diff --git a/docs/manual/src/docbook/class-index-html.xsl b/docs/manual/src/docbook/class-index-html.xsl
index 92d17342b9..d8ccc27c7f 100644
--- a/docs/manual/src/docbook/class-index-html.xsl
+++ b/docs/manual/src/docbook/class-index-html.xsl
@@ -1,27 +1,43 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
-  <xsl:variable name="src-xref-base">http://static.springframework.org/spring-security/site/xref/</xsl:variable>
-  <xsl:variable name="ref-man-base">http://static.springframework.org/spring-security/site/reference/html/</xsl:variable>  
+  <!-- Run with xsltproc class-index-html.xsl classindex.xml > class-index.html -->    
+    
+  <xsl:variable name="src-xref-base">http://static.springsource.org/spring-security/site/docs/3.0.x/apidocs/</xsl:variable>
+  <xsl:variable name="ref-man-base">http://static.springsource.org/spring-security/site/docs/3.0.x/reference/</xsl:variable>  
 
   <xsl:template match="index">
     <html>
+      <head>
+        <title>Spring Security Class and Interface Index</title>
+      </head>
       <body>
-        <h1>Class and Interface Index</h1>
+        <h2>Class and Interface Index</h2>
+        <p>An list of classes and interfaces used in Spring Security with links to the sections in the Spring Security manual which 
+        refer to them.</p>
+        <div id="classindex">
         <xsl:apply-templates />
+        </div>
       </body>
     </html>  
   </xsl:template>
 
   <xsl:template match="class">
-    <h3><xsl:value-of select="@name"/></h3>
-    <xsl:if test="@src-xref">
-      <p><xsl:element name="a"><xsl:attribute name="href"><xsl:value-of select="concat($src-xref-base, @src-xref)"/></xsl:attribute>Source</xsl:element></p>
-    </xsl:if>
+    <div class="index-class">
+    <xsl:choose>
+      <xsl:when test="@src-xref">
+      <h4><xsl:element name="a"><xsl:attribute name="href"><xsl:value-of select="concat($src-xref-base, @src-xref)"/></xsl:attribute><xsl:value-of select="@name"/></xsl:element></h4>
+      </xsl:when>
+      <xsl:otherwise>
+        <h4><span class="classname"><xsl:value-of select="@name"/></span></h4>      
+      </xsl:otherwise>
+    </xsl:choose>
+    <table>
     <xsl:for-each select="link">
-      <p><xsl:element name="a"><xsl:attribute name="href"><xsl:value-of select="concat($ref-man-base, @href)"/></xsl:attribute><xsl:value-of select="@title"/></xsl:element></p>
+      <tr><td><xsl:element name="a"><xsl:attribute name="href"><xsl:value-of select="concat($ref-man-base, @href)"/></xsl:attribute><xsl:value-of select="@title"/></xsl:element></td>
+      </tr>
     </xsl:for-each>
+    </table>  
+    </div>
   </xsl:template>
-  
-
 
 </xsl:stylesheet>
diff --git a/docs/manual/classindex.pl b/docs/manual/src/docbook/classindex.pl
similarity index 66%
rename from docs/manual/classindex.pl
rename to docs/manual/src/docbook/classindex.pl
index 9e6692f5d4..c317e3e4a9 100755
--- a/docs/manual/classindex.pl
+++ b/docs/manual/src/docbook/classindex.pl
@@ -1,9 +1,22 @@
 #! /usr/bin/perl
 
+# Intended to generate an index of classnames to references in the manual (using the interfacename and classname elements).
+#
+# Builds an index of classnames to Javadoc (or src xref) links, from the allclasses-frame.html file.
+# Processes the ref manual docbook files, building an index of classname to section ids where the class is referenced
+# 
+#
+# $Id$
+
 use strict;
 
 # Get list of links to class src packages from Javadoc
 #system("curl http://static.springsource.org/spring-security/site/docs/3.0.x/apidocs/allclasses-frame.html > allclasses-frame.html");
+# Manual front page gives us section numbers
+#system("curl http://static.springsource.org/spring-security/site/docs/3.0.x/reference/springsecurity.html > springsecurity.html");
+
+my $index_page = `cat springsecurity.html`;
+
 my @all_classes = `cat allclasses-frame.html`;
 
