I just needed to allow only particular IPs to have access to a servlet or web app and was somehow surprised IP filtering of requests is not part of the standards. The portable way of doing so is to write a custom filter   but this is not something I want to bother with.
Fortunately JBoss AS has this capability OOB being based on Apache Tomcat which has a valve to help with that . update: Wildfly, the JBoss AS new name will be using undertow as the servlet and web server engine so this won't work on it.
In short you can create a file WEB-INF/context.xml for JBoss or see docs  for Tomcat with content like:
<?xml version="1.0" encoding="UTF-8"?>
 http://hcmc.uvic.ca/blogs/index.php?blog=30&p=2658&more=1&c=1&tb=1&pb=1 - I've started here and saved me lots of time