This is known as 3rd party call control. With Cisco Communications Manager (which is likely what you're IP phone is talking to), all of the methods to control your IP phone will require credentials configured in admin interface of Cisco Communications Manager. There are multiple ways to do what you're doing. The various APIs are:
Cisco IP Phone Services XML (which you referenced above). Specifically, you would send an HTTP Post to your IP phone with an IPPhoneExecute message. Inside this message, the action will be a Dial URI in the form: Dial:12345. 12345 is, of course, the number you want to call. You can achieve this method with only a browser--it is the simplest way to go.
Cisco JTAPI or TAPI. Both of these require you to write a program using a somewhat complicated API. Both JTAPI and TAPI will give you control over your IP Phone and allow you to place calls, etc.
Cisco WebDialer API. This is a SOAP web service that runs on one of the Cisco Communications Manager nodes. It provides similiar, but fewer, capabilities as JTAPI/TAPI, but does bring the added benefit that it is a SOAP API and will be generally easier to consume for a non-telephony programmer.
Finally, you can look at Cisco Unified Application Environment. This is a development environment that wraps all of the above functionality and makes it very easy to consume. You can write applications in C#, Java, or with a graphical modeling language in the Cisco Visual Designer.
In terms of complexity, #1 is the easiest. #4 is the second easiest to program but is more complicated to setup and maintain. The CUAE is also not free so it will cost money to purchase the licenses from Cisco.
Depending on how motivated you are, it is fairly straightforward to fake out the IP phone. When the IP phone is asked to authenticate a user, it does an HTTP get to http:///Authenticate.jsp (I think, you will need to verify the actual URL as it has been some time). The username and password are passed in clear text to the web page for validation. The response is a simple text/plain response alng the lines of "VALID" or "NOT VALID" (again, do some checking as it has been a very long time for me). If you want, you can try to put a computer you control between the phone and the switch to see if you can intercept these HTTP requests. This method won't work if your network guys have configured fancy voice VLANs or done some other tricks to ensure that IP phones are plugged into the switch ports, but it's worth a try if you care enough to get control over your IP phone. Certainly the easiest thing to do is get your username/password from your administrator.