planning on using a X509 cert to validate that a business client is who they
say they are. After we authenticate user, then we need a username and
password to authorize users permissions. Should we store this in the SOAP
header or just as part of the XML message structure?