Further document adding types to the Jackson allowlist

[jzheaux]

Given some of the responses in #4370, it would likely be helpful to add to the Jackson documentation, detailing the rationale for how things are and some simple samples for how to extend it.

It would also be nice if the snippets added to this documentation were included directly from tests in Spring Security to ensure their ongoing compatibility. Spring Session follows a pattern of including testable documentation snippets inside of the documentation.

This may be an opportunity to revisit the allowlist error message to see if it can be improved:

The class ... {className} ... is not in the allowlist. If you believe this class is safe to deserialize, please provide an explicit mapping using Jackson annotations or by providing a Mixin. If the serialization is only done by a trusted source, you can also enable default typing. See #4370 for details

Possibly, it would be nice to point to the additional documentation.