Well, first of all it's bad form to have that sort of code in a JSP. Put it in a servlet, and forward to the JSP once you decide what you want to do.
And don't forward until you have decided. Your code there forwards once for every record in the table. That's a bad idea and not likely to produce the correct results. It would be better to have a Select statement with a where-clause which returns one record for a correct login and zero records for an incorrect login.
But most of all, your code here
compares the data read from the database to certain string constants instead of comparing it to the variables where you saved the request parameters.