Basically, it's going to come down to running the Tomcat user as someone other than root, and making sure that /scratch/firefly is owned by that UID.
The quick-and-dirty way would be to just add a Tomcat user with a fixed UID by adding something like
RUN adduser -u 91 tomcat
in the Dockerfile (UID 91 used to be the Tomcat user in old Red Hat; I don't know if that's still the convention in modern times) before running the entrypoint.
There might also have to be a chown -R tomcat of whatever local (not NFS-mounted) directories Tomcat needs to write to.
The slightly better way to make this more generic is to pass in, say, TOMCAT_USER and TOMCAT_UID as environment variables. Do the useradd with those values, and then the filesystem chown, in a startup wrapper script that does a sudo to the tomcat user and execs the tomcat startup at the end.
That would let us choose a username and UID that NCSA likes, but keep it flexible enough to not tie ourselves to their LDAP. You could even make the defaults "root" and "0" (with appropriate conditionals in the startup wrapper), so the existing behavior was preserved if the variables are left unspecified.
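One way the startup wrapper described above could look, as an added example (constructed here, not the project's own script or the commenter's code): it assumes Tomcat lives under /usr/local/tomcat (an assumed path), uses su instead of sudo to drop privileges, keeps the "root"/"0" defaults so existing behaviour is unchanged, and validates TOMCAT_UID before passing it to useradd/chown.

```shell
#!/bin/sh
# Constructed example entrypoint wrapper; paths below are assumptions.
set -eu

TOMCAT_HOME="${TOMCAT_HOME:-/usr/local/tomcat}"            # assumed install dir
TOMCAT_START="${TOMCAT_START:-$TOMCAT_HOME/bin/catalina.sh run}"

# Defaults preserve today's behaviour (run as root) when nothing is passed.
resolve_user() { printf '%s' "${TOMCAT_USER:-root}"; }
resolve_uid()  { printf '%s' "${TOMCAT_UID:-0}"; }

# A UID must be a non-negative integer; reject anything else rather than
# feeding an arbitrary string from the environment into useradd/chown.
valid_uid() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
    *)           return 0 ;;
  esac
}

# True when the (user, uid) pair means "keep the old run-as-root behaviour".
is_root_pair() { [ "$1" = root ] && [ "$2" = 0 ]; }

# Create the account only if it does not already exist (no home, no shell).
ensure_user() {
  if ! id "$1" >/dev/null 2>&1; then
    useradd -u "$2" -M -s /sbin/nologin "$1"
  fi
}

main() {
  user=$(resolve_user); uid=$(resolve_uid)
  valid_uid "$uid" || { echo "TOMCAT_UID must be numeric, got '$uid'" >&2; exit 1; }
  if is_root_pair "$user" "$uid"; then
    exec $TOMCAT_START      # unquoted on purpose: split "catalina.sh run"
  fi
  ensure_user "$user" "$uid"
  # chown only local, writable Tomcat dirs; the NFS mount (/scratch/firefly)
  # is expected to already be owned by this UID on the server side.
  chown -R "$uid" "$TOMCAT_HOME/logs" "$TOMCAT_HOME/work" "$TOMCAT_HOME/temp"
  # Drop privileges and replace this shell with Tomcat so it becomes PID 1.
  exec su -s /bin/sh "$user" -c "exec $TOMCAT_START"
}

# Only run the flow when invoked as the entrypoint, so the helpers can be sourced.
case "${0##*/}" in entrypoint.sh) main "$@" ;; esac
```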