If I get your Question, You need only one user should be logged in with xyz credentials at one time and if other user(A) tries to log in when one user(B) is already logged in the you don't want other user A to get log in and prompt it that someone is logged in with same credentials.
you can achieve this by max-sessions="1"
<security:http auto-config="true" use-expressions="true" access-denied-page="/accessDenied.jsp">
<security:form-login login-page="/index.jsp"
default-target-url="/jsp/home.jsp"
authentication-failure-handler-ref="authenticationFailureHandler"/>
<security:session-management>
<security:concurrency-control max-sessions="1" error-if-maximum-exceeded="true"/>
</security:session-management>
</security:http>
Somewhere I am getting confused in understanding your actual need, If you need both session should remain active then increase max-sessions="max_session_you_need" and just register session creation listener and there you can check regarding active sessions with the session request just came, if it matches with one of active session then some user is already logged in and do whatever you wants to do...