A class is identified by its fully-qualified class name AND its classloader. A class with the same name but different package name is different, and a class with the same fully-qualified name but which has been loaded with a different classloader is also different.
You may frequently want to know whether a given object has a specific class, or whether 2 objects have the same class, for example, in implementing the equals() method. If the comparison is performed incorrectly, your code might assume that 2 objects are of the same class when they're not. Depending on the function that this code performs, this might introduce a vulnerability to a mix-and-match attack.
An attacker can supply code that is the same name as your class; if you rely on comparing the classname as a string, you might end up believing it is privileged code and granting it undue privileges.
Non-Compliant Solution
 // determine whether object h has required/expected class name
if (h.getClass().getName().equals("DefaultAuthenticationHandler")) {
   // code assumes it's an authorized class
}
Compliant Solution
 // determine whether object h has required/expected class name
if (h.getClass() == this.getClassLoader().loadClass("DefaultAuthenticationHandler")) {
   // code determines authorized class loaded by same classloader
}
Non-Compliant Solution
 // determine whether objects x and y have same class name
if (x.getClass().getName().equals( y.getClass().getName() )) {
   // code assumes objects have same class
}
Compliant Solution
 // determine whether objects x and y have same class
if (x.getClass() == y.getClass()) {
   // code determines objects have same class
}
Conversely, a source of error is assuming that the same codebase will result in the same class in a JVM. While it is usually true in common user applications, it is not the case with J2EE servers like servlet containers, which could use different instances of classloaders to be able to deploy and undeploy applications at runtime without restarting the JVM. In this situation, 2 objects whose classes come from the same codebase could be different classes to the JVM and it could be confusing to get false from the equals() method on their respective classes.
