diff --git a/Dockerfile b/Dockerfile
index 6001a68..68f75e2 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -8,8 +8,8 @@ LABEL author="tier-packaging@internet2.edu <tier-packaging@internet2.edu>" \
 
 ARG GROUPER_CONTAINER_VERSION
 
-ENV GROUPER_VERSION=4.3.0 \
-    GROUPER_CONTAINER_VERSION=4.3.1 \
+ENV GROUPER_VERSION=4.3.2 \
+    GROUPER_CONTAINER_VERSION=4.3.2 \
     JAVA_HOME=/usr/lib/jvm/java-17-amazon-corretto \
     PATH=$PATH:$JAVA_HOME/bin \
     GROUPER_HOME=/opt/grouper/grouperWebapp/WEB-INF
diff --git a/container_files/tomcat/conf/createPatches.txt b/container_files/tomcat/conf/createPatches.txt
index c00b298..564d3d3 100644
--- a/container_files/tomcat/conf/createPatches.txt
+++ b/container_files/tomcat/conf/createPatches.txt
@@ -1,4 +1,2 @@
 # note: get the server.xml into the original, make sure it ends with newline if the file does
-diff -u server.xml.original server.xml.turnOnAjp > server.xml.turnOnAjp.patch     
-diff -u server.xml.turnOnAjp server.xml.loggingpipe > server.xml.loggingpipe.patch
-diff -u server.xml.turnOnAjp server.xml.nologging > server.xml.nologging.patch
+diff -u server.xml.original server.xml.grouper > server.xml.grouper.patch
diff --git a/container_files/tomcat/conf/server.xml.nologging b/container_files/tomcat/conf/server.xml.grouper
similarity index 95%
rename from container_files/tomcat/conf/server.xml.nologging
rename to container_files/tomcat/conf/server.xml.grouper
index f462a22..5cc1afe 100644
--- a/container_files/tomcat/conf/server.xml.nologging
+++ b/container_files/tomcat/conf/server.xml.grouper
@@ -120,8 +120,16 @@
     -->
 
     <!-- Define an AJP 1.3 Connector on port 8009 -->
-    <Connector address="0.0.0.0" secretRequired="false" secure="true"  scheme="https"  URIEncoding="UTF-8"  tomcatAuthentication="false"  port="8009" protocol="AJP/1.3" redirectPort="8443" maxParameterCount="10000" />
-
+    <!--
+    <Connector protocol="AJP/1.3"
+               address="::1"
+               port="8009"
+               redirectPort="8443"
+               maxParameterCount="1000"
+               />
+    -->
+    <!--GROUPER_AJP_CONNECTOR-->
+    
     <!-- An Engine represents the entry point (within Catalina) that processes
          every request.  The Engine implementation for Tomcat stand alone
          analyzes the HTTP headers included with the request, and passes them
@@ -159,13 +167,12 @@
         <!--
         <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
         -->
+        <!--GROUPER_REMOTE_CIDR_VALVE-->
 
         <!-- Access log processes all example.
              Documentation at: /docs/config/valve.html
              Note: The pattern used is equivalent to using pattern="common" -->
-
-
-
+        <!--GROUPER_LOGGING_VALVE-->
 
       </Host>
     </Engine>
diff --git a/container_files/tomcat/conf/server.xml.grouper.patch b/container_files/tomcat/conf/server.xml.grouper.patch
new file mode 100644
index 0000000..0196ac5
--- /dev/null
+++ b/container_files/tomcat/conf/server.xml.grouper.patch
@@ -0,0 +1,37 @@
+--- server.xml.original	2023-06-27 13:54:24.000000000 -0400
++++ server.xml.grouper	2023-07-03 02:37:07.000000000 -0400
+@@ -69,7 +69,7 @@
+     <Connector port="8080" protocol="HTTP/1.1"
+                connectionTimeout="20000"
+                redirectPort="8443"
+-               maxParameterCount="1000"
++               maxParameterCount="10000"
+                />
+     <!-- A "Connector" using the shared thread pool-->
+     <!--
+@@ -128,7 +128,8 @@
+                maxParameterCount="1000"
+                />
+     -->
+-
++    <!--GROUPER_AJP_CONNECTOR-->
++    
+     <!-- An Engine represents the entry point (within Catalina) that processes
+          every request.  The Engine implementation for Tomcat stand alone
+          analyzes the HTTP headers included with the request, and passes them
+@@ -166,13 +167,12 @@
+         <!--
+         <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
+         -->
++        <!--GROUPER_REMOTE_CIDR_VALVE-->
+ 
+         <!-- Access log processes all example.
+              Documentation at: /docs/config/valve.html
+              Note: The pattern used is equivalent to using pattern="common" -->
+-        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
+-               prefix="localhost_access_log" suffix=".txt"
+-               pattern="%h %l %u %t &quot;%r&quot; %s %b" />
++        <!--GROUPER_LOGGING_VALVE-->
+ 
+       </Host>
+     </Engine>
diff --git a/container_files/tomcat/conf/server.xml.loggingpipe b/container_files/tomcat/conf/server.xml.loggingpipe
deleted file mode 100644
index 721a15e..0000000
--- a/container_files/tomcat/conf/server.xml.loggingpipe
+++ /dev/null
@@ -1,173 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
-  Licensed to the Apache Software Foundation (ASF) under one or more
-  contributor license agreements.  See the NOTICE file distributed with
-  this work for additional information regarding copyright ownership.
-  The ASF licenses this file to You under the Apache License, Version 2.0
-  (the "License"); you may not use this file except in compliance with
-  the License.  You may obtain a copy of the License at
-
-      http://www.apache.org/licenses/LICENSE-2.0
-
-  Unless required by applicable law or agreed to in writing, software
-  distributed under the License is distributed on an "AS IS" BASIS,
-  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-  See the License for the specific language governing permissions and
-  limitations under the License.
--->
-<!-- Note:  A "Server" is not itself a "Container", so you may not
-     define subcomponents such as "Valves" at this level.
-     Documentation at /docs/config/server.html
- -->
-<Server port="8005" shutdown="SHUTDOWN">
-  <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
-  <!-- Security listener. Documentation at /docs/config/listeners.html
-  <Listener className="org.apache.catalina.security.SecurityListener" />
-  -->
-  <!-- APR library loader. Documentation at /docs/apr.html -->
-  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
-  <!-- Prevent memory leaks due to use of particular java/javax APIs-->
-  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
-  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
-  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
-
-  <!-- Global JNDI resources
-       Documentation at /docs/jndi-resources-howto.html
-  -->
-  <GlobalNamingResources>
-    <!-- Editable user database that can also be used by
-         UserDatabaseRealm to authenticate users
-    -->
-    <Resource name="UserDatabase" auth="Container"
-              type="org.apache.catalina.UserDatabase"
-              description="User database that can be updated and saved"
-              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
-              pathname="conf/tomcat-users.xml" />
-  </GlobalNamingResources>
-
-  <!-- A "Service" is a collection of one or more "Connectors" that share
