Why don't you use the powers of the database to verify the login?
You're hauling the
complete database table over the network into
Java's memory and comparing every row against the given username/password combo in Java instead of using the SQL's WHERE clause!!
Just do a "SELECT id FROM users WHERE username = ? AND password = ?" and simply check if ResultSet#next() returns true or not.
Another thing: what if one hijacked your database? All passwords are stored in plain vanilla text instead of in an one-way encryption like MD5!!
Secure the passwords using MD5 or SHA. Most self-respected databases has functions for it. E.g. "INSERT INTO users (username, password) VALUES (?, MD5(?))" and "SELECT id FROM users WHERE username = ? AND password = MD5(?)".
Make use of the powers of the database as much as possible.