diff --git a/config/alfresco/authentication-services-context.xml b/config/alfresco/authentication-services-context.xml
index 2775dc41bd..75962dbec9 100644
--- a/config/alfresco/authentication-services-context.xml
+++ b/config/alfresco/authentication-services-context.xml
@@ -78,6 +78,15 @@
             <value>org.alfresco.repo.security.authentication.MutableAuthenticationDao</value>
          </list>
       </property>
+      <!-- A generic fallback implementation, in case the chain doesn't provide one-->
+      <property name="defaultTarget">
+         <bean class="org.alfresco.repo.security.authentication.DefaultMutableAuthenticationDao">
+            <property name="allowSetEnabled" value="true" />
+            <property name="allowGetEnabled" value="true" />
+            <property name="allowDeleteUser" value="true" />
+            <property name="allowCreateUser" value="true" />
+         </bean>
+      </property>
    </bean>
 
    <!-- Allow the authentication subsystem to listen for SMB Server session events -->
diff --git a/config/alfresco/invitation-service-context.xml b/config/alfresco/invitation-service-context.xml
index b3b898859d..135b1a8e61 100644
--- a/config/alfresco/invitation-service-context.xml
+++ b/config/alfresco/invitation-service-context.xml
@@ -8,7 +8,6 @@
         <property name="personService" ref="PersonService"/>
         <property name="permissionService" ref="PermissionService"/>
         <property name="authenticationService" ref="AuthenticationService"/>
-        <property name="mutableAuthenticationDao" ref="authenticationDao"/>
         <property name="siteService" ref="SiteService"/>
         <property name="namespaceService" ref="NamespaceService"/>
         <property name="nodeService" ref="NodeService"/>
diff --git a/config/alfresco/public-services-context.xml b/config/alfresco/public-services-context.xml
index 51b528ac9d..ff7cfa0c13 100644
--- a/config/alfresco/public-services-context.xml
+++ b/config/alfresco/public-services-context.xml
@@ -612,7 +612,7 @@
 
     <bean id="AuthenticationService" class="org.springframework.aop.framework.ProxyFactoryBean">
         <property name="proxyInterfaces">
-            <value>org.alfresco.service.cmr.security.AuthenticationService</value>
+            <value>org.alfresco.service.cmr.security.MutableAuthenticationService</value>
         </property>
         <property name="target">
             <ref bean="authenticationService"/>
diff --git a/config/alfresco/public-services-security-context.xml b/config/alfresco/public-services-security-context.xml
index 1a87166940..b3fea8bbf7 100644
--- a/config/alfresco/public-services-security-context.xml
+++ b/config/alfresco/public-services-security-context.xml
@@ -747,11 +747,12 @@
         <property name="afterInvocationManager"><ref local="afterInvocationManager"/></property>
         <property name="objectDefinitionSource">
             <value>
-                org.alfresco.service.cmr.security.AuthenticationService.createAuthentication=ACL_METHOD.ROLE_ADMINISTRATOR
-                org.alfresco.service.cmr.security.AuthenticationService.updateAuthentication=ACL_ALLOW
-                org.alfresco.service.cmr.security.AuthenticationService.setAuthentication=ACL_METHOD.ROLE_ADMINISTRATOR
-                org.alfresco.service.cmr.security.AuthenticationService.deleteAuthentication=ACL_METHOD.ROLE_ADMINISTRATOR
-                org.alfresco.service.cmr.security.AuthenticationService.setAuthenticationEnabled=ACL_METHOD.ROLE_ADMINISTRATOR
+                org.alfresco.service.cmr.security.MutableAuthenticationService.isAuthenticationMutable=ACL_ALLOW
+                org.alfresco.service.cmr.security.MutableAuthenticationService.createAuthentication=ACL_METHOD.ROLE_ADMINISTRATOR
+                org.alfresco.service.cmr.security.MutableAuthenticationService.updateAuthentication=ACL_ALLOW
+                org.alfresco.service.cmr.security.MutableAuthenticationService.setAuthentication=ACL_METHOD.ROLE_ADMINISTRATOR
+                org.alfresco.service.cmr.security.MutableAuthenticationService.deleteAuthentication=ACL_METHOD.ROLE_ADMINISTRATOR
+                org.alfresco.service.cmr.security.MutableAuthenticationService.setAuthenticationEnabled=ACL_METHOD.ROLE_ADMINISTRATOR
                 org.alfresco.service.cmr.security.AuthenticationService.getAuthenticationEnabled=ACL_METHOD.ROLE_ADMINISTRATOR
                 org.alfresco.service.cmr.security.AuthenticationService.authenticationExists=ACL_METHOD.ROLE_ADMINISTRATOR
                 org.alfresco.service.cmr.security.AuthenticationService.getCurrentUserName=ACL_ALLOW
diff --git a/config/alfresco/subsystems/Authentication/alfrescoNtlm/alfresco-authentication-context.xml b/config/alfresco/subsystems/Authentication/alfrescoNtlm/alfresco-authentication-context.xml
index 27398e0bdf..be86435f4c 100644
--- a/config/alfresco/subsystems/Authentication/alfrescoNtlm/alfresco-authentication-context.xml
+++ b/config/alfresco/subsystems/Authentication/alfrescoNtlm/alfresco-authentication-context.xml
@@ -104,7 +104,7 @@
    </bean>
 
    <!-- Authentication service for chaining -->
-   <bean id="localAuthenticationService" class="org.alfresco.repo.security.authentication.AuthenticationServiceImpl">
+   <bean id="localAuthenticationService" class="org.alfresco.repo.security.authentication.MutableAuthenticationServiceImpl">
       <property name="authenticationDao">
          <ref bean="authenticationDao" />
       </property>
diff --git a/config/alfresco/subsystems/Authentication/common-ldap-context.xml b/config/alfresco/subsystems/Authentication/common-ldap-context.xml
index 7b5292af23..6ca945e8f4 100644
--- a/config/alfresco/subsystems/Authentication/common-ldap-context.xml
+++ b/config/alfresco/subsystems/Authentication/common-ldap-context.xml
@@ -5,18 +5,6 @@
 -->
 
 <beans>
-   <!--
-      DAO that rejects changes - LDAP is read only at the moment. It does allow users to be deleted with out warnings
-      from the UI.
-   -->
-
-   <bean id="authenticationDao" class="org.alfresco.repo.security.authentication.DefaultMutableAuthenticationDao">
-      <property name="allowSetEnabled" value="true" />
-      <property name="allowGetEnabled" value="true" />
-      <property name="allowDeleteUser" value="true" />
-      <property name="allowCreateUser" value="true" />
-   </bean>
-
    <!-- LDAP authentication configuration -->
 
    <!--
@@ -83,9 +71,6 @@
 
    <!-- Authenticaton service for chaining -->
    <bean id="localAuthenticationService" class="org.alfresco.repo.security.authentication.AuthenticationServiceImpl">
-      <property name="authenticationDao">
-         <ref bean="authenticationDao" />
-      </property>
       <property name="ticketComponent">
          <ref bean="ticketComponent" />
       </property>
diff --git a/config/alfresco/subsystems/Authentication/external/external-authentication-context.xml b/config/alfresco/subsystems/Authentication/external/external-authentication-context.xml
index 3de4e66109..02f0190872 100644
--- a/config/alfresco/subsystems/Authentication/external/external-authentication-context.xml
+++ b/config/alfresco/subsystems/Authentication/external/external-authentication-context.xml
@@ -37,18 +37,8 @@
       </property>
    </bean>
 
-   <bean id="authenticationDao" class="org.alfresco.repo.security.authentication.DefaultMutableAuthenticationDao">
-      <property name="allowSetEnabled" value="true" />
-      <property name="allowGetEnabled" value="true" />
-      <property name="allowDeleteUser" value="true" />
-      <property name="allowCreateUser" value="true" />
-   </bean>
-
    <!-- Authentication service for chaining -->
    <bean id="localAuthenticationService" class="org.alfresco.repo.security.authentication.AuthenticationServiceImpl">
-      <property name="authenticationDao">
-         <ref bean="authenticationDao" />
-      </property>
       <property name="ticketComponent">
          <ref bean="ticketComponent" />
       </property>
diff --git a/config/alfresco/subsystems/Authentication/kerberos/kerberos-authentication-context.xml b/config/alfresco/subsystems/Authentication/kerberos/kerberos-authentication-context.xml
index 77ccf8bd9d..2ba2255825 100644
--- a/config/alfresco/subsystems/Authentication/kerberos/kerberos-authentication-context.xml
+++ b/config/alfresco/subsystems/Authentication/kerberos/kerberos-authentication-context.xml
@@ -46,22 +46,8 @@
       </property>
    </bean>
 
-   <!-- DAO that rejects changes - JAAS is read only at the moment.      -->
-   <!-- It does allow users to be deleted with out warnings from the UI. -->
-   <!-- The user is still present in JAAS, only the personal information is removed from alfresco. -->
-
-   <bean id="authenticationDao" class="org.alfresco.repo.security.authentication.DefaultMutableAuthenticationDao">
-      <property name="allowSetEnabled" value="true" />
-      <property name="allowGetEnabled" value="true" />
-      <property name="allowDeleteUser" value="true" />
-      <property name="allowCreateUser" value="true" />
-   </bean>
-
    <!-- Authenticaton service for chaining -->
    <bean id="localAuthenticationService" class="org.alfresco.repo.security.authentication.AuthenticationServiceImpl">
-      <property name="authenticationDao">
-         <ref bean="authenticationDao" />
-      </property>
       <property name="ticketComponent">
          <ref bean="ticketComponent" />
       </property>
diff --git a/config/alfresco/subsystems/Authentication/passthru/passthru-authentication-context.xml b/config/alfresco/subsystems/Authentication/passthru/passthru-authentication-context.xml
index b0417da58e..4835346417 100644
--- a/config/alfresco/subsystems/Authentication/passthru/passthru-authentication-context.xml
+++ b/config/alfresco/subsystems/Authentication/passthru/passthru-authentication-context.xml
@@ -3,14 +3,6 @@
 
 <beans>
 
-   <bean id="authenticationDao" class="org.alfresco.repo.security.authentication.DefaultMutableAuthenticationDao">
-      <property name="allowSetEnabled" value="true" />
-      <property name="allowGetEnabled" value="true" />
-      <property name="allowDeleteUser" value="true" />
-      <property name="allowCreateUser" value="true" />
-   </bean>
-
-
    <!-- The passthru servers  -->
    <!-- Properties that specify the server(s) to use for passthru          -->
    <!-- authentication :-                                                  -->
@@ -94,9 +86,6 @@
 
    <!-- Authenticaton service for chaining -->
    <bean id="localAuthenticationService" class="org.alfresco.repo.security.authentication.AuthenticationServiceImpl">
-      <property name="authenticationDao">
-         <ref bean="authenticationDao" />
-      </property>
       <property name="ticketComponent">
          <ref bean="ticketComponent" />
       </property>
diff --git a/source/java/org/alfresco/cmis/mapping/BaseCMISTest.java b/source/java/org/alfresco/cmis/mapping/BaseCMISTest.java
index dc0ddbe9c4..ff6a435763 100644
--- a/source/java/org/alfresco/cmis/mapping/BaseCMISTest.java
+++ b/source/java/org/alfresco/cmis/mapping/BaseCMISTest.java
@@ -45,7 +45,7 @@ import org.alfresco.service.cmr.repository.NodeRef;
 import org.alfresco.service.cmr.repository.NodeService;
 import org.alfresco.service.cmr.repository.StoreRef;
 import org.alfresco.service.cmr.search.SearchService;
-import org.alfresco.service.cmr.security.AuthenticationService;
+import org.alfresco.service.cmr.security.MutableAuthenticationService;
 import org.alfresco.service.cmr.security.PermissionService;
 import org.alfresco.service.namespace.NamespaceService;
 import org.alfresco.service.transaction.TransactionService;
@@ -89,7 +89,7 @@ public abstract class BaseCMISTest extends TestCase
     
     protected CMISQueryService cmisQueryService;
 
-    private AuthenticationService authenticationService;
+    private MutableAuthenticationService authenticationService;
 
     private MutableAuthenticationDao authenticationDAO;
 
@@ -121,7 +121,7 @@ public abstract class BaseCMISTest extends TestCase
         
         permissionService = (PermissionService) ctx.getBean("permissionService");
         
-        authenticationService = (AuthenticationService) ctx.getBean("authenticationService");
+        authenticationService = (MutableAuthenticationService) ctx.getBean("authenticationService");
         authenticationDAO = (MutableAuthenticationDao) ctx.getBean("authenticationDao");
         
         testTX = transactionService.getUserTransaction();
diff --git a/source/java/org/alfresco/repo/activities/ActivityServiceImplTest.java b/source/java/org/alfresco/repo/activities/ActivityServiceImplTest.java
index b5e826c51f..2ba89a31c6 100644
--- a/source/java/org/alfresco/repo/activities/ActivityServiceImplTest.java
+++ b/source/java/org/alfresco/repo/activities/ActivityServiceImplTest.java
@@ -33,7 +33,7 @@ import org.alfresco.service.cmr.activities.ActivityService;
 import org.alfresco.service.cmr.activities.FeedControl;
 import org.alfresco.service.cmr.repository.ScriptLocation;
 import org.alfresco.service.cmr.repository.ScriptService;
-import org.alfresco.service.cmr.security.AuthenticationService;
+import org.alfresco.service.cmr.security.MutableAuthenticationService;
 import org.alfresco.service.cmr.site.SiteService;
 import org.alfresco.service.cmr.site.SiteVisibility;
 import org.alfresco.util.BaseSpringTest;
@@ -47,7 +47,7 @@ public class ActivityServiceImplTest extends BaseSpringTest
 {
     private ActivityService activityService;
     private ScriptService scriptService;
-    private AuthenticationService authenticationService;
+    private MutableAuthenticationService authenticationService;
     private SiteService siteService;
     
     private static final String ADMIN_PW = "admin";
@@ -64,7 +64,7 @@ public class ActivityServiceImplTest extends BaseSpringTest
         this.scriptService = (ScriptService)this.applicationContext.getBean("ScriptService");
         this.siteService = (SiteService)this.applicationContext.getBean("SiteService");
         
-        this.authenticationService = (AuthenticationService)applicationContext.getBean("authenticationService");
+        this.authenticationService = (MutableAuthenticationService)applicationContext.getBean("authenticationService");
         
         authenticationService.authenticate(AuthenticationUtil.getAdminUserName(), ADMIN_PW.toCharArray());
     }
diff --git a/source/java/org/alfresco/repo/activities/SiteActivityTest.java b/source/java/org/alfresco/repo/activities/SiteActivityTest.java
index 5642d12e9e..5ca12610c4 100644
--- a/source/java/org/alfresco/repo/activities/SiteActivityTest.java
+++ b/source/java/org/alfresco/repo/activities/SiteActivityTest.java
@@ -38,7 +38,7 @@ import org.alfresco.repo.security.permissions.AccessDeniedException;
 import org.alfresco.repo.site.SiteModel;
 import org.alfresco.service.cmr.activities.ActivityService;
 import org.alfresco.service.cmr.activities.FeedControl;
-import org.alfresco.service.cmr.security.AuthenticationService;
+import org.alfresco.service.cmr.security.MutableAuthenticationService;
 import org.alfresco.service.cmr.security.PersonService;
 import org.alfresco.service.cmr.site.SiteService;
 import org.alfresco.service.cmr.site.SiteVisibility;
@@ -62,7 +62,7 @@ public class SiteActivityTest extends TestCase
     
     private SiteService siteService;
     private ActivityService activityService;
-    private AuthenticationService authenticationService;
+    private MutableAuthenticationService authenticationService;
     private PersonService personService;
     private PostLookup postLookup;
     private FeedGenerator feedGenerator;
@@ -115,7 +115,7 @@ public class SiteActivityTest extends TestCase
         // Get the required services
         this.activityService = (ActivityService)applicationContext.getBean("activityService");
         this.siteService = (SiteService)applicationContext.getBean("SiteService");
-        this.authenticationService = (AuthenticationService)applicationContext.getBean("AuthenticationService");
+        this.authenticationService = (MutableAuthenticationService)applicationContext.getBean("AuthenticationService");
         this.personService = (PersonService)applicationContext.getBean("PersonService");
         
         this.postLookup = (PostLookup)applicationContext.getBean("postLookup");
diff --git a/source/java/org/alfresco/repo/audit/AuditComponentTest.java b/source/java/org/alfresco/repo/audit/AuditComponentTest.java
index 7c74dc6b61..0b6f31a415 100644
--- a/source/java/org/alfresco/repo/audit/AuditComponentTest.java
+++ b/source/java/org/alfresco/repo/audit/AuditComponentTest.java
@@ -50,7 +50,7 @@ import org.alfresco.service.cmr.audit.AuditService.AuditQueryCallback;
 import org.alfresco.service.cmr.repository.NodeRef;
 import org.alfresco.service.cmr.repository.NodeService;
 import org.alfresco.service.cmr.repository.StoreRef;
-import org.alfresco.service.cmr.security.AuthenticationService;
+import org.alfresco.service.cmr.security.MutableAuthenticationService;
 import org.alfresco.service.transaction.TransactionService;
 import org.alfresco.util.ApplicationContextHelper;
 import org.alfresco.util.EqualsHelper;
@@ -518,7 +518,7 @@ public class AuditComponentTest extends TestCase
         logger.debug(sb.toString());
         assertTrue("There should be no audit entries for the API test after a clear", results.isEmpty());
         