-       a single "Container" Note:  A "Service" is not itself a "Container",
-       so you may not define subcomponents such as "Valves" at this level.
-       Documentation at /docs/config/service.html
-   -->
-  <Service name="Catalina">
-
-    <!--The connectors can use a shared executor, you can define one or more named thread pools-->
-    <!--
-    <Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
-        maxThreads="150" minSpareThreads="4"/>
-    -->
-
-
-    <!-- A "Connector" represents an endpoint by which requests are received
-         and responses are returned. Documentation at :
-         Java HTTP Connector: /docs/config/http.html
-         Java AJP  Connector: /docs/config/ajp.html
-         APR (HTTP/AJP) Connector: /docs/apr.html
-         Define a non-SSL/TLS HTTP/1.1 Connector on port 8080
-    -->
-    <Connector port="8080" protocol="HTTP/1.1"
-               connectionTimeout="20000"
-               redirectPort="8443"
-               maxParameterCount="10000"
-               />
-    <!-- A "Connector" using the shared thread pool-->
-    <!--
-    <Connector executor="tomcatThreadPool"
-               port="8080" protocol="HTTP/1.1"
-               connectionTimeout="20000"
-               redirectPort="8443"
-               maxParameterCount="1000"
-               />
-    -->
-    <!-- Define an SSL/TLS HTTP/1.1 Connector on port 8443
-         This connector uses the NIO implementation. The default
-         SSLImplementation will depend on the presence of the APR/native
-         library and the useOpenSSL attribute of the AprLifecycleListener.
-         Either JSSE or OpenSSL style configuration may be used regardless of
-         the SSLImplementation selected. JSSE style configuration is used below.
-    -->
-    <!--
-    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
-               maxThreads="150" SSLEnabled="true"
-               maxParameterCount="1000"
-               >
-        <SSLHostConfig>
-            <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
-                         type="RSA" />
-        </SSLHostConfig>
-    </Connector>
-    -->
-    <!-- Define an SSL/TLS HTTP/1.1 Connector on port 8443 with HTTP/2
-         This connector uses the APR/native implementation which always uses
-         OpenSSL for TLS.
-         Either JSSE or OpenSSL style configuration may be used. OpenSSL style
-         configuration is used below.
-    -->
-    <!--
-    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
-               maxThreads="150" SSLEnabled="true"
-               maxParameterCount="1000"
-               >
-        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
-        <SSLHostConfig>
-            <Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
-                         certificateFile="conf/localhost-rsa-cert.pem"
-                         certificateChainFile="conf/localhost-rsa-chain.pem"
-                         type="RSA" />
-        </SSLHostConfig>
-    </Connector>
-    -->
-
-    <!-- Define an AJP 1.3 Connector on port 8009 -->
-    <Connector address="0.0.0.0" secretRequired="false" secure="true"  scheme="https"  URIEncoding="UTF-8"  tomcatAuthentication="false"  port="8009" protocol="AJP/1.3" redirectPort="8443" maxParameterCount="10000" />
-
-    <!-- An Engine represents the entry point (within Catalina) that processes
-         every request.  The Engine implementation for Tomcat stand alone
-         analyzes the HTTP headers included with the request, and passes them
-         on to the appropriate Host (virtual host).
-         Documentation at /docs/config/engine.html -->
-
-    <!-- You should set jvmRoute to support load-balancing via AJP ie :
-    <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
-    -->
-    <Engine name="Catalina" defaultHost="localhost">
-
-      <!--For clustering, please take a look at documentation at:
-          /docs/cluster-howto.html  (simple how to)
-          /docs/config/cluster.html (reference documentation) -->
-      <!--
-      <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
-      -->
-
-      <!-- Use the LockOutRealm to prevent attempts to guess user passwords
-           via a brute-force attack -->
