diff --git a/config/alfresco/authentication-services-context.xml b/config/alfresco/authentication-services-context.xml
index c7c1df71dc..b9fc315b62 100644
--- a/config/alfresco/authentication-services-context.xml
+++ b/config/alfresco/authentication-services-context.xml
@@ -170,6 +170,15 @@
         <property name="allowGuestLogin">
             <value>true</value>
         </property>
+        <property name="nodeService">
+            <ref bean="nodeService" />
+        </property>
+        <property name="personService">
+            <ref bean="personService" />
+        </property>
+        <property name="transactionService">
+            <ref bean="transactionService" />
+        </property>
     </bean>
 
 
@@ -184,6 +193,16 @@
         <property name="accept">
             <value>true</value>
         </property>
+        </property>
+        <property name="nodeService">
+            <ref bean="nodeService" />
+        </property>
+        <property name="personService">
+            <ref bean="personService" />
+        </property>
+        <property name="transactionService">
+            <ref bean="transactionService" />
+        </property>    
     </bean>
     -->
 
@@ -374,7 +393,7 @@
         <!-- The period for which tickets are valid in XML duration format. -->
         <!-- The default is P1H for one hour.                               -->
         <property name="validDuration">
-            <value>P1H</value>
+            <value>PT1H</value>
         </property>
         <!-- Do tickets expire or live for ever?                            -->
         <property name="ticketsExpire">
diff --git a/config/alfresco/core-services-context.xml b/config/alfresco/core-services-context.xml
index e63699b04f..22a47ac462 100644
--- a/config/alfresco/core-services-context.xml
+++ b/config/alfresco/core-services-context.xml
@@ -130,40 +130,90 @@
 
     <!-- Log4J Hierarchy -->
     <bean id="log4jHierarchy" class="org.apache.log4j.jmx.HierarchyDynamicMBean"/>
-    
+
     <bean id="log4JHierarchyInit" class="org.alfresco.repo.admin.Log4JHierarchyInit" init-method="init">
     	<property name="log4jHierarchy" ref="log4jHierarchy"/>
 
-        <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
-        <!-- Incorporate supplementary log4j.properties files                     -->
-        <!--                                                                      -->
-        <!--   Properties in these files will augment/override                    -->
-        <!--   those within WEB-INF/classes/log4j.properties                      -->
-        <!--                                                                      -->
-        <!--   This mechanism allows modules to have their own local              -->
-        <!--   log4j.properties file within:                                      -->
-        <!--                                                                      -->
-        <!--      WEB-INF/classes/alfresco/module/{module.id}/log4j.properties    -->
-        <!--                                                                      -->
-        <!--   Where:  module.id is whatever value is set within the AMP's        -->
-        <!--           'module.properties' file.                                  -->
-        <!--                                                                      -->
-        <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  -->
-        <property name="overriding_log4j_properties">   
+        <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
+        <!-- Supplementary log4j.properties files                                       -->
+        <!--                                                                            -->
+        <!--   Log4j settings specified here augment/override the webapp's main         -->
+        <!--   log4j configuration file:   WEB-INF/classes/log4j.properties             -->
+        <!--                                                                            -->
+        <!--   This allows modules to maintain their own log4j.properties file,         -->
+        <!--   which is typically deployed to:                                          -->
+        <!--      WEB-INF/classes/alfresco/module/{module.id}/log4j.properties          -->
+        <!--                                                                            -->
+        <!--   Where:  module.id is whatever value is set within the AMP's              -->
+        <!--           'module.properties' file.                                        -->
+        <!--                                                                            -->
+        <!--   Example:                                                                 -->
+        <!--      WEB-INF/classes/alfresco/module/com.example.x.Y/log4j.properties      -->
+        <!--                                                                            -->
+        <!--   Those who wish to configure log4j properties in Alfresco extensions      -->
+        <!--   that aren't packaged as AMP modules can create log4j.properties file     -->
+        <!--   of the form:  {name}-log4j.properties and place it within some           -->
+        <!--   alfresco/extension directory on the server's classpath.                  -->
+        <!--                                                                            -->
+        <!--   For example:                                                             -->
+        <!--      WEB-INF/classes/alfresco/extension/SIMPLE_EXAMPLE-log4j.properties    -->
+        <!--                                                                            -->
+        <!--   That said, you are strongly encouraged to use the modular form           -->
+        <!--   (i.e.: the first one), and use the AMP mechanism for packaging           -->
+        <!--   whenever possible.  This makes customizations easier to manage.          -->
+        <!--   Note:  {name}-log4j.properties files override/augment the                -->
+        <!--          log4j.properties files packaged within modules.                   -->
+        <!--                                                                            -->
+        <!--   Developers may also wish to maintain a dev-log4j.properties file         -->
+        <!--   outside of the webapp.  This allows for changing log4j settings          -->
+        <!--   without touching the "shipping product", or any of a customer's          -->
+        <!--   local settings.  Your optional dev-log4j.properties file should be       -->
+        <!--   in some alfresco/extension directory within the server's classpath,      -->
+        <!--   and outside the webapp itself (so you don't accidentally delete it).     -->
+        <!--   Note:  the dev-log4j.properties file augments/overrides all others.      -->
+        <!--                                                                            -->
+        <!--   Example:                                                                 -->
+        <!--      $TOMCAT_HOME/shared/classes/alfresco/extension/dev-log4j.properties   -->
+        <!--                                                                            -->
+        <!--                                                                            -->
+        <!-- Best practices:                                                            -->
+        <!--                                                                            -->
+        <!--   Local customizations/licences are kept outside of the webapp.            -->
+        <!--   Example:                                                                 -->
+        <!--      $TOMCAT_HOME/shared/classes/alfresco/extension/...-log4j.properties   -->
+        <!--                                                                            -->
+        <!--   Shipping config files should be kept/installed within webapp:            -->
+        <!--   Example:                                                                 -->
+        <!--      WEB-INF/classes/alfresco/extension/...-log4j.properties               -->
+        <!--                                                                            -->
+        <!--   A dev-log4j.properties file should never be used in an ongoing           -->
+        <!--   during production, nor packaged as a part of any product.                -->
+        <!--                                                                            -->
+        <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  -->
+        <property name="overriding_log4j_properties">
             <list>
+                <!-- NOTE: value entries are listed from lowest precedence to highest.  -->
+
+                <!--  Installed  AMP modules  -->
                 <value>classpath*:alfresco/module/*/log4j.properties</value>
+
+                <!--  Other installed extensions  -->
+                <value>classpath*:alfresco/extension/*-log4j.properties</value>
+
+                <!--  private developer overrides -->
+                <value>classpath*:alfresco/extension/dev-log4j.properties</value>
             </list>
         </property>
     </bean>
-    
-    
-    <bean id="RepoServerMgmt" class="org.alfresco.repo.admin.RepoServerMgmt">       
+
+
+    <bean id="RepoServerMgmt" class="org.alfresco.repo.admin.RepoServerMgmt">
         <property name="transactionService"><ref bean="transactionService"/></property>
         <property name="authenticationService"><ref bean="authenticationService"/></property>
         <property name="maxUsers"><value>${server.maxusers}</value></property>
         <property name="singleUserOnly"><value>${server.singleuseronly.name}</value></property>
     </bean>
-    
+
 
     <!-- Datasource bean -->
     <bean id="dataSource" class="org.apache.commons.dbcp.BasicDataSource" destroy-method="close">
diff --git a/config/alfresco/dbscripts/upgrade/2.2/org.hibernate.dialect.MySQLInnoDBDialect/AlfrescoSchemaUpdate-2.2-ACL.sql b/config/alfresco/dbscripts/upgrade/2.2/org.hibernate.dialect.MySQLInnoDBDialect/AlfrescoSchemaUpdate-2.2-ACL.sql
index f6b6a6a586..e7cad53d75 100644
--- a/config/alfresco/dbscripts/upgrade/2.2/org.hibernate.dialect.MySQLInnoDBDialect/AlfrescoSchemaUpdate-2.2-ACL.sql
+++ b/config/alfresco/dbscripts/upgrade/2.2/org.hibernate.dialect.MySQLInnoDBDialect/AlfrescoSchemaUpdate-2.2-ACL.sql
@@ -7,12 +7,6 @@
 -- Please contact support@alfresco.com if you need assistance with the upgrade.
 --
 
--- Add index support for AVM
--- Ideally we would have the indirection in the index but it is too long for mysql which needs additional options
--- CREATE INDEX idx_avm_lyr_indn on avm_nodes (primary_indirection, indirection(128));
--- This matches the hibernate schema and should be good enough for the standard WCM use cases
-CREATE INDEX idx_avm_lyr_indn on avm_nodes (primary_indirection);
-
 CREATE TABLE alf_acl_change_set (
    id BIGINT NOT NULL AUTO_INCREMENT,
    version BIGINT NOT NULL,
@@ -32,8 +26,8 @@ ALTER TABLE alf_access_control_list
    ADD COLUMN acl_change_set BIGINT,
    ADD COLUMN inherits_from BIGINT;
 CREATE INDEX fk_alf_acl_acs ON alf_access_control_list (acl_change_set);
-CREATE INDEX idx_pm_acl_inh ON alf_access_control_list (inherits, inherits_from);
 ALTER TABLE alf_access_control_list ADD CONSTRAINT fk_alf_acl_acs FOREIGN KEY (acl_change_set) REFERENCES alf_acl_change_set (id);
+CREATE INDEX idx_alf_acl_inh ON alf_access_control_list (inherits, inherits_from);
 
