Prashant, please use code tags when you post a source code
I've corrected the return statement problem in your code. But the logic also looks wrong to me. If you are thinking that it will try to match the password with every password in the database, then I'm afraid that will not happen. What actually will happen is that it will match the password with only the first password in the database. If it matches, then it will return success otherwise it will return error. Although I'm sure that username would be unique in your database, but since you have used a while loop to check the password, so I am just warning you...
I'd also add that this code is antithetical to current Java (and S2) coding practices.
By embedding all that logic in the action itself things are more difficult to test, debug, and understand. YMMV, but I'd sure consider breaking it out into a service-makes unittesting both the service and the action *much* easier.