Java serialization whitelist should include primitive wrapper classes and arrays types, if only because it's tedious to specify all of them in the configuration.

There's a similar argument for adding java.util.ArrayList to the default whitelist, especially to use as keys, because Object[] keys do not work with OBJECT storage (equals() and hashCode() are wrong). I'm not convinced yet, because applications eventually want to use a custom key class, and POCs can get away with converting to String and concatenating.