-        final AuthenticationService authenticationService = serviceRegistry.getAuthenticationService();
+        final MutableAuthenticationService authenticationService = serviceRegistry.getAuthenticationService();
         // Create a good authentication
         RunAsWork<Void> createAuthenticationWork = new RunAsWork<Void>()
         {
diff --git a/source/java/org/alfresco/repo/audit/AuditServiceTest.java b/source/java/org/alfresco/repo/audit/AuditServiceTest.java
index 39dcea826d..846bfabdd3 100644
--- a/source/java/org/alfresco/repo/audit/AuditServiceTest.java
+++ b/source/java/org/alfresco/repo/audit/AuditServiceTest.java
@@ -44,8 +44,8 @@ import org.alfresco.service.cmr.dictionary.DictionaryService;
 import org.alfresco.service.cmr.repository.NodeRef;
 import org.alfresco.service.cmr.repository.NodeService;
 import org.alfresco.service.cmr.repository.StoreRef;
-import org.alfresco.service.cmr.security.AuthenticationService;
 import org.alfresco.service.cmr.security.AuthorityService;
+import org.alfresco.service.cmr.security.MutableAuthenticationService;
 import org.alfresco.service.cmr.security.PersonService;
 import org.alfresco.service.namespace.NamespacePrefixResolver;
 import org.alfresco.service.namespace.NamespaceService;
@@ -67,7 +67,7 @@ public class AuditServiceTest extends BaseSpringTest
 
     private NamespacePrefixResolver namespacePrefixResolver;
 
-    private AuthenticationService authenticationService;
+    private MutableAuthenticationService authenticationService;
 
     private AuthenticationComponent authenticationComponent;
 
@@ -112,7 +112,7 @@ public class AuditServiceTest extends BaseSpringTest
         permissionService = (PermissionServiceSPI) applicationContext.getBean("permissionService");
         namespacePrefixResolver = (NamespacePrefixResolver) applicationContext
                 .getBean(ServiceRegistry.NAMESPACE_SERVICE.getLocalName());
-        authenticationService = (AuthenticationService) applicationContext.getBean("authenticationService");
+        authenticationService = (MutableAuthenticationService) applicationContext.getBean("authenticationService");
         authenticationComponent = (AuthenticationComponent) applicationContext.getBean("authenticationComponent");
         serviceRegistry = (ServiceRegistry) applicationContext.getBean(ServiceRegistry.SERVICE_REGISTRY);
         permissionModelDAO = (ModelDAO) applicationContext.getBean("permissionsModelDAO");
diff --git a/source/java/org/alfresco/repo/avm/AVMServicePermissionsTest.java b/source/java/org/alfresco/repo/avm/AVMServicePermissionsTest.java
index 25bb5c09fc..f8ebdc52fb 100644
--- a/source/java/org/alfresco/repo/avm/AVMServicePermissionsTest.java
+++ b/source/java/org/alfresco/repo/avm/AVMServicePermissionsTest.java
@@ -59,6 +59,7 @@ import org.alfresco.service.cmr.security.AccessPermission;
 import org.alfresco.service.cmr.security.AccessStatus;
 import org.alfresco.service.cmr.security.AuthenticationService;
 import org.alfresco.service.cmr.security.AuthorityService;
+import org.alfresco.service.cmr.security.MutableAuthenticationService;
 import org.alfresco.service.cmr.security.PermissionService;
 import org.alfresco.service.cmr.security.PersonService;
 import org.alfresco.service.namespace.NamespacePrefixResolver;
@@ -84,7 +85,7 @@ public class AVMServicePermissionsTest extends TestCase
 
     protected PermissionServiceSPI permissionService;
 
-    protected AuthenticationService authenticationService;
+    protected MutableAuthenticationService authenticationService;
 
     private MutableAuthenticationDao authenticationDAO;
 
@@ -140,7 +141,7 @@ public class AVMServicePermissionsTest extends TestCase
         dictionaryService = (DictionaryService) applicationContext.getBean(ServiceRegistry.DICTIONARY_SERVICE.getLocalName());
         permissionService = (PermissionServiceSPI) applicationContext.getBean("permissionService");
         namespacePrefixResolver = (NamespacePrefixResolver) applicationContext.getBean(ServiceRegistry.NAMESPACE_SERVICE.getLocalName());
-        authenticationService = (AuthenticationService) applicationContext.getBean("authenticationService");
+        authenticationService = (MutableAuthenticationService) applicationContext.getBean("authenticationService");
         authenticationComponent = (AuthenticationComponent) applicationContext.getBean("authenticationComponent");
         serviceRegistry = (ServiceRegistry) applicationContext.getBean(ServiceRegistry.SERVICE_REGISTRY);
         permissionModelDAO = (ModelDAO) applicationContext.getBean("permissionsModelDAO");
diff --git a/source/java/org/alfresco/repo/avm/locking/AVMLockingServiceTest.java b/source/java/org/alfresco/repo/avm/locking/AVMLockingServiceTest.java
index 3920f46efb..ef9c536899 100644
--- a/source/java/org/alfresco/repo/avm/locking/AVMLockingServiceTest.java
+++ b/source/java/org/alfresco/repo/avm/locking/AVMLockingServiceTest.java
@@ -46,6 +46,7 @@ import org.alfresco.service.cmr.repository.NodeService;
 import org.alfresco.service.cmr.security.AuthenticationService;
 import org.alfresco.service.cmr.security.AuthorityService;
 import org.alfresco.service.cmr.security.AuthorityType;
+import org.alfresco.service.cmr.security.MutableAuthenticationService;
 import org.alfresco.service.cmr.security.PersonService;
 import org.alfresco.service.namespace.NamespaceService;
 import org.alfresco.service.namespace.QName;
@@ -68,7 +69,7 @@ public class AVMLockingServiceTest extends TestCase
     
     private static AuthorityService fAuthorityService;
     
-    private static AuthenticationService fAuthenticationService;
+    private static MutableAuthenticationService fAuthenticationService;
     
     private static AuthenticationComponent fAuthenticationComponent;
     
@@ -93,7 +94,7 @@ public class AVMLockingServiceTest extends TestCase
             fAttributeService = (AttributeService)fContext.getBean("AttributeService");
             fPersonService = (PersonService)fContext.getBean("PersonService");
             fAuthorityService = (AuthorityService)fContext.getBean("AuthorityService");
-            fAuthenticationService = (AuthenticationService)fContext.getBean("AuthenticationService");
+            fAuthenticationService = (MutableAuthenticationService)fContext.getBean("AuthenticationService");
             fAuthenticationComponent = (AuthenticationComponent)fContext.getBean("AuthenticationComponent");
             fAuthenticationComponent.setSystemUserAsCurrentUser();
             fNodeService = (NodeService)fContext.getBean("NodeService");
diff --git a/source/java/org/alfresco/repo/coci/CheckOutCheckInServiceImplTest.java b/source/java/org/alfresco/repo/coci/CheckOutCheckInServiceImplTest.java
index e007023800..395bf58133 100644
--- a/source/java/org/alfresco/repo/coci/CheckOutCheckInServiceImplTest.java
+++ b/source/java/org/alfresco/repo/coci/CheckOutCheckInServiceImplTest.java
@@ -44,7 +44,7 @@ import org.alfresco.service.cmr.repository.CopyService;
 import org.alfresco.service.cmr.repository.NodeRef;
 import org.alfresco.service.cmr.repository.NodeService;
 import org.alfresco.service.cmr.repository.StoreRef;
-import org.alfresco.service.cmr.security.AuthenticationService;
+import org.alfresco.service.cmr.security.MutableAuthenticationService;
 import org.alfresco.service.cmr.security.PermissionService;
 import org.alfresco.service.cmr.version.Version;
 import org.alfresco.service.cmr.version.VersionService;
@@ -70,7 +70,7 @@ public class CheckOutCheckInServiceImplTest extends BaseSpringTest
 	private CheckOutCheckInService cociService;
 	private ContentService contentService;
 	private VersionService versionService;
-    private AuthenticationService authenticationService;
+    private MutableAuthenticationService authenticationService;
     private LockService lockService;
     private TransactionService transactionService;
     private PermissionService permissionService;
@@ -114,7 +114,7 @@ public class CheckOutCheckInServiceImplTest extends BaseSpringTest
 		this.cociService = (CheckOutCheckInService)this.applicationContext.getBean("checkOutCheckInService");
 		this.contentService = (ContentService)this.applicationContext.getBean("contentService");
 		this.versionService = (VersionService)this.applicationContext.getBean("versionService");
-        this.authenticationService = (AuthenticationService)this.applicationContext.getBean("authenticationService");
+        this.authenticationService = (MutableAuthenticationService)this.applicationContext.getBean("authenticationService");
         this.lockService = (LockService)this.applicationContext.getBean("lockService");
         this.transactionService = (TransactionService)this.applicationContext.getBean("transactionComponent");
         this.permissionService = (PermissionService)this.applicationContext.getBean("permissionService");
diff --git a/source/java/org/alfresco/repo/i18n/MessageServiceImplTest.java b/source/java/org/alfresco/repo/i18n/MessageServiceImplTest.java
index e1131d8ea2..86ec2ff8b8 100644
--- a/source/java/org/alfresco/repo/i18n/MessageServiceImplTest.java
+++ b/source/java/org/alfresco/repo/i18n/MessageServiceImplTest.java
@@ -19,7 +19,7 @@ import org.alfresco.service.cmr.repository.ContentWriter;
 import org.alfresco.service.cmr.repository.NodeRef;
 import org.alfresco.service.cmr.repository.NodeService;
 import org.alfresco.service.cmr.repository.StoreRef;
-import org.alfresco.service.cmr.security.AuthenticationService;
+import org.alfresco.service.cmr.security.MutableAuthenticationService;
 import org.alfresco.service.namespace.NamespaceService;
 import org.alfresco.service.namespace.QName;
 import org.alfresco.util.ApplicationContextHelper;
@@ -37,7 +37,7 @@ public class MessageServiceImplTest extends TestCase implements MessageDeployer
     
 	private MessageService messageService;
 	private NodeService nodeService;
-	private AuthenticationService authenticationService;
+	private MutableAuthenticationService authenticationService;
 	private ContentService contentService;
 
 	private static final String BASE_BUNDLE_NAME = "testMessages";
@@ -72,7 +72,7 @@ public class MessageServiceImplTest extends TestCase implements MessageDeployer
     	// Get the services by name from the application context
     	messageService = (MessageService)applicationContext.getBean("messageService");
         nodeService = (NodeService)applicationContext.getBean("NodeService");
-        authenticationService = (AuthenticationService)applicationContext.getBean("AuthenticationService");
+        authenticationService = (MutableAuthenticationService)applicationContext.getBean("AuthenticationService");
         contentService = (ContentService) applicationContext.getBean("ContentService");
         
         // Re-set the current locale to be the default
diff --git a/source/java/org/alfresco/repo/imap/ImapServiceImplTest.java b/source/java/org/alfresco/repo/imap/ImapServiceImplTest.java
index c077a8303f..d0aa030e2e 100755
--- a/source/java/org/alfresco/repo/imap/ImapServiceImplTest.java
+++ b/source/java/org/alfresco/repo/imap/ImapServiceImplTest.java
@@ -27,7 +27,7 @@ import org.alfresco.service.cmr.repository.NodeRef;
 import org.alfresco.service.cmr.repository.NodeService;
 import org.alfresco.service.cmr.repository.StoreRef;
 import org.alfresco.service.cmr.search.SearchService;
-import org.alfresco.service.cmr.security.AuthenticationService;
+import org.alfresco.service.cmr.security.MutableAuthenticationService;
 import org.alfresco.service.cmr.security.PermissionService;
 import org.alfresco.service.cmr.security.PersonService;
 import org.alfresco.service.cmr.view.ImporterService;
@@ -60,7 +60,7 @@ public class ImapServiceImplTest extends TestCase
     private NodeService nodeService;
     private ImporterService importerService;
     private PersonService personService;
-    private AuthenticationService authenticationService;
+    private MutableAuthenticationService authenticationService;
     private PermissionService permissionService;
     private SearchService searchService;
     private NamespaceService namespaceService;
diff --git a/source/java/org/alfresco/repo/imap/LoadTester.java b/source/java/org/alfresco/repo/imap/LoadTester.java
index def43f91ef..274da79da4 100755
--- a/source/java/org/alfresco/repo/imap/LoadTester.java
+++ b/source/java/org/alfresco/repo/imap/LoadTester.java
@@ -2,33 +2,33 @@ package org.alfresco.repo.imap;
 
 import java.io.IOException;
 import java.util.Date;
-import java.util.LinkedList;
+import java.util.LinkedList;
 import java.util.List;
 
 import javax.mail.Flags;
-import javax.transaction.UserTransaction;
+import javax.transaction.UserTransaction;
 
 import junit.framework.TestCase;
 
