We are setting up a SRU target that is intended to allow for
username/password authentication. When we have done this between
instances of our own software, we have used HTTP Basic Authentication
However, it is not clear to me what current practices are in this area,
and I'd like to set up a server that supports as many existing client
applications as possible.

Does anyone have a sense of what's most commonly supported by commercial
or OSS SRU clients today?