the vulnerability can not be exploited locally when it's run from the IntelliJ without using Dockerfile

[idavollen]

When the war file is deployed in the Docker container, the vulnerability can be exploited after running:

1. docker build . -t spring4shell && docker run -p 8080:8080 spring4shell
2. python3 exploit.py --url "http://localhost:8080/helloworld/greeting"
3. go to http://localhost:8080/shell.jsp?cmd=id

However, if I run this Spring Boot web app locally from IntelliJ (BTW, I had to add server.servlet.context-path=/helloworld in application.properties file) and try these steps:

1. python3 exploit.py --url "http://localhost:8080/helloworld/greeting"
2. go to http://localhost:8080/shell.jsp?cmd=id
   I've just got "HTTP Status 404 – Not Found" with http://localhost:8080/shell.jsp?cmd=id

Can someone shed the light on why the vulnerability can't be exploited when it's run locally from IntelliJ?

[idavollen]

My question is why this vulnerability can not be exploited when it's run locally from IntelliJ WITHOUT using Dockerfile at all?

[ertygiq]

@idavollen From vulnerability descriptions which I read, it only works when app is packaged as WAR and deployed to standalone Tomcat. They say, it doesn't work when run with built-in Tomcat.