Identifying new features about Core & Platform, Framework Enhancements, and the latest Security Improvements

Objective

After completing this lesson, you will be able to recognize the latest updates to Core/Platform features, the new Framework Enhancements, and the Security Improvements.

Preview of Important Technical Updates & Deprecation

Several technical updates and deprecations will help streamline processes and align with modern development benchmarks:

JDK 21 & Spring 6 Upgrade

In September 2025, SAP Commerce Cloud will upgrade to JDK 21 and Spring 6. For ongoing projects, the support period of the current JDK 17-based version is extended from six to twelve months, so it continues to receive security fixes until the end of Q2 2026.

Deprecation Notifications

All Accelerator UIs and related addons, as well as the OCC template extensions, have been deprecated since the 2205 release; their removal is scheduled for Q3 2028.

The phased-out Cockpit extensions (cockpit, admincockpit, cmscockpit, productcockpit, etc.) will be officially removed by Q3 2025.

Enhanced Security with OAuth Update

As of September 2025, the OAuth extension will move to the Spring Authorization Server and adopt current OAuth2 security practices. In particular, the Resource Owner Password Credentials flow and the Implicit flow are deprecated and discouraged: the password flow hands the user's credentials to the client application, and the implicit flow delivers the access token in the browser URL fragment, where it can leak through history and referrers. Any existing uses of these flows should move to the Authorization Code flow (with PKCE for public clients such as browser and mobile apps).
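The migration target described above, as an added example that is not SAP's or Spring's code: the client half of the Authorization Code flow with PKCE (RFC 7636), the matching server-side verifier check, and a small classifier that flags the deprecated password and implicit grants when auditing client configurations or access logs. Endpoint URLs, client_id and redirect_uri values are placeholders, not SAP Commerce Cloud's real OAuth endpoints.

```python
"""Authorization Code flow with PKCE (RFC 7636), client and server halves, plus a
check that flags the deprecated password and implicit grants.  Added example;
the endpoint URLs, client_id and redirect_uri used with it are placeholders,
not SAP Commerce Cloud's actual OAuth endpoints."""
import base64
import hashlib
import hmac
import secrets
from typing import Optional, Tuple
from urllib.parse import urlencode


def _b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair(verifier: Optional[str] = None) -> Tuple[str, str]:
    """Return (code_verifier, code_challenge) for the S256 method.
    A fresh 32-byte verifier encodes to 43 characters, the RFC minimum."""
    if verifier is None:
        verifier = _b64url(secrets.token_bytes(32))
    challenge = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorization_url(authorize_endpoint: str, client_id: str, redirect_uri: str,
                            scope: str, state: str, code_challenge: str) -> str:
    """Front-channel request.  response_type=code means the browser only ever sees a
    short-lived code, never an access token (response_type=token is the implicit flow)."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,                      # CSRF binding; compare it on the callback
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{authorize_endpoint}?{urlencode(params)}"


def build_token_request(client_id: str, code: str, redirect_uri: str, code_verifier: str) -> dict:
    """Form body for the back-channel POST to the token endpoint.  Note what is
    absent compared with the password grant: the user's password never reaches
    the client application."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": code_verifier,
    }


def verify_pkce(code_verifier: str, stored_challenge: str) -> bool:
    """Authorization-server side: recompute S256 over the presented verifier and
    compare it, in constant time, with the challenge stored when the code was issued."""
    expected = _b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    return hmac.compare_digest(expected, stored_challenge)


def classify_oauth_request(params: dict) -> str:
    """Classify an authorize query string or token-request body so that deprecated
    flows can be flagged when auditing client configurations or access logs."""
    if params.get("grant_type") == "password":
        return "password"          # deprecated: client handles the user's credentials
    if params.get("response_type") == "token":
        return "implicit"          # deprecated: access token returned in the URL fragment
    if params.get("grant_type") == "authorization_code" or params.get("response_type") == "code":
        return "authorization_code"
    return "other"
```

The first assertion-worthy value is the RFC 7636 Appendix B test vector, which is a quick way to confirm an S256 implementation before wiring it to a real authorization server; the classifier is what you would run over exported client settings or request logs to find grant_type=password and response_type=token before the September 2025 switch.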

SmartEdit Upgrade

SmartEdit was upgraded from Angular 15 to Angular 17 in 2211.24, with a further upgrade to Angular 19 planned for June 2025. Existing SmartEdit customizations must be tested against the new Angular version and updated where needed to keep working.

Core/Platform changes

Upgrade to Tomcat 9

To enhance security and maintain compatibility with future updates, we have upgraded from Tomcat 8.5.x to Tomcat 9.x. Notably, the 8.5.x version is set to reach end-of-life in March 2024, making this upgrade a necessary step. Be sure to study the migration steps to ensure a smooth transition to Tomcat 9.

JUnit 5 Support

In response to user demand, SAP Commerce Cloud now supports JUnit 5, offering a more modern testing framework for your development projects. This support enhances testing capabilities, making it easier to execute and manage your test cases effectively.

Library Updates

We’ve made significant updates to various libraries to keep your framework modern and efficient. Major updates include:

  • Jersey: 2.34 to 2.43
  • FastUtil: 6.5.16 to 8.5.13
  • Spring Session: 1.3.5 to 2.7.4
  • Microsoft Azure Storage Client SDK: 8.6.6 to selected Microsoft Azure Java Client 12.x libraries.

Validation of Attributes for Multiple Languages

One notable improvement is how attributes are validated across multiple languages. Previously, the most restrictive constraint found among the languages was applied to every language's value. Now each language's attribute constraints are validated separately, giving more precise control and consistent results per language.

Control Behavior During Data Create Error

You can now control how SAP Commerce Cloud responds to errors while creating data during an update or initialization. Setting the property `system.setup.create.data.fail.on.error=true` halts the process as soon as an error occurs, so that problems in essential data or project data are not silently skipped and leave the system in a partially configured state.

Disabling FlexibleSearch Restrictions

In version 2211.30/32, you can globally disable the FlexibleSearch restrictions that are defined for individual users and keep only the user-group restrictions. Besides simplifying access control, this improves performance by removing the database calls needed to load per-user restrictions.

Open Payment Framework Module

Introducing the Open Payment Framework Module in version 2211.30/32! This low-code platform allows seamless integration of your preferred digital payment service providers into your transactional and acceptance payment flows, enhancing your commerce platform's efficiency and flexibility. It offers an intuitive user interface to support integration and customization with payment service providers. Does this mean we are moving away from the extension-based approach for enhancing payment functionality? Let’s look forward to the new developments in Q1 2025!

Security Improvements

Strengthened Password Security

Several older password hashing algorithms, including MD5, PBKDF2, SHA-1, SHA-256, and SHA-512, are now deprecated and deactivated by default. Argon2 replaces bcrypt as the default password hashing function. In addition, a configurable rehashing mechanism on login is introduced: when a user whose password is stored with an older encoder logs in successfully, the password is re-hashed with the current default encoder. Any attempt to use a deactivated password encoder raises an exception that is recorded in the logs rather than being silently accepted.
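The mechanism above, as an added example that is not SAP Commerce's implementation: a small encoder registry in which the deprecated algorithms are deactivated by default, can be re-enabled for verification only during a migration window, and are upgraded to the default encoder at the moment of a successful login. Because the Python standard library has no Argon2, scrypt stands in for the Argon2 default; the stored-hash format `<encoder>$<salt>$<digest>` and the `verify_only_legacy` switch are assumptions of this example.

```python
"""Password-encoder registry with deactivated legacy algorithms and rehash-on-login.
Added example, not SAP Commerce code.  Because the Python standard library has no
Argon2, scrypt stands in for the Argon2 default here; the control flow is the point."""
import hashlib
import hmac
import secrets
from typing import Iterable

# Algorithms the release notes list as deprecated and deactivated by default.
DEPRECATED = frozenset({"md5", "sha1", "sha256", "sha512", "pbkdf2"})
DEFAULT_ENCODER = "scrypt"   # stand-in for Argon2 (assumption, see module docstring)


class DeprecatedEncoderError(Exception):
    """Raised instead of silently using a deactivated encoder."""


def _digest(encoder: str, password: str, salt_hex: str) -> str:
    pw = password.encode("utf-8")
    if encoder == "scrypt":
        return hashlib.scrypt(pw, salt=bytes.fromhex(salt_hex), n=2 ** 14, r=8, p=1, dklen=32).hex()
    if encoder == "pbkdf2":
        return hashlib.pbkdf2_hmac("sha256", pw, bytes.fromhex(salt_hex), 10_000).hex()
    if encoder in ("md5", "sha1", "sha256", "sha512"):
        # Legacy salted single-pass digests: fast, and therefore unsuitable for passwords.
        return hashlib.new(encoder, salt_hex.encode("ascii") + pw).hexdigest()
    raise ValueError(f"unknown encoder {encoder!r}")


def encode(password: str, encoder: str = DEFAULT_ENCODER) -> str:
    """Store as '<encoder>$<salt>$<digest>' so the encoder id travels with the hash."""
    if encoder in DEPRECATED:
        raise DeprecatedEncoderError(f"{encoder} is deactivated and may not store new passwords")
    salt = secrets.token_hex(16)
    return f"{encoder}${salt}${_digest(encoder, password, salt)}"


def needs_rehash(stored: str) -> bool:
    """True when the hash was not produced by the current default encoder."""
    return not stored.startswith(DEFAULT_ENCODER + "$")


def verify(stored: str, password: str, verify_only_legacy: Iterable[str] = ()) -> bool:
    """Check a password against a stored hash.  A deprecated encoder is honoured only
    if it has been explicitly re-enabled for verification during a migration window."""
    encoder, salt, digest = stored.split("$", 2)
    if encoder in DEPRECATED and encoder not in set(verify_only_legacy):
        raise DeprecatedEncoderError(
            f"{encoder} hashes are deactivated; re-enable for migration or reset the password")
    return hmac.compare_digest(_digest(encoder, password, salt), digest)


def login(user: dict, password: str, verify_only_legacy: Iterable[str] = (), rehash: bool = True) -> bool:
    """Authenticate and, on success, transparently upgrade an old hash to the default
    encoder.  The plaintext is available only at this moment, which is why the
    upgrade happens at login rather than in a batch job."""
    if not verify(user["password"], password, verify_only_legacy):
        return False
    if rehash and needs_rehash(user["password"]):
        user["password"] = encode(password)
    return True
```

The design choice worth noting is that re-enabling a legacy encoder only ever permits verification, never the storage of new hashes, so a migration window cannot accidentally produce fresh MD5 or SHA-256 passwords; once every active user has logged in once, the legacy encoders can be deactivated again and the remaining accounts forced through a password reset.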

One-Time Password (OTP) Functionality

We now offer the capability to create and validate one-time passwords (OTPs) as a second factor for two-factor authentication (2FA). During customer login, a code sent to the customer's email address verifies that the person logging in controls that mailbox. As a result, an attacker who has obtained a customer's password, for example from a breach on another site, still cannot log in without access to the mailbox.
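The issue-and-validate cycle described above, as an added example that is not SAP Commerce's OTP implementation: codes are generated with a cryptographic random source, only a keyed hash of each code is stored, and validation is single-use, time-bounded, attempt-limited and constant-time. The six-digit length, five-minute lifetime, five-attempt limit and the `send_email` callback are assumptions of this example; the clock is injected so the behaviour can be checked without waiting.

```python
"""Email one-time-password issuance and validation for a second login factor.
Added example, not SAP Commerce's implementation; the TTL, digit count and attempt
limit are assumptions.  Only an HMAC of the code is stored, so a leaked table does
not leak live codes; the clock is injected so behaviour is testable."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300
OTP_MAX_ATTEMPTS = 5


@dataclass
class _Pending:
    code_hmac: str
    expires_at: float
    attempts: int = 0


class EmailOtpService:
    def __init__(self, server_secret: bytes, send_email: Callable[[str, str], None]):
        self._secret = server_secret
        self._send_email = send_email          # assumed mail hook: send_email(address, code)
        self._pending: Dict[str, _Pending] = {}

    def _mac(self, email: str, code: str) -> str:
        # Keyed hash binds the code to the address; the plaintext code is never stored.
        return hmac.new(self._secret, f"{email}\x00{code}".encode("utf-8"), hashlib.sha256).hexdigest()

    def issue(self, email: str, now: Optional[float] = None) -> None:
        """Generate a fresh code, store only its MAC, and send the plaintext to the mailbox."""
        now = time.time() if now is None else now
        email = email.lower()
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"   # uniform; leading zeros kept
        # Re-issuing replaces any earlier code, so only one code is ever live per address.
        self._pending[email] = _Pending(self._mac(email, code), now + OTP_TTL_SECONDS)
        self._send_email(email, code)

    def validate(self, email: str, submitted: str, now: Optional[float] = None) -> Tuple[bool, str]:
        """Single use, time-bounded, attempt-limited, constant-time comparison."""
        now = time.time() if now is None else now
        email = email.lower()
        rec = self._pending.get(email)
        if rec is None:
            return False, "no pending code"
        if now > rec.expires_at:
            del self._pending[email]
            return False, "expired"
        rec.attempts += 1
        if rec.attempts > OTP_MAX_ATTEMPTS:
            del self._pending[email]              # a 6-digit code must not be guessable online
            return False, "too many attempts"
        if not hmac.compare_digest(rec.code_hmac, self._mac(email, submitted)):
            return False, "mismatch"
        del self._pending[email]                  # consume: a replayed code is rejected
        return True, "ok"
```

The attempt limit is the part most often forgotten: a six-digit code has only a million values, so without it an attacker who already holds the password can simply enumerate codes within the five-minute window.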

Mutual TLS (mTLS) Support

Mutual Transport Layer Security (mTLS) has been integrated, providing bi-directional authentication for environment endpoints: the server presents its certificate as usual, and the client must present a certificate issued by a trusted CA before the connection is accepted. Configured per domain, this restricts the specified endpoints to designated sources, such as your Content Delivery Network (CDN), so that direct requests that bypass the CDN are rejected at the TLS layer.

Improved Brute Force Attack Protection

We’ve introduced new measures to further protect against brute force attacks:

  • SAPBruteForceOAuthLoginAttempts Model: This new model records failed login attempts for OAuth clients separately, while standard login attempts continue to be tracked in the existing BruteForceLoginAttempts model. Note that activating it requires a system update with a new build, because the new type must be created in the database.
  • Admin Login Disabling: In versions 2211.30/32, administrators can disable login for the admin user as a brute-force prevention measure. Since the admin account name is well known, it is a natural target; disabling its interactive login removes that target while day-to-day administration is carried out through individual, named accounts.

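Both measures above, as an added example that is not SAP Commerce's BruteForceLoginAttempts or SAPBruteForceOAuthLoginAttempts implementation: failed attempts are kept in separate buckets for interactive users and OAuth clients, so that a misbehaving OAuth client cannot lock out a same-named user; an account is locked once it exceeds a threshold of failures inside a sliding window; and an `admin_login_disabled` switch refuses the admin login before any credential is checked. The threshold, window and lock durations and the `admin_login_disabled` flag name are assumptions of this example.

```python
"""Failed-login tracking with separate buckets for interactive users and OAuth
clients, sliding-window lockout, and a switch that disables the admin login
outright.  Added example, not SAP Commerce's BruteForceLoginAttempts /
SAPBruteForceOAuthLoginAttempts implementation; thresholds are assumptions."""
import time
from collections import defaultdict, deque
from typing import Deque, Dict, Optional

USER, OAUTH_CLIENT = "user", "oauth_client"


class BruteForceTracker:
    def __init__(self, max_failures: int = 5, window_seconds: int = 600,
                 lock_seconds: int = 900, admin_login_disabled: bool = False,
                 admin_uid: str = "admin"):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.lock_seconds = lock_seconds
        self.admin_login_disabled = admin_login_disabled   # assumed config flag
        self.admin_uid = admin_uid
        # Separate stores so a noisy OAuth client cannot lock out a same-named user.
        self._failures: Dict[str, Dict[str, Deque[float]]] = {
            USER: defaultdict(deque), OAUTH_CLIENT: defaultdict(deque)}
        self._locked_until: Dict[str, Dict[str, float]] = {USER: {}, OAUTH_CLIENT: {}}

    def _recent_failures(self, kind: str, principal: str, now: float) -> int:
        """Drop timestamps outside the sliding window and return what is left."""
        dq = self._failures[kind][principal]
        while dq and dq[0] <= now - self.window_seconds:
            dq.popleft()
        return len(dq)

    def is_locked(self, kind: str, principal: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        return self._locked_until[kind].get(principal, 0.0) > now

    def record_failure(self, kind: str, principal: str, now: Optional[float] = None) -> int:
        """Append a failure and lock once the threshold is reached. Returns attempts left."""
        now = time.time() if now is None else now
        self._failures[kind][principal].append(now)
        count = self._recent_failures(kind, principal, now)
        if count >= self.max_failures:
            self._locked_until[kind][principal] = now + self.lock_seconds
            return 0
        return self.max_failures - count

    def record_success(self, kind: str, principal: str) -> None:
        self._failures[kind].pop(principal, None)
        self._locked_until[kind].pop(principal, None)

    def attempt(self, kind: str, principal: str, credential_ok: bool,
                now: Optional[float] = None) -> str:
        """Gate a login: returns 'ok', 'locked', 'bad-credentials' or 'admin-login-disabled'."""
        now = time.time() if now is None else now
        if kind == USER and self.admin_login_disabled and principal == self.admin_uid:
            return "admin-login-disabled"        # refused before any credential check
        if self.is_locked(kind, principal, now):
            return "locked"                      # a correct password does not unlock early
        if not credential_ok:
            self.record_failure(kind, principal, now)
            return "bad-credentials"
        self.record_success(kind, principal)
        return "ok"
```

Two details carry the security value: the lock is checked before the credential, so a correct guess during the lock window is not rewarded (and gives the attacker no signal), and the admin refusal happens before any lookup at all, so a disabled admin login cannot even be used to probe whether the account exists.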