Configure Artifactory Proxy for Shopware Composer Packages Securely

Summary

An Artifactory remote repository can proxy the Shopware Store so that developers pull packages without exposing a bearer token. The key is to configure the Custom Download URL and Authentication correctly, and to use Composer’s --repository-url flag when fetching from Artifactory. Without this, Composer falls back to the original Store URLs.

Root Cause

  • Composer reads the packages.json from Artifactory but uses the original download URLs (from Shopware) to fetch binary ZIP files.
  • Artifactory does not rewrite these URLs unless the Custom Download URL is formatted correctly.
  • Composer does not recognize Artifactory as the download provider unless its Repository API URL is used in the command line.

Why This Happens in Real Systems

  • Remote repositories often expose metadata but not the binary files.
  • Tooling assumes binary URLs are absolute and external; it does not rewrite them to the proxy.
  • Security best practices (hiding bearer tokens) force a proxy, increasing the dependency chain.

Real-World Impact

  • Developers are forced to use raw Shopware URLs or store personal tokens.
  • Exposed credentials risk accidental commit to VCS or leakage.
  • Builds depend on external network, introducing latency and single-point failures.

Example

- composer require shopware/checkout
+ composer require shopware/checkout --repository-url=https://my-artifactory.local:443/artifactory/my-repo-name

How Senior Engineers Fix It

  • Configure the Custom Download URL with URL-encoded slashes (%2F for /) and the placeholders {1} and {2} for package name and version:
    https://packages.shopware.com/download?downloadUrl=%2Fpackages%2Fplugins%2F{1}%2Fbinaries%2F{2}
  • Enable Token Authentication and supply the Store bearer token.
  • Verify that HTTPS access is allowed from Artifactory to packages.shopware.com.
  • In Composer, always use the Artifactory Repository API URL (--repository-url) to ensure binary download goes through the proxy.
  • Update .artifactory/remote/access if needed to allow GET on binary endpoints.
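As an added example (not code from the original article), the Python script below renders the Custom Download URL from the {1}/{2} template with %2F-encoded slashes, decodes it back to confirm the path is well-formed, and scans a constructed composer.lock excerpt for dist URLs that bypass the proxy host. The proxy hostname, the package names and the Artifactory path layout used in the sample are assumptions.

```python
import json
from urllib.parse import parse_qs, quote, unquote, urlsplit

# Constructed for this example: the proxy hostname is an assumption.
PROXY_HOST = "my-artifactory.local"

# The Custom Download URL as entered in the remote repository configuration:
# {1} is the package name, {2} the version, every "/" in the path is %2F.
DOWNLOAD_URL_TEMPLATE = (
    "https://packages.shopware.com/download?downloadUrl="
    "%2Fpackages%2Fplugins%2F{1}%2Fbinaries%2F{2}"
)

def render_download_url(name: str, version: str) -> str:
    """Fill the {1}/{2} placeholders, encoding the values as URL components."""
    return (DOWNLOAD_URL_TEMPLATE
            .replace("{1}", quote(name, safe=""))
            .replace("{2}", quote(version, safe="")))

def decoded_download_path(url: str) -> str:
    """Decode the downloadUrl parameter: a correct template yields a clean
    path, while a mistyped escape such as %F2 yields garbage instead of "/"."""
    params = parse_qs(urlsplit(url).query)
    return unquote(params["downloadUrl"][0])

def find_direct_store_downloads(lock_json: str, proxy_host: str = PROXY_HOST) -> list:
    """Return (package, dist URL) pairs from a composer.lock whose dist.url does
    not point at the proxy, i.e. downloads that would bypass Artifactory."""
    lock = json.loads(lock_json)
    bypassed = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            dist_url = (pkg.get("dist") or {}).get("url", "")
            if dist_url and urlsplit(dist_url).hostname != proxy_host:
                bypassed.append((pkg["name"], dist_url))
    return bypassed

# Constructed composer.lock excerpt: one package resolved via the proxy, one not.
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "vendor/proxied-plugin", "dist": {"type": "zip", "url":
            "https://my-artifactory.local/artifactory/api/composer/my-repo-name/"
            "vendor/proxied-plugin/1.0.0"}},
        {"name": "vendor/direct-plugin", "dist": {"type": "zip", "url":
            render_download_url("direct-plugin", "1.0.0")}},
    ],
    "packages-dev": [],
})
```

Run find_direct_store_downloads over a project's real composer.lock after `composer update` to confirm that no dist URL still points at the Store; any hit means the proxy is being bypassed.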

Why Juniors Miss It

  • They assume configurable metadata automatically redirects binary downloads.
  • They overlook the need to pass --repository-url to Composer.
  • They misread the placeholder and escape syntax (%2F vs. /), causing malformed URLs.
  • They do not realize Composer ignores proxy configuration unless the repository API is explicitly used.