-      <Realm className="org.apache.catalina.realm.LockOutRealm">
-        <!-- This Realm uses the UserDatabase configured in the global JNDI
-             resources under the key "UserDatabase".  Any edits
-             that are performed against this UserDatabase are immediately
-             available for use by the Realm.  -->
-        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
-               resourceName="UserDatabase"/>
-      </Realm>
-
-      <Host name="localhost"  appBase="webapps"
-            unpackWARs="true" autoDeploy="true">
-
-        <!-- SingleSignOn valve, share authentication between web applications
-             Documentation at: /docs/config/valve.html -->
-        <!--
-        <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
-        -->
-
-        <!-- Access log processes all example.
-             Documentation at: /docs/config/valve.html
-             Note: The pattern used is equivalent to using pattern="common" -->
-        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="/tmp"
-               prefix="tomcat_access_log"
-               rotatable="false" pattern="%h %l %u %t &quot;%r&quot; %s %b" />
-
-      </Host>
-    </Engine>
-  </Service>
-</Server>
diff --git a/container_files/tomcat/conf/server.xml.loggingpipe.patch b/container_files/tomcat/conf/server.xml.loggingpipe.patch
deleted file mode 100644
index 7322471..0000000
--- a/container_files/tomcat/conf/server.xml.loggingpipe.patch
+++ /dev/null
@@ -1,15 +0,0 @@
---- server.xml.turnOnAjp	2023-06-28 15:00:26.000000000 -0400
-+++ server.xml.loggingpipe	2023-06-28 15:00:26.000000000 -0400
-@@ -163,9 +163,9 @@
-         <!-- Access log processes all example.
-              Documentation at: /docs/config/valve.html
-              Note: The pattern used is equivalent to using pattern="common" -->
--        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
--               prefix="localhost_access_log" suffix=".txt"
--               pattern="%h %l %u %t &quot;%r&quot; %s %b" />
-+        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="/tmp"
-+               prefix="tomcat_access_log"
-+               rotatable="false" pattern="%h %l %u %t &quot;%r&quot; %s %b" />
- 
-       </Host>
-     </Engine>
diff --git a/container_files/tomcat/conf/server.xml.nologging.patch b/container_files/tomcat/conf/server.xml.nologging.patch
deleted file mode 100644
index 0239eca..0000000
--- a/container_files/tomcat/conf/server.xml.nologging.patch
+++ /dev/null
@@ -1,15 +0,0 @@
---- server.xml.turnOnAjp	2023-06-28 15:00:26.000000000 -0400
-+++ server.xml.nologging	2023-06-28 15:00:26.000000000 -0400
-@@ -163,9 +163,9 @@
-         <!-- Access log processes all example.
-              Documentation at: /docs/config/valve.html
-              Note: The pattern used is equivalent to using pattern="common" -->
--        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
--               prefix="localhost_access_log" suffix=".txt"
--               pattern="%h %l %u %t &quot;%r&quot; %s %b" />
-+
-+
-+
- 
-       </Host>
-     </Engine>
diff --git a/container_files/tomcat/conf/server.xml.turnOnAjp b/container_files/tomcat/conf/server.xml.turnOnAjp
deleted file mode 100644
index b218269..0000000
--- a/container_files/tomcat/conf/server.xml.turnOnAjp
+++ /dev/null
@@ -1,173 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
-  Licensed to the Apache Software Foundation (ASF) under one or more
-  contributor license agreements.  See the NOTICE file distributed with
-  this work for additional information regarding copyright ownership.
-  The ASF licenses this file to You under the Apache License, Version 2.0
-  (the "License"); you may not use this file except in compliance with
-  the License.  You may obtain a copy of the License at
-
-      http://www.apache.org/licenses/LICENSE-2.0
-
-  Unless required by applicable law or agreed to in writing, software
-  distributed under the License is distributed on an "AS IS" BASIS,
-  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-  See the License for the specific language governing permissions and
-  limitations under the License.
--->
-<!-- Note:  A "Server" is not itself a "Container", so you may not
-     define subcomponents such as "Valves" at this level.
