
fix(serialize): respect WARN mode in DefaultSerializeClassChecker #16177

Status: Open
daguimu wants to merge 2 commits into apache:3.3 from daguimu:fix/serialize-checker-warn-mode-throws-exception-15179

Conversation


@daguimu daguimu commented Mar 27, 2026

Problem

DefaultSerializeClassChecker throws IllegalArgumentException even when SerializeCheckStatus is set to WARN. The WARN mode is intended to only log warnings without blocking deserialization, but three code paths still throw exceptions unconditionally.

Root Cause

Three places in DefaultSerializeClassChecker ignore the checkStatus when deciding to throw:

  1. loadClass0() disallow list check (case-sensitive, line 165): Logs a WARN-mode message but then unconditionally throws IllegalArgumentException.

  2. loadClass0() disallow list check (case-insensitive, line 186): Same issue — warns then throws.

  3. loadClass() Serializable interface check (line 118): Only checks the checkSerializable flag but ignores checkStatus. In WARN mode, non-Serializable classes should be warned about, not rejected.

Fix

  • loadClass0() disallow list checks: In WARN mode, log a warning and return the loaded class via classForName() instead of throwing. The warning message is updated to say "will allow to deserialize" (matching the existing non-disallowed warning at line 198).

  • loadClass() Serializable check: Gate the exception on checkStatus — only throw in STRICT mode (when checkSerializable is also true). In WARN mode, downgrade from logger.error to logger.warn. In DISABLE mode, skip the check entirely.

This makes DefaultSerializeClassChecker consistent with Fastjson2SecurityManager, which already handles WARN mode correctly by returning null instead of throwing.

Tests Added

| Change Point | Test |
| --- | --- |
| Disallow list in WARN mode no longer throws | testDisallowedClassInWarnModeDoesNotThrow() — loads Runtime.class (disallowed) in WARN mode, verifies no exception and class is in warnedClasses |
| Disallow list in STRICT mode still throws | testDisallowedClassInStrictModeThrows() — confirms Runtime.class throws in STRICT mode (regression) |
| Non-Serializable class in WARN mode | testCommon() — updated: Socket.class (disallowed, non-Serializable) now loads without exception in WARN mode |
| Existing STRICT mode behavior preserved | testStatus(), testBlockAll(), testAddBlock() — all pass unchanged |

Impact

Only affects deserialization behavior when checkStatus is explicitly set to WARN. Default mode (STRICT) behavior is unchanged. Users who set WARN mode will now get the expected behavior: warnings are logged but deserialization proceeds.

Fixes #15179
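The mode-gated decision logic the PR describes, as an added illustrative example (not Dubbo's actual DefaultSerializeClassChecker; the class name, the prefix-based disallow list and the use of java.util.logging in place of Dubbo's logger are assumptions):

```java
import java.io.Serializable;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import java.util.logging.Logger;

// Hypothetical re-creation of the decision logic the PR describes; not Dubbo's own code.
public class ModeGatedChecker {
    public enum SerializeCheckStatus { DISABLE, WARN, STRICT }
    private static final Logger LOG = Logger.getLogger(ModeGatedChecker.class.getName());
    private final SerializeCheckStatus checkStatus;
    private final boolean checkSerializable;
    private final Set<String> disallowedPrefixes; // constructed sample input, e.g. "java.lang.Runtime"
    private final Set<String> warnedClasses = Collections.synchronizedSet(new HashSet<>());
    public ModeGatedChecker(SerializeCheckStatus status, boolean checkSerializable, Set<String> disallowed) {
        this.checkStatus = status; this.checkSerializable = checkSerializable; this.disallowedPrefixes = disallowed;
    }
    public Class<?> loadClass(ClassLoader loader, String className) throws ClassNotFoundException {
        Class<?> clazz = loadClass0(loader, className);
        // Serializable check: gated on checkStatus, not only on checkSerializable (fix point 3).
        if (checkSerializable && checkStatus != SerializeCheckStatus.DISABLE
                && !Serializable.class.isAssignableFrom(clazz)) {
            String msg = "[Serialization Security] " + className + " does not implement Serializable";
            if (checkStatus == SerializeCheckStatus.STRICT) {
                LOG.severe(msg);
                throw new IllegalArgumentException(msg);
            }
            LOG.warning(msg + ", will allow to deserialize in WARN mode."); // downgraded from error
        }
        return clazz;
    }
    private Class<?> loadClass0(ClassLoader loader, String className) throws ClassNotFoundException {
        if (checkStatus != SerializeCheckStatus.DISABLE) {
            for (String prefix : disallowedPrefixes) {
                if (!className.startsWith(prefix)) continue;
                String msg = "[Serialization Security] " + className + " is in the disallowed list";
                if (checkStatus == SerializeCheckStatus.STRICT) {
                    throw new IllegalArgumentException(msg); // STRICT: still rejected
                }
                if (warnedClasses.add(className)) { // WARN: log once, then load (fix points 1 and 2)
                    LOG.warning(msg + ", will allow to deserialize in WARN mode.");
                }
                break;
            }
        }
        return Class.forName(className, false, loader); // stands in for Dubbo's classForName()
    }
    public Set<String> getWarnedClasses() { return Collections.unmodifiableSet(warnedClasses); }
}
```

With STRICT, loading a class under a disallowed prefix throws; with WARN, the same call returns the class and records it in warnedClasses, which is the distinction the PR's tests check. Operators should read WARN as audit-only: it records what would have been blocked but does not block it.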

@codecov-commenter

codecov-commenter commented Mar 27, 2026

Codecov Report

❌ Patch coverage is 66.66667% with 3 lines in your changes missing coverage. Please review.
✅ Project coverage is 60.80%. Comparing base (b54059d) to head (71d3ae5).
⚠️ Report is 7 commits behind head on 3.3.

| Files with missing lines | Patch % | Lines |
| --- | --- | --- |
| ...bbo/common/utils/DefaultSerializeClassChecker.java | 66.66% | 1 Missing and 2 partials ⚠️ |
Additional details and impacted files
@@             Coverage Diff              @@
##                3.3   #16177      +/-   ##
============================================
- Coverage     60.80%   60.80%   -0.01%     
+ Complexity    11767    11760       -7     
============================================
  Files          1953     1953              
  Lines         89118    89121       +3     
  Branches      13444    13446       +2     
============================================
  Hits          54190    54190              
+ Misses        29367    29362       -5     
- Partials       5561     5569       +8     
| Flag | Coverage Δ |
| --- | --- |
| integration-tests-java21 | 32.12% <33.33%> (-0.05%) ⬇️ |
| integration-tests-java8 | 32.24% <33.33%> (-0.01%) ⬇️ |
| samples-tests-java21 | 32.13% <0.00%> (-0.04%) ⬇️ |
| samples-tests-java8 | 29.71% <0.00%> (-0.01%) ⬇️ |
| unit-tests-java11 | 59.03% <55.55%> (-0.01%) ⬇️ |
| unit-tests-java17 | 58.51% <55.55%> (+0.01%) ⬆️ |
| unit-tests-java21 | 58.53% <55.55%> (-0.01%) ⬇️ |
| unit-tests-java25 | 58.47% <55.55%> (-0.03%) ⬇️ |
| unit-tests-java8 | 59.05% <55.55%> (-0.02%) ⬇️ |



Linked issue

Successfully merging this pull request may close this issue:

[Bug] In DefaultSerializeClassChecker, when the check mode is WARN an exception still occurs.

2 participants