForProcess.sh-setupFilesForProcess_shib) /etc/httpd/conf.d/httpd-shib.conf is not the original file so will not be edited"
+        fi
+        if [ "$GROUPER_ORIGFILE_SHIB_CONF" = "true" ]; then
+          mv /etc/httpd/conf.d/shib.conf.dontuse /etc/httpd/conf.d/shib.conf
+          echo "grouperContainer; INFO: (librarySetupFilesForProcess.sh-setupFilesForProcess_shib) mv /etc/httpd/conf.d/shib.conf.dontuse /etc/httpd/conf.d/shib.conf , result: $?"
+        else
+          echo "grouperContainer; INFO: (librarySetupFilesForProcess.sh-setupFilesForProcess_shib) /etc/httpd/conf.d/shib.conf is not the original file so will not be edited"
+        fi
     fi
   fi
 
diff --git a/container_files/usr-local-bin/librarySetupFilesTomcat.sh b/container_files/usr-local-bin/librarySetupFilesTomcat.sh
index 73a2b921..31579b4f 100644
--- a/container_files/usr-local-bin/librarySetupFilesTomcat.sh
+++ b/container_files/usr-local-bin/librarySetupFilesTomcat.sh
@@ -8,33 +8,43 @@ setupFilesTomcat() {
   setupFilesTomcat_context
   setupFilesTomcat_ports
   setupFilesTomcat_accessLogs
+  setupFilesTomcat_sessionTimeout
 }
 
 
 
 setupFilesTomcat_turnOnAjp() {
 
-  cp /opt/tomee/conf/server.xml /opt/tomee/conf/server.xml.currentOriginalInContainer
-  echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_turnOnAjp) cp /opt/tomee/conf/server.xml /opt/tomee/conf/server.xml.currentOriginalInContainer , result: $?"
-  patch /opt/tomee/conf/server.xml /opt/tomee/conf/server.xml.turnOnAjp.patch
-  echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_turnOnAjp) Patch server.xml to turn on ajp, result: $?"
+  if [ "$GROUPER_ORIGFILE_SERVER_XML" = "true" ]; then
+    cp /opt/tomee/conf/server.xml /opt/tomee/conf/server.xml.currentOriginalInContainer
+    echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_turnOnAjp) cp /opt/tomee/conf/server.xml /opt/tomee/conf/server.xml.currentOriginalInContainer , result: $?"
+    patch /opt/tomee/conf/server.xml /opt/tomee/conf/server.xml.turnOnAjp.patch
+    echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_turnOnAjp) Patch server.xml to turn on ajp, result: $?"
+  else
+    echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_turnOnAjp) /opt/tomee/conf/server.xml is not the original file so will not be edited"
+  fi
   
 }
 
 setupFilesTomcat_accessLogs() {
   
-  if [ "$GROUPER_TOMCAT_LOG_ACCESS" = "true" ]; then
-  
-    # this patch happens after the last patch
-    patch /opt/tomee/conf/server.xml /opt/tomee/conf/server.xml.loggingpipe.patch
-    echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_accessLogs) Patch server.xml to log access, result: $?"
-    
-  else  
-
-    patch /opt/tomee/conf/server.xml /opt/tomee/conf/server.xml.nologging.patch
-    echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_accessLogs) Patch server.xml to not log access, result: $?"
+  if [ "$GROUPER_ORIGFILE_SERVER_XML" = "true" ]; then
+    if [ "$GROUPER_TOMCAT_LOG_ACCESS" = "true" ]; then
     
+        # this patch happens after the last patch
+        patch /opt/tomee/conf/server.xml /opt/tomee/conf/server.xml.loggingpipe.patch
+        echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_accessLogs) Patch server.xml to log access, result: $?"
+      
+    else  
+  
+      patch /opt/tomee/conf/server.xml /opt/tomee/conf/server.xml.nologging.patch
+      echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_accessLogs) Patch server.xml to not log access, result: $?"
+      
+    fi
+  else
+    echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_accessLogs) /opt/tomee/conf/server.xml is not the original file so will not be edited"
   fi
+  
 }
 
