Reputation: 918
I have recently conducted a code security scan using Veracode software. One of the vulnerabilities they found was CWE ID 296 (Improper Following of a Certificate's Chain of Trust) with only a URL provided:
[Some domain]/login.fcc?TYPE=33554433&REALMOID=06-0001a0fa-fce9-116f-9124-e48cac184047&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=$SM$h5DAp2mUtJV%2b9BSWU0E5b3HEpwYmd7icGcuJcCzyJ79JnAUSHTDMYaehDLGNNWHM&TARGET=$SM$%2f
Now, I know what a Chain of Trust is, but the parameters in the URL do not immediately appear to be related to that. However, what I noticed is that the attributes here are all used by SiteMinder. Since our application uses Spring Security's module to support SiteMinder, I would like to know if you guys have any idea of what that is.
Have there been any unresolved issues on the project's queue that relate to Chain of Trust being improperly checked? I did a brief scan there but couldn't find anything.
Upvotes: 0
Views: 1112
Reputation: 406
Well, the parameters mean the following:
TYPE=33554433: This is the type of login.
REALMOID=06-0001a0fa-fce9-116f-9124-e48cac184047: This is the OID of the SiteMinder realm for which authentication has been requested.
GUID: Not sure.
SMAUTHREASON=0: The reason the user is redirected to the login URL. 0 means a redirect because there is no existing session and authentication is needed.
METHOD=GET: The HTTP method which was used to access the protected resource.
SMAGENTNAME=$SM$h5DAp2mUtJV%2b9BSWU0E5b3HEpwYmd7icGcuJcCzyJ79JnAUSHTDMYaehDLGNNWHM: The name of the agent that made the request.
TARGET=$SM$%2f: The URL to redirect to after successful authentication.
Thanks, Avijit
Upvotes: 1
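As an added example (not part of the answer above, and not SiteMinder or Spring Security code), here is a small parser that splits a login.fcc redirect URL into the parameters the answer describes, percent-decodes them, strips the $SM$ prefix, and flags whether TARGET stays on the same host. The host name is a placeholder, since the question redacts the real domain, and the meaning of SMAUTHREASON values other than 0 is not covered on this page.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the login.fcc URL quoted in the question, with a
# placeholder host because the original post redacts the domain.
SAMPLE_URL = (
    "https://sso.example.invalid/login.fcc?TYPE=33554433"
    "&REALMOID=06-0001a0fa-fce9-116f-9124-e48cac184047&GUID="
    "&SMAUTHREASON=0&METHOD=GET"
    "&SMAGENTNAME=$SM$h5DAp2mUtJV%2b9BSWU0E5b3HEpwYmd7icGcuJcCzyJ79JnAUSHTDMYaehDLGNNWHM"
    "&TARGET=$SM$%2f"
)

SM_PREFIX = "$SM$"  # SiteMinder prefixes encoded parameter values with this marker

# Only the value 0 is described in the answer; anything else is reported as unknown.
AUTH_REASONS = {0: "no existing session; authentication required"}


def _strip_sm_prefix(value):
    return value[len(SM_PREFIX):] if value.startswith(SM_PREFIX) else value


def parse_siteminder_login_url(url):
    """Return the decoded login.fcc parameters as a dict.

    parse_qs already percent-decodes values (so %2b becomes '+' and %2f
    becomes '/'); keep_blank_values keeps the empty GUID= parameter visible.
    """
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)

    def first(name):
        return query.get(name, [""])[0]

    reason_raw = first("SMAUTHREASON")
    reason = int(reason_raw) if reason_raw.isdigit() else None
    target = _strip_sm_prefix(first("TARGET"))
    return {
        "type": first("TYPE"),
        "realm_oid": first("REALMOID"),
        "guid": first("GUID"),
        "auth_reason": reason,
        "auth_reason_text": AUTH_REASONS.get(reason, "unknown (not described here)"),
        "method": first("METHOD"),
        "agent_name": _strip_sm_prefix(first("SMAGENTNAME")),
        "target": target,
        # A relative path keeps the post-login redirect on the same host; a value
        # carrying a scheme or authority sends the user elsewhere and is worth flagging.
        "target_is_local": target.startswith("/") and not target.startswith("//"),
    }
```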