 UPDATE alf_access_control_list acl
    set acl_id = (acl.id);
@@ -69,7 +63,7 @@ ALTER TABLE alf_access_control_entry
 DROP TABLE alf_auth_ext_keys;
 
 -- remove authority constraint
-ALTER TABLE alf_access_control_entry DROP INDEX FKFFF41F99B25A50BF, DROP FOREIGN KEY FKFFF41F99B25A50BF;
+ALTER TABLE alf_access_control_entry DROP INDEX FKFFF41F99B25A50BF, DROP FOREIGN KEY FKFFF41F99B25A50BF; -- (optional)
 
 -- restructure authority
 ALTER TABLE alf_authority
@@ -79,7 +73,7 @@ ALTER TABLE alf_authority
    CHANGE recipient authority VARCHAR(100),
    ADD primary key (id),
    ADD UNIQUE (authority, crc);
-CREATE INDEX idx_authority on alf_authority (authority);
+CREATE INDEX idx_alf_auth_aut on alf_authority (authority);
 
 -- migrate data - fix up FK refs to authority
 UPDATE alf_access_control_entry ace
diff --git a/config/alfresco/dbscripts/upgrade/2.2/org.hibernate.dialect.MySQLInnoDBDialect/upgrade-1-drop-indexes-and-constraints.sql b/config/alfresco/dbscripts/upgrade/2.2/org.hibernate.dialect.MySQLInnoDBDialect/upgrade-1-drop-indexes-and-constraints.sql
index 2cd7f72b48..e8c9afc284 100644
--- a/config/alfresco/dbscripts/upgrade/2.2/org.hibernate.dialect.MySQLInnoDBDialect/upgrade-1-drop-indexes-and-constraints.sql
+++ b/config/alfresco/dbscripts/upgrade/2.2/org.hibernate.dialect.MySQLInnoDBDialect/upgrade-1-drop-indexes-and-constraints.sql
@@ -15,6 +15,8 @@ ALTER TABLE alf_access_control_entry DROP INDEX fk_alf_ace_auth, DROP FOREIGN KE
 
 ALTER TABLE alf_access_control_list DROP INDEX fk_alf_acl_acs, DROP FOREIGN KEY fk_alf_acl_acs;
 
+ALTER TABLE alf_access_control_list DROP INDEX idx_alf_acl_inh;
+
 ALTER TABLE alf_acl_member DROP INDEX fk_alf_aclm_acl, DROP FOREIGN KEY fk_alf_aclm_acl;
 
 ALTER TABLE alf_acl_member DROP INDEX fk_alf_aclm_ace, DROP FOREIGN KEY fk_alf_aclm_ace;
@@ -57,6 +59,12 @@ ALTER TABLE alf_audit_source DROP INDEX app_source_ser_idx;  -- (optional)
 
 ALTER TABLE alf_audit_source DROP INDEX app_source_met_idx;  -- (optional)
 
+ALTER TABLE alf_authority DROP INDEX idx_alf_auth_aut;
+
+ALTER TABLE alf_authority_alias DROP INDEX fk_alf_autha_ali, DROP FOREIGN KEY fk_alf_autha_ali;
+
+ALTER TABLE alf_authority_alias DROP INDEX fk_alf_autha_aut, DROP FOREIGN KEY fk_alf_autha_aut;
+
 ALTER TABLE alf_child_assoc DROP INDEX FKFFC5468E8E50E582, DROP FOREIGN KEY FKFFC5468E8E50E582;
 
 ALTER TABLE alf_child_assoc DROP INDEX FKFFC5468E74173FF4, DROP FOREIGN KEY FKFFC5468E74173FF4;
@@ -108,6 +116,8 @@ ALTER TABLE avm_history_links DROP INDEX fk_avm_hl_desc, DROP FOREIGN KEY fk_avm
 
 ALTER TABLE avm_history_links DROP INDEX fk_avm_hl_ancestor, DROP FOREIGN KEY fk_avm_hl_ancestor; --(optional)
 
+ALTER TABLE avm_history_links DROP INDEX idx_avm_hl_revpk; --(optional)
+
 ALTER TABLE avm_merge_links DROP INDEX fk_avm_ml_to, DROP FOREIGN KEY fk_avm_ml_to; --(optional)
 
 ALTER TABLE avm_merge_links DROP INDEX fk_avm_ml_from, DROP FOREIGN KEY fk_avm_ml_from; --(optional)
@@ -122,6 +132,8 @@ ALTER TABLE avm_nodes DROP INDEX fk_avm_n_acl, DROP FOREIGN KEY fk_avm_n_acl; --
 
 ALTER TABLE avm_nodes DROP INDEX fk_avm_n_store, DROP FOREIGN KEY fk_avm_n_store; --(optional)
 
+ALTER TABLE avm_nodes DROP INDEX idx_avm_n_pi; --(optional)
+
 ALTER TABLE avm_store_properties DROP INDEX idx_avm_sp_name; --(optional)
 
 ALTER TABLE avm_store_properties DROP INDEX fk_avm_sp_store, DROP FOREIGN KEY fk_avm_sp_store; --(optional)
@@ -132,6 +144,8 @@ ALTER TABLE avm_version_layered_node_entry DROP INDEX FK182E672DEB9D70C, DROP FO
 
 ALTER TABLE avm_version_roots DROP INDEX idx_avm_vr_version; --(optional)
 
+ALTER TABLE avm_version_roots DROP INDEX idx_avm_vr_revuq; --(optional)
+
 ALTER TABLE avm_version_roots DROP INDEX fk_avm_vr_root, DROP FOREIGN KEY fk_avm_vr_root; --(optional)
 
 ALTER TABLE avm_version_roots DROP INDEX fk_avm_vr_store, DROP FOREIGN KEY fk_avm_vr_store; --(optional)
diff --git a/config/alfresco/dbscripts/upgrade/2.2/org.hibernate.dialect.MySQLInnoDBDialect/upgrade-2-move-qnames.sql b/config/alfresco/dbscripts/upgrade/2.2/org.hibernate.dialect.MySQLInnoDBDialect/upgrade-2-move-qnames.sql
index 4bfbb9a865..20244fb64b 100644
--- a/config/alfresco/dbscripts/upgrade/2.2/org.hibernate.dialect.MySQLInnoDBDialect/upgrade-2-move-qnames.sql
+++ b/config/alfresco/dbscripts/upgrade/2.2/org.hibernate.dialect.MySQLInnoDBDialect/upgrade-2-move-qnames.sql
@@ -109,6 +109,10 @@ INSERT INTO t_qnames (qname)
 (
    SELECT DISTINCT type_qname FROM alf_child_assoc
 );
+INSERT INTO t_qnames (qname)
+(
+   SELECT DISTINCT type_qname FROM alf_permission
+);
 -- Extract the namespace and localnames from the QNames
 UPDATE t_qnames SET namespace = SUBSTR(SUBSTRING_INDEX(qname, '}', 1), 2);
 UPDATE t_qnames SET localname = SUBSTRING_INDEX(qname, '}', -1);
@@ -316,6 +320,20 @@ UPDATE alf_node_assoc na set na.type_qname_id =
 ALTER TABLE alf_node_assoc DROP COLUMN type_qname;
 ALTER TABLE alf_node_assoc MODIFY COLUMN type_qname_id BIGINT NOT NULL AFTER target_node_id;
 
+--
+-- DATA REPLACEMENT: alf_permission.type_qname
+--
+ALTER TABLE alf_permission ADD COLUMN type_qname_id BIGINT NULL AFTER id;
+UPDATE alf_permission p set p.type_qname_id =
+(
+   SELECT q.id
+   FROM alf_qname q
+   JOIN alf_namespace ns ON (q.ns_id = ns.id)
+   WHERE CONCAT('{', ns.uri, '}', q.local_name) = p.type_qname
+);
+ALTER TABLE alf_permission DROP COLUMN type_qname;
+ALTER TABLE alf_permission MODIFY COLUMN type_qname_id BIGINT NOT NULL AFTER id;
+
 -- Drop the temporary indexes and constraints
 ALTER TABLE alf_qname DROP INDEX t_fk_alf_qn_ns;
 ALTER TABLE alf_qname DROP FOREIGN KEY t_fk_alf_qn_ns;
diff --git a/config/alfresco/dbscripts/upgrade/2.2/org.hibernate.dialect.MySQLInnoDBDialect/upgrade-4-extra-indexes-and-constraints.sql b/config/alfresco/dbscripts/upgrade/2.2/org.hibernate.dialect.MySQLInnoDBDialect/upgrade-4-extra-indexes-and-constraints.sql
index 143e5b0492..4ad1e7c5bf 100644
--- a/config/alfresco/dbscripts/upgrade/2.2/org.hibernate.dialect.MySQLInnoDBDialect/upgrade-4-extra-indexes-and-constraints.sql
+++ b/config/alfresco/dbscripts/upgrade/2.2/org.hibernate.dialect.MySQLInnoDBDialect/upgrade-4-extra-indexes-and-constraints.sql
@@ -41,6 +41,9 @@ CREATE INDEX idx_alf_ca_qn_ln ON alf_child_assoc (qname_localname);
 