 setupFilesTomcat_ports() {
@@ -59,21 +69,24 @@ setupFilesTomcat_context() {
 
   if [ -f /opt/tomee/conf/Catalina/localhost/grouper.xml ]
     then
-      # ws only and scim only dont have cookies
-      sed -i "s|__GROUPER_CONTEXT_COOKIES__|$GROUPER_CONTEXT_COOKIES|g" /opt/tomee/conf/Catalina/localhost/grouper.xml
-      echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_context) Replace context cookies in grouper.xml, result: $?"
-      
-      # setup context
-      sed -i "s|__GROUPER_TOMCAT_CONTEXT__|$GROUPER_TOMCAT_CONTEXT|g" /opt/tomee/conf/Catalina/localhost/grouper.xml
-      echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_context) Replace tomcat context in grouper.xml, result: $?"
-      
-      # rename file if needed since that can matter with tomcat
-      if [ "$GROUPER_TOMCAT_CONTEXT" != "grouper" ]
-        then  
-          mv -v /opt/tomee/conf/Catalina/localhost/grouper.xml "/opt/tomee/conf/Catalina/localhost/$GROUPER_TOMCAT_CONTEXT.xml"
-          echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_context) mv -v /opt/tomee/conf/Catalina/localhost/grouper.xml /opt/tomee/conf/Catalina/localhost/$GROUPER_TOMCAT_CONTEXT.xml , result: $?"
-      fi
-    
+      if [ "$GROUPER_ORIGFILE_GROUPER_XML" = "true" ]; then
+        # ws only and scim only dont have cookies
+        sed -i "s|__GROUPER_CONTEXT_COOKIES__|$GROUPER_CONTEXT_COOKIES|g" /opt/tomee/conf/Catalina/localhost/grouper.xml
+        echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_context) Replace context cookies in grouper.xml, result: $?"
+        
+        # setup context
+        sed -i "s|__GROUPER_TOMCAT_CONTEXT__|$GROUPER_TOMCAT_CONTEXT|g" /opt/tomee/conf/Catalina/localhost/grouper.xml
+        echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_context) Replace tomcat context in grouper.xml, result: $?"
+        
+        # rename file if needed since that can matter with tomcat
+        if [ "$GROUPER_TOMCAT_CONTEXT" != "grouper" ]
+          then  
+            mv -v /opt/tomee/conf/Catalina/localhost/grouper.xml "/opt/tomee/conf/Catalina/localhost/$GROUPER_TOMCAT_CONTEXT.xml"
+            echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_context) mv -v /opt/tomee/conf/Catalina/localhost/grouper.xml /opt/tomee/conf/Catalina/localhost/$GROUPER_TOMCAT_CONTEXT.xml , result: $?"
+        fi
+      else
+        echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_context) /opt/tomee/conf/Catalina/localhost/grouper.xml is not the original file so will not be edited"
+      fi    
   fi
 
   # setup the apache linkage to tomcat  
@@ -110,12 +123,19 @@ setupFilesTomcat_context() {
 
 setupFilesTomcat_authn() {
 
-    if [ "$GROUPER_WS_TOMCAT_AUTHN" = "true" ]
+    if [ "$GROUPER_WS_TOMCAT_AUTHN" = "true" ] 
       then
-        cp /opt/grouper/grouperWebapp/WEB-INF/web.wsTomcatAuthn.xml /opt/grouper/grouperWebapp/WEB-INF/web.xml
-        echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_authn) /opt/grouper/grouperWebapp/WEB-INF/web.wsTomcatAuthn.xml /opt/grouper/grouperWebapp/WEB-INF/web.xml , result: $?"
-        patch /opt/tomee/conf/server.xml /opt/tomee/conf/server.xml.tomcatAuthn.patch
-        echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_authn) Patch server.xml for tomcat authn, result: $?"
+      
+        if [ "$GROUPER_ORIGFILE_WEBAPP_WEB_XML" = "true" ]; then
+          cp /opt/tier-support/web.wsTomcatAuthn.xml /opt/grouper/grouperWebapp/WEB-INF/web.xml
+          echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_authn) cp /opt/tier-support/web.wsTomcatAuthn.xml /opt/grouper/grouperWebapp/WEB-INF/web.xml , result: $?"
+        else
+          echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_authn) /opt/grouper/grouperWebapp/WEB-INF/web.xml is not the original file so will not be edited"
+        fi
+
+        sed -i 's|tomcatAuthentication="false"|tomcatAuthentication="true"|g' /opt/tomee/conf/server.xml
+        echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_authn) sed -i 's|tomcatAuthentication=''false''|tomcatAuthentication=''true''|g' /opt/tomee/conf/server.xml, result: $?"
+
     fi
 
 }
@@ -147,6 +167,14 @@ setupFilesTomcat_supervisor() {
 
 }
 
+setupFilesTomcat_sessionTimeout() {
+
+  if [ "$GROUPER_RUN_TOMEE" = "true" ] && [ "$GROUPER_TOMCAT_SESSION_TIMEOUT_MINUTES" != "-2" ]
+    then
+    sed -i "s|<session-timeout>30</session-timeout>|<session-timeout>$GROUPER_TOMCAT_SESSION_TIMEOUT_MINUTES</session-timeout>|g" /opt/tomee/conf/web.xml
+    echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_sessionTimeout) based on GROUPER_TOMCAT_SESSION_TIMEOUT_MINUTES, sed -i ''s|<session-timeout>30</session-timeout>|<session-timeout>$GROUPER_TOMCAT_SESSION_TIMEOUT_MINUTES</session-timeout>|g'' /opt/tomee/conf/web.xml , result=$?"
+  fi
+}
 
 setupFilesTomcat_unsetAll() {
 
@@ -158,6 +186,7 @@ setupFilesTomcat_unsetAll() {
   unset -f setupFilesTomcat_unsetAll
   unset -f setupFilesTomcat_accessLogs
   unset -f setupFilesTomcat_loggingSlf4j
+  unset -f setupFilesTomcat_sessionTimeout
   unset -f setupFilesTomcat_turnOnAjp
 
 }
@@ -172,6 +201,7 @@ setupFilesTomcat_exportAll() {
   export -f setupFilesTomcat_unsetAll
   export -f setupFilesTomcat_accessLogs
   export -f setupFilesTomcat_loggingSlf4j
+  export -f setupFilesTomcat_sessionTimeout
   export -f setupFilesTomcat_turnOnAjp
 }
 
diff --git a/container_files/usr-local-bin/librarySetupPipe.sh b/container_files/usr-local-bin/librarySetupPipe.sh
index 80aff77b..b0e2f756 100644
--- a/container_files/usr-local-bin/librarySetupPipe.sh
+++ b/container_files/usr-local-bin/librarySetupPipe.sh
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 
 setupPipe() {
     echo "grouperContainer; INFO: (librarySetupPipe.sh-setupPipe) Setup pipe: $1"