-import org.alfresco.model.ContentModel;
+import org.alfresco.model.ContentModel;
 import org.alfresco.repo.importer.ACPImportPackageHandler;
-import org.alfresco.repo.management.subsystems.ChildApplicationContextFactory;
-import org.alfresco.repo.model.filefolder.FileFolderServiceImpl;
+import org.alfresco.repo.management.subsystems.ChildApplicationContextFactory;
+import org.alfresco.repo.model.filefolder.FileFolderServiceImpl;
 import org.alfresco.service.ServiceRegistry;
-import org.alfresco.service.cmr.model.FileFolderService;
+import org.alfresco.service.cmr.model.FileFolderService;
 import org.alfresco.service.cmr.repository.NodeRef;
 import org.alfresco.service.cmr.repository.NodeService;
 import org.alfresco.service.cmr.repository.StoreRef;
 import org.alfresco.service.cmr.search.SearchService;
-import org.alfresco.service.cmr.security.AuthenticationService;
-import org.alfresco.service.cmr.security.PermissionService;
-import org.alfresco.service.cmr.security.PersonService;
+import org.alfresco.service.cmr.security.MutableAuthenticationService;
+import org.alfresco.service.cmr.security.PermissionService;
+import org.alfresco.service.cmr.security.PersonService;
 import org.alfresco.service.cmr.view.ImporterService;
 import org.alfresco.service.cmr.view.Location;
 import org.alfresco.service.namespace.NamespaceService;
-import org.alfresco.service.transaction.TransactionService;
+import org.alfresco.service.transaction.TransactionService;
 import org.alfresco.util.ApplicationContextHelper;
-import org.alfresco.util.PropertyMap;
+import org.alfresco.util.PropertyMap;
 import org.alfresco.util.config.RepositoryFolderConfigBean;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -46,7 +46,7 @@ public class LoadTester extends TestCase
  
     private ImapService imapService;
     private ImporterService importerService;
-    private AuthenticationService authenticationService;
+    private MutableAuthenticationService authenticationService;
     
     private AlfrescoImapUser user;
     // DH: Do not assume the presence of any specific user or password.  Create a new user for the test.
diff --git a/source/java/org/alfresco/repo/importer/FileImporterTest.java b/source/java/org/alfresco/repo/importer/FileImporterTest.java
index 378fc3c9eb..24bc04268a 100644
--- a/source/java/org/alfresco/repo/importer/FileImporterTest.java
+++ b/source/java/org/alfresco/repo/importer/FileImporterTest.java
@@ -49,7 +49,7 @@ import org.alfresco.service.cmr.repository.NodeRef;
 import org.alfresco.service.cmr.repository.NodeService;
 import org.alfresco.service.cmr.repository.StoreRef;
 import org.alfresco.service.cmr.search.SearchService;
-import org.alfresco.service.cmr.security.AuthenticationService;
+import org.alfresco.service.cmr.security.MutableAuthenticationService;
 import org.alfresco.service.cmr.security.PermissionService;
 import org.alfresco.service.namespace.NamespaceService;
 import org.alfresco.service.transaction.TransactionService;
@@ -64,7 +64,7 @@ public class FileImporterTest extends TestCase
     private SearchService searchService;
     private DictionaryService dictionaryService;
     private ContentService contentService;
-    private AuthenticationService authenticationService;
+    private MutableAuthenticationService authenticationService;
     private AuthenticationComponent authenticationComponent;
     private PermissionService permissionService;
     private MimetypeService mimetypeService;
@@ -92,7 +92,7 @@ public class FileImporterTest extends TestCase
         searchService = serviceRegistry.getSearchService();
         dictionaryService = serviceRegistry.getDictionaryService();
         contentService = serviceRegistry.getContentService();
-        authenticationService = (AuthenticationService) ctx.getBean("authenticationService");
+        authenticationService = (MutableAuthenticationService) ctx.getBean("authenticationService");
         authenticationComponent = (AuthenticationComponent) ctx.getBean("authenticationComponent");
         permissionService = serviceRegistry.getPermissionService();
         mimetypeService = serviceRegistry.getMimetypeService();
diff --git a/source/java/org/alfresco/repo/invitation/InvitationServiceImpl.java b/source/java/org/alfresco/repo/invitation/InvitationServiceImpl.java
index adc686d55e..aa34f82cd7 100644
--- a/source/java/org/alfresco/repo/invitation/InvitationServiceImpl.java
+++ b/source/java/org/alfresco/repo/invitation/InvitationServiceImpl.java
@@ -32,19 +32,30 @@ import java.util.List;
 import java.util.Map;
 import java.util.Set;
 
+import org.alfresco.model.ContentModel;
+import org.alfresco.repo.invitation.site.InviteHelper;
+import org.alfresco.repo.node.NodeServicePolicies;
+import org.alfresco.repo.policy.JavaBehaviour;
+import org.alfresco.repo.policy.PolicyComponent;
+import org.alfresco.repo.security.authentication.AuthenticationUtil;
+import org.alfresco.repo.security.authentication.PasswordGenerator;
+import org.alfresco.repo.security.authentication.UserNameGenerator;
+import org.alfresco.repo.security.authentication.AuthenticationUtil.RunAsWork;
+import org.alfresco.repo.site.SiteModel;
+import org.alfresco.repo.workflow.WorkflowModel;
 import org.alfresco.service.cmr.invitation.Invitation;
+import org.alfresco.service.cmr.invitation.InvitationException;
 import org.alfresco.service.cmr.invitation.InvitationExceptionForbidden;
 import org.alfresco.service.cmr.invitation.InvitationExceptionNotFound;
 import org.alfresco.service.cmr.invitation.InvitationExceptionUserError;
 import org.alfresco.service.cmr.invitation.InvitationSearchCriteria;
+import org.alfresco.service.cmr.invitation.InvitationService;
 import org.alfresco.service.cmr.invitation.ModeratedInvitation;
 import org.alfresco.service.cmr.invitation.NominatedInvitation;
-import org.alfresco.service.cmr.invitation.InvitationService;
-import org.alfresco.service.cmr.invitation.InvitationException;
 import org.alfresco.service.cmr.repository.NodeRef;
 import org.alfresco.service.cmr.repository.NodeService;
 import org.alfresco.service.cmr.repository.datatype.DefaultTypeConverter;
-import org.alfresco.service.cmr.security.AuthenticationService;
+import org.alfresco.service.cmr.security.MutableAuthenticationService;
 import org.alfresco.service.cmr.security.PermissionService;
 import org.alfresco.service.cmr.security.PersonService;
 import org.alfresco.service.cmr.site.SiteService;
@@ -60,18 +71,6 @@ import org.alfresco.service.namespace.NamespaceService;
 import org.alfresco.service.namespace.QName;
 import org.alfresco.util.GUID;
 import org.springframework.extensions.surf.util.PropertyCheck;
-import org.alfresco.model.ContentModel;
-import org.alfresco.repo.invitation.site.*;
-import org.alfresco.repo.node.NodeServicePolicies;
-import org.alfresco.repo.policy.JavaBehaviour;
-import org.alfresco.repo.policy.PolicyComponent;
-import org.alfresco.repo.security.authentication.AuthenticationUtil;
-import org.alfresco.repo.security.authentication.MutableAuthenticationDao;
-import org.alfresco.repo.security.authentication.PasswordGenerator;
-import org.alfresco.repo.security.authentication.UserNameGenerator;
-import org.alfresco.repo.security.authentication.AuthenticationUtil.RunAsWork;
-import org.alfresco.repo.site.SiteModel;
-import org.alfresco.repo.workflow.WorkflowModel;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 
@@ -94,9 +93,8 @@ public class InvitationServiceImpl implements InvitationService, NodeServicePoli
 	private WorkflowService workflowService;
 	private PersonService personService;
 	private SiteService siteService;
-	private AuthenticationService authenticationService;
+	private MutableAuthenticationService authenticationService;
 	private PermissionService permissionService;
-	private MutableAuthenticationDao mutableAuthenticationDao;
 	private NamespaceService namespaceService;
 	private NodeService nodeService;
 	// user name and password generation beans
@@ -132,7 +130,6 @@ public class InvitationServiceImpl implements InvitationService, NodeServicePoli
         PropertyCheck.mandatory(this, "SiteService", siteService);
         PropertyCheck.mandatory(this, "AuthenticationService", authenticationService);
         PropertyCheck.mandatory(this, "PermissionService", permissionService);
-        PropertyCheck.mandatory(this, "MutableAuthenticationDao", mutableAuthenticationDao);
         PropertyCheck.mandatory(this, "NamespaceService", namespaceService);
         PropertyCheck.mandatory(this, "NodeService", nodeService);
         PropertyCheck.mandatory(this, "UserNameGenerator", usernameGenerator);
@@ -467,7 +464,6 @@ public class InvitationServiceImpl implements InvitationService, NodeServicePoli
 
 		if (invitation instanceof ModeratedInvitation) {
 			WorkflowTaskQuery wfModeratedTaskQuery = new WorkflowTaskQuery();
-			HashMap<QName, Object> wfQueryModifiedProps = new HashMap<QName, Object>(3, 1.0f);
 
 			// Check rejecter is a site manager and throw and exception if not
 			String rejecterUserName = this.authenticationService.getCurrentUserName();
@@ -910,11 +906,11 @@ public class InvitationServiceImpl implements InvitationService, NodeServicePoli
 	}
 
 	public void setAuthenticationService(
-			AuthenticationService authenticationService) {
+	        MutableAuthenticationService authenticationService) {
 		this.authenticationService = authenticationService;
 	}
 
-	public AuthenticationService getAuthenticationService() {
+	public MutableAuthenticationService getAuthenticationService() {
 		return authenticationService;
 	}
 
@@ -950,15 +946,6 @@ public class InvitationServiceImpl implements InvitationService, NodeServicePoli
 		return permissionService;
 	}
 
-	public void setMutableAuthenticationDao(
-			MutableAuthenticationDao mutableAuthenticationDao) {
-		this.mutableAuthenticationDao = mutableAuthenticationDao;
-	}
-
-	public MutableAuthenticationDao getMutableAuthenticationDao() {
-		return mutableAuthenticationDao;
-	}
-
 	public void setNodeService(NodeService nodeService) {
 		this.nodeService = nodeService;
 	}
@@ -1038,11 +1025,9 @@ public class InvitationServiceImpl implements InvitationService, NodeServicePoli
 		char[] generatedPassword = passwordGenerator.generatePassword()
 				.toCharArray();
 
-		// create disabled user account for invitee user name with generated
-		// password
-		this.mutableAuthenticationDao.createUser(inviteeUserName,
-				generatedPassword);
-		this.mutableAuthenticationDao.setEnabled(inviteeUserName, false);
+		// create disabled user account for invitee user name with generated password
+        this.authenticationService.createAuthentication(inviteeUserName, generatedPassword);
+        this.authenticationService.setAuthenticationEnabled(inviteeUserName, false);
 
 		return String.valueOf(generatedPassword);
 	}
@@ -1302,7 +1287,7 @@ public class InvitationServiceImpl implements InvitationService, NodeServicePoli
 		// user name, then local reference to invitee password will be "null"
 		//
 		String inviteePassword = null;
-		if (this.mutableAuthenticationDao.userExists(inviteeUserName) == false) {
+		if (!this.authenticationService.authenticationExists(inviteeUserName)) {
 			if (logger.isDebugEnabled())
 				logger
 						.debug("Invitee user account does not exist, creating disabled account.");
diff --git a/source/java/org/alfresco/repo/jscript/People.java b/source/java/org/alfresco/repo/jscript/People.java
index 5e65db32d0..f88c387883 100644
--- a/source/java/org/alfresco/repo/jscript/People.java
+++ b/source/java/org/alfresco/repo/jscript/People.java
@@ -24,6 +24,8 @@
  */
 package org.alfresco.repo.jscript;
 
+import java.util.HashMap;
+import java.util.Map;
 import java.util.Set;
 import java.util.StringTokenizer;
 
@@ -41,18 +43,21 @@ import org.alfresco.service.cmr.search.LimitBy;
 import org.alfresco.service.cmr.search.ResultSet;
 import org.alfresco.service.cmr.search.SearchParameters;
 import org.alfresco.service.cmr.search.SearchService;
-import org.alfresco.service.cmr.security.AuthenticationService;
 import org.alfresco.service.cmr.security.AuthorityService;
 import org.alfresco.service.cmr.security.AuthorityType;
+import org.alfresco.service.cmr.security.MutableAuthenticationService;
 import org.alfresco.service.cmr.security.PersonService;
 import org.alfresco.service.cmr.usage.ContentUsageService;
 import org.alfresco.service.namespace.NamespaceService;
 import org.springframework.extensions.surf.util.ParameterCheck;
 import org.alfresco.util.PropertyMap;
+import org.alfresco.util.ValueDerivingMapFactory;
+import org.alfresco.util.ValueDerivingMapFactory.ValueDeriver;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.mozilla.javascript.Context;
 import org.mozilla.javascript.Scriptable;
+import org.springframework.beans.factory.InitializingBean;
 
 /**
  * Scripted People service for describing and executing actions against People & Groups.
@@ -60,7 +65,7 @@ import org.mozilla.javascript.Scriptable;
  * @author davidc
  * @author kevinr
  */
-public final class People extends BaseScopableProcessorExtension
+public final class People extends BaseScopableProcessorExtension implements InitializingBean
 {
     private static Log logger = LogFactory.getLog(People.class);
     
@@ -69,13 +74,53 @@ public final class People extends BaseScopableProcessorExtension
     private AuthorityDAO authorityDAO;
     private AuthorityService authorityService;
     private PersonService personService;
-    private AuthenticationService authenticationService;
+    private MutableAuthenticationService authenticationService;
     private ContentUsageService contentUsageService;
     private TenantService tenantService;
     private UserNameGenerator usernameGenerator;
     private StoreRef storeRef;
+    private ValueDerivingMapFactory<ScriptNode, String, Boolean> valueDerivingMapFactory;
     private int numRetries = 10;
+
     
+    public void afterPropertiesSet() throws Exception
+    {
+        Map <String, ValueDeriver<ScriptNode, Boolean>> capabilityTesters = new HashMap<String, ValueDeriver<ScriptNode, Boolean>>(5);
+        capabilityTesters.put("isAdmin", new ValueDeriver<ScriptNode, Boolean>()
+        {
+            public Boolean deriveValue(ScriptNode source)
+            {
+                return isAdmin(source);
+            }
+        });
+        capabilityTesters.put("isGuest", new ValueDeriver<ScriptNode, Boolean>()
+        {
+            public Boolean deriveValue(ScriptNode source)
+            {
+                return isGuest(source);
+            }
+        });
+        capabilityTesters.put("isMutable", new ValueDeriver<ScriptNode, Boolean>()
+        {
+            public Boolean deriveValue(ScriptNode source)
+            {
+                // Check whether the account is mutable according to the authentication service
+                String sourceUser = (String) source.getProperties().get(ContentModel.PROP_USERNAME);
+                if (!authenticationService.isAuthenticationMutable(sourceUser))
+                {
+                    return false;
+                }
+                // Only allow non-admin users to mutate their own accounts
+                String currentUser = authenticationService.getCurrentUserName();
+                if (currentUser.equals(sourceUser) || authorityService.isAdminAuthority(currentUser))
+                {
+                    return true;
+                }
+                return false;
+            }
+        });
+        this.valueDerivingMapFactory = new ValueDerivingMapFactory<ScriptNode, String, Boolean>(capabilityTesters);
+    }
     
     /**
      * Set the default store reference
@@ -98,7 +143,7 @@ public final class People extends BaseScopableProcessorExtension
      * @param authenticationService
      *            the authentication service
      */
-    public void setAuthenticationService(AuthenticationService authenticationService)
+    public void setAuthenticationService(MutableAuthenticationService authenticationService)
     {
         this.authenticationService = authenticationService;
     }
@@ -324,7 +369,7 @@ public final class People extends BaseScopableProcessorExtension
         ParameterCheck.mandatoryString("userName", userName);
         ParameterCheck.mandatoryString("password", password);
         
-        AuthenticationService authService = this.services.getAuthenticationService();
+        MutableAuthenticationService authService = this.services.getAuthenticationService();
         if (this.authorityService.hasAdminAuthority() && (userName.equalsIgnoreCase(authService.getCurrentUserName()) == false))
         {
             authService.setAuthentication(userName, password.toCharArray());
@@ -725,6 +770,21 @@ public final class People extends BaseScopableProcessorExtension
         return this.authorityService.isGuestAuthority((String) person.getProperties().get(ContentModel.PROP_USERNAME));
     }
 
+    /**
+     * Gets a map of capabilities (boolean assertions) for the given person.
+     * 
+     * @param person
+     *            the person
+     * @return the capability map
+     */
+    public Map<String, Boolean> getCapabilities(final ScriptNode person)
+    {
+        ParameterCheck.mandatory("Person", person);
+        Map<String,Boolean> retVal = new ScriptableHashMap<String, Boolean>();
+        retVal.putAll(this.valueDerivingMapFactory.getMap(person));
+        return retVal;
+    }
+
     /**
      * Get Contained Authorities
      * 
diff --git a/source/java/org/alfresco/repo/lock/LockBehaviourImplTest.java b/source/java/org/alfresco/repo/lock/LockBehaviourImplTest.java
index 2f0fc04b31..7373212c33 100644
--- a/source/java/org/alfresco/repo/lock/LockBehaviourImplTest.java
+++ b/source/java/org/alfresco/repo/lock/LockBehaviourImplTest.java
@@ -37,7 +37,7 @@ import org.alfresco.service.cmr.repository.ChildAssociationRef;
 import org.alfresco.service.cmr.repository.NodeRef;
 import org.alfresco.service.cmr.repository.NodeService;
 import org.alfresco.service.cmr.repository.StoreRef;
-import org.alfresco.service.cmr.security.AuthenticationService;
+import org.alfresco.service.cmr.security.MutableAuthenticationService;
 import org.alfresco.service.cmr.security.PermissionService;
 import org.alfresco.service.cmr.version.VersionService;
 import org.alfresco.service.namespace.QName;
@@ -69,7 +69,7 @@ public class LockBehaviourImplTest extends BaseSpringTest
     /**
      * The authentication service
      */
-    private AuthenticationService authenticationService;    
+    private MutableAuthenticationService authenticationService;    
     
     private PermissionService permissionService;
     
