It’s fairly popular in Java for frameworks, containers, and sometimes even scripting languages to do a classpath scan to find components, implementations and other interesting classes. Most people think nothing of this, except that it makes life easier (if sometimes a little slower). However, classpath scanning can be a very bad thing.
Most people seem to forget that Java no longer works with the classpath in the same way it used to. The classpath is simply used to define a bootstrap environment, from with the URLClassLoader can work. I have come across systems that don’t even have the full JRE deployed in their client environments, opting instead to load all their classes over the network, or sometimes even out of a database.
The classpath only takes into account the basic set of classes given to the VM. A lot of classpath scanners also assume that classes are only stored in either a JAR file or a Directory. This is not at all the fact, they could be stored in a Pack200 file, a tar.gz / tar.bz2 file, or even some file-format that you’ve never heard of.