When the user logs on, put the user ID in a list of current users kept in application scope (the ServletContext object).
Keep the current user ID as an attribute of the HttpSession object.
Implement an HttpSession listener with a sessionDestroyed() method that removes the user ID from the list.
When a user tries to log on, check to see if the user ID is in the list of current users. If it is, don't let them log on.
There is still at least one problem you will have to decide how to handle:
If a user loses the connection or closes the browser accidentally, the user ID is still going to be in the list until the session times out. Having to wait could be frustrating for a user. You may want to put up a dialog saying something like "It appears you have another session open. Only one is allowed at a time. Do you want to release the old session and start a new one now?" This at least gives someone the ability to still log on in this situation.
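
The steps above, including the "release the old session" option, as an added example that is not part of the original post. It assumes the javax.servlet API (Servlet 3.x; use jakarta.servlet on newer containers); the class name, the attribute names and the tryLogin helper are hypothetical. The check and the add happen in one atomic map operation, so two simultaneous logons for the same user cannot both succeed.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.ServletContext;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.*;

@WebListener
public class SingleSessionRegistry implements HttpSessionListener {
    // Hypothetical attribute names for the application-scope map and the session's user ID.
    static final String USERS_ATTR = "activeUsers";
    static final String USER_ID_ATTR = "userId";

    // One shared userId -> session map per web application, created on first use.
    @SuppressWarnings("unchecked")
    static ConcurrentMap<String, HttpSession> users(ServletContext ctx) {
        synchronized (ctx) {
            Object m = ctx.getAttribute(USERS_ATTR);
            if (m == null) ctx.setAttribute(USERS_ATTR, m = new ConcurrentHashMap<String, HttpSession>());
            return (ConcurrentMap<String, HttpSession>) m;
        }
    }

    /** Call only after the credentials are verified. Returns false if another session owns userId. */
    public static boolean tryLogin(HttpSession session, String userId, boolean releaseOld) {
        HttpSession[] displaced = new HttpSession[1];
        HttpSession owner = users(session.getServletContext()).compute(userId, (k, cur) -> {
            if (cur == null || cur.getId().equals(session.getId())) return session;
            if (!releaseOld) return cur;          // keep the existing session, refuse this logon
            displaced[0] = cur;                   // user confirmed: take over the entry
            return session;
        });
        if (owner != session) return false;
        session.setAttribute(USER_ID_ATTR, userId);
        if (displaced[0] != null) {
            try { displaced[0].invalidate(); } catch (IllegalStateException alreadyGone) { }
        }
        return true;
    }

    @Override public void sessionCreated(HttpSessionEvent se) { }

    // Runs on logout, timeout or takeover; removes the entry only if this session still owns it.
    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        HttpSession s = se.getSession();
        Object id = s.getAttribute(USER_ID_ATTR);
        if (id != null) users(s.getServletContext())
            .computeIfPresent((String) id, (k, v) -> v.getId().equals(s.getId()) ? null : v);
    }
}
```

A login servlet would call tryLogin(session, userId, false) first and, if it returns false, show the confirmation dialog and call it again with releaseOld set to true. The map lives in one ServletContext, so this only holds on a single application instance, not across a cluster.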