[CVE-2016-4974] allow whitelisting trusted classes/packages for deserialization from ObjectMessage

When applications call getObject() on a consumed JMS ObjectMessage they are subject to the behaviour of any object deserialization during the process of constructing the body to return.

This improvement adds the new configuration options to whitelist trusted content permitted for deserialization. When so configured, attempts to deserialize input containing other content will be prevented.