This should not be in a
JSP page.
At the least it should be in a
servlet.
Log the SQL
string used (you might want to move that into a separate SQL String variable).
That way you'll see what query is being run.
Also, that's not a PreparedStatement.
There's no binding of variables done in it.
Finally I would suggest giving the user a role, rather than checking the username. You also don't need to recheck the password. You already know it's correct.
Oh yes, just noticed, you're not closing your resources, either by using a try-with-resources, or in a finally block.