the book seems to be exactly what I'm looking for.
Do you also give rule of thumbs at which project phase Spring security should be implemented? Can Spring security easily be applied after implementing the features? Are there any pitfalls when integrating Spring security too late or the design is not compatible with Spring security?
Glad to hear the feedback, and thanks for the great question!
In general I think it's important to design the application with an understanding of the concepts behind the security infrastructure, even if you don't incorporate security up front, especially for applications that are going to use complex techniques such as method-level security or ACLs. We do cover some techniques for planning authorization at the page level using Visio or other diagramming tools as well. It's quite common for applications to add Spring Security to either augment existing, unsecured applications, or to replace homebrew security infrastructure.
Hope that answers your question!
Author, Spring Security 3 (the Book), Packt Publishing, 2010