[Java] add check for multiple disallowed.txt

[pjfanning]

Feature Request

A malicious lib provider could sneakily include a fury/disallowed.txt file in their lib. Users might have this malicious lib on their classpath. Could override the fury built-in one.

Is your feature request related to a problem? Please describe

No response

Describe the solution you'd like

No response

Describe alternatives you've considered

No response

Additional context

No response

[chaokunyang]

good suggestion, I added sha256 check in #2102

[philippemarcelino]

Hi,
I think this last update may have some portability issues. I compiled and ran the latest version on an Ubuntu machine with no problem.
On a Win11 machine though, the SHA hash test always fails. My guess is that the disallowed.txt content file can differ a bit from OS to OS (or maybe depending on some Git checkout options). But as a matter of fact, the latest 0.11.0-SNAPSHOT jar compiled on my machine can't be used at all (and I use all default/suggested Git options).
Potential fix: compute hash on class names (vs the whole raw stream content).

[chaokunyang]

I can reproduce it in https://github.com/apache/fury/actions/runs/14132457129/job/39595994643?pr=2128: