Transport it too far removed from the authentication process to allow this to occur within the jaas login module. You would need to integrate with the transport layer to enforce this restriction.
in that case I will have to drop JAAS as the security for my application, or write my own servlet that handles the jaas logins, from there i can get the ip address from the HTTPServletRequest.
I am not completely sure, if the web page protection kicks in before servlet filters are processed.
If this is the case, why not write a filter that checks if the (authenticated) user is from the allowed address. If so, proceed, else kick him out again.