Advice on authentication/authorization

 
Greenhorn
Posts: 2
I have two legacy backend apps exchanging SOAP messages. In the next release of the product, confidential data will need to be exchanged between them. Encryption/Decryption on the wire is not necessary, but authentication and authorization will need to be done. What strategy would be feasible and with minimum code impact?
 
Ranch Hand
Posts: 214
I'll just list them in (in my opinion) easy -> complex order.

Simple HTTP Authentication (like when IE pops up a box saying login) - take a look at RFC2617. This'll just be sent as part of the HTTP Headers, easy to crack as Basic auth is simply


But if you're sure that you don't need encryption of the data, then that may be the quickest way.

On the other hand, use SSL with Client Cert Authentication - This will ensure comms between the two apps is encrypted, and server-a checks the server-b certificate against its chain of trust, so it's more secure than RFC2617 style. It's not much more complicated than RFC2617, but people seem to have problems with SSL judging by some of the questions that get asked in this forum.

Or, on your third hand, change your SOAP payload so that each server signs the document in question. This will give you a guarantee that it was sent by that app (as much as is possible; if you don't keep your certs safe, then you're a bad bad person), as server-b compares the signed server-a hash with one that it generated.
 
With a little knowledge, a cast iron skillet is non-stick and lasts a lifetime.
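The third option above (each app signs the SOAP document, and the receiver checks the signature against its own hash of what it received) is the one with the most code behind it, so here is a worked illustration of that sender/receiver exchange. This is an added example, not code from the poster above or from any particular SOAP stack; it uses only the JDK's `java.security.Signature` with an RSA key pair generated in place of server-a's real certificate key, and the SOAP body is a constructed sample. `SHA256withRSA` hashes the bytes internally, which is the "signed hash" the reply describes.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Base64;

public class SoapSigningDemo {

    // Constructed sample payload standing in for a real SOAP envelope.
    static final String SOAP_BODY =
        "<soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">"
      + "<soap:Body><transfer><account>12345</account><amount>100.00</amount></transfer></soap:Body>"
      + "</soap:Envelope>";

    /** Sender side (server-a): sign the SHA-256 digest of the body with the app's private key. */
    static String sign(String body, PrivateKey key) throws Exception {
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(key);
        sig.update(body.getBytes(StandardCharsets.UTF_8));
        // Base64 so the signature can travel in a SOAP header or an HTTP header.
        return Base64.getEncoder().encodeToString(sig.sign());
    }

    /** Receiver side (server-b): re-hash the body it actually received and check it
     *  against the signature using the sender's trusted public key. */
    static boolean verify(String body, String b64Sig, PublicKey senderKey) throws Exception {
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(senderKey);
        sig.update(body.getBytes(StandardCharsets.UTF_8));
        return sig.verify(Base64.getDecoder().decode(b64Sig));
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical stand-in for server-a's certificate key pair; in production the
        // private key lives in server-a's keystore and server-b holds only the public cert.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair serverA = kpg.generateKeyPair();

        String signature = sign(SOAP_BODY, serverA.getPrivate());
        System.out.println("intact payload verifies:   "
            + verify(SOAP_BODY, signature, serverA.getPublic()));   // true

        // Any change in transit (here: the amount) makes server-b's hash differ.
        String tampered = SOAP_BODY.replace("100.00", "999.00");
        System.out.println("tampered payload verifies: "
            + verify(tampered, signature, serverA.getPublic()));    // false
    }
}
```

Two caveats a practitioner would want before copying this. The signature covers the exact bytes, so any intermediary that re-serialises the XML (whitespace, namespace prefixes, attribute order) will break verification; that is why the standard way to do this for SOAP is WS-Security / XML-Signature, which canonicalises the document first, and most Java SOAP stacks can switch it on through configuration rather than application code. Also, a valid signature proves who produced the message but not when: without a timestamp or nonce inside the signed content, a captured message can be replayed, so server-b should also check freshness.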