ObjectMessage#getObject currently deserializes any value without performing input validation. Limiting the supported classes via package prefixes seems to be a fairly standard solution [1][2][3].
CVE assigned to this issue: CVE-2016-6194.
- [1] https://issues.apache.org/jira/browse/AMQ-6013
- [2] https://jira.spring.io/browse/AMQP-590
- [3] spring-projects/spring-amqp@4150f10
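The package-prefix approach referenced above, shown as an added example in plain Java (this is illustration code, not the project's `ObjectMessage` implementation or any of the linked fixes). It assumes a consumer that only expects `java.lang`/`java.util` values; the prefix list, the `NotOnTheList` class and the sample payload are constructed for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;

/**
 * ObjectInputStream that only resolves classes whose fully qualified name
 * starts with one of the configured trusted package prefixes.
 * Everything else is rejected before the class is resolved, so no
 * readObject/readResolve logic of an unexpected class ever runs.
 */
public class TrustedPrefixObjectInputStream extends ObjectInputStream {

    private final List<String> trustedPrefixes;

    public TrustedPrefixObjectInputStream(InputStream in, List<String> trustedPrefixes)
            throws IOException {
        super(in);
        this.trustedPrefixes = List.copyOf(trustedPrefixes);
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        // Unwrap array descriptors: "[[Lcom.example.Foo;" -> "com.example.Foo", "[I" -> "I"
        String element = name;
        while (element.startsWith("[")) {
            element = element.substring(1);
        }
        if (element.length() == 1) {
            // Single-character code: a primitive array such as int[] or byte[]
            return super.resolveClass(desc);
        }
        if (element.startsWith("L") && element.endsWith(";")) {
            element = element.substring(1, element.length() - 1);
        }
        for (String prefix : trustedPrefixes) {
            if (element.startsWith(prefix)) {
                return super.resolveClass(desc);
            }
        }
        // Reject with the offending class name so the event is easy to log and alert on
        throw new InvalidClassException(name, "class not in trusted package list");
    }

    // --- demo helpers (constructed for this example) ---

    static byte[] serialize(Serializable value) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(value);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes, List<String> prefixes)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois =
                     new TrustedPrefixObjectInputStream(new ByteArrayInputStream(bytes), prefixes)) {
            return ois.readObject();
        }
    }

    /** Stand-in for a serializable type the consumer does not expect. */
    static class NotOnTheList implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    public static void main(String[] args) throws Exception {
        // Assumed allow-list for this consumer; a real deployment configures its own.
        List<String> prefixes = List.of("java.lang.", "java.util.");

        ArrayList<String> payload = new ArrayList<>(List.of("order-42", "shipped"));
        Object accepted = deserialize(serialize(payload), prefixes);
        System.out.println("accepted: " + accepted);

        try {
            deserialize(serialize(new NotOnTheList()), prefixes);
        } catch (InvalidClassException e) {
            // Expected: the class lives outside every trusted prefix
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Two practical notes. First, keep the prefix list as narrow as the consumer's actual message types allow; a broad entry such as `java.util.` still admits the collection classes that many gadget chains use as entry points, so it only helps if the rest of the chain is also excluded. Second, on Java 9 and later (and 8u121+) the same policy is expressible without subclassing through `java.io.ObjectInputFilter`, e.g. `ObjectInputFilter.Config.createFilter("java.lang.*;java.util.*;com.example.model.**;!*")` set via `setObjectInputFilter` on the stream, which additionally lets you cap graph depth and array sizes.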