Hi:
An easy way is via an Apache frontend (working as reverse proxy), where an Allow from in a Location section for the considered REST API urls in the config may be enough for your case. If you don't have an Apache frontend and your access layer is the application server, you can always setup iptables for inbound traffic from some IPs, but in this case you will block all the connections via ports 8080, 8443 or 8009 for the rest of IPs. Both configurations may be needed indeed, because in some situations you only will want to use the Apache frontend as unique entry point, disallowing all requests directly to the application layer.
Regards.
--C.
