Thank you for pointing me to that review. Thomas Paul reviewed a draft of the book about one and a half years ago when we were still writing big parts of the book. He was hired by Addison-Wesley. Since his review, the book changed completely. New chapters were added with tons of sample code. He probably never saw those chapters and copied and pasted on amazon.com, word by word, the review he made for Addison-Wesley more than a year ago.
J2EE access control is mainly declarative. So in the first chapters, the ones that talk about the architecture of J2EE security (those initially reviewed by Thomas Paul), we did not put so much code, but we did put lots of XML fragments showing what the deployment descriptor should look like.
Parts III and IV of the book are where a lot of sample code is. For example, the chapters that cover the architecture of J2SE security, JAAS, JCA and JCE, and JSSE are FULL of sample code, and comparing them to a white paper is simply misleading. I am afraid that Thomas Paul never saw those chapters, otherwise he could not say that the book resembles a white paper.
But let me present facts rather than words: I have just looked throughout the whole book and counted sixty-eight code examples. I am talking about Java code, not XML or HTML code (we have that too, of course). In some cases, one single program even reaches 5 pages in length. Have you ever seen anything like that in a white paper?
Thanks,
Marco Pistoia