Specify credentials for HTTP authentication when using unparsed-text in XSLT 2.0

Question 1

After a bit of research, I am quite confident it can only be done with an extension function to handle HTTP requests appropriately. In other words, using unparsed-text() alone will not get you anywhere, as you have noticed.

It seems to me that the extension functions written by Florent Georges would meet your needs. The code below is not my own, I have adapted it from an example on the website.

It is an example for a delete request, with basic authentication in place. This works both for document() and unparsed-text().

<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
                xmlns:ex="java:org.fgeorges.xslt.Exslt2"
                exclude-result-prefixes="ex"
                version="2.0">

   <!-- Parameters: the user (default to admin), the password
        (required) and the document to delete. -->
   <xsl:param name="user" select="'test'"/>
   <xsl:param name="pwd" required="yes"/>
   <xsl:param name="doc" select="'/file.txt'"/>

   <!-- The URI to be resolved -->
   <xsl:variable name="uri" select="
       'http://localhost'"/>

   <!-- The HTTP request -->
   <xsl:variable name="request">
      <http-request
          method="delete"
          user="{ $user }"
          password="{ $pwd }"/>
   </xsl:variable>

   <!-- The main template -->
   <xsl:template match="/" name="initial">
      <xsl:variable name="res" select="
          ex:http-send($request, concat($uri, $doc))"/>
     <!--Further processing-->
   </xsl:template>

</xsl:stylesheet>

I am sure whether those extensions can still be used with recent versions of Saxon. Perhaps you should use the EXPath HTTP Client instead - which is very similar to the extension described above.

Question 2

As an alternative to using extension functions, with Saxon you can register an UnparsedTextURIResolver to look after the URI dereferencing.