 CREATE INDEX idx_alf_txn_ctms ON alf_transaction (commit_time_ms);
 
+ -- The was 'idx_avm_lyr_indn'.  Rename it if you have the old name.
+CREATE INDEX idx_avm_n_pi on avm_nodes (primary_indirection);
+
 CREATE INDEX idx_avm_np_name ON avm_node_properties (qname);
 
 CREATE INDEX idx_avm_vr_version ON avm_version_roots (version_id);
@@ -49,6 +52,8 @@ CREATE INDEX idx_avm_vr_version ON avm_version_roots (version_id);
 -- Explicit indexes and constraints not declared in the mappings
 --
 
+CREATE INDEX idx_alf_acl_inh ON alf_access_control_list (inherits, inherits_from);
+
 CREATE INDEX fk_alf_na_qn ON alf_node_aspects (qname_id);
 ALTER TABLE alf_node_aspects ADD CONSTRAINT fk_alf_na_qn FOREIGN KEY (qname_id) REFERENCES alf_qname (id);
 
diff --git a/config/alfresco/extension/jaas-authentication-context.xml.sample b/config/alfresco/extension/jaas-authentication-context.xml.sample
index 7960f98a9a..b3199c5242 100644
--- a/config/alfresco/extension/jaas-authentication-context.xml.sample
+++ b/config/alfresco/extension/jaas-authentication-context.xml.sample
@@ -15,6 +15,15 @@
         <property name="jaasConfigEntryName">
             <value>Alfresco</value>
         </property>
+        <property name="nodeService">
+            <ref bean="nodeService" />
+        </property>
+        <property name="personService">
+            <ref bean="personService" />
+        </property>
+        <property name="transactionService">
+            <ref bean="transactionService" />
+        </property>    
     </bean>
 
     <!-- DAO that rejects changes - JAAS is read only at the moment.      -->
diff --git a/config/alfresco/extension/ldap-authentication-context.xml.sample b/config/alfresco/extension/ldap-authentication-context.xml.sample
index 24d5afc070..a346cc4ee9 100644
--- a/config/alfresco/extension/ldap-authentication-context.xml.sample
+++ b/config/alfresco/extension/ldap-authentication-context.xml.sample
@@ -53,6 +53,15 @@
             -->
             <value>${ldap.authentication.userNameFormat}</value>
         </property>
+        <property name="nodeService">
+            <ref bean="nodeService" />
+        </property>
+        <property name="personService">
+            <ref bean="personService" />
+        </property>
+        <property name="transactionService">
+            <ref bean="transactionService" />
+        </property>    
     </bean>
     
     <!--
diff --git a/config/alfresco/hibernate-context.xml b/config/alfresco/hibernate-context.xml
index 0a8c3b4b48..4c3065a953 100644
--- a/config/alfresco/hibernate-context.xml
+++ b/config/alfresco/hibernate-context.xml
@@ -259,6 +259,9 @@
    <bean id="aclDaoComponent" class="org.alfresco.repo.domain.hibernate.AclDaoComponentImpl">
       <property name="sessionFactory">
          <ref bean="sessionFactory" />
+      </property>
+      <property name="qnameDAO">
+         <ref bean="qnameDAO" />
       </property>
 	  <property name="aclCache">
          <ref bean="aclCache" />
diff --git a/config/alfresco/patch/patch-services-context.xml b/config/alfresco/patch/patch-services-context.xml
index e6e658e4e3..6ce02f6847 100644
--- a/config/alfresco/patch/patch-services-context.xml
+++ b/config/alfresco/patch/patch-services-context.xml
@@ -169,6 +169,9 @@
         <property name="sessionFactory">
             <ref bean="sessionFactory" />
         </property>
+        <property name="qnameDAO">
+            <ref bean="qnameDAO" />
+        </property>
     </bean>
     <bean id="patch.guestUser" class="org.alfresco.repo.admin.patch.impl.GuestUserPatch" parent="basePatch" >
         <property name="id"><value>patch.guestUser</value></property>
@@ -211,6 +214,9 @@
         <property name="sessionFactory">
             <ref bean="sessionFactory"/>
         </property>
+        <property name="qnameDAO">
+            <ref bean="qnameDAO" />
+        </property>
         <property name="dependsOn">
             <list>
                 <ref bean="patch.guestUser"/>
@@ -279,6 +285,9 @@
         <property name="sessionFactory">
             <ref bean="sessionFactory" />
         </property>
+        <property name="qnameDAO">
+            <ref bean="qnameDAO" />
+        </property>
         <property name="dependsOn">
             <list>
                 <ref bean="patch.updateGuestPermission" />
@@ -1240,6 +1249,9 @@
         <property name="sessionFactory">
             <ref bean="sessionFactory" />
         </property>
+        <property name="qnameDAO">
+            <ref bean="qnameDAO" />
+        </property>
         <property name="dependsOn" >
             <list>
                 <ref bean="patch.db-V2.2-ACL" />
diff --git a/source/java/org/alfresco/repo/admin/patch/impl/AbstractPermissionChangePatch.java b/source/java/org/alfresco/repo/admin/patch/impl/AbstractPermissionChangePatch.java
index a946485cb5..d78701e4e0 100644
--- a/source/java/org/alfresco/repo/admin/patch/impl/AbstractPermissionChangePatch.java
+++ b/source/java/org/alfresco/repo/admin/patch/impl/AbstractPermissionChangePatch.java
@@ -24,11 +24,10 @@
  */
 package org.alfresco.repo.admin.patch.impl;
 
-import java.util.List;
-
 import org.alfresco.repo.admin.patch.AbstractPatch;
-import org.alfresco.repo.domain.DbAccessControlEntry;
 import org.alfresco.repo.domain.DbPermission;
+import org.alfresco.repo.domain.QNameDAO;
+import org.alfresco.repo.domain.QNameEntity;
 import org.alfresco.repo.domain.hibernate.DbPermissionImpl;
 import org.alfresco.service.namespace.QName;
 import org.hibernate.Query;
@@ -56,6 +55,11 @@ public abstract class AbstractPermissionChangePatch extends AbstractPatch
         this.helper.setSessionFactory(sessionFactory);
     }
 
+    public void setQnameDAO(QNameDAO qnameDAO)
+    {
+        helper.setQnameDAO(qnameDAO);
+    }
+
     /**
      * Helper method to rename (move) a permission.  This involves checking for the existence of the
      * new permission and then moving all the entries to point to the new permission.
@@ -74,11 +78,11 @@ public abstract class AbstractPermissionChangePatch extends AbstractPatch
     /** Helper to get a permission entity */
     private static class GetPermissionCallback implements HibernateCallback
     {
-        private QName typeQName;
+        private QNameEntity typeQNameEntity;
         private String name;
-        public GetPermissionCallback(QName typeQName, String name)
+        public GetPermissionCallback(QNameEntity typeQNameEntity, String name)
         {
-            this.typeQName = typeQName;
+            this.typeQNameEntity = typeQNameEntity;
             this.name = name;
         }
         public Object doInHibernate(Session session)
@@ -87,7 +91,7 @@ public abstract class AbstractPermissionChangePatch extends AbstractPatch
             session.flush();
             
             Query query = session.getNamedQuery(HibernateHelper.QUERY_GET_PERMISSION);
-            query.setParameter("permissionTypeQName", typeQName)
+            query.setParameter("permissionTypeQName", typeQNameEntity)
                  .setString("permissionName", name);
             return query.uniqueResult();
         }
@@ -97,6 +101,13 @@ public abstract class AbstractPermissionChangePatch extends AbstractPatch
     {
         private static final String QUERY_GET_PERMISSION = "permission.GetPermission";
         
+        private QNameDAO qnameDAO;
+        
+        public void setQnameDAO(QNameDAO qnameDAO)
+        {
+            this.qnameDAO = qnameDAO;
+        }
+
         public int createAndUpdatePermission(
                 final QName oldTypeQName,
                 final String oldName,
@@ -108,20 +119,24 @@ public abstract class AbstractPermissionChangePatch extends AbstractPatch
                 throw new IllegalArgumentException("Cannot move permission to itself: " + oldTypeQName + "-" + oldName);
             }
             
