diff --git a/webapp/lib/cxf-xjc-runtime-2.6.2.jar b/webapp/lib/cxf-xjc-runtime-2.6.2.jar
new file mode 100644
index 000000000..585894097
Binary files /dev/null and b/webapp/lib/cxf-xjc-runtime-2.6.2.jar differ
diff --git a/webapp/lib/cxf-xjc-ts-2.6.2.jar b/webapp/lib/cxf-xjc-ts-2.6.2.jar
new file mode 100644
index 000000000..283ba149d
Binary files /dev/null and b/webapp/lib/cxf-xjc-ts-2.6.2.jar differ
diff --git a/webapp/lib/javax.json-1.0.4.jar b/webapp/lib/javax.json-1.0.4.jar
new file mode 100644
index 000000000..09967d815
Binary files /dev/null and b/webapp/lib/javax.json-1.0.4.jar differ
diff --git a/webapp/lib/javax.json-api-1.0.jar b/webapp/lib/javax.json-api-1.0.jar
new file mode 100644
index 000000000..d276c793c
Binary files /dev/null and b/webapp/lib/javax.json-api-1.0.jar differ
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/permissions/PermissionRegistry.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/permissions/PermissionRegistry.java
index ae9af0073..1a050608f 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/permissions/PermissionRegistry.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/permissions/PermissionRegistry.java
@@ -4,7 +4,6 @@ package edu.cornell.mannlib.vitro.webapp.auth.permissions;
 import java.util.ArrayList;
 import java.util.Collection;
-import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -20,15 +19,19 @@ import edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean.RoleLevel; import edu.cornell.mannlib.vitro.webapp.startup.StartupStatus; /** - * An immutable collection of Permission objects, keyed by URI. Resides in the + * A collection of Permission objects, keyed by URI. Resides in the * ServletContext. * - * This is not thread-safe, so all Permissions should be added during context + * This is not thread-safe, so Permissions should be added only during context * initialization. */ public class PermissionRegistry { private static final Log log = LogFactory.getLog(PermissionRegistry.class); + // ---------------------------------------------------------------------- + // The factory + // ---------------------------------------------------------------------- + private static final String ATTRIBUTE_NAME = PermissionRegistry.class .getName(); @@ -55,7 +58,8 @@ public class PermissionRegistry { "PermissionRegistry has already been set."); } - PermissionRegistry registry = new PermissionRegistry(permissions); + PermissionRegistry registry = new PermissionRegistry(); + registry.addPermissions(permissions); ctx.setAttribute(ATTRIBUTE_NAME, registry); } 
@@ -80,26 +84,40 @@ public class PermissionRegistry { return (PermissionRegistry) o; } - private final Map permissionsMap; + // ---------------------------------------------------------------------- + // The instance + // ---------------------------------------------------------------------- - public PermissionRegistry(Collection permissions) { - Map map = new HashMap(); + private final Map map = new HashMap<>(); + + /** + * This class is not thread-safe, so permissions should be added only during + * context initialization. + */ + public void addPermissions(Collection permissions) { for (Permission p : permissions) { - String uri = p.getUri(); - if (map.containsKey(uri)) { - throw new IllegalStateException("A Permission is already " - + "registered with this URI: '" + uri + "'."); - } - map.put(uri, p); + addPermission(p); } - this.permissionsMap = Collections.unmodifiableMap(map); + } + + /** + * This class is not thread-safe, so permissions should be added only during + * context initialization. + */ + public void addPermission(Permission p) { + String uri = p.getUri(); + if (map.containsKey(uri)) { + throw new IllegalStateException("A Permission is already " + + "registered with this URI: '" + uri + "'."); + } + map.put(uri, p); } /** * Is there a Permission registered with this URI? */ public boolean isPermission(String uri) { - return permissionsMap.containsKey(uri); + return map.containsKey(uri); } /** @@ -110,7 +128,7 @@ public class PermissionRegistry { * this URI, call isPermission() instead. */ public Permission getPermission(String uri) { - Permission p = permissionsMap.get(uri); + Permission p = map.get(uri); if (p == null) { log.warn("No Permission is registered for '" + uri + "'"); return new BrokenPermission(uri); diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/freemarker/FreemarkerHttpServlet.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/freemarker/FreemarkerHttpServlet.java index 3c5944665..665c46eff 100644 
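Review bot: `addPermission` and `addPermissions` are now public mutators on a registry that lives in the ServletContext, and the only thing restricting them to start-up is the Javadoc sentence; the `Collections.unmodifiableMap` wrapper that used to enforce it is gone. A plain `HashMap` written by one thread while `isPermission`/`getPermission` read it on request threads is not safe, and any code holding the context can now register a Permission at runtime. Either back `map` with a `ConcurrentHashMap` and collapse the check-then-put into `if (map.putIfAbsent(uri, p) != null) throw new IllegalStateException(...)`, or refuse additions once start-up has finished. Note also that `addPermissions` is no longer all-or-nothing: a duplicate URI part-way through leaves the earlier entries registered, where the old constructor built nothing.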
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/freemarker/FreemarkerHttpServlet.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/freemarker/FreemarkerHttpServlet.java
@@ -37,6 +37,7 @@ import edu.cornell.mannlib.vitro.webapp.controller.freemarker.TemplateProcessing
 import edu.cornell.mannlib.vitro.webapp.controller.freemarker.UrlBuilder.Route;
 import edu.cornell.mannlib.vitro.webapp.controller.freemarker.responsevalues.ExceptionResponseValues;
 import edu.cornell.mannlib.vitro.webapp.controller.freemarker.responsevalues.ForwardResponseValues;
+import edu.cornell.mannlib.vitro.webapp.controller.freemarker.responsevalues.NotAuthorizedResponseValues;
 import edu.cornell.mannlib.vitro.webapp.controller.freemarker.responsevalues.RdfResponseValues;
 import edu.cornell.mannlib.vitro.webapp.controller.freemarker.responsevalues.RedirectResponseValues;
 import edu.cornell.mannlib.vitro.webapp.controller.freemarker.responsevalues.ResponseValues;
@@ -229,17 +230,19 @@ public class FreemarkerHttpServlet extends VitroHttpServlet { response.setStatus(statusCode); } - if (values instanceof ExceptionResponseValues) { - doException(vreq, response, values); - } else if (values instanceof TemplateResponseValues) { - doTemplate(vreq, response, values); - } else if (values instanceof RedirectResponseValues) { - doRedirect(vreq, response, values); - } else if (values instanceof ForwardResponseValues) { - doForward(vreq, response, values); - } else if (values instanceof RdfResponseValues) { - doRdf(vreq, response, values); - } + if (values instanceof NotAuthorizedResponseValues) { + doNotAuthorized(vreq, response, (NotAuthorizedResponseValues)values); + } else if (values instanceof ExceptionResponseValues) { + doException(vreq, response, values); + } else if (values instanceof TemplateResponseValues) { + doTemplate(vreq, response, values); + } else if (values instanceof RedirectResponseValues) { + doRedirect(vreq, response, values); + } else if (values instanceof ForwardResponseValues) { + doForward(vreq, response, values); + } else if (values instanceof RdfResponseValues) { + doRdf(vreq, response, values); + } } catch (ServletException e) { log.error("ServletException in doResponse()", e); } catch (IOException e) { @@ -247,7 +250,15 @@ public class FreemarkerHttpServlet extends VitroHttpServlet { } } - protected void doTemplate(VitroRequest vreq, HttpServletResponse response, + private void doNotAuthorized(VitroRequest vreq, + HttpServletResponse response, NotAuthorizedResponseValues values) { + // This method does a redirect if the required authorizations are + // not met (and they won't be), so just return. + isAuthorizedToDisplayPage(vreq, response, values.getUnauthorizedAction()); + return; + } + + protected void doTemplate(VitroRequest vreq, HttpServletResponse response, ResponseValues values) throws TemplateProcessingException { Map templateDataModel = new HashMap(); 
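Review bot: `doNotAuthorized` discards whatever `isAuthorizedToDisplayPage` reports and relies on the comment's assumption that the check always fails ("and they won't be"). That callee is outside this hunk; if it returns a boolean and some policy does authorize the action, nothing is redirected and the client receives an empty response with the status set earlier in `doResponse`. Test the result and fail closed, e.g. `if (isAuthorizedToDisplayPage(vreq, response, values.getUnauthorizedAction())) { response.sendError(HttpServletResponse.SC_FORBIDDEN); }`, which needs `throws IOException` on the method (the calling try block already catches it). The trailing `return;` is redundant.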
@@ -548,4 +559,5 @@ public class FreemarkerHttpServlet extends VitroHttpServlet { // to set up the data model. new FreemarkerComponentGenerator(request); } + } \ No newline at end of file diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/freemarker/responsevalues/NotAuthorizedResponseValues.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/freemarker/responsevalues/NotAuthorizedResponseValues.java new file mode 100644 index 000000000..035833bae --- /dev/null +++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/freemarker/responsevalues/NotAuthorizedResponseValues.java @@ -0,0 +1,31 @@ +/* $This file is distributed under the terms of the license in /doc/license.txt$ */ + +package edu.cornell.mannlib.vitro.webapp.controller.freemarker.responsevalues; + +import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.RequestedAction; + +/** + * This allows processRequest() in sub-classes of FreemarkerHttpServlet to + * decide that the request is not authorized, and properly handle the + * redirection. + */ +public class NotAuthorizedResponseValues extends BaseResponseValues { + /** + * If logging is turned on, this will be written to the log as a reason for + * rejecting the servlet. + */ + private final String logMessage; + + public NotAuthorizedResponseValues(String logMessage) { + this.logMessage = logMessage; + } + + public RequestedAction getUnauthorizedAction() { + return new RequestedAction() { + @Override + public String toString() { + return "Servlet not authorized: " + logMessage; + } + }; + } +}
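Review bot: In the new NotAuthorizedResponseValues.java, `logMessage` is stored as given and comes back out through the anonymous action's `toString()`, which the field's Javadoc says is written to the log. The callers are not in this diff; if any of them builds the message from request data, a CR or LF in it can forge log entries, so neutralise it once in the constructor, e.g. `this.logMessage = String.valueOf(logMessage).replaceAll("[\\r\\n]", " ");`. `getUnauthorizedAction()` also deserves a Javadoc line stating that the action is expected to be refused because no policy recognises it, since `doNotAuthorized` depends on that.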