If you want to allow just 4 IPs for all apps on JBoss, you can do it with the Remote Address Valve, whose configuration is in server.xml. If you want to allow 1 IP for each EAR, the easiest way is to implement a servlet filter that checks the IP address of the remote client.
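The per-EAR servlet filter approach described above, as an added example that is not code from the original post. The package, the class name and the `allowedAddresses` init-param are hypothetical; the filter is assumed to be declared with a `<filter>` and a `<filter-mapping>` on `/*` in the `web.xml` of each WAR packaged in the EAR.

```java
package example.security; // hypothetical package

import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/** Rejects every request whose TCP peer is not in the configured allowlist. */
public class RemoteAddrAllowFilter implements Filter {
    private final Set<InetAddress> allowed = new HashSet<InetAddress>();

    public void init(FilterConfig cfg) throws ServletException {
        // "allowedAddresses" is a hypothetical init-param: comma-separated IP literals.
        String param = cfg.getInitParameter("allowedAddresses");
        if (param == null || param.trim().length() == 0) {
            // Fail closed: a missing list must not silently allow everyone.
            throw new ServletException("allowedAddresses init-param is required");
        }
        for (String entry : param.split(",")) {
            try {
                // Parsing (not string compare) normalises IPv6 and IPv4-mapped forms.
                allowed.add(InetAddress.getByName(entry.trim()));
            } catch (UnknownHostException e) {
                throw new ServletException("Bad address in allowedAddresses: " + entry, e);
            }
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // getRemoteAddr() is the direct TCP peer. Behind a reverse proxy it is the
        // proxy's address; do not substitute a client-supplied X-Forwarded-For header.
        InetAddress peer = InetAddress.getByName(req.getRemoteAddr());
        if (allowed.contains(peer)) {
            chain.doFilter(req, res);
        } else {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }

    public void destroy() { }
}
```

Because the allowlist comes from each WAR's own `web.xml`, every EAR can carry a different address without touching the server-wide valve.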