@@ -99,7 +99,7 @@ public class LockBehaviourImplTest extends BaseSpringTest
         this.nodeService = (NodeService)applicationContext.getBean("dbNodeService");
         this.lockService = (LockService)applicationContext.getBean("lockService");
 		this.versionService = (VersionService)applicationContext.getBean("versionService");
-        this.authenticationService = (AuthenticationService)applicationContext.getBean("authenticationService");
+        this.authenticationService = (MutableAuthenticationService)applicationContext.getBean("authenticationService");
         this.permissionService = (PermissionService)applicationContext.getBean("permissionService");
         
         // Set the authentication
diff --git a/source/java/org/alfresco/repo/lock/LockServiceImplTest.java b/source/java/org/alfresco/repo/lock/LockServiceImplTest.java
index 4104f9eb89..24233e7a1b 100644
--- a/source/java/org/alfresco/repo/lock/LockServiceImplTest.java
+++ b/source/java/org/alfresco/repo/lock/LockServiceImplTest.java
@@ -38,7 +38,7 @@ import org.alfresco.service.cmr.lock.UnableToReleaseLockException;
 import org.alfresco.service.cmr.repository.NodeRef;
 import org.alfresco.service.cmr.repository.NodeService;
 import org.alfresco.service.cmr.repository.StoreRef;
-import org.alfresco.service.cmr.security.AuthenticationService;
+import org.alfresco.service.cmr.security.MutableAuthenticationService;
 import org.alfresco.service.namespace.QName;
 import org.alfresco.util.BaseSpringTest;
 import org.alfresco.util.TestWithUserUtils;
@@ -55,7 +55,7 @@ public class LockServiceImplTest extends BaseSpringTest
      */
     private NodeService nodeService;
     private LockService lockService;
-    private AuthenticationService authenticationService;
+    private MutableAuthenticationService authenticationService;
     
     /**
      * Data used in tests
@@ -79,7 +79,7 @@ public class LockServiceImplTest extends BaseSpringTest
     {
         this.nodeService = (NodeService)applicationContext.getBean("dbNodeService");
         this.lockService = (LockService)applicationContext.getBean("lockService");
-        this.authenticationService = (AuthenticationService)applicationContext.getBean("authenticationService");
+        this.authenticationService = (MutableAuthenticationService)applicationContext.getBean("authenticationService");
         
         // Set the authentication
         AuthenticationComponent authComponent = (AuthenticationComponent)this.applicationContext.getBean("authenticationComponent");
diff --git a/source/java/org/alfresco/repo/model/filefolder/FileFolderPerformanceTester.java b/source/java/org/alfresco/repo/model/filefolder/FileFolderPerformanceTester.java
index b65b5af86d..acaf78beba 100644
--- a/source/java/org/alfresco/repo/model/filefolder/FileFolderPerformanceTester.java
+++ b/source/java/org/alfresco/repo/model/filefolder/FileFolderPerformanceTester.java
@@ -50,7 +50,7 @@ import org.alfresco.service.cmr.repository.NodeService;
 import org.alfresco.service.cmr.repository.StoreRef;
 import org.alfresco.service.cmr.search.ResultSet;
 import org.alfresco.service.cmr.search.SearchService;
-import org.alfresco.service.cmr.security.AuthenticationService;
+import org.alfresco.service.cmr.security.MutableAuthenticationService;
 import org.alfresco.service.cmr.security.PermissionService;
 import org.alfresco.service.namespace.QName;
 import org.alfresco.service.transaction.TransactionService;
@@ -421,7 +421,7 @@ public class FileFolderPerformanceTester extends TestCase
         final NodeRef selectedFolderNodeRef = folderRefStr == null ? null : new NodeRef(folderRefStr);
         
         ServiceRegistry serviceRegistry = (ServiceRegistry) ctx.getBean(ServiceRegistry.SERVICE_REGISTRY);
-        final AuthenticationService authenticationService = serviceRegistry.getAuthenticationService();
+        final MutableAuthenticationService authenticationService = serviceRegistry.getAuthenticationService();
         final PermissionService permissionService = serviceRegistry.getPermissionService();
         final NodeService nodeService = serviceRegistry.getNodeService();
         final TransactionService transactionService = serviceRegistry.getTransactionService();
diff --git a/source/java/org/alfresco/repo/node/archive/ArchiveAndRestoreTest.java b/source/java/org/alfresco/repo/node/archive/ArchiveAndRestoreTest.java
index 9dd7806192..478bdbc672 100644
--- a/source/java/org/alfresco/repo/node/archive/ArchiveAndRestoreTest.java
+++ b/source/java/org/alfresco/repo/node/archive/ArchiveAndRestoreTest.java
@@ -47,7 +47,7 @@ import org.alfresco.service.cmr.repository.ChildAssociationRef;
 import org.alfresco.service.cmr.repository.NodeRef;
 import org.alfresco.service.cmr.repository.NodeService;
 import org.alfresco.service.cmr.repository.StoreRef;
-import org.alfresco.service.cmr.security.AuthenticationService;
+import org.alfresco.service.cmr.security.MutableAuthenticationService;
 import org.alfresco.service.cmr.security.OwnableService;
 import org.alfresco.service.cmr.security.PermissionService;
 import org.alfresco.service.namespace.NamespaceService;
@@ -80,7 +80,7 @@ public class ArchiveAndRestoreTest extends TestCase
     private NodeService nodeService;
     private PermissionService permissionService;
     private AuthenticationComponent authenticationComponent;
-    private AuthenticationService authenticationService;
+    private MutableAuthenticationService authenticationService;
     private OwnableService ownableService;
     private TransactionService transactionService;
     
diff --git a/source/java/org/alfresco/repo/ownable/impl/OwnableServiceTest.java b/source/java/org/alfresco/repo/ownable/impl/OwnableServiceTest.java
index fba17c25b3..743ff0d4ec 100644
--- a/source/java/org/alfresco/repo/ownable/impl/OwnableServiceTest.java
+++ b/source/java/org/alfresco/repo/ownable/impl/OwnableServiceTest.java
@@ -40,7 +40,7 @@ import org.alfresco.service.cmr.repository.NodeRef;
 import org.alfresco.service.cmr.repository.NodeService;
 import org.alfresco.service.cmr.repository.StoreRef;
 import org.alfresco.service.cmr.security.AccessStatus;
-import org.alfresco.service.cmr.security.AuthenticationService;
+import org.alfresco.service.cmr.security.MutableAuthenticationService;
 import org.alfresco.service.cmr.security.OwnableService;
 import org.alfresco.service.cmr.security.PermissionService;
 import org.alfresco.service.namespace.QName;
@@ -54,7 +54,7 @@ public class OwnableServiceTest extends TestCase
 
     private NodeService nodeService;
 
-    private AuthenticationService authenticationService;
+    private MutableAuthenticationService authenticationService;
     
     private AuthenticationComponent authenticationComponent;
     
@@ -83,7 +83,7 @@ public class OwnableServiceTest extends TestCase
     public void setUp() throws Exception
     {
         nodeService = (NodeService) ctx.getBean("nodeService");
-        authenticationService = (AuthenticationService) ctx.getBean("authenticationService");
+        authenticationService = (MutableAuthenticationService) ctx.getBean("authenticationService");
         authenticationComponent = (AuthenticationComponent) ctx.getBean("authenticationComponent");
         ownableService = (OwnableService) ctx.getBean("ownableService");
         permissionService = (PermissionService) ctx.getBean("permissionService");
diff --git a/source/java/org/alfresco/repo/rule/RuleServiceImplTest.java b/source/java/org/alfresco/repo/rule/RuleServiceImplTest.java
index b8485051b5..5abda7628e 100644
--- a/source/java/org/alfresco/repo/rule/RuleServiceImplTest.java
+++ b/source/java/org/alfresco/repo/rule/RuleServiceImplTest.java
@@ -43,7 +43,7 @@ import org.alfresco.service.cmr.repository.CyclicChildRelationshipException;
 import org.alfresco.service.cmr.repository.NodeRef;
 import org.alfresco.service.cmr.rule.Rule;
 import org.alfresco.service.cmr.rule.RuleType;
-import org.alfresco.service.cmr.security.AuthenticationService;
+import org.alfresco.service.cmr.security.MutableAuthenticationService;
 import org.alfresco.service.cmr.security.PermissionService;
 import org.alfresco.service.namespace.QName;
 
@@ -55,7 +55,7 @@ import org.alfresco.service.namespace.QName;
  */
 public class RuleServiceImplTest extends BaseRuleTest
 {    
-    AuthenticationService authenticationService;
+    MutableAuthenticationService authenticationService;
 	PermissionService permissionService;  
 	
 	@Override
@@ -63,7 +63,7 @@ public class RuleServiceImplTest extends BaseRuleTest
 	{
 		super.onSetUpInTransaction();		
 		this.permissionService = (PermissionService)this.applicationContext.getBean("permissionService");
-		this.authenticationService = (AuthenticationService)this.applicationContext.getBean("authenticationService");
+		this.authenticationService = (MutableAuthenticationService)this.applicationContext.getBean("authenticationService");
 	}
 	
     /**
diff --git a/source/java/org/alfresco/repo/search/SearchServiceTest.java b/source/java/org/alfresco/repo/search/SearchServiceTest.java
index 118bed588c..e3fe0240c9 100644
--- a/source/java/org/alfresco/repo/search/SearchServiceTest.java
+++ b/source/java/org/alfresco/repo/search/SearchServiceTest.java
@@ -41,7 +41,7 @@ import org.alfresco.service.cmr.search.PermissionEvaluationMode;
 import org.alfresco.service.cmr.search.ResultSet;
 import org.alfresco.service.cmr.search.SearchParameters;
 import org.alfresco.service.cmr.search.SearchService;
-import org.alfresco.service.cmr.security.AuthenticationService;
+import org.alfresco.service.cmr.security.MutableAuthenticationService;
 import org.alfresco.service.cmr.security.PermissionService;
 import org.alfresco.service.namespace.QName;
 import org.alfresco.service.transaction.TransactionService;
@@ -55,7 +55,7 @@ public class SearchServiceTest extends TestCase
 
     private AuthenticationComponent authenticationComponent;
 
-    private AuthenticationService authenticationService;
+    private MutableAuthenticationService authenticationService;
 
     private MutableAuthenticationDao authenticationDAO;
 
@@ -98,7 +98,7 @@ public class SearchServiceTest extends TestCase
     {
         nodeService = (NodeService) ctx.getBean("dbNodeService");
         authenticationComponent = (AuthenticationComponent) ctx.getBean("authenticationComponent");
-        authenticationService = (AuthenticationService) ctx.getBean("authenticationService");
+        authenticationService = (MutableAuthenticationService) ctx.getBean("authenticationService");
         authenticationDAO = (MutableAuthenticationDao) ctx.getBean("authenticationDao");
         pubSearchService = (SearchService) ctx.getBean("SearchService");
         pubPermissionService = (PermissionService) ctx.getBean("PermissionService");
diff --git a/source/java/org/alfresco/repo/security/authentication/AbstractChainingAuthenticationService.java b/source/java/org/alfresco/repo/security/authentication/AbstractChainingAuthenticationService.java
index fd1a9dde63..87be816923 100644
--- a/source/java/org/alfresco/repo/security/authentication/AbstractChainingAuthenticationService.java
+++ b/source/java/org/alfresco/repo/security/authentication/AbstractChainingAuthenticationService.java
@@ -30,6 +30,7 @@ import java.util.Set;
 import java.util.TreeSet;
 
 import org.alfresco.service.cmr.security.AuthenticationService;
+import org.alfresco.service.cmr.security.MutableAuthenticationService;
 
 /**
  * A base class for chaining authentication services. Where appropriate, methods will 'chain' across multiple
@@ -37,9 +38,8 @@ import org.alfresco.service.cmr.security.AuthenticationService;
  * 
  * @author dward
  */
-public abstract class AbstractChainingAuthenticationService extends AbstractAuthenticationService
+public abstract class AbstractChainingAuthenticationService extends AbstractAuthenticationService implements MutableAuthenticationService
 {
-
     /**
      * Instantiates a new abstract chaining authentication service.
      */
@@ -53,7 +53,7 @@ public abstract class AbstractChainingAuthenticationService extends AbstractAuth
      * 
      * @return the mutable authentication service
      */
-    public abstract AuthenticationService getMutableAuthenticationService();
+    public abstract MutableAuthenticationService getMutableAuthenticationService();
 
     /**
      * Gets the authentication services across which methods will chain.
@@ -130,6 +130,16 @@ public abstract class AbstractChainingAuthenticationService extends AbstractAuth
         getMutableAuthenticationService().setAuthenticationEnabled(userName, enabled);
     }
 
+    /**
+     * {@inheritDoc}
+     */
+    public boolean isAuthenticationMutable(String userName)
+    {
+        MutableAuthenticationService mutableAuthenticationService = getMutableAuthenticationService();
+        return mutableAuthenticationService == null ? false : mutableAuthenticationService
+                .isAuthenticationMutable(userName);
+    }
+
     /**
      * {@inheritDoc}
      */
@@ -149,7 +159,7 @@ public abstract class AbstractChainingAuthenticationService extends AbstractAuth
                 // Ignore and chain
             }
         }
-        return false;
+        return true;
     }
 
     /**
@@ -226,7 +236,7 @@ public abstract class AbstractChainingAuthenticationService extends AbstractAuth
         // it doesn't exist in any of the authentication components
         return false;
     }
-
+    
     /**
      * {@inheritDoc}
      */
@@ -529,5 +539,7 @@ public abstract class AbstractChainingAuthenticationService extends AbstractAuth
         }
         return defaultGuestUserNames;
     }
+    
+    
 
 }
\ No newline at end of file
diff --git a/source/java/org/alfresco/repo/security/authentication/AuthenticationServiceImpl.java b/source/java/org/alfresco/repo/security/authentication/AuthenticationServiceImpl.java
index da4c8cfcec..e3aaf81c3d 100644
--- a/source/java/org/alfresco/repo/security/authentication/AuthenticationServiceImpl.java
+++ b/source/java/org/alfresco/repo/security/authentication/AuthenticationServiceImpl.java
@@ -32,8 +32,6 @@ import org.alfresco.repo.security.authentication.AuthenticationComponent.UserNam
 
 public class AuthenticationServiceImpl extends AbstractAuthenticationService implements ActivateableBean
 {
-    MutableAuthenticationDao authenticationDao;
-
     AuthenticationComponent authenticationComponent;
     
     TicketComponent ticketComponent;
@@ -51,11 +49,6 @@ public class AuthenticationServiceImpl extends AbstractAuthenticationService imp
         super();
     }
     
-    public void setAuthenticationDao(MutableAuthenticationDao authenticationDao)
-    {
-        this.authenticationDao = authenticationDao;
-    }
-
     public void setTicketComponent(TicketComponent ticketComponent)
     {
         this.ticketComponent = ticketComponent;
@@ -76,46 +69,6 @@ public class AuthenticationServiceImpl extends AbstractAuthenticationService imp
                 || ((ActivateableBean) this.authenticationComponent).isActive();
     }
 
-    public void createAuthentication(String userName, char[] password) throws AuthenticationException
-    {
-        authenticationDao.createUser(userName, password);
-    }
-
-    public void updateAuthentication(String userName, char[] oldPassword, char[] newPassword)
-            throws AuthenticationException
-    {
-        // Need to preserve the run-as user
-        String currentUser = AuthenticationUtil.getRunAsUser();
-        try
-        {
-            authenticate(userName, oldPassword);
-        }
-        finally
-        {
-            AuthenticationUtil.setRunAsUser(currentUser);
-        }
-        authenticationDao.updateUser(userName, newPassword);
-    }
-
-    public void setAuthentication(String userName, char[] newPassword) throws AuthenticationException
-    {
-        authenticationDao.updateUser(userName, newPassword);
-    }
-
-    public void deleteAuthentication(String userName) throws AuthenticationException
-    {
-        authenticationDao.deleteUser(userName);
-    }
-
-    public boolean getAuthenticationEnabled(String userName) throws AuthenticationException
-    {
-        return authenticationDao.getEnabled(userName);
-    }
-
-    public void setAuthenticationEnabled(String userName, boolean enabled) throws AuthenticationException
-    {
-        authenticationDao.setEnabled(userName, enabled);
-    }
 
     public void authenticate(String userName, char[] password) throws AuthenticationException
     {
@@ -136,11 +89,6 @@ public class AuthenticationServiceImpl extends AbstractAuthenticationService imp
         ticketComponent.getCurrentTicket(userName); // to ensure new ticket is created (even if client does not explicitly call getCurrentTicket)
     }
     
