After some additional research, I suppose I can just use the com.wm.app.b2b.server.UGClass.checkPassword method to authenticate the credentials in my SOAP Header against a wM User. In this scenario I probably don’t need to implement ACLs at all.
However, I’m still confused about how the Default and RPC SOAP processors authenticate requests. Based on my understanding of these processors I assume that credential information must be provided by the client in the HTTP request in order for the IS to perform Basic HTTP Authentication.
Fred