-     Documentation at /docs/config/server.html
- -->
-<Server port="8005" shutdown="SHUTDOWN">
-  <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
-  <!-- Security listener. Documentation at /docs/config/listeners.html
-  <Listener className="org.apache.catalina.security.SecurityListener" />
-  -->
-  <!-- APR library loader. Documentation at /docs/apr.html -->
-  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
-  <!-- Prevent memory leaks due to use of particular java/javax APIs-->
-  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
-  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
-  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
-
-  <!-- Global JNDI resources
-       Documentation at /docs/jndi-resources-howto.html
-  -->
-  <GlobalNamingResources>
-    <!-- Editable user database that can also be used by
-         UserDatabaseRealm to authenticate users
-    -->
-    <Resource name="UserDatabase" auth="Container"
-              type="org.apache.catalina.UserDatabase"
-              description="User database that can be updated and saved"
-              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
-              pathname="conf/tomcat-users.xml" />
-  </GlobalNamingResources>
-
-  <!-- A "Service" is a collection of one or more "Connectors" that share
-       a single "Container" Note:  A "Service" is not itself a "Container",
-       so you may not define subcomponents such as "Valves" at this level.
-       Documentation at /docs/config/service.html
-   -->
-  <Service name="Catalina">
-
-    <!--The connectors can use a shared executor, you can define one or more named thread pools-->
-    <!--
-    <Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
-        maxThreads="150" minSpareThreads="4"/>
-    -->
-
-
-    <!-- A "Connector" represents an endpoint by which requests are received
-         and responses are returned. Documentation at :
-         Java HTTP Connector: /docs/config/http.html
-         Java AJP  Connector: /docs/config/ajp.html
-         APR (HTTP/AJP) Connector: /docs/apr.html
-         Define a non-SSL/TLS HTTP/1.1 Connector on port 8080
-    -->
-    <Connector port="8080" protocol="HTTP/1.1"
-               connectionTimeout="20000"
-               redirectPort="8443"
-               maxParameterCount="10000"
-               />
-    <!-- A "Connector" using the shared thread pool-->
-    <!--
-    <Connector executor="tomcatThreadPool"
-               port="8080" protocol="HTTP/1.1"
-               connectionTimeout="20000"
-               redirectPort="8443"
-               maxParameterCount="1000"
-               />
-    -->
-    <!-- Define an SSL/TLS HTTP/1.1 Connector on port 8443
-         This connector uses the NIO implementation. The default
-         SSLImplementation will depend on the presence of the APR/native
-         library and the useOpenSSL attribute of the AprLifecycleListener.
-         Either JSSE or OpenSSL style configuration may be used regardless of
-         the SSLImplementation selected. JSSE style configuration is used below.
-    -->
-    <!--
-    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
-               maxThreads="150" SSLEnabled="true"
-               maxParameterCount="1000"
-               >
-        <SSLHostConfig>
-            <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
-                         type="RSA" />
-        </SSLHostConfig>
-    </Connector>
-    -->
-    <!-- Define an SSL/TLS HTTP/1.1 Connector on port 8443 with HTTP/2
-         This connector uses the APR/native implementation which always uses
-         OpenSSL for TLS.
-         Either JSSE or OpenSSL style configuration may be used. OpenSSL style
-         configuration is used below.
-    -->
-    <!--
-    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
-               maxThreads="150" SSLEnabled="true"
-               maxParameterCount="1000"
-               >
-        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
-        <SSLHostConfig>
-            <Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
-                         certificateFile="conf/localhost-rsa-cert.pem"
-                         certificateChainFile="conf/localhost-rsa-chain.pem"
