dominicdasilva recently asked this question in his weblog: which J2EE Security book should he buy -- my J2EE Security for ... or Enterprise Java Security: ...?
Obviously, I was interested in reading the comments and was pleasantly surprised to see the following post: "I actually have both of them. They are both very good, very well written, and very accurate. I think the Marco Pistoia book is less example driven and because it has multiple authors the quality and style tends to vary a bit. The Kumar book is full of code samples and the writing is very consistently good. I think your best bet is to drop into your local bookstore and examine them both to decide which one covers the topics you are interested in the most detail."
My own advice is more pragmatic: "if you are looking for coverage of Kerberos, IPSEC, SAML, Liberty, XACML then you are better off not buying my book." However, I should add: "you won't be disappointed if you are a beginner/intermediate in Java Security and seek to learn about JCA, JCE, PKI, JSSE Java APIs and details of XML-DSig, XML-Enc, WS-Security and security issues in RMI, EJB, Web Apps, and Web Services."