 $#all_classes > 0 || die "No lines in Javadoc";
@@ -16,12 +29,17 @@ $#all_classes > 0 || die "No lines in Javadoc";
 my %classnames_to_src;
 
 while ($_ = pop @all_classes) {
-	next unless $_ =~ /<A HREF="(.*)" title.*>(([a-zA-Z0-9_]+?))<\/A>/;
-	print "Adding class $1, $2\n";
+    chomp;
+# Get rid of the italic tags round interface names
+    $_ =~ s/<I>//;
+    $_ =~ s/<\/I>//;    
+	next unless $_ =~ /<A HREF="(.*)" title=.*>(([a-zA-Z0-9_]+?))<\/A>.*/;
+#	print "Adding class $1, $2\n";
 	$classnames_to_src{$2} = $1;
 }
 
 #my @docbook = glob("*.xml");
+# The list of docbook files xincluded in the manual
 my @docbook;
 
 # Read the includes rather than using globbing to get the ordering right for the index.
@@ -34,12 +52,11 @@ while(<MAINDOC>) {
 
 # Hash of xml:id (i.e. anchor) to filename.html#anchor
 my %id_to_html;
-my %class_index;
 
 # Build map of html pages links
 while (my $file = pop @docbook) {
 	open FILE, $file or die "$!";	
-	print "\nProcessing: $file\n\n";
+#	print "\nProcessing: $file\n\n";
 	my $file_id;
 	while(<FILE>) {
 		if (/.* xml:id="([a-z0-9-]+?)"/) {
@@ -48,11 +65,11 @@ while (my $file = pop @docbook) {
 		}
 	}
 
-	$id_to_html{$file_id} = "$file_id.html#$file_id";
+	$id_to_html{$file_id} = "$file_id.html";
  
 	while (<FILE>) {
 		next unless /.* xml:id="([a-z0-9-]+?)"/;
-		print "$1\n";
+#		print "$1\n";
 		$id_to_html{$1} = "$file_id.html#$1";
 	}
 	close FILE;
@@ -84,11 +101,16 @@ foreach my $class (sort keys %classnames_to_ids) {
 	}
 	print INDEX ">\n";
 	foreach my $id (@{$classnames_to_ids{$class}}) {
-		print INDEX "    <link href='$id_to_html{$id}' title='$id_to_title{$id}'/>\n";
+	    my $href = $id_to_html{$id};
+	    $index_page =~ /$href">([AB0-9\.]* )/;
+	    my $section = $1 ? "$1" : "";
+	    print "$id $href $section\n";
+	    my $title = $id_to_title{$id};
+#	    print "$section$title\n";
+		print INDEX "    <link href='$href' title='$section$title'/>\n";
 	}
 	print INDEX "</class>\n"
 	