-                         type="RSA" />
-        </SSLHostConfig>
-    </Connector>
-    -->
-
-    <!-- Define an AJP 1.3 Connector on port 8009 -->
-    <Connector address="0.0.0.0" secretRequired="false" secure="true"  scheme="https"  URIEncoding="UTF-8"  tomcatAuthentication="false"  port="8009" protocol="AJP/1.3" redirectPort="8443" maxParameterCount="10000" />
-
-    <!-- An Engine represents the entry point (within Catalina) that processes
-         every request.  The Engine implementation for Tomcat stand alone
-         analyzes the HTTP headers included with the request, and passes them
-         on to the appropriate Host (virtual host).
-         Documentation at /docs/config/engine.html -->
-
-    <!-- You should set jvmRoute to support load-balancing via AJP ie :
-    <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
-    -->
-    <Engine name="Catalina" defaultHost="localhost">
-
-      <!--For clustering, please take a look at documentation at:
-          /docs/cluster-howto.html  (simple how to)
-          /docs/config/cluster.html (reference documentation) -->
-      <!--
-      <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
-      -->
-
-      <!-- Use the LockOutRealm to prevent attempts to guess user passwords
-           via a brute-force attack -->
-      <Realm className="org.apache.catalina.realm.LockOutRealm">
-        <!-- This Realm uses the UserDatabase configured in the global JNDI
-             resources under the key "UserDatabase".  Any edits
-             that are performed against this UserDatabase are immediately
-             available for use by the Realm.  -->
-        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
-               resourceName="UserDatabase"/>
-      </Realm>
-
-      <Host name="localhost"  appBase="webapps"
-            unpackWARs="true" autoDeploy="true">
-
-        <!-- SingleSignOn valve, share authentication between web applications
-             Documentation at: /docs/config/valve.html -->
-        <!--
-        <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
-        -->
-
-        <!-- Access log processes all example.
-             Documentation at: /docs/config/valve.html
-             Note: The pattern used is equivalent to using pattern="common" -->
-        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
-               prefix="localhost_access_log" suffix=".txt"
-               pattern="%h %l %u %t &quot;%r&quot; %s %b" />
-
-      </Host>
-    </Engine>
-  </Service>
-</Server>
diff --git a/container_files/tomcat/conf/server.xml.turnOnAjp.patch b/container_files/tomcat/conf/server.xml.turnOnAjp.patch
deleted file mode 100644
index 70115aa..0000000
--- a/container_files/tomcat/conf/server.xml.turnOnAjp.patch
+++ /dev/null
@@ -1,27 +0,0 @@
---- server.xml.original	2023-06-27 13:54:24.000000000 -0400
-+++ server.xml.turnOnAjp	2023-06-28 15:00:26.000000000 -0400
-@@ -69,7 +69,7 @@
-     <Connector port="8080" protocol="HTTP/1.1"
-                connectionTimeout="20000"
-                redirectPort="8443"
--               maxParameterCount="1000"
-+               maxParameterCount="10000"
-                />
-     <!-- A "Connector" using the shared thread pool-->
-     <!--
-@@ -120,14 +120,7 @@
-     -->
- 
-     <!-- Define an AJP 1.3 Connector on port 8009 -->
--    <!--
--    <Connector protocol="AJP/1.3"
--               address="::1"
--               port="8009"
--               redirectPort="8443"
--               maxParameterCount="1000"
--               />
--    -->
-+    <Connector address="0.0.0.0" secretRequired="false" secure="true"  scheme="https"  URIEncoding="UTF-8"  tomcatAuthentication="false"  port="8009" protocol="AJP/1.3" redirectPort="8443" maxParameterCount="10000" />
- 
-     <!-- An Engine represents the entry point (within Catalina) that processes
-          every request.  The Engine implementation for Tomcat stand alone
diff --git a/container_files/usr-local-bin/librarySetupFilesTomcat.sh b/container_files/usr-local-bin/librarySetupFilesTomcat.sh
index c0b6dab..382c986 100644
--- a/container_files/usr-local-bin/librarySetupFilesTomcat.sh
+++ b/container_files/usr-local-bin/librarySetupFilesTomcat.sh
@@ -1,6 +1,8 @@
 #!/bin/bash
 
