Add check

dubbo-common/src/main/java/org/apache/dubbo/common/CommonScopeModelInitializer.java

@@ -22,6 +22,7 @@
 import org.apache.dubbo.common.lang.ShutdownHookCallbacks;
 import org.apache.dubbo.common.status.reporter.FrameworkStatusReportService;
 import org.apache.dubbo.common.threadpool.manager.FrameworkExecutorRepository;
+import org.apache.dubbo.common.utils.SerializeSecurityManager;
 import org.apache.dubbo.rpc.model.ApplicationModel;
 import org.apache.dubbo.rpc.model.FrameworkModel;
 import org.apache.dubbo.rpc.model.ModuleModel;
@@ -33,6 +34,7 @@ public void initializeFrameworkModel(FrameworkModel frameworkModel) {
         ScopeBeanFactory beanFactory = frameworkModel.getBeanFactory();
         beanFactory.registerBean(FrameworkExecutorRepository.class);
         beanFactory.registerBean(ConverterUtil.class);
+        beanFactory.registerBean(SerializeSecurityManager.class);
     }
 
     @Override

dubbo-common/src/main/java/org/apache/dubbo/common/constants/CommonConstants.java

@@ -422,6 +422,8 @@ public interface CommonConstants {
 
     String SERIALIZE_BLOCKED_LIST_FILE_PATH = "security/serialize.blockedlist";
 
+    String SERIALIZE_ALLOW_LIST_FILE_PATH = "security/serialize.allowlist";
+
     String QOS_LIVE_PROBE_EXTENSION = "dubbo.application.liveness-probe";
 
     String QOS_READY_PROBE_EXTENSION = "dubbo.application.readiness-probe";

dubbo-common/src/main/java/org/apache/dubbo/common/utils/AllowClassNotifyListener.java

@@ -0,0 +1,26 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.dubbo.common.utils;
+
+import java.util.Set;
+
+public interface AllowClassNotifyListener {
+
+    SerializeCheckStatus DEFAULT_STATUS = SerializeCheckStatus.STRICT;
+
+    void notify(SerializeCheckStatus status, Set<String> prefixList);
+}

dubbo-common/src/main/java/org/apache/dubbo/common/utils/ClassLoaderResourceLoader.java

@@ -24,11 +24,11 @@
 import java.lang.ref.SoftReference;
 import java.lang.reflect.Field;
 import java.net.URL;
+import java.util.Collection;
 import java.util.Collections;
 import java.util.Enumeration;
 import java.util.LinkedHashMap;
 import java.util.LinkedHashSet;
-import java.util.List;
 import java.util.Map;
 import java.util.Set;
 import java.util.UUID;
@@ -46,7 +46,7 @@ public class ClassLoaderResourceLoader {
         GlobalResourcesRepository.registerGlobalDisposable(() -> destroy());
     }
 
-    public static Map<ClassLoader, Set<URL>> loadResources(String fileName, List<ClassLoader> classLoaders) throws InterruptedException {
+    public static Map<ClassLoader, Set<URL>> loadResources(String fileName, Collection<ClassLoader> classLoaders) throws InterruptedException {
         Map<ClassLoader, Set<URL>> resources = new ConcurrentHashMap<>();
         CountDownLatch countDownLatch = new CountDownLatch(classLoaders.size());
         for (ClassLoader classLoader : classLoaders) {

dubbo-common/src/main/java/org/apache/dubbo/common/utils/SerializeCheckStatus.java

@@ -0,0 +1,23 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.dubbo.common.utils;
+
+public enum SerializeCheckStatus {
+    DISABLED,
+    WARN,
+    STRICT,
+}

dubbo-common/src/main/java/org/apache/dubbo/common/utils/SerializeClassChecker.java

