Hi Wong,
I think "Java Servlet Programming" by Jason is a good book. You can find there's a chapter talking about security.
As for thread-safe servlets, I think it's about synchronization in the servlet scenario. Any book on servlets covers this topic more or less, such as: local variables are always thread-safe, class instance variables are not, and there is a SingleThreadModel interface, etc. I've not found a place where this topic is systematically discussed.
Tony
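
The point above about instance variables versus local variables, shown as an added example that is not part of the original post. It is plain Java with no servlet container; the handler classes, the user names and the barrier that forces the interleaving are all constructed for illustration.

```java
import java.util.concurrent.CyclicBarrier;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;

// Constructed stand-in for a servlet: like a container, main() creates ONE
// handler instance and calls it from two request threads at the same time.
public class ServletThreadSafetyDemo {

    interface Handler { String handle(String requestUser) throws Exception; }

    // Demo only: holds each request until both have stored their user,
    // so the interleaving that is rare in testing happens on every run.
    static final CyclicBarrier BOTH_STORED = new CyclicBarrier(2);

    static class UnsafeHandler implements Handler {
        private String user;                 // instance field: shared by all request threads
        public String handle(String requestUser) throws Exception {
            user = requestUser;              // a concurrent request can overwrite this
            BOTH_STORED.await();
            return "account page for " + user;
        }
    }

    static class SafeHandler implements Handler {
        public String handle(String requestUser) throws Exception {
            String user = requestUser;       // local variable: private to this thread's stack
            BOTH_STORED.await();
            return "account page for " + user;
        }
    }

    static void serveTwoRequests(Handler shared) throws Exception {
        ExecutorService pool = Executors.newFixedThreadPool(2);
        try {
            Future<String> a = pool.submit(() -> shared.handle("alice"));
            Future<String> b = pool.submit(() -> shared.handle("bob"));
            System.out.println(shared.getClass().getSimpleName()
                    + ": alice got [" + a.get() + "], bob got [" + b.get() + "]");
        } finally {
            pool.shutdown();
        }
    }

    public static void main(String[] args) throws Exception {
        serveTwoRequests(new UnsafeHandler());   // one caller is shown the other's page
        serveTwoRequests(new SafeHandler());     // each caller gets its own page
    }
}
```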