-            HibernateCallback getNewPermissionCallback = new GetPermissionCallback(oldTypeQName, oldName);
+            // Get the QName entities
+            QNameEntity oldTypeQNameEntity = qnameDAO.getOrCreateQNameEntity(oldTypeQName);
+            QNameEntity newTypeQNameEntity = qnameDAO.getOrCreateQNameEntity(newTypeQName);
+            
+            HibernateCallback getNewPermissionCallback = new GetPermissionCallback(oldTypeQNameEntity, oldName);
             DbPermission permission = (DbPermission) getHibernateTemplate().execute(getNewPermissionCallback);
             if (permission == null)
             {
                 // create the permission
                 permission = new DbPermissionImpl();
-                permission.setTypeQname(newTypeQName);
+                permission.setTypeQName(newTypeQNameEntity);
                 permission.setName(newName);
                 // save
                 getHibernateTemplate().save(permission);
             }
             else
             {
-                permission.setTypeQname(newTypeQName);
+                permission.setTypeQName(newTypeQNameEntity);
                 permission.setName(newName);
             }
             // done
diff --git a/source/java/org/alfresco/repo/avm/AVMNodeDAO.java b/source/java/org/alfresco/repo/avm/AVMNodeDAO.java
index f4e12a6cfd..30cb4ede6e 100644
--- a/source/java/org/alfresco/repo/avm/AVMNodeDAO.java
+++ b/source/java/org/alfresco/repo/avm/AVMNodeDAO.java
@@ -102,6 +102,19 @@ public interface AVMNodeDAO
      */
     public List<Long> getNewInStoreIDs(AVMStore store);
 
+    /**
+     * Clear newInStore field for a store. (Snapshot)
+     * @param store
+     */
+    public void clearNewInStore(AVMStore store);
+
+    /**
+     * Get any new layered entries in a store.
+     * @param store
+     * @return
+     */
+    public List<Long> getNewLayeredInStoreIDs(AVMStore store);
+
     /**
      * Inappropriate hack to get Hibernate to play nice.
      */
@@ -111,25 +124,40 @@ public interface AVMNodeDAO
      * Get a batch
      * @return An iterator over all nodes.
      */
-    List<AVMNode> getEmptyGUIDS(int count);
+    public List<AVMNode> getEmptyGUIDS(int count);
 
     /**
      * Get a batch of LayeredDirectories which have null indirectionVersions.
      * @param count
      * @return
      */
-    List<LayeredDirectoryNode> getNullVersionLayeredDirectories(int count);
+    public List<LayeredDirectoryNode> getNullVersionLayeredDirectories(int count);
 
     /**
      * Get a batch of LayeredFiles which have null indirectionVersions.
      * @param count
      * @return
      */
-    List<LayeredFileNode> getNullVersionLayeredFiles(int count);
+    public List<LayeredFileNode> getNullVersionLayeredFiles(int count);
 
     /**
      * Evict an AVMNode that is no longer going to be used.
      * @param node
      */
     public void evict(AVMNode node);
+
+    /**
+     * Clear the hibernate session cache.
+     */
+    public void clear();
+
+    /**
+     * Turn off 2nd level caching.
+     */
+    public void noCache();
+
+    /**
+     * Turn on 2nd level caching.
+     */
+    public void yesCache();
 }
diff --git a/source/java/org/alfresco/repo/avm/AVMRepository.java b/source/java/org/alfresco/repo/avm/AVMRepository.java
index 986d418dd1..06e3c8772a 100644
--- a/source/java/org/alfresco/repo/avm/AVMRepository.java
+++ b/source/java/org/alfresco/repo/avm/AVMRepository.java
@@ -920,19 +920,27 @@ public class AVMRepository
      */
     public Map<String, Integer> createSnapshot(String storeName, String tag, String description)
     {
-        AlfrescoTransactionSupport.bindListener(fCreateVersionTxnListener);
-        AVMStore store = getAVMStoreByName(storeName);
-        if (store == null)
+        try
         {
-            throw new AVMNotFoundException("Store not found.");
+            fAVMNodeDAO.noCache();
+            AlfrescoTransactionSupport.bindListener(fCreateVersionTxnListener);
+            AVMStore store = getAVMStoreByName(storeName);
+            if (store == null)
+            {
+                throw new AVMNotFoundException("Store not found.");
+            }
+            Map<String, Integer> result = store.createSnapshot(tag, description, new HashMap<String, Integer>());
+            for (Map.Entry<String, Integer> entry : result.entrySet())
+            {
+                fLookupCache.onSnapshot(entry.getKey());
+                fCreateVersionTxnListener.versionCreated(entry.getKey(), entry.getValue());
+            }
+            return result;
         }
-        Map<String, Integer> result = store.createSnapshot(tag, description, new HashMap<String, Integer>());
-        for (Map.Entry<String, Integer> entry : result.entrySet())
+        finally
         {
-            fLookupCache.onSnapshot(entry.getKey());
-            fCreateVersionTxnListener.versionCreated(entry.getKey(), entry.getValue());
+            fAVMNodeDAO.yesCache();
         }
-        return result;
     }
 
     /**
diff --git a/source/java/org/alfresco/repo/avm/AVMServicePermissionsTest.java b/source/java/org/alfresco/repo/avm/AVMServicePermissionsTest.java
index 4e77d515a1..b41bd9fa3d 100644
--- a/source/java/org/alfresco/repo/avm/AVMServicePermissionsTest.java
+++ b/source/java/org/alfresco/repo/avm/AVMServicePermissionsTest.java
@@ -520,13 +520,13 @@ public class AVMServicePermissionsTest extends TestCase
             node = avmNodeDAO.getByID(desc.getId());
             DbAccessControlList dirAcl = node.getAcl();
             assertNotNull(dirAcl);
-            assertTrue(acl.getId() == dirAcl.getId());
+            assertEquals(acl.getId(), dirAcl.getId());
 
             desc = avmService.lookup(-1, storeName + "-layer-base:/layer-to-base/update-dir/update-file");
             node = avmNodeDAO.getByID(desc.getId());
             DbAccessControlList fileAcl = node.getAcl();
             assertNotNull(fileAcl);
-            assertTrue(acl.getId() == fileAcl.getId());
+            assertEquals(acl.getId(), fileAcl.getId());
 
             avmService.createSnapshot(storeName, "store", "store");
             avmService.createSnapshot(storeName + "-layer-base", "store", "store");
@@ -549,7 +549,7 @@ public class AVMServicePermissionsTest extends TestCase
             node = avmNodeDAO.getByID(desc.getId());
             dirAcl = node.getAcl();
             assertNotNull(dirAcl);
-            assertTrue(acl.getId() == dirAcl.getId());
+            assertEquals(acl.getId(), dirAcl.getId());
 
             desc = avmService.lookup(-1, storeName + "-layer-base:/layer-to-base/update-dir/update-file");
             node = avmNodeDAO.getByID(desc.getId());
@@ -597,13 +597,13 @@ public class AVMServicePermissionsTest extends TestCase
             node = avmNodeDAO.getByID(desc.getId());
             DbAccessControlList dirAcl = node.getAcl();
             assertNotNull(dirAcl);
-            assertTrue(acl.getId() == dirAcl.getId());
+            assertEquals(acl.getId(), dirAcl.getId());
 
             desc = avmService.lookup(-1, storeName + "-layer-base:/layer-to-base/update-dir/update-file");
             node = avmNodeDAO.getByID(desc.getId());
             DbAccessControlList fileAcl = node.getAcl();
             assertNotNull(fileAcl);
-            assertTrue(acl.getId() == fileAcl.getId());
+            assertEquals(acl.getId(), fileAcl.getId());
 
             avmService.createSnapshot(storeName, "store", "store");
             avmService.createSnapshot(storeName + "-layer-base", "store", "store");
@@ -628,7 +628,7 @@ public class AVMServicePermissionsTest extends TestCase
             node = avmNodeDAO.getByID(desc.getId());
             dirAcl = node.getAcl();
             assertNotNull(dirAcl);
-            assertTrue(acl.getId() == dirAcl.getId());
+            assertEquals(acl.getId(), dirAcl.getId());
 
             desc = avmService.lookup(-1, storeName + "-layer-base:/layer-to-base/update-dir/update-file");
             node = avmNodeDAO.getByID(desc.getId());
diff --git a/source/java/org/alfresco/repo/avm/AVMServiceTest.java b/source/java/org/alfresco/repo/avm/AVMServiceTest.java
index 5aa8365b3c..43400c9fdd 100644
--- a/source/java/org/alfresco/repo/avm/AVMServiceTest.java
+++ b/source/java/org/alfresco/repo/avm/AVMServiceTest.java
@@ -569,6 +569,7 @@ public class AVMServiceTest extends AVMServiceTestBase
     /**
      * Test Deployment.
      */
+/*
     public void testDeployment() throws Exception
     {
         try
@@ -673,7 +674,7 @@ public class AVMServiceTest extends AVMServiceTestBase
             throw e;
         }
     }
-
+*/
     protected void runQueriesForCreateAndDeploy(String store) throws Exception
     {
         StoreRef storeRef = AVMNodeConverter.ToStoreRef(store);
diff --git a/source/java/org/alfresco/repo/avm/AVMStoreImpl.java b/source/java/org/alfresco/repo/avm/AVMStoreImpl.java
index 5879e25d07..9610231256 100644
--- a/source/java/org/alfresco/repo/avm/AVMStoreImpl.java
+++ b/source/java/org/alfresco/repo/avm/AVMStoreImpl.java
@@ -190,11 +190,14 @@ public class AVMStoreImpl implements AVMStore, Serializable
     @SuppressWarnings("unchecked")
     public Map<String, Integer> createSnapshot(String tag, String description, Map<String, Integer> snapShotMap)
     {
-        VersionRoot lastVersion = AVMDAOs.Instance().fVersionRootDAO.getMaxVersion(this);
+        long rootID = fRoot.getId();
+        AVMStoreImpl me = (AVMStoreImpl)AVMDAOs.Instance().fAVMStoreDAO.getByID(fID);
+        VersionRoot lastVersion = AVMDAOs.Instance().fVersionRootDAO.getMaxVersion(me);
         List<VersionLayeredNodeEntry> layeredEntries =
             AVMDAOs.Instance().fVersionLayeredNodeEntryDAO.get(lastVersion);
         // Is there no need for a snapshot?
-        if (!fRoot.getIsNew() && layeredEntries.size() == 0)
+        DirectoryNode root = (DirectoryNode)AVMDAOs.Instance().fAVMNodeDAO.getByID(rootID);
+        if (!root.getIsNew() && layeredEntries.size() == 0)
         {
             // So, we set the tag and description fields of the latest version.
             if (tag != null || description != null)
@@ -205,13 +208,13 @@ public class AVMStoreImpl implements AVMStore, Serializable
             snapShotMap.put(fName, lastVersion.getVersionID());
             return snapShotMap;
         }
-        snapShotMap.put(fName, fNextVersionID);
+        snapShotMap.put(fName, me.fNextVersionID);
         // Force copies on all the layered nodes from last snapshot.
         for (VersionLayeredNodeEntry entry : layeredEntries)
         {
             String path = entry.getPath();
             path = path.substring(path.indexOf(':') + 1);
-            Lookup lookup = lookup(-1, path, false, false);
+            Lookup lookup = me.lookup(-1, path, false, false);
             if (lookup == null)
             {
                 continue;
@@ -255,59 +258,50 @@ public class AVMStoreImpl implements AVMStore, Serializable
             */
         }
         // Clear out the new nodes.
-        List<Long> newInRep = AVMDAOs.Instance().fAVMNodeDAO.getNewInStoreIDs(this);
-        List<AVMNode> layeredNodes = new ArrayList<AVMNode>();
-        for (Long newGuyID : newInRep)
+        List<Long> allLayeredNodeIDs = AVMDAOs.Instance().fAVMNodeDAO.getNewLayeredInStoreIDs(me);
+        AVMDAOs.Instance().fAVMNodeDAO.clearNewInStore(me);
+        AVMDAOs.Instance().fAVMNodeDAO.clear();
+        List<Long> layeredNodeIDs = new ArrayList<Long>();
+        for (Long layeredID : allLayeredNodeIDs)
         {
-            AVMNode newGuy = AVMDAOs.Instance().fAVMNodeDAO.getByID(newGuyID);
-            newGuy.setStoreNew(null);
-            Layered layered = null;
-            if (newGuy.getType() == AVMNodeType.LAYERED_DIRECTORY &&
-                ((LayeredDirectoryNode)newGuy).getPrimaryIndirection())
+            Layered layered = (Layered)AVMDAOs.Instance().fAVMNodeDAO.getByID(layeredID);
+            String indirection = layered.getIndirection();
+            if (indirection == null)
             {
-                layered = (Layered)AVMNodeUnwrapper.Unwrap(newGuy);
+                continue;
             }
-            if (newGuy.getType() == AVMNodeType.LAYERED_FILE)
+            layeredNodeIDs.add(layeredID);
+            String storeName = indirection.substring(0, indirection.indexOf(':'));
+            if (!snapShotMap.containsKey(storeName))
             {
-                layered = (Layered)AVMNodeUnwrapper.Unwrap(newGuy);
-            }
-            if (layered != null)
-            {
-                layeredNodes.add(newGuy);
-                String indirection = layered.getIndirection();
-                String storeName = indirection.substring(0, indirection.indexOf(':'));
-                if (!snapShotMap.containsKey(storeName))
+                AVMStore store = AVMDAOs.Instance().fAVMStoreDAO.getByName(storeName);
+                if (store == null)
                 {
-                    AVMStore store = AVMDAOs.Instance().fAVMStoreDAO.getByName(storeName);
-                    if (store == null)
-                    {
-                        layered.setIndirectionVersion(-1);
-                    }
-                    else
-                    {
-                        store.createSnapshot(null, null, snapShotMap);
-                        layered.setIndirectionVersion(snapShotMap.get(storeName));
-                    }
+                    layered.setIndirectionVersion(-1);
                 }
                 else
                 {
+                    store.createSnapshot(null, null, snapShotMap);
+                    layered = (Layered)AVMDAOs.Instance().fAVMNodeDAO.getByID(layeredID);
                     layered.setIndirectionVersion(snapShotMap.get(storeName));
                 }
             }
             else
             {
-                AVMDAOs.Instance().fAVMNodeDAO.evict(newGuy);
+                layered.setIndirectionVersion(snapShotMap.get(storeName));
             }
         }
+        AVMDAOs.Instance().fAVMNodeDAO.flush();
         // Make up a new version record.
         String user = RawServices.Instance().getAuthenticationComponent().getCurrentUserName();
         if (user == null)
         {
             user = RawServices.Instance().getAuthenticationComponent().getSystemUserName();
         }
-        VersionRoot versionRoot = new VersionRootImpl(this,
-                                                      fRoot,
-                                                      fNextVersionID++,
+        me = (AVMStoreImpl)AVMDAOs.Instance().fAVMStoreDAO.getByID(fID);
+        VersionRoot versionRoot = new VersionRootImpl(me,
+                                                      me.fRoot,
+                                                      me.fNextVersionID++,
                                                       System.currentTimeMillis(),
                                                       user,
                                                       tag,
@@ -315,8 +309,9 @@ public class AVMStoreImpl implements AVMStore, Serializable
         // Another embarassing flush needed.
         AVMDAOs.Instance().fAVMNodeDAO.flush();
         AVMDAOs.Instance().fVersionRootDAO.save(versionRoot);
-        for (AVMNode node : layeredNodes)
+        for (Long nodeID : layeredNodeIDs)
         {
+            AVMNode node = AVMDAOs.Instance().fAVMNodeDAO.getByID(nodeID);
             List<String> paths = fAVMRepository.getVersionPaths(versionRoot, node);
             for (String path : paths)
             {
@@ -325,7 +320,6 @@ public class AVMStoreImpl implements AVMStore, Serializable
                 AVMDAOs.Instance().fVersionLayeredNodeEntryDAO.save(entry);
             }
         }
-        // Increment the version id.
         return snapShotMap;
     }
 
diff --git a/source/java/org/alfresco/repo/avm/hibernate/AVM.hbm.xml b/source/java/org/alfresco/repo/avm/hibernate/AVM.hbm.xml
index 6e8540eff6..3028976710 100644
--- a/source/java/org/alfresco/repo/avm/hibernate/AVM.hbm.xml
+++ b/source/java/org/alfresco/repo/avm/hibernate/AVM.hbm.xml
@@ -92,9 +92,11 @@
                 <property name="indirectionVersion" type="int" column="indirection_version"/>
                 <!-- This marks a layered directory as either knowing itself what
                     it points at (true) or inheriting what it points at from its
-                    container (false). -->
+                    container (false).
+                    Ideally we would have the column 'indirection' in the index but it is too long.
+                -->
                 <property name="primaryIndirection"
-                    column="primary_indirection" type="boolean" index="idx_avm_lyr_indn" />
+                    column="primary_indirection" type="boolean" index="idx_avm_n_pi" />
                 <property name="opacity" column="opacity" type="boolean"/>
                 <!-- Map of names to DirectoryEntries. -->
             </subclass>
@@ -281,6 +283,27 @@
         where an.storeNew = :store
     ]]>
     </query>
+    <query name="AVMNode.ClearNewInStore">
+    <![CDATA[
+        update versioned AVMNodeImpl an
+        set an.storeNew = null
+        where an.storeNew = :store
+    ]]>
+    </query>
+    <query name="AVMNode.GetNewLayeredDirectory">
+    <![CDATA[
+        select an.id
+        from LayeredDirectoryNodeImpl an
+        where an.storeNew = :store
+    ]]>
+    </query>
+    <query name="AVMNode.GetNewLayeredFile">
+    <![CDATA[
+        select an.id
+        from LayeredFileNodeImpl an
+        where an.storeNew = :store
+    ]]>
+    </query>
     <query name="AVMNode.GetDescendents">
     <![CDATA[
         select hl.descendent
diff --git a/source/java/org/alfresco/repo/avm/hibernate/AVMNodeDAOHibernate.java b/source/java/org/alfresco/repo/avm/hibernate/AVMNodeDAOHibernate.java
index 1e6ad46524..ddb926cba7 100644
--- a/source/java/org/alfresco/repo/avm/hibernate/AVMNodeDAOHibernate.java
+++ b/source/java/org/alfresco/repo/avm/hibernate/AVMNodeDAOHibernate.java
@@ -33,7 +33,12 @@ import org.alfresco.repo.avm.AVMStore;
 import org.alfresco.repo.avm.DirectoryNode;
 import org.alfresco.repo.avm.LayeredDirectoryNode;
 import org.alfresco.repo.avm.LayeredFileNode;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.hibernate.CacheMode;
 import org.hibernate.Query;
+import org.hibernate.impl.SessionImpl;
+import org.hibernate.stat.SessionStatistics;
 import org.springframework.orm.hibernate3.support.HibernateDaoSupport;
 
