Skip to content

PathMatchingResourcePatternResolver fails with absolute paths in JAR manifest Class-Path entries #35730

New issue
New issue
Closed as duplicate
#35732
Closed as duplicate
PathMatchingResourcePatternResolver fails with absolute paths in JAR manifest Class-Path entries#35730
#35732
Assignees
jhoeller
Labels
in: coreIssues in core modules (aop, beans, core, context, expression)status: supersededAn issue that has been superseded by another
@Artur-

Description

@Artur-
Artur-
opened on Oct 31, 2025

PathMatchingResourcePatternResolver incorrectly rejects absolute paths in JAR manifest Class-Path entries, causing classpath scanning to fail with patterns like classpath*:**/*.class.

Minimal reproduction: https://github.com/Artur-/spring-manifest-bug-demo

git clone https://github.com/Artur-/spring-manifest-bug-demo.git
cd spring-manifest-bug-demo
mvn dependency:resolve
./create-classpath-jar.sh
./run-test.sh

Result:

  • classpath*:**/*.class → 2 classes ❌ (missing dependencies)
  • classpath*:org/**/*.class → 458 classes ✓ (works correctly)

Root Cause

File: PathMatchingResourcePatternResolver.java:615

File candidate = new File(parent, path);
if (candidate.isFile() && candidate.getCanonicalPath().contains(parent.getCanonicalPath())) {
    manifestEntries.add(ClassPathManifestEntry.of(candidate));
}

The security check rejects JARs that aren't within the parent directory. However, when Gradle creates a classpath JAR on Windows (to avoid the ~8KB command-line limit), it uses absolute paths to dependency JARs in the user's .gradle/caches/ directory. These are legitimate dependencies, not files that should be restricted to the parent directory.

Example of valid manifest created by Gradle:
Classpath JAR location: C:/project/build/tmp/bootRun/classpath.jar
Manifest Class-Path: C:/Users/developer/.gradle/caches/modules-2/files-2.1/.../spring-core-6.2.1.jar

The code extracts:

parent = "C:/project/build/tmp/bootRun/"  (parent of classpath.jar)
path = "C:/Users/developer/.gradle/caches/.../spring-core-6.2.1.jar"  (from manifest)

The check fails because the Gradle cache path doesn't contain the bootRun directory path, but these are valid dependency JARs that should be loaded.

When This Occurs

  • Windows with Gradle (classpath exceeds ~8KB limit)
  • IntelliJ IDEA with classpath shortening
  • Any build tool using absolute paths in manifest Class-Path

Related Issues

Metadata

Metadata

Assignees

Labels

in: coreIssues in core modules (aop, beans, core, context, expression)status: supersededAn issue that has been superseded by another

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions