I already quoted this in your previous problem Redirecting URL after user logged out to previous page opened

Following a successful authentication SavedRequestAwareAuthenticationSuccessHandler: 
If the alwaysUseDefaultTargetUrl property is set to true, the defaultTargetUrl 
will be used for the destination. 
Any DefaultSavedRequest stored in the session will be removed.

So you should set always-use-default-target="false" also you can remove default-target-url attribute.

Hope this helps.

You shouldn't be calling setDefaultTargetUrl while your application is running. It's a field on the class, not a local variable, so it will apply to all users of your site.

Take a look at the code you are extending in SavedRequestAwareAuthenticationSuccessHandler. It's essential you understand how it works if you are going to call the superclass method. You call super.onAuthenticationSuccess as the first thing in your method. This will take the current value of defaultTargetUrl (or a cached request) and redirect to that URL. You are setting the property after the redirect has taken place.

As I said you shouldn't be setting the property at all at runtime. I's guess your method should be more like

@Override
public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws ServletException, IOException {

    String hashValue = request.getParameter(HASH_URL);
    if(hashValue != null) {
        response.sendRedirect(getDefaultTargetUrl() + "/" + hashValue;
    } else {
        response.sendRedirect(getDefaultTargetUrl());
    }
}

You probable don't need to extend a class at all. Just implement AuthenticationSuccessHandler directly yourself. It will be easier to understand what's going on without the inheritance involved.

Not that if you're using a custom handler class, namespace properties like always-use-default-target which affect the default handler won't have any effect.