-    public boolean authenticationExists(String userName)
-    {
-        return authenticationDao.userExists(userName);
-    }
-
     public String getCurrentUserName() throws AuthenticationException
     {
         return authenticationComponent.getCurrentUserName();
@@ -327,4 +275,20 @@ public class AuthenticationServiceImpl extends AbstractAuthenticationService imp
     {
         return authenticationComponent.getDefaultGuestUserNames();
     }
+
+    /**
+     * {@inheritDoc}
+     */
+    public boolean authenticationExists(String userName)
+    {
+        return true;
+    }
+
+    /**
+     * {@inheritDoc}
+     */
+    public boolean getAuthenticationEnabled(String userName) throws AuthenticationException
+    {
+        return true;
+    }        
 }
diff --git a/source/java/org/alfresco/repo/security/authentication/AuthenticationTest.java b/source/java/org/alfresco/repo/security/authentication/AuthenticationTest.java
index e3a043353d..798947ad12 100644
--- a/source/java/org/alfresco/repo/security/authentication/AuthenticationTest.java
+++ b/source/java/org/alfresco/repo/security/authentication/AuthenticationTest.java
@@ -44,11 +44,9 @@ import net.sf.acegisecurity.DisabledException;
 import net.sf.acegisecurity.LockedException;
 import net.sf.acegisecurity.UserDetails;
 import net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken;
-import net.sf.acegisecurity.providers.dao.SaltSource;
 
 import org.alfresco.model.ContentModel;
 import org.alfresco.repo.cache.SimpleCache;
-import org.alfresco.repo.management.subsystems.ApplicationContextFactory;
 import org.alfresco.repo.management.subsystems.ChildApplicationContextManager;
 import org.alfresco.repo.security.authentication.AuthenticationUtil.RunAsWork;
 import org.alfresco.repo.security.authentication.InMemoryTicketComponentImpl.ExpiryMode;
@@ -62,7 +60,7 @@ import org.alfresco.service.cmr.repository.NodeRef;
 import org.alfresco.service.cmr.repository.NodeService;
 import org.alfresco.service.cmr.repository.StoreRef;
 import org.alfresco.service.cmr.search.SearchService;
-import org.alfresco.service.cmr.security.AuthenticationService;
+import org.alfresco.service.cmr.security.MutableAuthenticationService;
 import org.alfresco.service.cmr.security.PersonService;
 import org.alfresco.service.namespace.DynamicNamespacePrefixResolver;
 import org.alfresco.service.namespace.NamespacePrefixResolver;
@@ -103,9 +101,9 @@ public class AuthenticationTest extends TestCase
 
     private SimpleCache<String, Ticket> ticketsCache;
 
-    private AuthenticationService authenticationService;
+    private MutableAuthenticationService authenticationService;
 
-    private AuthenticationService pubAuthenticationService;
+    private MutableAuthenticationService pubAuthenticationService;
 
     private AuthenticationComponent authenticationComponent;
 
@@ -140,8 +138,8 @@ public class AuthenticationTest extends TestCase
         dictionaryService = (DictionaryService) ctx.getBean("dictionaryService");
         passwordEncoder = (MD4PasswordEncoder) ctx.getBean("passwordEncoder");
         ticketComponent = (TicketComponent) ctx.getBean("ticketComponent");
-        authenticationService = (AuthenticationService) ctx.getBean("authenticationService");
-        pubAuthenticationService = (AuthenticationService) ctx.getBean("AuthenticationService");
+        authenticationService = (MutableAuthenticationService) ctx.getBean("authenticationService");
+        pubAuthenticationService = (MutableAuthenticationService) ctx.getBean("AuthenticationService");
         authenticationComponent = (AuthenticationComponent) ctx.getBean("authenticationComponent");
         authenticationComponentImpl = (AuthenticationComponent) ctx.getBean("authenticationComponent");
         pubPersonService =  (PersonService) ctx.getBean("PersonService");
diff --git a/source/java/org/alfresco/repo/security/authentication/ChainingAuthenticationServiceImpl.java b/source/java/org/alfresco/repo/security/authentication/ChainingAuthenticationServiceImpl.java
index 3fb849d5dc..f12849f5ba 100644
--- a/source/java/org/alfresco/repo/security/authentication/ChainingAuthenticationServiceImpl.java
+++ b/source/java/org/alfresco/repo/security/authentication/ChainingAuthenticationServiceImpl.java
@@ -28,6 +28,7 @@ import java.util.ArrayList;
 import java.util.List;
 
 import org.alfresco.service.cmr.security.AuthenticationService;
+import org.alfresco.service.cmr.security.MutableAuthenticationService;
 
 /**
  * This class implements a simple chaining authentication service. It chains together other authentication services so
@@ -47,7 +48,7 @@ public class ChainingAuthenticationServiceImpl extends AbstractChainingAuthentic
 
     List<AuthenticationService> authenticationServices;
 
-    AuthenticationService mutableAuthenticationService;
+    MutableAuthenticationService mutableAuthenticationService;
 
     public ChainingAuthenticationServiceImpl()
     {
@@ -60,12 +61,12 @@ public class ChainingAuthenticationServiceImpl extends AbstractChainingAuthentic
     }
 
     @Override
-    public AuthenticationService getMutableAuthenticationService()
+    public MutableAuthenticationService getMutableAuthenticationService()
     {
         return this.mutableAuthenticationService;
     }
 
-    public void setMutableAuthenticationService(AuthenticationService mutableAuthenticationService)
+    public void setMutableAuthenticationService(MutableAuthenticationService mutableAuthenticationService)
     {
         this.mutableAuthenticationService = mutableAuthenticationService;
     }
diff --git a/source/java/org/alfresco/repo/security/authentication/MutableAuthenticationServiceImpl.java b/source/java/org/alfresco/repo/security/authentication/MutableAuthenticationServiceImpl.java
new file mode 100644
index 0000000000..140964d350
--- /dev/null
+++ b/source/java/org/alfresco/repo/security/authentication/MutableAuthenticationServiceImpl.java
@@ -0,0 +1,140 @@
+/*
+ * Copyright (C) 2005-2009 Alfresco Software Limited.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+ * As a special exception to the terms and conditions of version 2.0 of 
+ * the GPL, you may redistribute this Program in connection with Free/Libre 
+ * and Open Source Software ("FLOSS") applications as described in Alfresco's 
+ * FLOSS exception.  You should have received a copy of the text describing 
+ * the FLOSS exception, and it is also available here: 
+ * http://www.alfresco.com/legal/licensing"
+ */
+package org.alfresco.repo.security.authentication;
+
+import org.alfresco.service.cmr.security.MutableAuthenticationService;
+
+/**
+ * The default implementation of {@link MutableAuthenticationService}.
+ * 
+ * @author dward
+ */
+public class MutableAuthenticationServiceImpl extends AuthenticationServiceImpl implements MutableAuthenticationService
+{
+
+    /** The authentication dao. */
+    MutableAuthenticationDao authenticationDao;
+
+    /**
+     * Sets the authentication dao.
+     * 
+     * @param authenticationDao
+     *            the authentication dao
+     */
+    public void setAuthenticationDao(MutableAuthenticationDao authenticationDao)
+    {
+        this.authenticationDao = authenticationDao;
+    }
+
+    /*
+     * (non-Javadoc)
+     * @see org.alfresco.service.cmr.security.MutableAuthenticationService#createAuthentication(java.lang.String,
+     * char[])
+     */
+    public void createAuthentication(String userName, char[] password) throws AuthenticationException
+    {
+        this.authenticationDao.createUser(userName, password);
+    }
+
+    /*
+     * (non-Javadoc)
+     * @see org.alfresco.service.cmr.security.MutableAuthenticationService#updateAuthentication(java.lang.String,
+     * char[], char[])
+     */
+    public void updateAuthentication(String userName, char[] oldPassword, char[] newPassword)
+            throws AuthenticationException
+    {
+        // Need to preserve the run-as user
+        String currentUser = AuthenticationUtil.getRunAsUser();
+        try
+        {
+            authenticate(userName, oldPassword);
+        }
+        finally
+        {
+            AuthenticationUtil.setRunAsUser(currentUser);
+        }
+        this.authenticationDao.updateUser(userName, newPassword);
+    }
+
+    /*
+     * (non-Javadoc)
+     * @see org.alfresco.service.cmr.security.MutableAuthenticationService#setAuthentication(java.lang.String, char[])
+     */
+    public void setAuthentication(String userName, char[] newPassword) throws AuthenticationException
+    {
+        this.authenticationDao.updateUser(userName, newPassword);
+    }
+
+    /*
+     * (non-Javadoc)
+     * @see org.alfresco.service.cmr.security.MutableAuthenticationService#deleteAuthentication(java.lang.String)
+     */
+    public void deleteAuthentication(String userName) throws AuthenticationException
+    {
+        this.authenticationDao.deleteUser(userName);
+    }
+
+    /*
+     * (non-Javadoc)
+     * @see
+     * org.alfresco.repo.security.authentication.AuthenticationServiceImpl#getAuthenticationEnabled(java.lang.String)
+     */
+    @Override
+    public boolean getAuthenticationEnabled(String userName) throws AuthenticationException
+    {
+        return this.authenticationDao.getEnabled(userName);
+    }
+
+    /*
+     * (non-Javadoc)
+     * @see org.alfresco.service.cmr.security.MutableAuthenticationService#setAuthenticationEnabled(java.lang.String,
+     * boolean)
+     */
+    public void setAuthenticationEnabled(String userName, boolean enabled) throws AuthenticationException
+    {
+        this.authenticationDao.setEnabled(userName, enabled);
+    }
+
+    /*
+     * (non-Javadoc)
+     * @see org.alfresco.repo.security.authentication.AuthenticationServiceImpl#authenticationExists(java.lang.String)
+     */
+    @Override
+    public boolean authenticationExists(String userName)
+    {
+        return this.authenticationDao.userExists(userName);
+    }
+
+    /*
+     * (non-Javadoc)
+     * @see org.alfresco.service.cmr.security.MutableAuthenticationService#isAuthenticationMutable(java.lang.String)
+     */
+    public boolean isAuthenticationMutable(String userName)
+    {
+        return authenticationExists(userName);
+    }
+
+}
diff --git a/source/java/org/alfresco/repo/security/authentication/TestAuthenticationServiceImpl.java b/source/java/org/alfresco/repo/security/authentication/TestAuthenticationServiceImpl.java
index d6f97e8062..d3298b9f06 100644
--- a/source/java/org/alfresco/repo/security/authentication/TestAuthenticationServiceImpl.java
+++ b/source/java/org/alfresco/repo/security/authentication/TestAuthenticationServiceImpl.java
@@ -41,11 +41,11 @@ import net.sf.acegisecurity.context.security.SecureContextImpl;
 import net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken;
 import net.sf.acegisecurity.providers.dao.User;
 
-import org.alfresco.service.cmr.security.AuthenticationService;
+import org.alfresco.service.cmr.security.MutableAuthenticationService;
 import org.alfresco.util.EqualsHelper;
 import org.alfresco.util.GUID;
 
-public class TestAuthenticationServiceImpl implements AuthenticationService
+public class TestAuthenticationServiceImpl implements MutableAuthenticationService
 {
     private Map<String, String> userNamesAndPasswords = new HashMap<String, String>();
 
@@ -246,6 +246,11 @@ public class TestAuthenticationServiceImpl implements AuthenticationService
     {
         return userNamesAndPasswords.containsKey(userName);
     }
+        
+    public boolean isAuthenticationMutable(String userName)
+    {
+        return authenticationExists(userName);
+    }
 
     public String getCurrentUserName() throws AuthenticationException
     {
diff --git a/source/java/org/alfresco/repo/security/authentication/subsystems/SubsystemChainingAuthenticationService.java b/source/java/org/alfresco/repo/security/authentication/subsystems/SubsystemChainingAuthenticationService.java
index e808d1a22a..2e94bd21ae 100644
--- a/source/java/org/alfresco/repo/security/authentication/subsystems/SubsystemChainingAuthenticationService.java
+++ b/source/java/org/alfresco/repo/security/authentication/subsystems/SubsystemChainingAuthenticationService.java
@@ -31,6 +31,7 @@ import org.alfresco.repo.management.subsystems.ActivateableBean;
 import org.alfresco.repo.management.subsystems.ChildApplicationContextManager;
 import org.alfresco.repo.security.authentication.AbstractChainingAuthenticationService;
 import org.alfresco.service.cmr.security.AuthenticationService;
+import org.alfresco.service.cmr.security.MutableAuthenticationService;
 import org.springframework.beans.factory.NoSuchBeanDefinitionException;
 import org.springframework.context.ApplicationContext;
 
@@ -77,7 +78,7 @@ public class SubsystemChainingAuthenticationService extends AbstractChainingAuth
      * org.alfresco.repo.security.authentication.AbstractChainingAuthenticationService#getMutableAuthenticationService()
      */
     @Override
-    public AuthenticationService getMutableAuthenticationService()
+    public MutableAuthenticationService getMutableAuthenticationService()
     {
         for (String instance : this.applicationContextManager.getInstanceIds())
         {
@@ -87,11 +88,12 @@ public class SubsystemChainingAuthenticationService extends AbstractChainingAuth
                 AuthenticationService authenticationService = (AuthenticationService) context.getBean(sourceBeanName);
                 // Only add active authentication services. E.g. we might have an ldap context that is only used for
                 // synchronizing
-                if (!(authenticationService instanceof ActivateableBean)
-                        || ((ActivateableBean) authenticationService).isActive())
+                if (authenticationService instanceof MutableAuthenticationService
+                        && (!(authenticationService instanceof ActivateableBean) || ((ActivateableBean) authenticationService)
+                                .isActive()))
                 {
 
-                    return authenticationService;
+                    return (MutableAuthenticationService) authenticationService;
                 }
             }
             catch (NoSuchBeanDefinitionException e)
diff --git a/source/java/org/alfresco/repo/security/authority/AuthorityServiceTest.java b/source/java/org/alfresco/repo/security/authority/AuthorityServiceTest.java
index b7f45233e2..8c8b2f3a5a 100644
--- a/source/java/org/alfresco/repo/security/authority/AuthorityServiceTest.java
+++ b/source/java/org/alfresco/repo/security/authority/AuthorityServiceTest.java
@@ -44,9 +44,9 @@ import org.alfresco.service.ServiceRegistry;
 import org.alfresco.service.cmr.repository.NodeRef;
 import org.alfresco.service.cmr.repository.NodeService;
 import org.alfresco.service.cmr.repository.datatype.DefaultTypeConverter;
-import org.alfresco.service.cmr.security.AuthenticationService;
 import org.alfresco.service.cmr.security.AuthorityService;
 import org.alfresco.service.cmr.security.AuthorityType;
+import org.alfresco.service.cmr.security.MutableAuthenticationService;
 import org.alfresco.service.cmr.security.PermissionService;
 import org.alfresco.service.cmr.security.PersonService;
 import org.alfresco.service.namespace.QName;
@@ -62,7 +62,7 @@ public class AuthorityServiceTest extends TestCase
 
     private AuthenticationComponent authenticationComponentImpl;
 
-    private AuthenticationService authenticationService;
+    private MutableAuthenticationService authenticationService;
 
     private MutableAuthenticationDao authenticationDAO;
 