-	
 }
 print INDEX "</index>\n";
 close INDEX;
diff --git a/docs/manual/src/docbook/el-access.xml b/docs/manual/src/docbook/el-access.xml
index a3102dea4c..d7f0df4955 100644
--- a/docs/manual/src/docbook/el-access.xml
+++ b/docs/manual/src/docbook/el-access.xml
@@ -15,7 +15,7 @@
             Security uses specific classes for web and method security as the root object, in order
             to provide built-in expressions and access to values such as the current
             principal.</para>
-        <section>
+        <section  xml:id="el-common-built-in">
             <title>Common Built-In Expressions</title>
             <para>The base class for expression root objects is
                     <classname>SecurityExpressionRoot</classname>. This provides some common
@@ -121,7 +121,7 @@
         <para>Method security is a bit more complicated than a simple allow or deny rule. Spring
             Security 3.0 introduced some new annotations in order to allow comprehensive support for
             the use of expressions.</para>
-        <section>
+        <section  xml:id="el-pre-post-annotations">
             <title><literal>@Pre</literal> and <literal>@Post</literal> Annotations</title>
             <para>There are four annotations which support expression attributes to allow pre and
                 post-invocation authorization checks and also to support filtering of submitted
@@ -147,8 +147,9 @@
                     we're actually using a method argument as part of the expression to decide
                     whether the current user has the <quote>admin</quote>permission for the given
                     contact. The built-in <literal>hasPermission()</literal> expression is linked
-                    into the Spring Security ACL module through the application context. You can
-                    access any of the method arguments by name as expression variables, provided
+                    into the Spring Security ACL module through the application context, as we'll 
+                    <link xlink:href="#el-permission-evaluator">see
+                    below</link>. You can access any of the method arguments by name as expression variables, provided
                     your code has debug information compiled in. Any Spring-EL functionality is
                     available within the expression, so you can also access properties on the
                     arguments. For example, if you wanted a particular method to only allow access
@@ -189,5 +190,52 @@
                     the entries then this is likely to be inefficient.</para>
             </section>
         </section>
+        <section xml:id="el-method-built-in">
+            <title>Built-In Expressions</title>
+            <para>There are some built-in expressions which are specific to method security, which
+                we have already seen in use above. The <literal>filterTarget</literal> and
+                    <literal>returnValue</literal> values are simple enough, but the use of the
+                    <literal>hasPermission()</literal> expression warrants a closer look.</para>
+            <section  xml:id="el-permission-evaluator">
+                <title>The <interfacename>PermissionEvaluator</interfacename> interface</title>
+                <para><literal>hasPermission()</literal> expressions are delegated to an instance of
+                        <interfacename>PermissionEvaluator</interfacename>. It is intended to bridge
+                    between the expression system and Spring Security's ACL system, allowing you to
+                    specify authorization constraints on domain objects, based on abstract
+                    permissions. It has no explicit dependencies on the ACL module, so you could
+                    swap that out for an alternative implementation if required. The interface has
+                    two methods:
+                    <programlisting language="java">  boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission);
+
+  boolean hasPermission(Authentication authentication, Serializable targetId, String targetType, Object permission);</programlisting>which
+                    map directly to the available versions of the expression, with the exception
+                    that the first argument (the <interfacename>Authentication</interfacename>
+                    object) is not supplied. The first is used in situations where the domain
+                    object, to which access is being controlled, is already loaded. Then expression
+                    will return true if the current user has the given permission for that object.
+                    The second version is used in cases where the object is not loaded, but its
+                    identifier is known. An abstract <quote>type</quote> specifier for the domain
+                    object is also required, allowing the correct ACL permissions to be loaded. This
+                    has traditionally been the Java class of the object, but does not have to be as
+                    long as it is consistent with how the permissions are loaded.</para>
+                <para>To use <literal>hasPermission()</literal> expressions, you have to explicitly
+                    configure a <interfacename>PermissionEvaluator</interfacename> in your
+                    application context. This would look something like
+                    this:<programlisting language="xml"> <![CDATA[ <security:global-method-security pre-post-annotations="enabled">
+    <security:expression-handler ref="expressionHandler"/>
+  </security:global-method-security>
+
+  <bean id="expressionHandler" 
+      class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
+        <property name="permissionEvaluator" ref="myPermissionEvaluator"/>
+  </bean>]]></programlisting>Where
+                        <literal>myPermissionEvaluator</literal> is the bean which implements
