To repeat, the basis of Java Security is the sandbox model, and security itself is a multifaceted feature of the Java platform. If you have enough patience to read the relevant portion of the JDK documentation, the java.security class documentation elaborates on Java security mechanisms and API calling rules. To be frank, I think that reading Sun's documentation is better than following other analogous papers. Remember, java.security is the place you need to visit when you are eager to find Java Security stuff.
However, I still find one interesting tip in the book rather than in Sun's Java documentation: java.security.debug, a property that can be set to various values to trace security events at different levels. Of course, there is a counterpart named javax.net.debug. In the book, all samples can be traced with these debug settings.