Closed
Labels: 2.17 (Issues planned at earliest for 2.17)
Description
Describe your Issue
(note: follow-up on #4204)
Currently types under `java.*` and `javax.*` packages get different (stricter) handling compared to all other types, with respect to Reflection-based discovery. This is done for the following reasons:
- Later JDK versions have stricter access checks, and reducing amount of discovery/access-forcing for JDK types reduces warnings (and sometimes actual failures), without reducing access to User-Provided Types (UPT)
- Forced access to Platform types may open up security holes in conjunction with Polymorphic Deserialization -- problematic as they are known to exist and hence much easier to exploit than User-Provided Types. So closing access may improve security as well
- JDK types to support mostly already have explicit (de)serializers, so auto-detection is rarely used for actual handling (and can be added for types as needed)
Due to legacy reasons, there are also "well-known" Platform types under some other packages; most notably `sun.security` (and generally anything under `sun.*`). For example see #4204.
So, for Jackson 2.17, let's consider adding this set of classes as "platform" (JDK) types for more limited auto-discovery.
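To illustrate the distinction the issue makes between platform and user-provided types, here is an added example written for this page; it is not Jackson's own code. It uses a hypothetical prefix list that treats `java.*`, `javax.*` and, as proposed above, `sun.*` as platform types, and a helper that only forces reflective access on user-provided types so that platform types never trigger module-access warnings or failures. The names `isPlatformType`, `tryForceAccess` and `UserBean`, and the sample class name `sun.security.SomeType`, are assumptions made for the example.

```java
import java.lang.reflect.AccessibleObject;
import java.lang.reflect.Field;
import java.lang.reflect.Member;
import java.util.List;

public class PlatformTypeAccess {
    // Hypothetical prefix list: java.* and javax.* as today, plus sun.* as proposed in this issue.
    private static final List<String> PLATFORM_PREFIXES = List.of("java.", "javax.", "sun.");

    /** Name-based check so that classes we cannot load (or reference at compile time) can be tested too. */
    public static boolean isPlatformTypeName(String className) {
        for (String prefix : PLATFORM_PREFIXES) {
            if (className.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    /** True if the class should get the limited "platform type" discovery treatment. */
    public static boolean isPlatformType(Class<?> cls) {
        return isPlatformTypeName(cls.getName());
    }

    /**
     * Attempts to make a reflected member accessible, but only when its declaring class
     * is a user-provided type. Platform types are skipped entirely, so no module-boundary
     * warning or InaccessibleObjectException is ever provoked for them.
     *
     * @return true if access was forced, false if skipped or refused by the runtime
     */
    public static <T extends AccessibleObject & Member> boolean tryForceAccess(T member) {
        if (isPlatformType(member.getDeclaringClass())) {
            return false; // limited discovery: leave platform members as they are
        }
        try {
            member.setAccessible(true);
            return true;
        } catch (RuntimeException e) {
            // InaccessibleObjectException (Java 9+) and SecurityException both extend RuntimeException
            return false;
        }
    }

    // Constructed user-provided type for the demonstration.
    static class UserBean {
        private int value = 42;
    }

    public static void main(String[] args) throws Exception {
        Field userField = UserBean.class.getDeclaredField("value");
        System.out.println("UserBean.value access forced: " + tryForceAccess(userField));

        // java.lang.String declares a private field "value"; under this policy we never try to force it.
        Field stringField = String.class.getDeclaredField("value");
        System.out.println("String.value access forced: " + tryForceAccess(stringField));

        // Constructed class name under sun.security, the package the issue singles out.
        System.out.println("sun.security.SomeType is platform: " + isPlatformTypeName("sun.security.SomeType"));
        System.out.println("UserBean is platform: " + isPlatformType(UserBean.class));
    }
}
```

Running the example prints `true` for the user bean field, `false` for `String.value`, `true` for the `sun.security` name and `false` for `UserBean`; the point is that the prefix list, not a per-class allowlist, is what decides whether reflective access is forced.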