 setupFilesTomcat() {
+  setupFilesTomcat_serverXml
+  setupFilesTomcat_remoteCidrValve
   setupFilesTomcat_turnOnAjp
   setupFilesTomcat_supervisor
   setupFilesTomcat_authn
@@ -13,46 +15,76 @@ setupFilesTomcat() {
   setupFilesTomcat_sslCertsClient
 }
 
+setupFilesTomcat_remoteCidrValve() {
 
-setupFilesTomcat_turnOnAjp() {
+  if [ -z "$GROUPER_TOMCAT_REMOTE_CIDR_VALVE_ALLOW" ]; then 
+  else
+    if [ $(grep -c '<!--GROUPER_REMOTE_CIDR_VALVE-->' /opt/tomcat/conf/server.xml) -ge 1 ]; then
+    
+      sed -i 's|<!--GROUPER_REMOTE_CIDR_VALVE-->|<Valve className="org.apache.catalina.valves.RemoteCIDRValve" allow="__GROUPER_TOMCAT_REMOTE_CIDR_VALVE_ALLOW__"/>|g' /opt/tomcat/conf/server.xml 
+      returnCode=$?
+      echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_remoteCidrValve) Apply remote CIDR valve: sed -i 's|<!--GROUPER_REMOTE_CIDR_VALVE-->|<Valve className=\"org.apache.catalina.valves.RemoteCIDRValve\" allow=\"__GROUPER_TOMCAT_REMOTE_CIDR_VALVE_ALLOW__\"/>|g' /opt/tomcat/conf/server.xml, result: $returnCode"
+      if [ $returnCode != 0 ]; then exit $returnCode; fi
+      
+      sed -i "s|__GROUPER_TOMCAT_REMOTE_CIDR_VALVE_ALLOW__|$GROUPER_TOMCAT_REMOTE_CIDR_VALVE_ALLOW|g" /opt/tomcat/conf/server.xml
+      returnCode=$?
+      echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_remoteCidrValve) Apply remote CIDR valve value: sed -i \"s|__GROUPER_TOMCAT_REMOTE_CIDR_VALVE_ALLOW__|$GROUPER_TOMCAT_REMOTE_CIDR_VALVE_ALLOW|g\" /opt/tomcat/conf/server.xml, result: $returnCode"
+      if [ $returnCode != 0 ]; then exit $returnCode; fi
+      
+      
+    else
+      echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_remoteCidrValve) /opt/tomcat/conf/server.xml does not contain <!--GROUPER_REMOTE_CIDR_VALVE--> so will not have remote CIDR valve applied"
+    fi
+    
+  fi
+
+}
+
+setupFilesTomcat_serverXml() {
 
   if [ "$GROUPER_ORIGFILE_SERVER_XML" = "true" ]; then
     cp /opt/tomcat/conf/server.xml /opt/tomcat/conf/server.xml.currentOriginalInContainer
     returnCode=$?
-    echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_turnOnAjp) cp /opt/tomcat/conf/server.xml /opt/tomcat/conf/server.xml.currentOriginalInContainer , result: $returnCode"
+    echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_serverXml) cp /opt/tomcat/conf/server.xml /opt/tomcat/conf/server.xml.currentOriginalInContainer , result: $returnCode"
+    if [ $returnCode != 0 ]; then exit $returnCode; fi
+
+    patch /opt/tomcat/conf/server.xml /opt/tomcat/conf/server.xml.grouper.patch
+    returnCode=$?
+    echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_serverXml) Patch server.xml to apply grouper settings: patch /opt/tomcat/conf/server.xml /opt/tomcat/conf/server.xml.grouper.patch, result: $returnCode"
     if [ $returnCode != 0 ]; then exit $returnCode; fi
+  else
+    echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_serverXml) /opt/tomcat/conf/server.xml is not the original file so will not be edited"
+  fi
+  
+}
+
+
+setupFilesTomcat_turnOnAjp() {
 
-    patch /opt/tomcat/conf/server.xml /opt/tomcat/conf/server.xml.turnOnAjp.patch
+  if [ $(grep -c '<!--GROUPER_AJP_CONNECTOR-->' /opt/tomcat/conf/server.xml) -ge 1 ]; then
+  
+    sed -i 's|<!--GROUPER_AJP_CONNECTOR-->|<Connector address="0.0.0.0" secretRequired="false" secure="true"  scheme="https"  URIEncoding="UTF-8"  tomcatAuthentication="false"  port="8009" protocol="AJP/1.3" redirectPort="8443" maxParameterCount="10000" />|g' /opt/tomcat/conf/server.xml 
     returnCode=$?
-    echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_turnOnAjp) Patch server.xml to turn on ajp: patch /opt/tomcat/conf/server.xml /opt/tomcat/conf/server.xml.turnOnAjp.patch, result: $returnCode"
+    echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_turnOnAjp) Apply AJP: sed -i 's|<!--GROUPER_AJP_CONNECTOR-->|<Connector address=\"0.0.0.0\" secretRequired=\"false\" secure=\"true\"  scheme=\"https\"  URIEncoding=\"UTF-8\"  tomcatAuthentication=\"false\"  port=\"8009\" protocol=\"AJP/1.3\" redirectPort=\"8443\" maxParameterCount=\"10000\" />|g' /opt/tomcat/conf/server.xml, result: $returnCode"
     if [ $returnCode != 0 ]; then exit $returnCode; fi
   else
-    echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_turnOnAjp) /opt/tomcat/conf/server.xml is not the original file so will not be edited"
+    echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_turnOnAjp) /opt/tomcat/conf/server.xml does not contain <!--GROUPER_AJP_CONNECTOR--> so will not have AJP connector applied"
   fi
   