@@ -17,7 +17,6 @@
 package org.apache.dubbo.common.utils;
 
 import org.apache.dubbo.common.beanutil.JavaBeanSerializeUtil;
-import org.apache.dubbo.common.config.ConfigurationUtils;
 import org.apache.dubbo.common.constants.CommonConstants;
 import org.apache.dubbo.common.logger.ErrorTypeAwareLogger;
 import org.apache.dubbo.common.logger.LoggerFactory;
@@ -52,10 +51,10 @@ public class SerializeClassChecker {
     private final AtomicLong counter = new AtomicLong(0);
 
     private SerializeClassChecker() {
-        String openCheckClass = ConfigurationUtils.getProperty(CommonConstants.CLASS_DESERIALIZE_OPEN_CHECK, "true");
+        String openCheckClass = System.getProperty(CommonConstants.CLASS_DESERIALIZE_OPEN_CHECK, "true");
         OPEN_CHECK_CLASS = Boolean.parseBoolean(openCheckClass);
 
-        String blockAllClassExceptAllow = ConfigurationUtils.getProperty(CLASS_DESERIALIZE_BLOCK_ALL, "false");
+        String blockAllClassExceptAllow = System.getProperty(CLASS_DESERIALIZE_BLOCK_ALL, "false");
 
         BLOCK_ALL_CLASS_EXCEPT_ALLOW = Boolean.parseBoolean(blockAllClassExceptAllow);
 
@@ -79,8 +78,8 @@ private SerializeClassChecker() {
             logger.error(COMMON_IO_EXCEPTION, "", "", "Failed to load blocked class list! Will ignore default blocked list.", e);
         }
 
-        String allowedClassList = ConfigurationUtils.getProperty(CLASS_DESERIALIZE_ALLOWED_LIST, "").trim().toLowerCase(Locale.ROOT);
-        String blockedClassList = ConfigurationUtils.getProperty(CLASS_DESERIALIZE_BLOCKED_LIST, "").trim().toLowerCase(Locale.ROOT);
+        String allowedClassList = System.getProperty(CLASS_DESERIALIZE_ALLOWED_LIST, "").trim().toLowerCase(Locale.ROOT);
+        String blockedClassList = System.getProperty(CLASS_DESERIALIZE_BLOCKED_LIST, "").trim().toLowerCase(Locale.ROOT);
 
         if (StringUtils.isNotEmpty(allowedClassList)) {
             String[] classStrings = allowedClassList.trim().split(",");
@@ -120,34 +119,45 @@ protected static void clearInstance() {
      * @throws IllegalArgumentException if class is blocked
      */
     public void validateClass(String name) {
+        validateClass(name, true);
+    }
+
+    public boolean validateClass(String name, boolean failOnError) {
         if (!OPEN_CHECK_CLASS) {
-            return;
+            return true;
         }
 
         name = name.toLowerCase(Locale.ROOT);
         if (CACHE == CLASS_ALLOW_LFU_CACHE.get(name)) {
-            return;
+            return true;
         }
 
         if (CACHE == CLASS_BLOCK_LFU_CACHE.get(name)) {
-            error(name);
+            if (failOnError) {
+                error(name);
+            }
+            return false;
         }
 
         for (String allowedPrefix : CLASS_DESERIALIZE_ALLOWED_SET) {
             if (name.startsWith(allowedPrefix)) {
                 CLASS_ALLOW_LFU_CACHE.put(name, CACHE);
-                return;
+                return true;
             }
         }
 
         for (String blockedPrefix : CLASS_DESERIALIZE_BLOCKED_SET) {
             if (BLOCK_ALL_CLASS_EXCEPT_ALLOW || name.startsWith(blockedPrefix)) {
                 CLASS_BLOCK_LFU_CACHE.put(name, CACHE);
-                error(name);
+                if (failOnError) {
+                    error(name);
+                }
+                return false;
             }
         }
 
         CLASS_ALLOW_LFU_CACHE.put(name, CACHE);
+        return true;
     }
 
     private void error(String name) {