Assuming that you create a new session for every logged in user, there's no straight forward approach to get the user name of all logged in users. This is because there is no api by which you can get a handle to all existing sessions.
One way to do this would be to override the HttpSessionListener interface and in the sessionCreated() method, retrieve the user name (you have to be careful here because this method may fire even before you add the attribute to the session) and store it somewhere. Similarly in the sessionDestroyed() method, you have to retrieve the user name and delete it from wherever you stored it in. (You can retrieve the attribute from the sesssion in this case).