
My aim is to check that a Joomla username and password is valid from my external application. It is not necessary that the user is logged into the system, just that their account exists. I decided to create my own authentication plugin based on the Joomla Authentication (JOOMLA_PATH/plugins/authentication/joomla). I only changed the name:

// No direct access
defined('_JEXEC') or die;


class plgAuthenticationWebservice extends JPlugin
    function onUserAuthenticate($credentials, $options, &$response)

        $response->type = 'Webservice';
        // Joomla does not like blank passwords
        if (empty($credentials['password'])) {
            $response->status = JAUTHENTICATE_STATUS_FAILURE;
            $response->error_message = JText::_('JGLOBAL_AUTH_EMPTY_PASS_NOT_ALLOWED');
            return false;

        // Initialise variables.
        $conditions = '';

        // Get a database object
        $db     = JFactory::getDbo();
        $query  = $db->getQuery(true);

        $query->select('id, password');
        $query->where('username=' . $db->Quote($credentials['username']));

        $result = $db->loadObject();

        if ($result) {
            $parts  = explode(':', $result->password);
            $crypt  = $parts[0];
            $salt   = @$parts[1];
            $testcrypt = JUserHelper::getCryptedPassword($credentials['password'], $salt);

            if ($crypt == $testcrypt) {
                $user = JUser::getInstance($result->id); // Bring this in line with the rest of the system
                $response->email = $user->email;
                $response->fullname = $user->name;
                if (JFactory::getApplication()->isAdmin()) {
                    $response->language = $user->getParam('admin_language');
                else {
                    $response->language = $user->getParam('language');
                $response->status = JAUTHENTICATE_STATUS_SUCCESS;
                $response->error_message = '';
            } else {
                $response->status = JAUTHENTICATE_STATUS_FAILURE;
                $response->error_message = JText::_('JGLOBAL_AUTH_INVALID_PASS');
        } else {
            $response->status = JAUTHENTICATE_STATUS_FAILURE;
            $response->error_message = JText::_('JGLOBAL_AUTH_NO_USER');

I added one more file to my plugin to access the authentication, I called it test_auth.php and it goes like this:

define('_JEXEC', 1 );
define('JPATH_BASE', 'C:\xampp\htdocs\joomla');

require_once ( JPATH_BASE .DS.'includes'.DS.'defines.php' );
require_once ( JPATH_BASE .DS.'includes'.DS.'framework.php' );


$credentials = array(
    'username' => 'test',
    'password' => 'test');

$options = array();

$response = array();

$auth = new plgAuthenticationWebservice();
$auth->onUserAuthenticate($credentials, $options, &$response);


But when I call it, it get these errors:

Warning: Missing argument 1 for JPlugin::__construct(), called in C:\xampp\htdocs\joomla\plugins\authentication\Webservice\test_auth.php on line 25 and defined in C:\xampp\htdocs\joomla\libraries\joomla\plugin\plugin.php on line 57
Fatal error: Call to a member function attach() on a non-object in C:\xampp\htdocs\joomla\libraries\joomla\base\observer.php on line 41

What am I doing wrong? I think I could place all php scripts outside and independent from joomla and work with require_once(JPATH_BASE .DS.'includes'.DS.'defines.php') etc. Or I could write a plugin, install it with the extension manager and won't struggle with an unavailable joomla framework. But in fact it won't work if I leave out defines.php and framework.php.

I think a guide for plugin creation in Joomla 1.7 would be helpful.

What language are you using in your external application? Is it on different host? Are you aware about Joomla Tokens?WooDzu
see here exactly same question: stackoverflow.com/questions/2176595/…WooDzu
@WooDzu My external app is on the same host as Joomla and I use PHP for this. I am not aware about Joomla Tokens. Is this still used in joomla 1.7?K B

OK, i completely dropped my first try.

Instead I use JOOMLA_ROOT/libraries/joomla/user/authentication.php now (insprired by JOOMLA_ROOT/libraries/joomla/application/application.php).

My test_auth.php looks like this now:


define('_JEXEC', 1 );
define('JPATH_BASE', dirname(__FILE__) . DS . '..' . DS . '..' . DS . '..'); // assuming we are in the authorisation plugin folder and need to go up 3 steps to get to the Joomla root

require_once (JPATH_BASE .DS. 'includes' .DS. 'defines.php');
require_once (JPATH_BASE .DS. 'includes' .DS. 'framework.php');
require_once (JPATH_BASE .DS. 'libraries' .DS. 'joomla'. DS. 'user' .DS. 'authentication.php');

$mainframe =& JFactory::getApplication('site');

$credentials = array(
    'username' => 'test',
    'password' => 'test');

$options = array();

$authenticate = JAuthentication::getInstance();
$response   = $authenticate->authenticate($credentials, $options);

if ($response->status === JAUTHENTICATE_STATUS_SUCCESS) {
    echo('<br />It works<br />');

For any improvements I would be deeply grateful!

EDIT: I dismissed the plugin installation. It is a simple external script, which wouldn't be called from Joomla itself. I simply moved it to a new folder in the Joomla root.