spring-projects / spring-amqp

Spring AMQP - support for Spring programming model with AMQP, especially but not limited to RabbitMQ
https://spring.io/projects/spring-amqp
Apache License 2.0

Use JDK `ObjectInputFilter` instead of calling `AllowedListDeserializingMessageConverter::checkAllowedList` in `ConfigurableObjectInputStream::resolveClass` #2687

Open quaff opened 2 months ago

quaff commented 2 months ago

I think it's better to use the standard API. See Java Serialization Filters.

https://github.com/spring-projects/spring-amqp/blob/603e6c8c09838aff5a8dcf3f9e6e1ab1d3488cde/spring-amqp/src/main/java/org/springframework/amqp/support/converter/SimpleMessageConverter.java#L158-L162

https://github.com/spring-projects/spring-amqp/blob/603e6c8c09838aff5a8dcf3f9e6e1ab1d3488cde/spring-amqp/src/main/java/org/springframework/amqp/support/converter/SerializerMessageConverter.java#L167-L172

artembilan commented 2 months ago

Well, the ConfigurableObjectInputStream is still going to be there since it relies on the specific ClassLoader:

```java
/**
 * Special {@link ObjectInputStream} subclass that resolves class names
 * against a specific {@link ClassLoader}.
 *
 * @author Juergen Hoeller
 * @since 2.5.5
 * @see org.springframework.core.serializer.DefaultDeserializer
 */
public class ConfigurableObjectInputStream extends ObjectInputStream {
```

Please revise your request about the logic we do in the AllowedListDeserializingMessageConverter to use that ObjectInputFilter instead of the resolveClass() override. Otherwise this is confusing and might be closed without the fix.

Thanks
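One way to keep the ClassLoader-specific resolveClass() that artembilan points to while moving the allowed-list decision into a JDK ObjectInputFilter, as quaff proposes. This is an added example, not code from spring-amqp or Spring Framework; the class name FilteredObjectInputStream, the Payload type and the filter pattern are constructed for illustration.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.List;

// Hypothetical stand-in for ConfigurableObjectInputStream: keeps the ClassLoader-based
// resolveClass() but delegates the allowed-list decision to a JDK ObjectInputFilter.
public class FilteredObjectInputStream extends ObjectInputStream {
    private final ClassLoader classLoader;

    public FilteredObjectInputStream(InputStream in, ClassLoader loader, ObjectInputFilter filter)
            throws IOException {
        super(in);
        this.classLoader = loader;
        setObjectInputFilter(filter); // must be installed before the first readObject()
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        // Only class loading remains here: the filter has already rejected any class
        // (or excessive depth/array size) outside the pattern before this is reached.
        return Class.forName(desc.getName(), false, classLoader);
    }

    static byte[] serialize(Object obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(obj); }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes, ObjectInputFilter filter) throws IOException, ClassNotFoundException {
        try (FilteredObjectInputStream ois = new FilteredObjectInputStream(new ByteArrayInputStream(bytes),
                FilteredObjectInputStream.class.getClassLoader(), filter)) {
            return ois.readObject();
        }
    }

    // Constructed sample type outside the allowed packages, so the filter rejects it.
    static class Payload implements Serializable { String s = "x"; }

    public static void main(String[] args) throws Exception {
        // Pattern form of an allowed list: java.util/java.lang permitted, limits applied, all else rejected.
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "java.util.*;java.lang.*;maxdepth=5;maxarray=1000;!*");
        System.out.println(deserialize(serialize(new ArrayList<>(List.of("a"))), filter));
        try {
            deserialize(serialize(new Payload()), filter);
        }
        catch (InvalidClassException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```

The filter runs for every class descriptor in the stream before resolveClass() is called, so a class outside the pattern is rejected with an InvalidClassException rather than being loaded first and checked afterwards.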