@@ -88,7 +88,7 @@ public class AuthorityServiceTest extends TestCase
     {
         authenticationComponent = (AuthenticationComponent) ctx.getBean("authenticationComponent");
         authenticationComponentImpl = (AuthenticationComponent) ctx.getBean("authenticationComponent");
-        authenticationService = (AuthenticationService) ctx.getBean("authenticationService");
+        authenticationService = (MutableAuthenticationService) ctx.getBean("authenticationService");
         authorityService = (AuthorityService) ctx.getBean("authorityService");
         pubAuthorityService = (AuthorityService) ctx.getBean("AuthorityService");
         personService = (PersonService) ctx.getBean("personService");
diff --git a/source/java/org/alfresco/repo/security/authority/SimpleAuthorityServiceTest.java b/source/java/org/alfresco/repo/security/authority/SimpleAuthorityServiceTest.java
index 3426f1b72c..d648aa5e57 100644
--- a/source/java/org/alfresco/repo/security/authority/SimpleAuthorityServiceTest.java
+++ b/source/java/org/alfresco/repo/security/authority/SimpleAuthorityServiceTest.java
@@ -32,9 +32,9 @@ import org.alfresco.repo.security.authentication.AuthenticationComponent;
 import org.alfresco.repo.security.authentication.AuthenticationUtil;
 import org.alfresco.repo.security.authentication.MutableAuthenticationDao;
 import org.alfresco.service.ServiceRegistry;
-import org.alfresco.service.cmr.security.AuthenticationService;
 import org.alfresco.service.cmr.security.AuthorityService;
 import org.alfresco.service.cmr.security.AuthorityType;
+import org.alfresco.service.cmr.security.MutableAuthenticationService;
 import org.alfresco.service.cmr.security.PermissionService;
 import org.alfresco.service.cmr.security.PersonService;
 import org.alfresco.service.transaction.TransactionService;
@@ -47,7 +47,7 @@ public class SimpleAuthorityServiceTest extends TestCase
 
     private AuthenticationComponent authenticationComponent;
 
-    private AuthenticationService authenticationService;
+    private MutableAuthenticationService authenticationService;
 
     private AuthorityService authorityService;
 
@@ -68,7 +68,7 @@ public class SimpleAuthorityServiceTest extends TestCase
     public void setUp() throws Exception
     {
         authenticationComponent = (AuthenticationComponent) ctx.getBean("authenticationComponent");
-        authenticationService = (AuthenticationService) ctx.getBean("authenticationService");
+        authenticationService = (MutableAuthenticationService) ctx.getBean("authenticationService");
         authorityService = (AuthorityService) ctx.getBean("authorityService");
         pubAuthorityService = (AuthorityService) ctx.getBean("AuthorityService");
         personService = (PersonService) ctx.getBean("personService");
diff --git a/source/java/org/alfresco/repo/security/permissions/dynamic/LockOwnerDynamicAuthorityTest.java b/source/java/org/alfresco/repo/security/permissions/dynamic/LockOwnerDynamicAuthorityTest.java
index f9ea1a5a08..2247e8cddd 100644
--- a/source/java/org/alfresco/repo/security/permissions/dynamic/LockOwnerDynamicAuthorityTest.java
+++ b/source/java/org/alfresco/repo/security/permissions/dynamic/LockOwnerDynamicAuthorityTest.java
@@ -43,7 +43,7 @@ import org.alfresco.service.cmr.repository.NodeRef;
 import org.alfresco.service.cmr.repository.NodeService;
 import org.alfresco.service.cmr.repository.StoreRef;
 import org.alfresco.service.cmr.security.AccessStatus;
-import org.alfresco.service.cmr.security.AuthenticationService;
+import org.alfresco.service.cmr.security.MutableAuthenticationService;
 import org.alfresco.service.cmr.security.OwnableService;
 import org.alfresco.service.cmr.security.PermissionService;
 import org.alfresco.service.namespace.QName;
@@ -63,7 +63,7 @@ public class LockOwnerDynamicAuthorityTest extends TestCase
 
     private NodeService nodeService;
 
-    private AuthenticationService authenticationService;
+    private MutableAuthenticationService authenticationService;
 
     private AuthenticationComponent authenticationComponent;
     
@@ -102,7 +102,7 @@ public class LockOwnerDynamicAuthorityTest extends TestCase
     public void setUp() throws Exception
     {
         nodeService = (NodeService) ctx.getBean("nodeService");
-        authenticationService = (AuthenticationService) ctx.getBean("authenticationService");
+        authenticationService = (MutableAuthenticationService) ctx.getBean("authenticationService");
         authenticationComponent = (AuthenticationComponent) ctx.getBean("authenticationComponent");
         lockService = (LockService) ctx.getBean("lockService");
         permissionService = (PermissionService) ctx.getBean("permissionService");
diff --git a/source/java/org/alfresco/repo/security/permissions/impl/AbstractPermissionTest.java b/source/java/org/alfresco/repo/security/permissions/impl/AbstractPermissionTest.java
index 638ed4cf28..e545e42bf2 100644
--- a/source/java/org/alfresco/repo/security/permissions/impl/AbstractPermissionTest.java
+++ b/source/java/org/alfresco/repo/security/permissions/impl/AbstractPermissionTest.java
@@ -42,8 +42,8 @@ import org.alfresco.service.cmr.dictionary.DictionaryService;
 import org.alfresco.service.cmr.repository.NodeRef;
 import org.alfresco.service.cmr.repository.NodeService;
 import org.alfresco.service.cmr.repository.StoreRef;
-import org.alfresco.service.cmr.security.AuthenticationService;
 import org.alfresco.service.cmr.security.AuthorityService;
+import org.alfresco.service.cmr.security.MutableAuthenticationService;
 import org.alfresco.service.cmr.security.PersonService;
 import org.alfresco.service.namespace.NamespacePrefixResolver;
 import org.alfresco.service.namespace.NamespaceService;
@@ -62,7 +62,7 @@ public class AbstractPermissionTest extends BaseSpringTest
 
     protected PermissionServiceSPI permissionService;
 
-    protected AuthenticationService authenticationService;
+    protected MutableAuthenticationService authenticationService;
     
     private MutableAuthenticationDao authenticationDAO;
 
@@ -106,7 +106,7 @@ public class AbstractPermissionTest extends BaseSpringTest
         permissionService = (PermissionServiceSPI) applicationContext.getBean("permissionService");
         namespacePrefixResolver = (NamespacePrefixResolver) applicationContext
                 .getBean(ServiceRegistry.NAMESPACE_SERVICE.getLocalName());
-        authenticationService = (AuthenticationService) applicationContext.getBean("authenticationService");
+        authenticationService = (MutableAuthenticationService) applicationContext.getBean("authenticationService");
         authenticationComponent = (AuthenticationComponent) applicationContext.getBean("authenticationComponent");
         serviceRegistry = (ServiceRegistry) applicationContext.getBean(ServiceRegistry.SERVICE_REGISTRY);
         permissionModelDAO = (ModelDAO) applicationContext.getBean("permissionsModelDAO");
diff --git a/source/java/org/alfresco/repo/security/permissions/impl/AclDaoComponentTest.java b/source/java/org/alfresco/repo/security/permissions/impl/AclDaoComponentTest.java
index 270d36c5e2..17929612b5 100644
--- a/source/java/org/alfresco/repo/security/permissions/impl/AclDaoComponentTest.java
+++ b/source/java/org/alfresco/repo/security/permissions/impl/AclDaoComponentTest.java
@@ -31,11 +31,7 @@ import java.util.List;
 import java.util.Map;
 import java.util.Set;
 
-import javax.transaction.HeuristicMixedException;
-import javax.transaction.HeuristicRollbackException;
-import javax.transaction.RollbackException;
 import javax.transaction.Status;
-import javax.transaction.SystemException;
 import javax.transaction.UserTransaction;
 
 import junit.framework.TestCase;
@@ -59,8 +55,8 @@ import org.alfresco.service.cmr.repository.NodeRef;
 import org.alfresco.service.cmr.repository.NodeService;
 import org.alfresco.service.cmr.repository.StoreRef;
 import org.alfresco.service.cmr.security.AccessStatus;
-import org.alfresco.service.cmr.security.AuthenticationService;
 import org.alfresco.service.cmr.security.AuthorityService;
+import org.alfresco.service.cmr.security.MutableAuthenticationService;
 import org.alfresco.service.cmr.security.PersonService;
 import org.alfresco.service.namespace.NamespacePrefixResolver;
 import org.alfresco.service.namespace.NamespaceService;
@@ -81,7 +77,7 @@ public class AclDaoComponentTest extends TestCase
 
     protected PermissionServiceSPI permissionService;
 
-    protected AuthenticationService authenticationService;
+    protected MutableAuthenticationService authenticationService;
     
     private MutableAuthenticationDao authenticationDAO;
 
@@ -125,7 +121,7 @@ public class AclDaoComponentTest extends TestCase
         permissionService = (PermissionServiceSPI) applicationContext.getBean("permissionService");
         namespacePrefixResolver = (NamespacePrefixResolver) applicationContext
                 .getBean(ServiceRegistry.NAMESPACE_SERVICE.getLocalName());
-        authenticationService = (AuthenticationService) applicationContext.getBean("authenticationService");
+        authenticationService = (MutableAuthenticationService) applicationContext.getBean("authenticationService");
         authenticationComponent = (AuthenticationComponent) applicationContext.getBean("authenticationComponent");
         serviceRegistry = (ServiceRegistry) applicationContext.getBean(ServiceRegistry.SERVICE_REGISTRY);
         permissionModelDAO = (ModelDAO) applicationContext.getBean("permissionsModelDAO");
diff --git a/source/java/org/alfresco/repo/security/person/PersonServiceImpl.java b/source/java/org/alfresco/repo/security/person/PersonServiceImpl.java
index 911e341a5c..0784856449 100644
--- a/source/java/org/alfresco/repo/security/person/PersonServiceImpl.java
+++ b/source/java/org/alfresco/repo/security/person/PersonServiceImpl.java
@@ -64,9 +64,9 @@ import org.alfresco.service.cmr.search.ResultSet;
 import org.alfresco.service.cmr.search.ResultSetRow;
 import org.alfresco.service.cmr.search.SearchParameters;
 import org.alfresco.service.cmr.search.SearchService;
-import org.alfresco.service.cmr.security.AuthenticationService;
 import org.alfresco.service.cmr.security.AuthorityService;
 import org.alfresco.service.cmr.security.AuthorityType;
+import org.alfresco.service.cmr.security.MutableAuthenticationService;
 import org.alfresco.service.cmr.security.NoSuchPersonException;
 import org.alfresco.service.cmr.security.PersonService;
 import org.alfresco.service.namespace.NamespacePrefixResolver;
@@ -109,7 +109,7 @@ public class PersonServiceImpl extends TransactionListenerAdapter implements Per
 
     private AuthorityService authorityService;
     
-    private AuthenticationService authenticationService;
+    private MutableAuthenticationService authenticationService;
 
     private DictionaryService dictionaryService;
 
@@ -874,7 +874,7 @@ public class PersonServiceImpl extends TransactionListenerAdapter implements Per
         this.authorityService = authorityService;
     }
     
-    public void setAuthenticationService(AuthenticationService authenticationService)
+    public void setAuthenticationService(MutableAuthenticationService authenticationService)
     {
         this.authenticationService = authenticationService;
     }
diff --git a/source/java/org/alfresco/repo/service/ServiceDescriptorRegistry.java b/source/java/org/alfresco/repo/service/ServiceDescriptorRegistry.java
index dbb8cb3253..6ffa4f621f 100644
--- a/source/java/org/alfresco/repo/service/ServiceDescriptorRegistry.java
+++ b/source/java/org/alfresco/repo/service/ServiceDescriptorRegistry.java
@@ -60,8 +60,8 @@ import org.alfresco.service.cmr.repository.TemplateService;
 import org.alfresco.service.cmr.rule.RuleService;
 import org.alfresco.service.cmr.search.CategoryService;
 import org.alfresco.service.cmr.search.SearchService;
-import org.alfresco.service.cmr.security.AuthenticationService;
 import org.alfresco.service.cmr.security.AuthorityService;
+import org.alfresco.service.cmr.security.MutableAuthenticationService;
 import org.alfresco.service.cmr.security.OwnableService;
 import org.alfresco.service.cmr.security.PermissionService;
 import org.alfresco.service.cmr.security.PersonService;
@@ -152,9 +152,9 @@ public class ServiceDescriptorRegistry
     /* (non-Javadoc)
      * @see org.alfresco.repo.service.ServiceRegistry#getNodeService()
      */
-    public AuthenticationService getAuthenticationService()
+    public MutableAuthenticationService getAuthenticationService()
     {
-        return (AuthenticationService)getService(AUTHENTICATION_SERVICE);
+        return (MutableAuthenticationService)getService(AUTHENTICATION_SERVICE);
     }
 
     /* (non-Javadoc)
diff --git a/source/java/org/alfresco/repo/tagging/TaggingServiceImplTest.java b/source/java/org/alfresco/repo/tagging/TaggingServiceImplTest.java
index e1f6c3964c..9a5e60022e 100644
--- a/source/java/org/alfresco/repo/tagging/TaggingServiceImplTest.java
+++ b/source/java/org/alfresco/repo/tagging/TaggingServiceImplTest.java
@@ -41,14 +41,13 @@ import org.alfresco.repo.policy.PolicyComponent;
 import org.alfresco.repo.security.authentication.AuthenticationComponent;
 import org.alfresco.service.cmr.action.Action;
 import org.alfresco.service.cmr.action.ActionService;
-import org.alfresco.service.cmr.repository.ContentReader;
 import org.alfresco.service.cmr.repository.ContentService;
 import org.alfresco.service.cmr.repository.NodeRef;
 import org.alfresco.service.cmr.repository.NodeService;
 import org.alfresco.service.cmr.repository.ScriptLocation;
 import org.alfresco.service.cmr.repository.ScriptService;
 import org.alfresco.service.cmr.repository.StoreRef;
-import org.alfresco.service.cmr.security.AuthenticationService;
+import org.alfresco.service.cmr.security.MutableAuthenticationService;
 import org.alfresco.service.cmr.tagging.TagDetails;
 import org.alfresco.service.cmr.tagging.TagScope;
 import org.alfresco.service.cmr.tagging.TaggingService;
@@ -99,7 +98,7 @@ public class TaggingServiceImplTest extends BaseAlfrescoSpringTest
         this.taggingService = (TaggingService)this.applicationContext.getBean("TaggingService");
         this.nodeService = (NodeService) this.applicationContext.getBean("NodeService");
         this.contentService = (ContentService) this.applicationContext.getBean("ContentService");
-        this.authenticationService = (AuthenticationService) this.applicationContext.getBean("authenticationService");
+        this.authenticationService = (MutableAuthenticationService) this.applicationContext.getBean("authenticationService");
         this.actionService = (ActionService)this.applicationContext.getBean("ActionService");
         this.transactionService = (TransactionService)this.applicationContext.getBean("transactionComponent");
         this.scriptService = (ScriptService)this.applicationContext.getBean("scriptService");        
diff --git a/source/java/org/alfresco/repo/template/People.java b/source/java/org/alfresco/repo/template/People.java
index bf528bd26c..c75ae8e31b 100644
--- a/source/java/org/alfresco/repo/template/People.java
+++ b/source/java/org/alfresco/repo/template/People.java
@@ -26,7 +26,9 @@ package org.alfresco.repo.template;
 
 import java.util.ArrayList;
 import java.util.Collections;
+import java.util.HashMap;
 import java.util.List;
+import java.util.Map;
 import java.util.Set;
 
 import org.alfresco.model.ContentModel;
@@ -35,28 +37,70 @@ import org.alfresco.repo.security.authority.AuthorityDAO;
 import org.alfresco.service.ServiceRegistry;
 import org.alfresco.service.cmr.repository.NodeRef;
 import org.alfresco.service.cmr.repository.StoreRef;
-import org.alfresco.service.cmr.security.AuthenticationService;
 import org.alfresco.service.cmr.security.AuthorityService;
 import org.alfresco.service.cmr.security.AuthorityType;
+import org.alfresco.service.cmr.security.MutableAuthenticationService;
 import org.alfresco.service.cmr.security.PersonService;
 import org.springframework.extensions.surf.util.ParameterCheck;
+import org.alfresco.util.ValueDerivingMapFactory;
+import org.alfresco.util.ValueDerivingMapFactory.ValueDeriver;
+import org.springframework.beans.factory.InitializingBean;
 