 }
 
 setupFilesTomcat_accessLogs() {
   
-  if [ "$GROUPER_ORIGFILE_SERVER_XML" = "true" ]; then
-    if [ "$GROUPER_TOMCAT_LOG_ACCESS" = "true" ]; then
+  if [ "$GROUPER_TOMCAT_LOG_ACCESS" = "true" ]; then
+    if [ $(grep -c '<!--GROUPER_LOGGING_VALVE-->' /opt/tomcat/conf/server.xml) -ge 1 ]; then
     
-      # this patch happens after the last patch
-      patch /opt/tomcat/conf/server.xml /opt/tomcat/conf/server.xml.loggingpipe.patch
+      sed -i 's|<!--GROUPER_LOGGING_VALVE-->|<Valve className="org.apache.catalina.valves.AccessLogValve" directory="/tmp" prefix="tomcat_access_log" rotatable="false" pattern="%h %l %u %t &quot;%r&quot; %s %b" />|g' /opt/tomcat/conf/server.xml 
       returnCode=$?
-      echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_accessLogs) Patch server.xml to log access: patch /opt/tomcat/conf/server.xml /opt/tomcat/conf/server.xml.loggingpipe.patch , result: $returnCode"
+      echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_accessLogs) Apply access logs: sed -i 's|<!--GROUPER_LOGGING_VALVE-->|<Valve className=\"org.apache.catalina.valves.AccessLogValve\" directory=\"/tmp\" prefix=\"tomcat_access_log\" rotatable=\"false\" pattern=\"%h %l %u %t &quot;%r&quot; %s %b\" />|g' /opt/tomcat/conf/server.xml, result: $returnCode"
       if [ $returnCode != 0 ]; then exit $returnCode; fi
-      
-    else  
-  
-      patch /opt/tomcat/conf/server.xml /opt/tomcat/conf/server.xml.nologging.patch
-      returnCode=$?
-      echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_accessLogs) Patch server.xml to not log access: patch /opt/tomcat/conf/server.xml /opt/tomcat/conf/server.xml.nologging.patch , result: $returnCode"
-      if [ $returnCode != 0 ]; then exit $returnCode; fi
-      
+    else
+      echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_accessLogs) /opt/tomcat/conf/server.xml does not contain <!--GROUPER_LOGGING_VALVE--> so will not have access logs applied"
     fi
-  else
-    echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_accessLogs) /opt/tomcat/conf/server.xml is not the original file so will not be edited"
   fi
   
 }
@@ -321,6 +353,8 @@ setupFilesTomcat_unsetAll() {
   unset -f setupFilesTomcat_authn
   unset -f setupFilesTomcat_context
   unset -f setupFilesTomcat_ports
+  unset -f setupFilesTomcat_remoteCidrValve
+  unset -f setupFilesTomcat_serverXml
   unset -f setupFilesTomcat_ssl
   unset -f setupFilesTomcat_sslCertsAnchors
   unset -f setupFilesTomcat_sslCertsClient
@@ -338,6 +372,8 @@ setupFilesTomcat_exportAll() {
   export -f setupFilesTomcat_authn
   export -f setupFilesTomcat_context
   export -f setupFilesTomcat_ports
+  export -f setupFilesTomcat_remoteCidrValve
+  export -f setupFilesTomcat_serverXml
   export -f setupFilesTomcat_ssl
   export -f setupFilesTomcat_sslCertsAnchors
   export -f setupFilesTomcat_sslCertsClient