This is the second J2EE security book that has been released by Addison-Wesley in the past six months. The earlier book was J2EE Security for Servlets, EJBs, and Web Services by Pankaj Kumar and I have to admit that I liked the first one a lot more.
This book is very detailed with a lot of information but virtually no code to show how to actually implement anything. The chapter on cryptography, for example, looks like it belongs in a college textbook and not a book for developers to actually use. There are all sorts of formulas and equations, and graphs that really don't tell me much. There are chapters without a bit of code in them. Chapter 2 is a discussion of using applets through a firewall with RMI (is that really so commonly used that it rates a chapter in the front of a book on J2EE security). There is not a single line of Java in the entire chapter.
But not every chapter is like that. The chapter on JAAS has quite a few samples. The servlet/JSP chapter has a couple of short program samples. But the EJB chapter has a reasonable amount of sample code. My guess is that the authors of the book (there are four listed) didn't agree on a general style and that different authors approached writing a security book in different ways. Some people have complained that the Kumar book isn't technical enough so perhaps the combination of these two books will provide exactly what is needed.
The review is on my amazon review page.