 /**
  * People and users support in FreeMarker templates.
  * 
  * @author Kevin Roast
  */
-public class People extends BaseTemplateProcessorExtension
+public class People extends BaseTemplateProcessorExtension implements InitializingBean
 {
     /** Repository Service Registry */
     private ServiceRegistry services;
     private AuthorityDAO authorityDAO;
     private AuthorityService authorityService;
-    private AuthenticationService authenticationService;
+    private MutableAuthenticationService authenticationService;
     private PersonService personService;
     private StoreRef storeRef;
+    private ValueDerivingMapFactory<TemplateNode, String, Boolean> valueDerivingMapFactory;        
     
-    
+    public void afterPropertiesSet() throws Exception
+    {
+        Map <String, ValueDeriver<TemplateNode, Boolean>> capabilityTesters = new HashMap<String, ValueDeriver<TemplateNode, Boolean>>(5);
+        capabilityTesters.put("isAdmin", new ValueDeriver<TemplateNode, Boolean>()
+                {
+                    public Boolean deriveValue(TemplateNode source)
+                    {
+                        return isAdmin(source);
+                    }
+                });
+                capabilityTesters.put("isGuest", new ValueDeriver<TemplateNode, Boolean>()
+                {
+                    public Boolean deriveValue(TemplateNode source)
+                    {
+                        return isGuest(source);
+                    }
+                });
+                capabilityTesters.put("isMutable", new ValueDeriver<TemplateNode, Boolean>()
+                {
+                    public Boolean deriveValue(TemplateNode source)
+                    {
+                        // Check whether the account is mutable according to the authentication service
+                        String sourceUser = (String) source.getProperties().get(ContentModel.PROP_USERNAME);
+                        if (!authenticationService.isAuthenticationMutable(sourceUser))
+                        {
+                            return false;
+                        }
+                        // Only allow non-admin users to mutate their own accounts
+                        String currentUser = authenticationService.getCurrentUserName();
+                        if (currentUser.equals(sourceUser) || authorityService.isAdminAuthority(currentUser))
+                        {
+                            return true;
+                        }
+                        return false;
+                    }
+                });
+        this.valueDerivingMapFactory = new ValueDerivingMapFactory<TemplateNode, String, Boolean>(capabilityTesters);
+    }
+
     /**
      * Set the default store reference
      * 
@@ -118,7 +162,7 @@ public class People extends BaseTemplateProcessorExtension
      * @param authenticationService
      *            the new authentication service
      */
-    public void setAuthenticationService(AuthenticationService authenticationService)
+    public void setAuthenticationService(MutableAuthenticationService authenticationService)
     {
         this.authenticationService = authenticationService;
     }
@@ -213,7 +257,7 @@ public class People extends BaseTemplateProcessorExtension
         }
         return parents;
     }
-    
+
     /**
      * Return true if the specified user is an Administrator authority.
      * 
@@ -239,6 +283,19 @@ public class People extends BaseTemplateProcessorExtension
         ParameterCheck.mandatory("Person", person);
         return this.authorityService.isGuestAuthority((String)person.getProperties().get(ContentModel.PROP_USERNAME));
     }
+    
+    /**
+     * Gets a map of capabilities (boolean assertions) for the given person.
+     * 
+     * @param person
+     *            the person
+     * @return the capability map
+     */
+    public Map<String, Boolean> getCapabilities(final TemplateNode person)
+    {
+        ParameterCheck.mandatory("Person", person);
+        return this.valueDerivingMapFactory.getMap(person);
+    }
 
     /**
      * Return true if the specified user account is enabled.
diff --git a/source/java/org/alfresco/repo/tenant/MultiTDemoTest.java b/source/java/org/alfresco/repo/tenant/MultiTDemoTest.java
index 3c40e7e6d2..67ece06469 100644
--- a/source/java/org/alfresco/repo/tenant/MultiTDemoTest.java
+++ b/source/java/org/alfresco/repo/tenant/MultiTDemoTest.java
@@ -57,9 +57,9 @@ import org.alfresco.service.cmr.repository.StoreRef;
 import org.alfresco.service.cmr.search.CategoryService;
 import org.alfresco.service.cmr.search.ResultSet;
 import org.alfresco.service.cmr.search.SearchService;
-import org.alfresco.service.cmr.security.AuthenticationService;
 import org.alfresco.service.cmr.security.AuthorityService;
 import org.alfresco.service.cmr.security.AuthorityType;
+import org.alfresco.service.cmr.security.MutableAuthenticationService;
 import org.alfresco.service.cmr.security.OwnableService;
 import org.alfresco.service.cmr.security.PermissionService;
 import org.alfresco.service.cmr.security.PersonService;
@@ -81,7 +81,7 @@ public class MultiTDemoTest extends TestCase
             );
     
     private NodeService nodeService;
-    private AuthenticationService authenticationService;
+    private MutableAuthenticationService authenticationService;
     private PersonService personService;
     private SearchService searchService;
     private ContentService contentService;
@@ -141,7 +141,7 @@ public class MultiTDemoTest extends TestCase
         super.setUp();
         
         nodeService = (NodeService) ctx.getBean("NodeService");
-        authenticationService = (AuthenticationService) ctx.getBean("AuthenticationService");
+        authenticationService = (MutableAuthenticationService) ctx.getBean("AuthenticationService");
         tenantAdminService = (TenantAdminService) ctx.getBean("tenantAdminService");
         tenantService = (TenantService) ctx.getBean("tenantService");
         personService = (PersonService) ctx.getBean("PersonService");
diff --git a/source/java/org/alfresco/repo/tenant/TenantInterpreter.java b/source/java/org/alfresco/repo/tenant/TenantInterpreter.java
index 57532b7cd4..86ecffebdc 100755
--- a/source/java/org/alfresco/repo/tenant/TenantInterpreter.java
+++ b/source/java/org/alfresco/repo/tenant/TenantInterpreter.java
@@ -31,21 +31,21 @@ import java.io.InputStream;
 import java.io.PrintStream;
 import java.util.List;
 
-import org.springframework.extensions.surf.util.I18NUtil;
 import org.alfresco.repo.admin.BaseInterpreter;
 import org.alfresco.repo.security.authentication.AuthenticationUtil;
 import org.alfresco.repo.security.authentication.AuthenticationUtil.RunAsWork;
 import org.alfresco.repo.transaction.RetryingTransactionHelper.RetryingTransactionCallback;
-import org.alfresco.service.cmr.security.AuthenticationService;
 import org.alfresco.service.cmr.security.AuthorityService;
-import org.springframework.extensions.surf.util.PropertyCheck;
+import org.alfresco.service.cmr.security.MutableAuthenticationService;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.springframework.beans.BeansException;
-import org.springframework.beans.factory.InitializingBean;
+import org.springframework.beans.factory.InitializingBean;
 import org.springframework.context.ApplicationContext;
 import org.springframework.context.ApplicationContextAware;
 import org.springframework.core.io.ClassPathResource;
+import org.springframework.extensions.surf.util.I18NUtil;
+import org.springframework.extensions.surf.util.PropertyCheck;
 
 /**
  * An interactive console for Tenants.
@@ -61,7 +61,7 @@ public class TenantInterpreter extends BaseInterpreter implements ApplicationCon
     
     private TenantAdminService tenantAdminService;
     protected TenantService tenantService;
-    private AuthenticationService authenticationService;
+    private MutableAuthenticationService authenticationService;
     
     private String baseAdminUsername = null;
     
@@ -72,7 +72,7 @@ public class TenantInterpreter extends BaseInterpreter implements ApplicationCon
         this.tenantAdminService = tenantAdminService;
     }
     
-    public void setAuthenticationService(AuthenticationService authenticationService)
+    public void setAuthenticationService(MutableAuthenticationService authenticationService)
     {
         this.authenticationService = authenticationService;
     }
diff --git a/source/java/org/alfresco/repo/usage/UserUsageTest.java b/source/java/org/alfresco/repo/usage/UserUsageTest.java
index c93f93add2..2e7916d277 100644
--- a/source/java/org/alfresco/repo/usage/UserUsageTest.java
+++ b/source/java/org/alfresco/repo/usage/UserUsageTest.java
@@ -45,7 +45,7 @@ import org.alfresco.service.cmr.repository.ContentWriter;
 import org.alfresco.service.cmr.repository.NodeRef;
 import org.alfresco.service.cmr.repository.NodeService;
 import org.alfresco.service.cmr.repository.StoreRef;
-import org.alfresco.service.cmr.security.AuthenticationService;
+import org.alfresco.service.cmr.security.MutableAuthenticationService;
 import org.alfresco.service.cmr.security.OwnableService;
 import org.alfresco.service.cmr.security.PersonService;
 import org.alfresco.service.cmr.usage.UsageService;
@@ -64,7 +64,7 @@ public class UserUsageTest extends TestCase
     
     protected NodeService nodeService;
     protected FileFolderService fileFolderService;
-    protected AuthenticationService authenticationService;
+    protected MutableAuthenticationService authenticationService;
     private MutableAuthenticationDao authenticationDAO;
     protected NodeRef rootNodeRef;
     protected NodeRef systemNodeRef;
@@ -85,7 +85,7 @@ public class UserUsageTest extends TestCase
         nodeService = (NodeService) applicationContext.getBean("nodeService");
         fileFolderService = (FileFolderService) applicationContext.getBean("fileFolderService");
         
-        authenticationService = (AuthenticationService) applicationContext.getBean("authenticationService");
+        authenticationService = (MutableAuthenticationService) applicationContext.getBean("authenticationService");
         authenticationComponent = (AuthenticationComponent) applicationContext.getBean("authenticationComponent");
         
         authenticationComponent.setCurrentUser(authenticationComponent.getSystemUserName());
diff --git a/source/java/org/alfresco/repo/usage/UserUsageTrackingComponentTest.java b/source/java/org/alfresco/repo/usage/UserUsageTrackingComponentTest.java
index 8b7b486819..285a4e762d 100644
--- a/source/java/org/alfresco/repo/usage/UserUsageTrackingComponentTest.java
+++ b/source/java/org/alfresco/repo/usage/UserUsageTrackingComponentTest.java
@@ -41,7 +41,7 @@ import org.alfresco.service.cmr.repository.ContentWriter;
 import org.alfresco.service.cmr.repository.NodeRef;
 import org.alfresco.service.cmr.repository.NodeService;
 import org.alfresco.service.cmr.repository.StoreRef;
-import org.alfresco.service.cmr.security.AuthenticationService;
+import org.alfresco.service.cmr.security.MutableAuthenticationService;
 import org.alfresco.service.cmr.security.PersonService;
 import org.alfresco.service.cmr.usage.ContentUsageService;
 import org.alfresco.service.namespace.NamespaceService;
@@ -59,7 +59,7 @@ public class UserUsageTrackingComponentTest extends TestCase
 
     private boolean clean = true;
     
-    private AuthenticationService authenticationService;
+    private MutableAuthenticationService authenticationService;
     private ContentService contentService;
     private TransactionService transactionService;
     private PersonService personService;
@@ -80,7 +80,7 @@ public class UserUsageTrackingComponentTest extends TestCase
     protected void setUp() throws Exception
     {
         nodeService = (NodeService)applicationContext.getBean("NodeService");
-        authenticationService = (AuthenticationService)applicationContext.getBean("authenticationService");   
+        authenticationService = (MutableAuthenticationService)applicationContext.getBean("authenticationService");   
         transactionService = (TransactionService)applicationContext.getBean("transactionComponent");
         personService = (PersonService)applicationContext.getBean("PersonService");
         contentService = (ContentService)applicationContext.getBean("ContentService");
diff --git a/source/java/org/alfresco/repo/version/BaseVersionStoreTest.java b/source/java/org/alfresco/repo/version/BaseVersionStoreTest.java
index f105aa409b..cf9333165e 100644
--- a/source/java/org/alfresco/repo/version/BaseVersionStoreTest.java
+++ b/source/java/org/alfresco/repo/version/BaseVersionStoreTest.java
@@ -24,7 +24,6 @@
  */
 package org.alfresco.repo.version;
 
-import java.io.InputStream;
 import java.io.Serializable;
 import java.util.ArrayList;
 import java.util.Collection;
@@ -37,7 +36,6 @@ import java.util.Map;
 import org.alfresco.model.ContentModel;
 import org.alfresco.repo.dictionary.DictionaryBootstrap;
 import org.alfresco.repo.dictionary.DictionaryDAO;
-import org.alfresco.repo.dictionary.M2Model;
 import org.alfresco.repo.node.archive.NodeArchiveService;
 import org.alfresco.repo.security.authentication.AuthenticationUtil;
 import org.alfresco.repo.security.authentication.MutableAuthenticationDao;
@@ -51,7 +49,7 @@ import org.alfresco.service.cmr.repository.MLText;
 import org.alfresco.service.cmr.repository.NodeRef;
 import org.alfresco.service.cmr.repository.NodeService;
 import org.alfresco.service.cmr.repository.StoreRef;
-import org.alfresco.service.cmr.security.AuthenticationService;
+import org.alfresco.service.cmr.security.MutableAuthenticationService;
 import org.alfresco.service.cmr.security.PermissionService;
 import org.alfresco.service.cmr.version.Version;
 import org.alfresco.service.cmr.version.VersionService;
@@ -69,7 +67,7 @@ public abstract class BaseVersionStoreTest extends BaseSpringTest
     protected VersionCounterService versionCounterDaoService;
     protected ContentService contentService;
 	protected DictionaryDAO dictionaryDAO;
-    protected AuthenticationService authenticationService;
+    protected MutableAuthenticationService authenticationService;
     protected TransactionService transactionService;
     protected RetryingTransactionHelper txnHelper;
     protected MutableAuthenticationDao authenticationDAO;
@@ -159,7 +157,7 @@ public abstract class BaseVersionStoreTest extends BaseSpringTest
         this.dbNodeService = (NodeService)applicationContext.getBean("dbNodeService");
         this.versionCounterDaoService = (VersionCounterService)applicationContext.getBean("versionCounterService");
         this.contentService = (ContentService)applicationContext.getBean("contentService");
-        this.authenticationService = (AuthenticationService)applicationContext.getBean("authenticationService");
+        this.authenticationService = (MutableAuthenticationService)applicationContext.getBean("authenticationService");
         this.transactionService = (TransactionService)this.applicationContext.getBean("transactionComponent");
         this.txnHelper = (RetryingTransactionHelper) applicationContext.getBean("retryingTransactionHelper");
         this.authenticationDAO = (MutableAuthenticationDao) applicationContext.getBean("authenticationDao");
diff --git a/source/java/org/alfresco/service/ServiceRegistry.java b/source/java/org/alfresco/service/ServiceRegistry.java
index e5486cb5a5..42a0048a83 100644
--- a/source/java/org/alfresco/service/ServiceRegistry.java
+++ b/source/java/org/alfresco/service/ServiceRegistry.java
@@ -59,8 +59,8 @@ import org.alfresco.service.cmr.repository.TemplateService;
 import org.alfresco.service.cmr.rule.RuleService;
 import org.alfresco.service.cmr.search.CategoryService;
 import org.alfresco.service.cmr.search.SearchService;
-import org.alfresco.service.cmr.security.AuthenticationService;
 import org.alfresco.service.cmr.security.AuthorityService;
+import org.alfresco.service.cmr.security.MutableAuthenticationService;
 import org.alfresco.service.cmr.security.OwnableService;
 import org.alfresco.service.cmr.security.PermissionService;
 import org.alfresco.service.cmr.security.PersonService;
@@ -214,7 +214,7 @@ public interface ServiceRegistry
      * @return the authentication service (or null, if one is not provided)
      */
     @NotAuditable
-    AuthenticationService getAuthenticationService();
+    MutableAuthenticationService getAuthenticationService();
 
