If you're doing any type of production ready service, that requires authentication then, it really should be over SSL. The reason being, is because even if you encrypt a username & password (which you should do whether you're transmitting over SSL or not). Without SSL you're wide open for a MIM attack. Essentially, an attack would eavesdrop on your conversation, capture and save the encrypted user name & password. Now the attacker doesn't need to worry about decrypting the values all they need to worry about is sending the encrypted user name & password with every subsequent malicious request.
If you're testing stuff out locally on your own dev server you can create you own self signed SSL
certificate for testing purposes.
At the most basic level you could just do this.
Custom User Name and Password validator
However please don't deploy something on the net without properly securing it with SSL. Also don't try to role your own encryption.