+                        <interfacename>PermissionEvaluator</interfacename>. Usually this will be the
+                    implementation from the ACL module which is called
+                        <classname>AclPermissionEvaluator</classname>. See the
+                        <quote>Contacts</quote> sample application configuration for more
+                    details.</para>
+            </section>
+        </section>
     </section>
 </chapter>
diff --git a/docs/manual/src/docbook/namespace-config.xml b/docs/manual/src/docbook/namespace-config.xml
index e25200d38d..f6bac69d6b 100644
--- a/docs/manual/src/docbook/namespace-config.xml
+++ b/docs/manual/src/docbook/namespace-config.xml
@@ -16,12 +16,12 @@
       complexity from the user. A simple element may conceal the fact that multiple beans and
       processing steps are being added to the application context. For example, adding the following
       element from the security namespace to an application context will start up an embedded LDAP
-      server for testing use within the application: <programlisting><![CDATA[ 
+      server for testing use within the application: <programlisting language="xml"><![CDATA[ 
   <security:ldap-server />
 ]]></programlisting> This is much simpler than wiring up the equivalent Apache Directory Server
       beans. The most common alternative configuration requirements are supported by attributes on
       the <literal>ldap-server</literal> element and the user is isolated from worrying about which
-      beans they need create and what the bean property names are. <footnote><para>You can find out
+      beans they need to create and what the bean property names are. <footnote><para>You can find out
           more about the use of the <literal>ldap-server</literal> element in the chapter on <link
             xlink:href="#ldap">LDAP</link>.</para></footnote>. Use of a good XML editor while
       editing the application context file should provide information on the attributes and elements
@@ -380,11 +380,11 @@
         <title>Detecting Timeouts</title>
         <para> You can configure Spring Security to detect the submission of an invalid session ID
           and redirect the user to an appropriate URL. This is achieved through the
-            <literal>session-management</literal> element:<![CDATA[     
+            <literal>session-management</literal> element: <programlisting language="xml"><![CDATA[     
   <http>
     ...
     <session-management invalid-session-url="/sessionTimeout.htm" />
-  </http>]]></para>
+  </http>]]></programlisting></para>
       </section>
       <section xml:id="ns-concurrent-sessions">
         <title>Concurrent Session Control</title>
@@ -392,13 +392,13 @@
           application, Spring Security supports this out of the box with the following simple
           additions. First you need to add the following listener to your
             <filename>web.xml</filename> file to keep Spring Security updated about session
-          lifecycle events: <![CDATA[         
+          lifecycle events: <programlisting language="xml"><![CDATA[         
   <listener>
     <listener-class>
       org.springframework.security.web.session.HttpSessionEventPublisher
     </listener-class>
   </listener>
-]]> Then add the following lines to your application context: <programlisting language="xml"><![CDATA[     
+]]></programlisting> Then add the following lines to your application context: <programlisting language="xml"><![CDATA[     
   <http>
     ...
     <session-management>
@@ -457,7 +457,7 @@
   </http>
   ]]></programlisting> You should then register yourself with an OpenID provider (such as
         myopenid.com), and add the user information to your in-memory
-          <literal>&lt;user-service&gt;</literal>: <programlisting><![CDATA[
+          <literal>&lt;user-service&gt;</literal>: <programlisting language="xml"><![CDATA[
   <user name="http://jimi.hendrix.myopenid.com/" password="notused" 
           authorities="ROLE_USER" />
   ]]></programlisting> You should be able to login using the <literal>myopenid.com</literal> site to
@@ -689,7 +689,6 @@
   </authentication-manager>
   <bean id="casAuthenticationProvider" 
       class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
-    <security:custom-authentication-provider />
     ...
   </bean>
   ]]></programlisting></para>
diff --git a/docs/manual/src/docbook/technical-overview.xml b/docs/manual/src/docbook/technical-overview.xml
index 9e2a4d8f03..5278c89d9a 100644
--- a/docs/manual/src/docbook/technical-overview.xml
+++ b/docs/manual/src/docbook/technical-overview.xml
@@ -284,7 +284,7 @@ Successfully authenticated. Security context contains: \
         here to show that the question of what actually constitutes authentication in Spring
         Security has quite a simple answer. A user is authenticated when the
           <classname>SecurityContextHolder</classname> contains a fully populated
-          <interfacename>Authentiation</interfacename> object.</para>
+          <interfacename>Authentication</interfacename> object.</para>
       <section>
         <title>Setting the SecurityContextHolder Contents Directly</title>
         <para>In fact, Spring Security doesn't mind how you put the
@@ -424,7 +424,7 @@ Successfully authenticated. Security context contains: \
   <section xml:id="tech-intro-access-control">
     <title>Access-Control (Authorization) in Spring Security</title>
     <para> The main interface resposible for making access-control decisions in Spring Security is
-      the <interfacename>AccessDecisionMananger</interfacename>. It has a
+      the <interfacename>AccessDecisionManager</interfacename>. It has a
         <methodname>decide</methodname> method which takes an
         <interfacename>Authentication</interfacename> object representing the principal requesting
       access, a <quote>secure object</quote> (see below) and a list of security metadata attributes