     /**
      * @return the node service (or null, if one is not provided)
diff --git a/source/java/org/alfresco/service/cmr/security/AuthenticationService.java b/source/java/org/alfresco/service/cmr/security/AuthenticationService.java
index b9fb0d1858..a1c7129277 100644
--- a/source/java/org/alfresco/service/cmr/security/AuthenticationService.java
+++ b/source/java/org/alfresco/service/cmr/security/AuthenticationService.java
@@ -40,56 +40,6 @@ import org.alfresco.service.PublicService;
 @PublicService
 public interface AuthenticationService
 {
-    /**
-     * Create an authentication for the given user.
-     * 
-     * @param userName
-     * @param password
-     * @throws AuthenticationException
-     */
-    @Auditable(parameters = {"userName", "password"}, recordable = {true, false})
-    public void createAuthentication(String userName, char[] password) throws AuthenticationException;
-    
-    /**
-     * Update the login information for the user (typically called by the user)
-     * 
-     * @param userName
-     * @param oldPassword
-     * @param newPassword
-     * @throws AuthenticationException
-     */
-    @Auditable(parameters = {"userName", "oldPassword", "newPassword"}, recordable = {true, false, false})
-    public void updateAuthentication(String userName, char[] oldPassword, char[] newPassword) throws AuthenticationException;
-    
-    /**
-     * Set the login information for a user (typically called by an admin user) 
-     * 
-     * @param userName
-     * @param newPassword
-     * @throws AuthenticationException
-     */
-    @Auditable(parameters = {"userName", "newPassword"}, recordable = {true, false})
-    public void setAuthentication(String userName, char[] newPassword) throws AuthenticationException;
-    
-
-    /**
-     * Delete an authentication entry
-     * 
-     * @param userName
-     * @throws AuthenticationException
-     */
-    @Auditable(parameters = {"userName"})
-    public void deleteAuthentication(String userName) throws AuthenticationException;
-    
-    /**
-     * Enable or disable an authentication entry
-     * 
-     * @param userName
-     * @param enabled
-     */
-    @Auditable(parameters = {"userName", "enabled"})
-    public void setAuthenticationEnabled(String userName, boolean enabled) throws AuthenticationException;
-    
     /**
      * Is an authentication enabled or disabled?
      * 
diff --git a/source/java/org/alfresco/service/cmr/security/MutableAuthenticationService.java b/source/java/org/alfresco/service/cmr/security/MutableAuthenticationService.java
new file mode 100644
index 0000000000..16f1aa7dca
--- /dev/null
+++ b/source/java/org/alfresco/service/cmr/security/MutableAuthenticationService.java
@@ -0,0 +1,97 @@
+/*
+ * Copyright (C) 2005-2009 Alfresco Software Limited.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+ * As a special exception to the terms and conditions of version 2.0 of 
+ * the GPL, you may redistribute this Program in connection with Free/Libre 
+ * and Open Source Software ("FLOSS") applications as described in Alfresco's 
+ * FLOSS exception.  You should have received a copy of the text describing 
+ * the FLOSS exception, and it is also available here: 
+ * http://www.alfresco.com/legal/licensing"
+ */
+package org.alfresco.service.cmr.security;
+
+import org.alfresco.repo.security.authentication.AuthenticationException;
+import org.alfresco.service.Auditable;
+
+/**
+ * An extended {@link AuthenticationService} that allows mutation of some or all of its user accounts.
+ * 
+ * @author dward
+ */
+public interface MutableAuthenticationService extends AuthenticationService
+{
+    /**
+     * Determines whether this user's authentication may be mutated via the other methods.
+     * 
+     * @param userName the user ID
+     * @return <code>true</code> if this user's authentication may be mutated via the other methods.
+     */
+    @Auditable(parameters = {"userName"}, recordable = {true})
+    public boolean isAuthenticationMutable(String userName);
+    
+    /**
+     * Create an authentication for the given user.
+     * 
+     * @param userName
+     * @param password
+     * @throws AuthenticationException
+     */
+    @Auditable(parameters = {"userName", "password"}, recordable = {true, false})
+    public void createAuthentication(String userName, char[] password) throws AuthenticationException;
+    
+    /**
+     * Update the login information for the user (typically called by the user)
+     * 
+     * @param userName
+     * @param oldPassword
+     * @param newPassword
+     * @throws AuthenticationException
+     */
+    @Auditable(parameters = {"userName", "oldPassword", "newPassword"}, recordable = {true, false, false})
+    public void updateAuthentication(String userName, char[] oldPassword, char[] newPassword) throws AuthenticationException;
+    
+    /**
+     * Set the login information for a user (typically called by an admin user) 
+     * 
+     * @param userName
+     * @param newPassword
+     * @throws AuthenticationException
+     */
+    @Auditable(parameters = {"userName", "newPassword"}, recordable = {true, false})
+    public void setAuthentication(String userName, char[] newPassword) throws AuthenticationException;
+    
+
+    /**
+     * Delete an authentication entry
+     * 
+     * @param userName
+     * @throws AuthenticationException
+     */
+    @Auditable(parameters = {"userName"})
+    public void deleteAuthentication(String userName) throws AuthenticationException;
+    
+    /**
+     * Enable or disable an authentication entry
+     * 
+     * @param userName
+     * @param enabled
+     */
+    @Auditable(parameters = {"userName", "enabled"})
+    public void setAuthenticationEnabled(String userName, boolean enabled) throws AuthenticationException;
+    
+    
+}
diff --git a/source/java/org/alfresco/util/BaseAlfrescoSpringTest.java b/source/java/org/alfresco/util/BaseAlfrescoSpringTest.java
index 4119007511..1cfed2b0f6 100644
--- a/source/java/org/alfresco/util/BaseAlfrescoSpringTest.java
+++ b/source/java/org/alfresco/util/BaseAlfrescoSpringTest.java
@@ -30,7 +30,7 @@ import org.alfresco.service.cmr.repository.ContentService;
 import org.alfresco.service.cmr.repository.NodeRef;
 import org.alfresco.service.cmr.repository.NodeService;
 import org.alfresco.service.cmr.repository.StoreRef;
-import org.alfresco.service.cmr.security.AuthenticationService;
+import org.alfresco.service.cmr.security.MutableAuthenticationService;
 import org.alfresco.service.transaction.TransactionService;
 
 /**
@@ -51,7 +51,7 @@ public abstract class BaseAlfrescoSpringTest extends BaseSpringTest
     protected ContentService contentService;
 
     /** The authentication service */
-    protected AuthenticationService authenticationService;
+    protected MutableAuthenticationService authenticationService;
 
     /** The store reference */
     protected StoreRef storeRef;
@@ -74,7 +74,7 @@ public abstract class BaseAlfrescoSpringTest extends BaseSpringTest
         // Get a reference to the node service
         this.nodeService = (NodeService) this.applicationContext.getBean("nodeService");
         this.contentService = (ContentService) this.applicationContext.getBean("contentService");
-        this.authenticationService = (AuthenticationService) this.applicationContext.getBean("authenticationService");
+        this.authenticationService = (MutableAuthenticationService) this.applicationContext.getBean("authenticationService");
         this.actionService = (ActionService)this.applicationContext.getBean("actionService");
         this.transactionService = (TransactionService)this.applicationContext.getBean("transactionComponent");
 
diff --git a/source/java/org/alfresco/util/TestWithUserUtils.java b/source/java/org/alfresco/util/TestWithUserUtils.java
index 6126c76e03..b54eb0a83c 100644
--- a/source/java/org/alfresco/util/TestWithUserUtils.java
+++ b/source/java/org/alfresco/util/TestWithUserUtils.java
@@ -32,6 +32,7 @@ import org.alfresco.repo.security.authentication.AuthenticationComponent;
 import org.alfresco.service.cmr.repository.NodeRef;
 import org.alfresco.service.cmr.repository.NodeService;
 import org.alfresco.service.cmr.security.AuthenticationService;
+import org.alfresco.service.cmr.security.MutableAuthenticationService;
 import org.alfresco.service.namespace.NamespaceService;
 import org.alfresco.service.namespace.QName;
 
@@ -56,7 +57,7 @@ public abstract class TestWithUserUtils
             String password, 
             NodeRef rootNodeRef,
             NodeService nodeService,
-            AuthenticationService authenticationService)
+            MutableAuthenticationService authenticationService)
     {
         // ignore if the user's authentication already exists
         if (authenticationService.authenticationExists(userName))
@@ -105,7 +106,7 @@ public abstract class TestWithUserUtils
     public static void authenticateUser(
             String userName,
             String password,
-            AuthenticationService authenticationService,
+            MutableAuthenticationService authenticationService,
             AuthenticationComponent authenticationComponent)
     {
         // go system
@@ -144,7 +145,7 @@ public abstract class TestWithUserUtils
         
     }
 
-    public static void deleteUser(String user_name, String pwd, NodeRef ref, NodeService service, AuthenticationService service2)
+    public static void deleteUser(String user_name, String pwd, NodeRef ref, NodeService service, MutableAuthenticationService service2)
     {
         service2.deleteAuthentication(user_name);
     }
diff --git a/source/java/org/alfresco/util/ValueDerivingMapFactory.java b/source/java/org/alfresco/util/ValueDerivingMapFactory.java
new file mode 100644
index 0000000000..6f770dfac1
--- /dev/null
+++ b/source/java/org/alfresco/util/ValueDerivingMapFactory.java
@@ -0,0 +1,167 @@
+/*
+ * Copyright (C) 2005-2009 Alfresco Software Limited.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+ * As a special exception to the terms and conditions of version 2.0 of 
+ * the GPL, you may redistribute this Program in connection with Free/Libre 
+ * and Open Source Software ("FLOSS") applications as described in Alfresco's 
+ * FLOSS exception.  You should have received a copy of the text describing 
+ * the FLOSS exception, and it is also available here: 
+ * http://www.alfresco.com/legal/licensing"
+ */
+package org.alfresco.util;
+
+import java.util.AbstractMap;
+import java.util.AbstractSet;
+import java.util.Iterator;
+import java.util.Map;
+import java.util.Set;
+
+/**
+ * A factory for maps that dynamically derive their looked up values from a given source object.
+ * 
+ * @author dward
+ */
+public class ValueDerivingMapFactory<O, K, V>
+{
+
+    /** A map of value derivers that derive the value of each entry from a given source. */
+    private final Map<K, ValueDeriver<O, V>> valueDerivers;
+
+    /**
+     * Instantiates a new value deriving map factory.
+     * 
+     * @param valueDerivers
+     *            a map of value derivers that derive the value of each entry from a given source
+     */
+    public ValueDerivingMapFactory(Map<K, ValueDeriver<O, V>> valueDerivers)
+    {
+        this.valueDerivers = valueDerivers;
+    }
+
+    /**
+     * Gets a map that derives its values from the given source.
+     * 
+     * @param source
+     *            the source
+     * @return the map
+     */
+    public Map<K, V> getMap(final O source)
+    {
+        return new AbstractMap<K, V>()
+        {
+
+            @Override
+            public V get(Object key)
+            {
+                ValueDeriver<O, V> valueDeriver = ValueDerivingMapFactory.this.valueDerivers.get(key);
+                return valueDeriver == null ? null : valueDeriver.deriveValue(source);
+            }
+
+            @Override
+            public boolean containsKey(Object key)
+            {
+                return ValueDerivingMapFactory.this.valueDerivers.containsKey(key);
+            }
+
+            @Override
+            public Set<K> keySet()
+            {
+                return ValueDerivingMapFactory.this.valueDerivers.keySet();
+            }
+
+            @Override
+            public int size()
+            {
+                return ValueDerivingMapFactory.this.valueDerivers.size();
+            }
+
+            @Override
+            public Set<Map.Entry<K, V>> entrySet()
+            {
+                final Set<Map.Entry<K, ValueDeriver<O, V>>> entries = ValueDerivingMapFactory.this.valueDerivers
+                        .entrySet();
+                return new AbstractSet<Entry<K, V>>()
+                {
+
+                    @Override
+                    public Iterator<Map.Entry<K, V>> iterator()
+                    {
+                        final Iterator<Map.Entry<K, ValueDeriver<O, V>>> i = entries.iterator();
+                        return new Iterator<Map.Entry<K, V>>()
+                        {
+
+                            public boolean hasNext()
+                            {
+                                return i.hasNext();
+                            }
+
+                            public Map.Entry<K, V> next()
+                            {
+                                final Map.Entry<K, ValueDeriver<O, V>> next = i.next();
+                                return new Map.Entry<K, V>()
+                                {
+
+                                    public K getKey()
+                                    {
+                                        return next.getKey();
+                                    }
+
+                                    public V getValue()
+                                    {
+                                        return get(next.getKey());
+                                    }
+
+                                    public V setValue(V value)
+                                    {
+                                        throw new UnsupportedOperationException();
+                                    }
+                                };
+                            }
+
+                            public void remove()
+                            {
+                                throw new UnsupportedOperationException();
+                            }
+                        };
+                    }
+
+                    @Override
+                    public int size()
+                    {
+                        return entries.size();
+                    }
+                };
+            }
+        };
+    }
+
+    /**
+     * An interface for objects that derive the value for a specific entry in the map.
+     */
+    public interface ValueDeriver<O, V>
+    {
+
+        /**
+         * Derives a value from the given source.
+         * 
+         * @param source
+         *            the source
+         * @return the derived value
+         */
+        public V deriveValue(O source);
+    }
+}
diff --git a/source/java/org/alfresco/wcm/AbstractWCMServiceImplTest.java b/source/java/org/alfresco/wcm/AbstractWCMServiceImplTest.java
index af10a05d04..7068f02355 100644
--- a/source/java/org/alfresco/wcm/AbstractWCMServiceImplTest.java
+++ b/source/java/org/alfresco/wcm/AbstractWCMServiceImplTest.java
@@ -32,7 +32,7 @@ import org.alfresco.error.AlfrescoRuntimeException;
 import org.alfresco.model.ContentModel;
 import org.alfresco.repo.security.authentication.AuthenticationUtil;
 import org.alfresco.repo.transaction.RetryingTransactionHelper.RetryingTransactionCallback;
-import org.alfresco.service.cmr.security.AuthenticationService;
+import org.alfresco.service.cmr.security.MutableAuthenticationService;
 import org.alfresco.service.cmr.security.PersonService;
 import org.alfresco.service.transaction.TransactionService;
 import org.alfresco.util.ApplicationContextHelper;
@@ -102,7 +102,7 @@ public class AbstractWCMServiceImplTest extends TestCase
     protected SandboxService sbService;
     protected AssetService assetService;
     
-    protected AuthenticationService authenticationService;
+    protected MutableAuthenticationService authenticationService;
     protected PersonService personService;
     
     protected TransactionService transactionService;
@@ -115,7 +115,7 @@ public class AbstractWCMServiceImplTest extends TestCase
         sbService = (SandboxService)ctx.getBean("SandboxService");
         assetService = (AssetService)ctx.getBean("AssetService");
         
-        authenticationService = (AuthenticationService)ctx.getBean("AuthenticationService");
+        authenticationService = (MutableAuthenticationService)ctx.getBean("AuthenticationService");
         personService = (PersonService)ctx.getBean("PersonService");
         transactionService = (TransactionService)ctx.getBean("TransactionService");
         
diff --git a/source/java/org/alfresco/wcm/webproject/WebProjectServiceImplTest.java b/source/java/org/alfresco/wcm/webproject/WebProjectServiceImplTest.java
index 979d38d8fb..fe74a5c5c4 100644
--- a/source/java/org/alfresco/wcm/webproject/WebProjectServiceImplTest.java
+++ b/source/java/org/alfresco/wcm/webproject/WebProjectServiceImplTest.java
@@ -42,9 +42,9 @@ import org.alfresco.service.cmr.model.FileFolderService;
 import org.alfresco.service.cmr.repository.DuplicateChildNodeNameException;
 import org.alfresco.service.cmr.repository.NodeRef;
 import org.alfresco.service.cmr.repository.NodeService;
-import org.alfresco.service.cmr.security.AuthenticationService;
 import org.alfresco.service.cmr.security.AuthorityService;
 import org.alfresco.service.cmr.security.AuthorityType;
+import org.alfresco.service.cmr.security.MutableAuthenticationService;
 import org.alfresco.service.cmr.security.PermissionService;
 import org.alfresco.service.cmr.security.PersonService;
 import org.alfresco.wcm.AbstractWCMServiceImplTest;
@@ -95,7 +95,7 @@ public class WebProjectServiceImplTest extends AbstractWCMServiceImplTest
         super.setUp();
         
         // Get the required services
-        authenticationService = (AuthenticationService)ctx.getBean("AuthenticationService");
+        authenticationService = (MutableAuthenticationService)ctx.getBean("AuthenticationService");
         personService = (PersonService)ctx.getBean("PersonService");
         fileFolderService = (FileFolderService)ctx.getBean("FileFolderService");
         authorityService = (AuthorityService)ctx.getBean("AuthorityService");