Normally when you don't explicitly configure an AuthenticationSuccessHandler
spring configures a SavedRequestAwareAuthenticationSuccessHandler
for you for handling the success case. What it does is after successful authentication sends the user to the initially requested URL (or when specified and forced to the default page specified in the configuration).
Your custom implementation does no such thing it only sets something on the session and is done, it doesn't send anything back to the client. What you probably want is to extend the SavedRequestAwareAuthenticationSuccessHandler
do your thing and then call super.onAuthenticationSuccess