Add stern javadoc warning about Base64.decodeToObject() being unsafe and mark method as deprecated.

[kwwall]

The Base64.decodeToObject() is unsafe as it attempts to serialize non-validated data. The Java deserialization that it attempts via ObjectInputStream.readObject() can potentially lead to remote code injection vulnerabilities.

This method should be tagged as @deprecated and noted in the javadoc as such, along with a stern warning that it unsafe and will be removed in a future release. (Without potentially breaking someone's code, that's the best we can do for now.)

[kwwall]

Reopened issue to note that in order to use this deprecated method, the system property org.owasp.esapi.enableUnsafeSerialization must be set to the String "true". If this method this method is called without that property being set to "true" it will throw an UnsupportedOperationException.

[kwwall]

While this issue was discussed in general terms with the ESAPI development (see http://lists.owasp.org/pipermail/esapi-dev/2015-December/002575.html for the start of the thread) and user community (same topic; look up the link on same date to the ESAPI-Users mailing list), I alone am responsible for the decision to potentially break backward compatibility for the sake of security. So if you feel you need to blame someone, blame only me and not my ESAPI colleagues.

[kwwall]

Closing issue based on commit 86c89a2. (Screwed up commit comment for auto-close.)