 /**
@@ -43,6 +48,8 @@ import org.springframework.orm.hibernate3.support.HibernateDaoSupport;
 class AVMNodeDAOHibernate extends HibernateDaoSupport implements
         AVMNodeDAO
 {
+    private static Log fgLogger = LogFactory.getLog(AVMNodeDAOHibernate.class);
+
     /**
      * Do nothing constructor.
      */
@@ -232,4 +239,57 @@ class AVMNodeDAOHibernate extends HibernateDaoSupport implements
         getSession().flush();
         getSession().evict(node);
     }
+
+    /* (non-Javadoc)
+     * @see org.alfresco.repo.avm.AVMNodeDAO#clear()
+     */
+    public void clear()
+    {
+        fgLogger.error(getSession().getStatistics());
+        getSession().flush();
+        getSession().clear();
+        fgLogger.error(getSession().getStatistics());
+    }
+
+    /* (non-Javadoc)
+     * @see org.alfresco.repo.avm.AVMNodeDAO#noCache()
+     */
+    public void noCache()
+    {
+        getSession().getSessionFactory().evict(AVMNodeImpl.class);
+        getSession().setCacheMode(CacheMode.IGNORE);
+    }
+
+    /* (non-Javadoc)
+     * @see org.alfresco.repo.avm.AVMNodeDAO#yesCache()
+     */
+    public void yesCache()
+    {
+        getSession().setCacheMode(CacheMode.NORMAL);
+    }
+
+    /* (non-Javadoc)
+     * @see org.alfresco.repo.avm.AVMNodeDAO#clearNewInStore(org.alfresco.repo.avm.AVMStore)
+     */
+    public void clearNewInStore(AVMStore store)
+    {
+        Query query = getSession().getNamedQuery("AVMNode.ClearNewInStore");
+        query.setEntity("store", store);
+        query.executeUpdate();
+    }
+
+    /* (non-Javadoc)
+     * @see org.alfresco.repo.avm.AVMNodeDAO#getNewLayeredInStoreIDs(org.alfresco.repo.avm.AVMStore)
+     */
+    @SuppressWarnings("unchecked")
+    public List<Long> getNewLayeredInStoreIDs(AVMStore store)
+    {
+        Query query = getSession().getNamedQuery("AVMNode.GetNewLayeredDirectory");
+        query.setEntity("store", store);
+        List<Long> ids = (List<Long>)query.list();
+        query = getSession().getNamedQuery("AVMNode.GetNewLayeredFile");
+        query.setEntity("store", store);
+        ids.addAll((List<Long>)query.list());
+        return ids;
+    }
 }
diff --git a/source/java/org/alfresco/repo/domain/DbPermission.java b/source/java/org/alfresco/repo/domain/DbPermission.java
index 374857541d..d05e1ba19f 100644
--- a/source/java/org/alfresco/repo/domain/DbPermission.java
+++ b/source/java/org/alfresco/repo/domain/DbPermission.java
@@ -26,8 +26,6 @@ package org.alfresco.repo.domain;
 
 import java.io.Serializable;
 
-import org.alfresco.service.namespace.QName;
-
 /**
  * The interface against which permission references are persisted in hibernate.
  * 
@@ -48,12 +46,12 @@ public interface DbPermission extends Serializable
     /**
      * @return Returns the qualified name of this permission
      */
-    public QName getTypeQname();
+    public QNameEntity getTypeQName();
     
     /**
      * @param qname the entity representing the qname for this instance
      */
-    public void setTypeQname(QName qname);
+    public void setTypeQName(QNameEntity typeQNameEntity);
 
     /**
      * @return Returns the permission name
diff --git a/source/java/org/alfresco/repo/domain/hibernate/AclDaoComponentImpl.java b/source/java/org/alfresco/repo/domain/hibernate/AclDaoComponentImpl.java
index 4dcbedd766..828b4f9cb8 100644
--- a/source/java/org/alfresco/repo/domain/hibernate/AclDaoComponentImpl.java
+++ b/source/java/org/alfresco/repo/domain/hibernate/AclDaoComponentImpl.java
@@ -39,6 +39,8 @@ import org.alfresco.repo.domain.DbAccessControlListChangeSet;
 import org.alfresco.repo.domain.DbAccessControlListMember;
 import org.alfresco.repo.domain.DbAuthority;
 import org.alfresco.repo.domain.DbPermission;
+import org.alfresco.repo.domain.QNameDAO;
+import org.alfresco.repo.domain.QNameEntity;
 import org.alfresco.repo.node.db.hibernate.HibernateNodeDaoServiceImpl;
 import org.alfresco.repo.security.permissions.ACLCopyMode;
 import org.alfresco.repo.security.permissions.ACLType;
@@ -54,6 +56,7 @@ import org.alfresco.repo.security.permissions.impl.AclDaoComponent;
 import org.alfresco.repo.security.permissions.impl.SimplePermissionReference;
 import org.alfresco.repo.transaction.AlfrescoTransactionSupport;
 import org.alfresco.service.cmr.security.AccessStatus;
+import org.alfresco.service.namespace.QName;
 import org.alfresco.util.GUID;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -93,6 +96,8 @@ public class AclDaoComponentImpl extends HibernateDaoSupport implements AclDaoCo
 
     static String QUERY_GET_LATEST_ACL_BY_ACLID = "permission.FindLatestAclByGuid";
 
+    /** Access to QName entities */
+    private QNameDAO qnameDAO;
     /** a transactionally-safe cache to be injected */
     private SimpleCache<Long, AccessControlList> aclCache;
 
@@ -107,6 +112,14 @@ public class AclDaoComponentImpl extends HibernateDaoSupport implements AclDaoCo
         DbAccessControlListImpl.setAclDaoComponent(this);
     }
 
+    /**
+     * Set the DAO for accessing QName entities
+     */
+    public void setQnameDAO(QNameDAO qnameDAO)
+    {
+        this.qnameDAO = qnameDAO;
+    }
+
     public void setAclCache(SimpleCache<Long, AccessControlList> aclCache)
     {
         this.aclCache = aclCache;
@@ -1002,8 +1015,8 @@ public class AclDaoComponentImpl extends HibernateDaoSupport implements AclDaoCo
                 context.setPropertyContext(member.getAccessControlEntry().getContext().getPropertyContext());
                 entry.setContext(context);
             }
-            SimplePermissionReference permissionRefernce = new SimplePermissionReference(member.getAccessControlEntry().getPermission().getTypeQname(), member
-                    .getAccessControlEntry().getPermission().getName());
+            DbPermission perm = member.getAccessControlEntry().getPermission();
+            SimplePermissionReference permissionRefernce = new SimplePermissionReference(perm.getTypeQName().getQName(), perm.getName());
             entry.setPermission(permissionRefernce);
             entry.setPosition(member.getPosition());
 
@@ -1176,6 +1189,7 @@ public class AclDaoComponentImpl extends HibernateDaoSupport implements AclDaoCo
 
     }
 
+    @SuppressWarnings("unchecked")
     public List<AclChange> setAccessControlEntry(Long id, final AccessControlEntry ace)
     {
         DbAccessControlList target = (DbAccessControlList) getHibernateTemplate().get(DbAccessControlListImpl.class, id);
@@ -1222,13 +1236,17 @@ public class AclDaoComponentImpl extends HibernateDaoSupport implements AclDaoCo
 
         // Find permission
 
+        final QName permissionQName = ace.getPermission().getQName();
+        final String permissionName = ace.getPermission().getName();
+        final QNameEntity permissionQNameEntity = qnameDAO.getOrCreateQNameEntity(permissionQName);
+        
         callback = new HibernateCallback()
         {
             public Object doInHibernate(Session session)
             {
                 Query query = session.getNamedQuery(QUERY_GET_PERMISSION);
-                query.setParameter("permissionTypeQName", ace.getPermission().getQName());
-                query.setParameter("permissionName", ace.getPermission().getName());
+                query.setParameter("permissionTypeQName", permissionQNameEntity);
+                query.setParameter("permissionName", permissionName);
                 return query.uniqueResult();
             }
         };
@@ -1236,8 +1254,8 @@ public class AclDaoComponentImpl extends HibernateDaoSupport implements AclDaoCo
         if (permission == null)
         {
             DbPermissionImpl newPermission = new DbPermissionImpl();
-            newPermission.setTypeQname(ace.getPermission().getQName());
-            newPermission.setName(ace.getPermission().getName());
+            newPermission.setTypeQName(permissionQNameEntity);
+            newPermission.setName(permissionName);
             permission = newPermission;
             getHibernateTemplate().save(newPermission);
         }
@@ -1536,6 +1554,7 @@ public class AclDaoComponentImpl extends HibernateDaoSupport implements AclDaoCo
         return avmNodeIds;
     }
 
