We don't cover unit testing specifically in the book, but the general strategy that I have employed successfully in past projects with Spring Security goes something like this:
* In your Spring Security configuration files, separate out the few bits that will change between unit tests and production (for example, the UserDetailsService in unit tests may be configured with a static list of users, and not backed by a database).
* As part of your build/deploy environment, you have two secondary configuration files - one with a UserDetailsService containing static, unit test data, and one that is used in "production" (backed by JDBC, Hibernate, etc.).
Sounds pretty simple, but it really does work - it depends on how invasive your tests are, and how they are run (for example, Selenium or the like can be used to test the security of a running web application).
I'd suggest looking at the unit tests that ship with Spring Security 3 itself - they are very illustrative of how to set up some complex scenarios (such as embedded LDAP), and are quite easy to follow once you're familiar with how the framework works.
Hope that answers your question!
Author, Spring Security 3 (the Book), Packt Publishing, 2010
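
A sketch of the file split described in the post above, added here as an example and not taken from the book or the original reply. The file names, the `userDetailsService` bean id, the `dataSource` bean and the test users are all assumptions made for illustration.

```xml
<!-- File 1: security-common.xml (hypothetical name), loaded in every environment -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
      http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
      http://www.springframework.org/schema/security
      http://www.springframework.org/schema/security/spring-security-3.0.xsd">
  <http auto-config="true">
    <intercept-url pattern="/**" access="ROLE_USER"/>
  </http>
  <!-- Only the bean id is referenced here; each environment supplies the bean -->
  <authentication-manager>
    <authentication-provider user-service-ref="userDetailsService"/>
  </authentication-manager>
</beans:beans>

<!-- File 2: security-users-test.xml (hypothetical), unit tests only -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
      http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
      http://www.springframework.org/schema/security
      http://www.springframework.org/schema/security/spring-security-3.0.xsd">
  <!-- Constructed test accounts; static data, no database needed -->
  <user-service id="userDetailsService">
    <user name="testuser" password="test-only" authorities="ROLE_USER"/>
    <user name="testadmin" password="test-only" authorities="ROLE_USER,ROLE_ADMIN"/>
  </user-service>
</beans:beans>

<!-- File 3: security-users-prod.xml (hypothetical), production only -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
      http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
      http://www.springframework.org/schema/security
      http://www.springframework.org/schema/security/spring-security-3.0.xsd">
  <!-- Assumes a DataSource bean named "dataSource" is defined elsewhere -->
  <jdbc-user-service id="userDetailsService" data-source-ref="dataSource"/>
</beans:beans>
```

Load `security-common.xml` together with exactly one of the two user files, so the same `<http>` rules are exercised in tests and in production. Keeping the test file in the test source tree keeps its static credentials out of the deployed artifact.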