Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Product Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Can I Use HTML, CSS, and JavaScript Code in a .JAR Format for Private Jira Apps?

Navdeep Singh
Navdeep Singh January 13, 2025

Currently, I have a Connect app for Jira that uses GitHub Pages as the backend, and the code is hosted on my personal GitHub account. I have enabled development mode in my personal Jira instance and uploaded the app.

However, the issue I'm facing is that, with this setup, I have to keep my code public, which I don’t feel is secure. I am looking for a way to make my code private.

One option I came across is uploading a .jar or .obr file for private listings. My question is: how can I upload my HTML, CSS, and JavaScript code in a .jar format? Does Atlassian provide any documentation or guidelines on this process?

Note: I don't want to switch to the Forge app as I'm already using Jira Connect for my current implementation.

Any help or guidance would be greatly appreciated!

 

Answer
Watch
Like # people like this
79 views

1 answer

0 votes
Tuncay Senturk
Tuncay Senturk
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
Become a leader
January 14, 2025

Hi @Navdeep Singh 

You can host your backend (HTML, CSS, js) in a private repository instead of Github Pages. This way your code will remain private and not exposed publicly.

Atlassian allows Server/Data Center apps to be packaged in a .jar or .obr files, but this is not applicable for Connect apps. You can deploy a private connect app by sharing the atlassian-connect.json descriptor URL with the specific instances without publishing it on the Atlassian Marketplace, this way no one will be able to see your code or app and use it.

I hope I wasn't missing anything and this helps!

View More Comments
Navdeep Singh
Navdeep Singh January 14, 2025


Hi @Tuncay Senturk 

Thanks for the quick turnaround. I am a bit unsure about how to achieve what you are proposing. For example, here is how my atlassian-connect.json file and directory structure looks like:{…json..} | 

Based on what you are suggesting I am able to conclude below 2 points:
1. “baseUrl”: https://myserver.com/public/myJiraPlugin    should be kept public(accessible and visible to all), so it is accessible when I am trying to create the private app via Jira Marketplace  https://marketplace.atlassian.com/manage/apps/create 

2. The “url”: “/index.html”, in generalPages modules should be a link to a private repository with some access control rather than living in the same repo as atlassian-connect.json?

If above points are correct, how will marketplace/jira be able to access index.html if it is behind some security like ouath? May be behind an “allowed-ip” access list, but what would be those ip addresses? I am not sure what is the best practice here so please provide some more info. on what you are suggesting.

Like
Navdeep Singh
Navdeep Singh January 14, 2025

image (18).png

Above is the screenshot of the Atlassian connect.json file
Below is my file structure

Screenshot 2025-01-14 at 4.57.58 PM.png

Like
Tuncay Senturk
Tuncay Senturk
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
Become a leader
January 14, 2025

Your understanding of the baseUrl is correct. It must remain publicly accessible because Atlassian Connect uses this endpoint to load your app's resources (connect-json, index.html, etc.). This is mandatory. baseUrl and any endpoint defined under it must be accessible over the internet.

You can host only what is necessary (e.g. frontend code) on a server. Use secure backend API. But you cannot use a fully private repository because Jira cannot access resources behind oAuth or other access controls.

Use a publicly hosted, read-only version of static files like index.html, style.css and store sensitive logic in a private backend API which can be accessible via authentication.

You can also restrict access to your backend files to Jira (whitelisting Atlassian's outgoing IP ranges, refer to Atlassian's IP addresses and domains documentation)

I hope I was clear!

Like
Reply

Suggest an answer

Log in or Sign up to answer
Jira
Jira
DEPLOYMENT TYPE
CLOUD
PRODUCT PLAN
STANDARD
PERMISSIONS LEVEL
Product Admin
TAGS
AUG Leaders

Atlassian Community Events

    See all events