+    @SuppressWarnings("unchecked")
     private List<AclChange> disableInheritanceImpl(Long id, boolean setInheritedOnAcl, DbAccessControlList acl)
     {
         List<AclChange> changes = new ArrayList<AclChange>();
@@ -1583,8 +1602,8 @@ public class AclDaoComponentImpl extends HibernateDaoSupport implements AclDaoCo
                     context.setPropertyContext(member.getAccessControlEntry().getContext().getPropertyContext());
                     entry.setContext(context);
                 }
-                SimplePermissionReference permissionRefernce = new SimplePermissionReference(member.getAccessControlEntry().getPermission().getTypeQname(), member
-                        .getAccessControlEntry().getPermission().getName());
+                DbPermission perm = member.getAccessControlEntry().getPermission();
+                SimplePermissionReference permissionRefernce = new SimplePermissionReference(perm.getTypeQName().getQName(), perm.getName());
                 entry.setPermission(permissionRefernce);
                 entry.setPosition(Integer.valueOf(0));
 
@@ -1676,11 +1695,13 @@ public class AclDaoComponentImpl extends HibernateDaoSupport implements AclDaoCo
 
             if (pattern.getPermission() != null)
             {
-                if ((pattern.getPermission().getQName() != null) && (!pattern.getPermission().getQName().equals(entry.getPermission().getTypeQname())))
+                final QName patternQName = pattern.getPermission().getQName();
+                if ((patternQName != null) && (!patternQName.equals(entry.getPermission().getTypeQName().getQName())))
                 {
                     return false;
                 }
-                if ((pattern.getPermission().getName() != null) && (!pattern.getPermission().getName().equals(entry.getPermission().getName())))
+                final String patternName = pattern.getPermission().getName();
+                if ((patternName != null) && (!patternName.equals(entry.getPermission().getName())))
                 {
                     return false;
                 }
diff --git a/source/java/org/alfresco/repo/domain/hibernate/DbAccessControlEntryImpl.java b/source/java/org/alfresco/repo/domain/hibernate/DbAccessControlEntryImpl.java
index 57aee8b0bf..6029f5d4e9 100644
--- a/source/java/org/alfresco/repo/domain/hibernate/DbAccessControlEntryImpl.java
+++ b/source/java/org/alfresco/repo/domain/hibernate/DbAccessControlEntryImpl.java
@@ -32,8 +32,6 @@ import org.alfresco.repo.domain.DbAuthority;
 import org.alfresco.repo.domain.DbPermission;
 import org.alfresco.repo.domain.DbPermissionKey;
 import org.alfresco.repo.security.permissions.ACEType;
-import org.alfresco.service.namespace.QName;
-import org.hibernate.CallbackException;
 import org.hibernate.Session;
 
 /**
@@ -71,9 +69,15 @@ public class DbAccessControlEntryImpl implements DbAccessControlEntry, Serializa
     public String toString()
     {
         StringBuilder sb = new StringBuilder(128);
-        sb.append("DbAccessControlEntryImpl").append("[ id=").append(id).append(", version=").append(version).append(", permission=").append(permission.getKey()).append(
-                ", authority=").append(authority.getAuthority()).append(", allowed=").append(allowed).append(", authorityDeleted=").append(", aceType=")
-                .append(ACEType.getACETypeFromId(aceType)).append(", context=").append(context).append("]");
+        sb.append("DbAccessControlEntryImpl")
+          .append("[ id=").append(id)
+          .append(", version=").append(version)
+          .append(", permission=").append(permission.getKey())
+          .append(", authority=").append(authority.getAuthority())
+          .append(", allowed=").append(allowed)
+          .append(", aceType=").append(ACEType.getACETypeFromId(aceType))
+          .append(", context=").append(context)
+          .append("]");
         return sb.toString();
     }
 
diff --git a/source/java/org/alfresco/repo/domain/hibernate/DbPermissionImpl.java b/source/java/org/alfresco/repo/domain/hibernate/DbPermissionImpl.java
index 02cfa74367..d5bd81f381 100644
--- a/source/java/org/alfresco/repo/domain/hibernate/DbPermissionImpl.java
+++ b/source/java/org/alfresco/repo/domain/hibernate/DbPermissionImpl.java
@@ -28,12 +28,9 @@ import java.io.Serializable;
 
 import org.alfresco.repo.domain.DbPermission;
 import org.alfresco.repo.domain.DbPermissionKey;
+import org.alfresco.repo.domain.QNameEntity;
 import org.alfresco.service.namespace.QName;
 import org.alfresco.util.EqualsHelper;
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-import org.hibernate.CallbackException;
-import org.hibernate.Query;
 import org.hibernate.Session;
 
 /**
@@ -45,14 +42,9 @@ public class DbPermissionImpl implements DbPermission, Serializable
 {
     private static final long serialVersionUID = -6352566900815035461L;
 
-    private static Log logger = LogFactory.getLog(DbPermissionImpl.class);
-
     private Long id;
-
     private Long version;
-
-    private QName typeQname;
-
+    private QNameEntity typeQName;
     private String name;
 
     public DbPermissionImpl()
@@ -64,8 +56,12 @@ public class DbPermissionImpl implements DbPermission, Serializable
     public String toString()
     {
         StringBuilder sb = new StringBuilder(128);
-        sb.append("DbPermissionImpl").append("[ id=").append(id).append(", version=").append(version).append(", typeQname=").append(typeQname).append(", name=").append(getName())
-                .append("]");
+        sb.append("DbPermissionImpl")
+          .append("[ id=").append(id)
+          .append(", version=").append(version)
+          .append(", typeQName=").append(typeQName.getQName())
+          .append(", name=").append(getName())
+          .append("]");
         return sb.toString();
     }
 
@@ -81,13 +77,13 @@ public class DbPermissionImpl implements DbPermission, Serializable
             return false;
         }
         DbPermission other = (DbPermission) o;
-        return (EqualsHelper.nullSafeEquals(typeQname, other.getTypeQname())) && (EqualsHelper.nullSafeEquals(name, other.getName()));
+        return (EqualsHelper.nullSafeEquals(typeQName, other.getTypeQName())) && (EqualsHelper.nullSafeEquals(name, other.getName()));
     }
 
     @Override
     public int hashCode()
     {
-        return typeQname.hashCode() + (37 * name.hashCode());
+        return typeQName.hashCode() + (37 * name.hashCode());
     }
 
     public Long getId()
@@ -118,14 +114,14 @@ public class DbPermissionImpl implements DbPermission, Serializable
         this.version = version;
     }
 
-    public QName getTypeQname()
+    public QNameEntity getTypeQName()
     {
-        return typeQname;
+        return typeQName;
     }
 
-    public void setTypeQname(QName typeQname)
+    public void setTypeQName(QNameEntity typeQName)
     {
-        this.typeQname = typeQname;
+        this.typeQName = typeQName;
     }
 
     public String getName()
@@ -140,7 +136,7 @@ public class DbPermissionImpl implements DbPermission, Serializable
 
     public DbPermissionKey getKey()
     {
-        return new DbPermissionKey(typeQname, name);
+        return new DbPermissionKey(typeQName.getQName(), name);
     }
 
     /**
diff --git a/source/java/org/alfresco/repo/domain/hibernate/Permission.hbm.xml b/source/java/org/alfresco/repo/domain/hibernate/Permission.hbm.xml
index 3fbe11567f..78b9c7eb81 100644
--- a/source/java/org/alfresco/repo/domain/hibernate/Permission.hbm.xml
+++ b/source/java/org/alfresco/repo/domain/hibernate/Permission.hbm.xml
@@ -6,8 +6,6 @@
 
 <hibernate-mapping>
 
-    <typedef class="org.alfresco.repo.domain.hibernate.QNameUserType" name="QName" />
-
     <class
          name="org.alfresco.repo.domain.hibernate.DbAccessControlListChangeSetImpl"
          proxy="org.alfresco.repo.domain.DbAccessControlListChangeSet"
@@ -54,9 +52,9 @@
         
         <version column="version" name="version" type="long" />
 
-        <property name="inherits" column="inherits" type="boolean" not-null="true" index="idx_pm_acl_inh" />
+        <property name="inherits" column="inherits" type="boolean" not-null="true" index="idx_alf_acl_inh" />
         
-        <property name="inheritsFrom" column="inherits_from" type="long" not-null="false" index="idx_pm_acl_inh" />
+        <property name="inheritsFrom" column="inherits_from" type="long" not-null="false" index="idx_alf_acl_inh" />
         
         <property name="type" column="type" type="int" not-null="true" />    
              
@@ -174,8 +172,17 @@
             <generator class="native" />
         </id>
 
-        <natural-id mutable="true">
-           <property name="typeQname" column="type_qname" type="QName" length="200" />
+        <natural-id mutable="true" >
+            <many-to-one
+                name="typeQName"
+                class="org.alfresco.repo.domain.hibernate.QNameEntityImpl"
+                column="type_qname_id"
+                foreign-key="fk_alf_perm_tqn"
+                lazy="proxy"
+                fetch="select"
+                unique="false"
+                not-null="true"
+                cascade="none" />
            <property name="name" type="string" length="100" column="name" />
         </natural-id>
 
