diff --git a/src/docbkx/authorization-common.xml b/src/docbkx/authorization-common.xml
index fbd86b988e..0aadb002a7 100644
--- a/src/docbkx/authorization-common.xml
+++ b/src/docbkx/authorization-common.xml
@@ -93,21 +93,18 @@
     <literal>AccessDecisionManager</literal> to control all aspects of
     authorization, Spring Security includes several
     <literal>AccessDecisionManager</literal> implementations that are
-    based on voting. Figure 4 illustrates the relevant classes.</para>
-
-    <para><mediaobject>
+    based on voting. <xref linkend="authz-access-voting"/> illustrates the relevant classes.</para>
+      <figure xml:id="authz-access-voting">
+        <title>Voting Decision Manager</title>
+      <mediaobject>
         <imageobject role="fo">
           <imagedata align="center" fileref="resources/images/AccessDecisionVoting.gif" format="GIF"/>
         </imageobject>
         <imageobject role="html">
           <imagedata align="center" fileref="images/AccessDecisionVoting.gif" format="GIF"/>
         </imageobject>
-
-        <caption>
-          <para>Figure 4: Voting Decision Manager</para>
-        </caption>
-      </mediaobject></para>
-
+      </mediaobject>
+      </figure>
     <para>Using this approach, a series of
     <literal>AccessDecisionVoter</literal> implementations are polled on
     an authorization decision. The
@@ -265,21 +262,23 @@ boolean supports(Class clazz);
     several concrete implementations that integrate with its ACL
     capabilities.</para>
 
-    <para>Figure 5 illustrates Spring Security's
+    <para><xref linkend="authz-after-invocation"/> illustrates Spring Security's
     <literal>AfterInvocationManager</literal> and its concrete
-    implementations.</para>
-
-    <para><mediaobject>
-        <imageobject>
-          <imagedata role="fo" align="center" fileref="resources/images/AfterInvocation.gif" format="GIF"/>
+    implementations.
+      
+    <figure xml:id="authz-after-invocation">
+      <title>After Invocation Implementation</title>
+      <mediaobject>
+        <imageobject role="fo">
+          <imagedata  align="center" fileref="resources/images/AfterInvocation.gif" format="GIF"/>
         </imageobject>
-        <imageobject>
-          <imagedata role="html" align="center" fileref="images/AfterInvocation.gif" format="GIF"/>
+        <imageobject role="html">
+          <imagedata  align="center" fileref="images/AfterInvocation.gif" format="GIF"/>
         </imageobject>
-        <caption>
-          <para>Figure 5: After Invocation Implementation</para>
-        </caption>
-      </mediaobject></para>
+      </mediaobject>
+    
+    </figure>
+    </para>
 
     <para>Like many other parts of Spring Security,
     <literal>AfterInvocationManager</literal> has a single concrete
@@ -315,7 +314,6 @@ boolean supports(Class clazz);
     <literal>ROLE_AUTHENTICATED</literal> configuration attribute</para>
 
     <section xml:id="after-invocation-acl-aware"><info><title>ACL-Aware AfterInvocationProviders</title></info>
-      
 
       <para>PLEASE NOTE: Acegi Security 1.0.3 contains a preview of a new
       ACL module. The new ACL module is a significant rewrite of the
diff --git a/src/docbkx/domain-acls-old.xml b/src/docbkx/domain-acls-old.xml
index da729e82a7..e1acfc152e 100644
--- a/src/docbkx/domain-acls-old.xml
+++ b/src/docbkx/domain-acls-old.xml
@@ -104,21 +104,21 @@
 
     <para>The <literal>org.springframework.security.acl</literal> package
     is very simple, comprising only a handful of interfaces and a single
-    class, as shown in Figure 6. It provides the basic foundation for
-    access control list (ACL) lookups.</para>
+    class, as shown in <xref linkend="acl-manager"/>. It provides the basic foundation for
+    access control list (ACL) lookups.
 
