As more vulnerable gadgets are flagged as vulnerable, why not make the blacklist configurable? This would reduce the burden on consumers of the library to make sure they are not affected by changing the configuration in their projects.
dave-b-uk changed the title: Make SubTypeValidator.DEFAULT_NO_DESER_CLASS_NAMES configurable (Sep 19, 2019)
That would have been another possibility, but route taken for 2.10 was doing #2195 so that specific validator to use will be explicitly passed by users. Default implementation offers convenient base implementation for allow list (nee white-list) but not one for reverse, as fundamentally adding blocks will never cover all cases.
SubTypeValidator itself will eventually be removed (from 3.0 for sure I think), although for 2.x timeline it is probably best left as-is.
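The allow-list approach described in the reply above, as an added example that is not part of the original thread or the project's own code. It assumes jackson-databind 2.10 or later on the classpath; `AllowListDemo`, `Animal`, `Dog` and `Unexpected` are hypothetical types constructed for the illustration.

```java
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class AllowListDemo {
    // Hypothetical application types, constructed for this example.
    public interface Animal {}
    public static class Dog implements Animal { public String name; }
    // Stands in for any class the application never meant to deserialize.
    public static class Unexpected { public String value; }

    static ObjectMapper buildMapper() {
        // Allow list: only classes assignable to Animal may be named in a type id.
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Animal.class)
                .build();
        // From 2.10 on, the validator is passed explicitly when default typing is enabled.
        return JsonMapper.builder()
                .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL)
                .build();
    }

    // Constructed input in the default WRAPPER_ARRAY form: ["<class name>", {...}]
    static String typed(Class<?> type, String body) {
        return "[\"" + type.getName() + "\"," + body + "]";
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = buildMapper();

        // A type on the allow list resolves and deserializes normally.
        Object ok = mapper.readValue(typed(Dog.class, "{\"name\":\"Rex\"}"), Object.class);
        System.out.println("allowed: " + ok.getClass().getName());

        try {
            mapper.readValue(typed(Unexpected.class, "{\"value\":\"x\"}"), Object.class);
            System.out.println("unexpected: type was accepted");
        } catch (JsonMappingException e) {
            // The validator denies the type id, so no instance of the class is created.
            System.out.println("rejected: " + e.getOriginalMessage());
        }
    }
}
```

Because the rule names what is permitted rather than what is blocked, a class that is later found to be a usable gadget is rejected without any change to the configuration.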