Ok, here are a few resources:
OWASP Code Review Guide:http://www.lulu.com/product/paperback/owasp-code-review/4458615
List of things to look for (while quite basic):http://www.sans.org/security-training/secure-code-review-java-web-apps-1192-mid
OWASP Top 10 vulnerabilities (very good reading!!)http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
It depends if you are reviewing a web application, an applet, a stand alone application, etc. But in my opinion, without spending a week writting on the subject, I would look for:
1) Input validation: Proper server-side validation of all inputs, including drop-down menus, and hidden fields
2) SQL queries: Check if the framework uses Object Relational Mapping (ORM) like Hibernate, prepared statements or stored procedures.
3) Database connections: How the database credentials are stored, database user having "least privileges", encrypted connection
4) AJAX and Web Services: Look at these two very well. Again, validate all inputs, fuzz them. Do you need to sign your web services?
5) Java frameworks for web applications like Spring MVC or MyFaces do a great job filtering bad characters for you. However, you should test different character encoding nevertheless.
6) Spend some time reviewing session management mechanism: login, logout, change password, etc.
7) Basically, review the OWASP Top 10 vulnerabilities and make sure there are none in your code.
8 ) Check they don't copy sensitive data from prod to dev, for example client's account, personal address, etc
9) Is the repository secure?
10) You can also check for proper separation of layers: Model-View-Controller, 3-Tier like Presentation-Service-data layers, Service Oriented Architecture, etc
11) If 2 systems trust each other, make sure they are who they say they are (look for possibnle MitM)
I have to go, but I will add more later.