-    <para><mediaobject>
-        <imageobject>
-          <imagedata role="fo" align="center" fileref="resources/images/ACLSecurity.gif" format="GIF"/>
+    <figure xml:id="acl-manager">
+      <title>Access Control List Manager</title>
+      <mediaobject>
+        <imageobject role="fo">
+          <imagedata align="center" fileref="resources/images/ACLSecurity.gif" format="GIF"/>
         </imageobject>
         <imageobject role="html">
           <imagedata align="center" fileref="images/ACLSecurity.gif" format="GIF"/>
         </imageobject>
-
-        <caption>
-          <para>Figure 6: Access Control List Manager</para>
-        </caption>
-      </mediaobject></para>
+      </mediaobject>
+    </figure>
+    </para>
 
     <para>The central interface is <literal>AclManager</literal>, which is
     defined by two methods:</para>
@@ -166,20 +166,19 @@ public AclEntry[] getAcls(java.lang.Object domainInstance, Authentication authen
     implementation.</para>
 
     <para>Spring Security includes a production-quality ACL provider
-    implementation, which is shown in Figure 7.</para>
+    implementation, which is shown in <xref linkend="acl-basic-mgr"/>.
 
-    <para><mediaobject>
+    <figure xml:id="acl-basic-mgr">
+      <title>Basic ACL Manager</title>
+      <mediaobject>
         <imageobject role="fo">
           <imagedata align="center" fileref="resources/images/BasicAclProvider.gif" format="GIF"/>
         </imageobject>
         <imageobject role="html">
           <imagedata align="center" fileref="images/BasicAclProvider.gif" format="GIF"/>
         </imageobject>
-
-        <caption>
-          <para>Figure 7: Basic ACL Manager</para>
-        </caption>
-      </mediaobject></para>
+      </mediaobject>
+    </figure></para>
 
     <para>The implementation is based on integer masking, which is
     commonly used for ACL permissions given its flexibility and speed.
@@ -462,6 +461,8 @@ END;
     <literal>GrantedAuthority</literal>[]s. Please refer to the JavaDocs
     for more information.</para>
 
+    <figure xml:id="acl-instantiation">
+      <title>ACL Instantiation Approach</title>
     <mediaobject>
       <imageobject role="fo">
         <imagedata align="center" fileref="resources/images/Permissions.gif" format="GIF"/>
@@ -469,13 +470,10 @@ END;
       <imageobject role="html">
         <imagedata align="center" fileref="images/Permissions.gif" format="GIF"/>
       </imageobject>
-
-      <caption>
-        <para>Figure 8: ACL Instantiation Approach</para>
-      </caption>
     </mediaobject>
+    </figure>
 
-    <para>The above figure explains the key relationships between objects
+    <para><xref linkend="acl-instantiation"/> explains the key relationships between objects
     in the Basic ACL package.</para>
   </section>
 </chapter>
\ No newline at end of file
diff --git a/src/docbkx/technical-overview.xml b/src/docbkx/technical-overview.xml
index d378bb2ca0..536633e02b 100644
--- a/src/docbkx/technical-overview.xml
+++ b/src/docbkx/technical-overview.xml
@@ -472,19 +472,20 @@ if (obj instanceof UserDetails) {
 
     <para>Because <literal>AbstractSecurityInterceptor</literal> is the
     central template class, it seems fitting that the first figure should
-    be devoted to it.</para>
-
-    <para><mediaobject>
+    be devoted to it.
+      
+    <figure>
+      <title>The key "secure object" model</title>
+      <mediaobject>
         <imageobject role="html">
           <imagedata align="center" fileref="images/SecurityInterception.gif" format="GIF"/>
         </imageobject>
         <imageobject role="fo">
           <imagedata align="center" fileref="resources/images/SecurityInterception.gif" format="GIF"/>
         </imageobject>
-        <caption>
-          <para>Figure 1: The key "secure object" model</para>
-        </caption>
-      </mediaobject></para>
+      </mediaobject>
+    </figure>
+    </para>
 
     <para>Only developers contemplating an entirely new way of
     intercepting and authorizing requests would need to use secure objects