// Check the caller against the owner entry of this ACL.
// Returns normally when the owner entry validates the context; otherwise
// raises CSSM_ERRCODE_OPERATION_AUTH_DENIED through CssmError::throwMe.
void ObjectAcl::validateOwner(AclValidationContext &ctx)
{
    // presumably makes sure the ACL is loaded before it is consulted -- confirm
    instantiateAcl();

    // bind the context to this ACL and to the owner's subject before validating
    ctx.init(this, mOwner.subject);

    // fail closed: anything other than a positive owner match is a denial
    if (!mOwner.validate(ctx))
        CssmError::throwMe(CSSM_ERRCODE_OPERATION_AUTH_DENIED);
}
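// Evaluate the ACL entries against a validation context.
//
// Looks up the entries filed under the context's credential tag and tries
// each one in turn. An entry is considered only if it authorizes the
// requested authorization; the first such entry whose validate() accepts
// the context makes the whole call succeed.
//
// Returns true if some entry passed, false if none did (fail closed).
// Raises CSSM_ERRCODE_ACL_ENTRY_TAG_NOT_FOUND through CssmError::throwMe
// when getRange() reports no entries for the tag.
bool ObjectAcl::validates(AclValidationContext &ctx)
{
    // make sure we are ready to go
    instantiateAcl();

    IFDUMPING("acleval", Debug::dump("<<WANT(%d)<", ctx.authorization()));

    //@@@ should pre-screen based on requested auth, maybe?

#if defined(ACL_OMNIPOTENT_OWNER)
    // try owner (owner can do anything)
    // With this macro defined, an owner match returns before any entry is
    // examined, so none of the per-entry authorization checks below apply
    // to the owner.
    // NOTE(review): unlike validateOwner(), this path does not call
    // ctx.init(this, mOwner.subject) before validating -- confirm whether
    // the context has to be bound to the owner subject first.
    if (mOwner.validate(ctx))
        return true;    // a bare `return;` is ill-formed in a bool function
#endif //ACL_OMNIPOTENT_OWNER

    // try applicable ACLs
    pair<EntryMap::const_iterator, EntryMap::const_iterator> range;
    if (getRange(ctx.s_credTag(), range) == 0)    // no such tag
        CssmError::throwMe(CSSM_ERRCODE_ACL_ENTRY_TAG_NOT_FOUND);

    // try each entry in turn
    for (EntryMap::const_iterator it = range.first; it != range.second; ++it) {
        const AclEntry &slot = it->second;
        IFDUMPING("acleval", (Debug::dump(" EVAL["), slot.debugDump(), Debug::dump("]")));

        // skip entries that do not cover the requested authorization
        if (slot.authorizes(ctx.authorization())) {
            // rebind the context to this entry's subject and record its tag
            // before asking the entry to validate
            ctx.init(this, slot.subject);
            ctx.entryTag(slot.tag);
            if (slot.validate(ctx)) {
                IFDUMPING("acleval", Debug::dump(">PASS>>\n"));
                return true;    // passed
            }
            IFDUMPING("acleval", Debug::dump(" NO"));
        }
    }

    // no entry both authorized and validated the request: deny
    IFDUMPING("acleval", Debug::dump(">FAIL>>\n"));
    return false;    // no joy
}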