@@ -199,9 +206,9 @@
         
         <version column="version" name="version" type="long" />
         
-        <property name="authority" column="authority" type="string" length="100" unique-key="uidx_auth_name" index="idx_authority" />
-		
-		<property name="crc" column="crc" type="long" unique-key="uidx_auth_name" /> 
+        <property name="authority" column="authority" type="string" length="100" unique-key="uidx_auth_name" index="idx_alf_auth_aut" />
+
+        <property name="crc" column="crc" type="long" unique-key="uidx_auth_name" /> 
 
     </class>
     
@@ -268,7 +275,7 @@
       from
          org.alfresco.repo.domain.hibernate.DbPermissionImpl as permission
       where
-         permission.typeQname = :permissionTypeQName and
+         permission.typeQName = :permissionTypeQName and
          permission.name = :permissionName
    </query>
     
@@ -402,7 +409,7 @@
          ace.authority.recipient = :authorityRecipient and
          ace.allowed = :allow and
          ace.permission.name = :permissionName and
-         ace.permission.typeQname = :permissionTypeQname
+         ace.permission.typeQName = :permissionTypeQname
    </query>
 -->    
 </hibernate-mapping>
\ No newline at end of file
diff --git a/source/java/org/alfresco/repo/security/authentication/AbstractAuthenticationComponent.java b/source/java/org/alfresco/repo/security/authentication/AbstractAuthenticationComponent.java
index e9a6df7a2e..f96954e0a8 100644
--- a/source/java/org/alfresco/repo/security/authentication/AbstractAuthenticationComponent.java
+++ b/source/java/org/alfresco/repo/security/authentication/AbstractAuthenticationComponent.java
@@ -32,8 +32,14 @@ import net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken;
 import net.sf.acegisecurity.providers.dao.User;
 
 import org.alfresco.error.AlfrescoRuntimeException;
+import org.alfresco.model.ContentModel;
 import org.alfresco.repo.tenant.TenantService;
+import org.alfresco.repo.transaction.RetryingTransactionHelper;
+import org.alfresco.service.cmr.repository.NodeRef;
+import org.alfresco.service.cmr.repository.NodeService;
 import org.alfresco.service.cmr.security.PermissionService;
+import org.alfresco.service.cmr.security.PersonService;
+import org.alfresco.service.transaction.TransactionService;
 
 /**
  * This class abstract the support required to set up and query the Acegi context for security enforcement. There are
@@ -50,6 +56,12 @@ public abstract class AbstractAuthenticationComponent implements AuthenticationC
     
     private TenantService tenantService;
 
+    private PersonService personService;
+
+    private NodeService nodeService;
+
+    private TransactionService transactionService;
+
     public AbstractAuthenticationComponent()
     {
         super();
@@ -70,6 +82,26 @@ public abstract class AbstractAuthenticationComponent implements AuthenticationC
     	this.tenantService = tenantService;
     }
 
+    public void setPersonService(PersonService personService)
+    {
+        this.personService = personService;
+    }
+
+    public void setNodeService(NodeService nodeService)
+    {
+        this.nodeService = nodeService;
+    }
+
+    public void setTransactionService(TransactionService transactionService)
+    {
+        this.transactionService = transactionService;
+    }
+    
+    public TransactionService getTransactionService()
+    {
+        return transactionService;
+    }
+
     public void authenticate(String userName, char[] password) throws AuthenticationException
     {
         // Support guest login from the login screen
@@ -84,9 +116,9 @@ public abstract class AbstractAuthenticationComponent implements AuthenticationC
     }
 
     /**
-     * Default unsupported authentication implementation 
-     *  - as of 2.1 this is the best way to implement your own authentication component as it will support guest login
-     *  - prior to this direct over ride for authenticate(String , char[]) was used. This will still work.
+     * Default unsupported authentication implementation - as of 2.1 this is the best way to implement your own
+     * authentication component as it will support guest login - prior to this direct over ride for authenticate(String ,
+     * char[]) was used. This will still work.
      * 
      * @param userName
      * @param password
@@ -96,6 +128,37 @@ public abstract class AbstractAuthenticationComponent implements AuthenticationC
         throw new UnsupportedOperationException();
     }
 
+    public Authentication setCurrentUser(final String userName) throws AuthenticationException
+    {
+        if (AuthenticationUtil.getSystemUserName().equals(userName))
+        {
+            return setCurrentUserImpl(userName);
+        }
+        else
+        {
+            return transactionService.getRetryingTransactionHelper().doInTransaction(new RetryingTransactionHelper.RetryingTransactionCallback<Authentication>()
+            {
+
+                public Authentication execute() throws Throwable
+                {
+                    NodeRef userNode = personService.getPerson(userName);
+                    if (userNode != null)
+                    {
+                        // Get the person name and use that as the current user to line up with permission checks
+                        String personName = (String) nodeService.getProperty(userNode, ContentModel.PROP_USERNAME);
+                        return setCurrentUserImpl(personName);
+
+                    }
+                    else
+                    {
+                        // Set using the user name
+                        return setCurrentUserImpl(userName);
+                    }
+                }
+            }, false, false);
+        }
+    }
+
     /**
      * Explicitly set the current user to be authenticated.
      * 
@@ -103,7 +166,7 @@ public abstract class AbstractAuthenticationComponent implements AuthenticationC
      *            String
      * @return Authentication
      */
-    public Authentication setCurrentUser(String userName) throws AuthenticationException
+    private Authentication setCurrentUserImpl(String userName) throws AuthenticationException
     {
         if (userName == null)
         {
diff --git a/source/java/org/alfresco/repo/security/authentication/ntlm/NTLMAuthenticationComponentImpl.java b/source/java/org/alfresco/repo/security/authentication/ntlm/NTLMAuthenticationComponentImpl.java
index 074135f8f6..83e33f462b 100644
--- a/source/java/org/alfresco/repo/security/authentication/ntlm/NTLMAuthenticationComponentImpl.java
+++ b/source/java/org/alfresco/repo/security/authentication/ntlm/NTLMAuthenticationComponentImpl.java
@@ -118,12 +118,6 @@ public class NTLMAuthenticationComponentImpl extends AbstractAuthenticationCompo
     
     private PassthruReaperThread m_reaperThread;
     
-    // Person service, used to map passthru usernames to Alfresco person names
-    
-    private PersonService m_personService;
-    private NodeService m_nodeService;
-    private TransactionService m_transactionService;
-    
     /**
      * Passthru Session Reaper Thread
      */
@@ -467,36 +461,6 @@ public class NTLMAuthenticationComponentImpl extends AbstractAuthenticationCompo
         }
     }
     
-    /**
-     * Set the person service
-     * 
-     * @param personService PersonService
-     */
-    public final void setPersonService(PersonService personService)
-    {
-        m_personService = personService;
-    }
-    
-    /**
-     * Set the node service
-     * 
-     * @param nodeService NodeService
-     */
-    public final void setNodeService(NodeService nodeService)
-    {
-        m_nodeService = nodeService;
-    }
-    
-    /**
-     * Set the transaction service
-     * 
-     * @param transService TransactionService
-     */
-    public final void setTransactionService(TransactionService transService)
-    {
-        m_transactionService = transService;
-    }
-
     /**
      * Return the authentication session timeout, in milliseconds
      * 
@@ -693,31 +657,7 @@ public class NTLMAuthenticationComponentImpl extends AbstractAuthenticationCompo
             
             // Map the passthru username to an Alfresco person
             
-            NodeRef userNode = m_personService.getPerson(username);
-            if ( userNode != null)
-            {
-                // Get the person name and use that as the current user to line up with permission checks
-                
-                String personName = (String) m_nodeService.getProperty(userNode, ContentModel.PROP_USERNAME);
-                setCurrentUser(personName);
-                
-                // DEBUG
-                
-                if ( logger.isDebugEnabled())
-                    logger.debug("Setting current user using person " + personName + " (username " + username + ")");
-            }
-            else
-            {
-                // Set using the user name
-                
-              
-                setCurrentUser( username);
-                
-                // DEBUG
-                
-                if ( logger.isDebugEnabled())
-                    logger.debug("Setting current user using username " + username);
-            }
+            setCurrentUser( username);
             
             // Debug
             
@@ -875,35 +815,13 @@ public class NTLMAuthenticationComponentImpl extends AbstractAuthenticationCompo
 
                 // Wrap the service calls in a transaction
                 
-            	tx = m_transactionService.getUserTransaction( false);
+            	tx = getTransactionService().getUserTransaction( false);
             	tx.begin();
             	
                 // Map the passthru username to an Alfresco person
                 
-                NodeRef userNode = m_personService.getPerson(username);
-                if ( userNode != null)
-                {
-                    // Get the person name and use that as the current user to line up with permission checks
+                setCurrentUser( username);
                     
-                    String personName = (String) m_nodeService.getProperty(userNode, ContentModel.PROP_USERNAME);
-                    setCurrentUser(personName);
-                    
-                    // DEBUG
-                    
-                    if ( logger.isDebugEnabled())
-                        logger.debug("Setting current user using person " + personName + " (username " + username + ")");
-                }
-                else
-                {
-                    // Set using the user name
-                    
-                    setCurrentUser( username);
-                    
-                    // DEBUG
-                    
-                    if ( logger.isDebugEnabled())
-                        logger.debug("Setting current user using username " + username);
-                }
             }
             catch (NoSuchPersonException ex)
             {