Most Application servers have a setting that allows you to specify the maximum number of HTTPSession objects given out at any one time. If your application uses sessions, this might be a way to limit the number of users. If the user can't get a session, you display an error telling him/her to wait and try logging in again later.
Is this for a specific Application Server. Check down further in the list of forums and select the Application Server that you are using to ask this questions. Since I have no idea which server you are using, I can't quite choose which forum would be best for this question.