[Bug] In `DefaultSerializeClassChecker` When the check mode is `WARN`, an exception still occurs.

[wuwen5]

Pre-check

• I am sure that all the content I provide is in English.

Search before asking

• I had searched in the issues and found no similar issues.

Apache Dubbo Component

Java SDK (apache/dubbo)

Dubbo Version

Dubbo Java 3.2.16、3.3.3

Steps to reproduce this issue

@Test
void testCheckStatusWarn() throws IOException {
    FrameworkModel frameworkModel = new FrameworkModel();
    SerializeSecurityManager ssm = frameworkModel.getBeanFactory().getBean(SerializeSecurityManager.class);
    ssm.setCheckStatus(SerializeCheckStatus.WARN);

    Serialization serialization = frameworkModel.getExtensionLoader(Serialization.class)
        //When using fastjson2, it's ok.
        .getExtension("hessian2");
    URL url = URL.valueOf("").setScopeModel(frameworkModel);
    ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
    ObjectOutput objectOutput = serialization.serialize(url, outputStream);
    objectOutput.writeObject(Level.ALL);
    objectOutput.flushBuffer();

    Assertions.assertDoesNotThrow(() -> serialization.deserialize(url, new 
        ByteArrayInputStream(outputStream.toByteArray())));
}

@Test
void testCommon() throws ClassNotFoundException {
    FrameworkModel.defaultModel()
        .getBeanFactory()
        .getBean(SerializeSecurityManager.class)
        .setCheckStatus(SerializeCheckStatus.WARN);
    DefaultSerializeClassChecker defaultSerializeClassChecker = DefaultSerializeClassChecker.getInstance();
       
    Assertions.assertDoesNotThrow(() -> {
        defaultSerializeClassChecker.loadClass(
            Thread.currentThread().getContextClassLoader(), Socket.class.getName());
        });
    Assertions.assertNotEquals(
        Socket.class, defaultSerializeClassChecker.loadClass(
            Thread.currentThread().getContextClassLoader(), Socket.class.getName()));
}

What you expected to happen

No exceptions，Expected to be consistent with the logic and results of Fastjson2SecurityManager

Anything else

No response

Are you willing to submit a pull request to fix on your own?

• Yes I am willing to submit a pull request on my own!

Code of Conduct

• I agree to follow this project's Code of Conduct

[AlbumenJ]

This is by design. Because Level.class is in the default deny list. Default deny list has the highest priority

[wuwen5]

The Level is just an example I used for unit testing, primarily to highlight the inconsistency with the verification logic in Fastjson2SecurityManager. When using Fastjson2, if the check status is set to WARN, it should log a warning instead of throwing an exception.