diff --git a/core/lib/Drupal/Core/Access/AccessCheckInterface.php b/core/lib/Drupal/Core/Access/AccessCheckInterface.php
new file mode 100644
index 0000000..0ce0abb
--- /dev/null
+++ b/core/lib/Drupal/Core/Access/AccessCheckInterface.php
@@ -0,0 +1,40 @@ +checkIds[] = $service_id; + } + + /** + * For each route, saves a list of applicable access checks to the route. + * + * @param RouteCollection $routes + * A collection of routes to apply checks to. + */ + public function setChecks(RouteCollection $routes) { + foreach ($routes as $route) { + $checks = $this->applies($route); + if (!empty($checks)) { + $route->setOption('_access_checks', $checks); + } + } + } + + /** + * Determine which registered access checks apply to a route. + * + * @param Symfony\Component\Routing\Route $route + * The route to get list of access checks for. + * + * @return array + * An array of service ids for the access checks that apply to passed + * route. + */ + protected function applies(Route $route) { + $checks = array(); + + foreach ($this->checkIds as $service_id) { + if (empty($this->checks[$service_id])) { + $this->loadCheck($service_id); + } + + if ($this->checks[$service_id]->applies($route)) { + $checks[] = $service_id; + } + } + + return $checks; + } + + /** + * Check route against applicable access check services to determine whether + * it is accessible. + * + * @param Symfony\Component\Routing\Route $route + * The route to check access to. + * + * @throws Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException + * If any access check denies access or none explicitly approve. + */ + public function check(Route $route) { + $access = FALSE; + $checks = $route->getOption('_access_checks'); + + // No checks == deny by default. + if (!empty($checks)) { + foreach ($checks as $service_id) { + if (empty($this->checks[$service_id])) { + $this->loadCheck($service_id); + } + + $access = $this->checks[$service_id]->access($route); + if ($access === FALSE) { + // A check has denied access, no need to continue checking. + break; + } + } + } + + // Access has been denied or not explicily approved. + if (!$access) { + throw new AccessDeniedHttpException(); + } + } + + /** + * Lazy-loads access check services. 
+ * + * @param string $service_id + * The service id of the access check service to load. + */ + protected function loadCheck($service_id) { + if (!in_array($service_id, $this->checkIds)) { + throw new \InvalidArgumentException(sprintf('No check has been registered for %s', $service_id)); + } + + $this->checks[$service_id] = $this->container->get($service_id); + } + +} diff --git a/core/lib/Drupal/Core/Access/DefaultAccessCheck.php b/core/lib/Drupal/Core/Access/DefaultAccessCheck.php new file mode 100644 index 0000000..4dc53f7 --- /dev/null +++ b/core/lib/Drupal/Core/Access/DefaultAccessCheck.php @@ -0,0 +1,44 @@ +hasDefault('_access'); + } + + /** + * Checks for access to route. + * + * @param Symfony\Component\Routing\Route $route + * The route to check against. + * + * @return mixed + * TRUE if access is allowed. + * FALSE if not. + * NULL if no opinion. + */ + public function access(Route $route) { + return $route->getDefault('_access'); + } +} diff --git a/core/lib/Drupal/Core/Access/PermissionAccessCheck.php b/core/lib/Drupal/Core/Access/PermissionAccessCheck.php new file mode 100644 index 0000000..eabed9e --- /dev/null +++ b/core/lib/Drupal/Core/Access/PermissionAccessCheck.php @@ -0,0 +1,48 @@ +hasDefault('_permission'); + } + + /** + * Checks for access to route. + * + * @param Symfony\Component\Routing\Route $route + * The route to check against. + * + * @return mixed + * TRUE if access is allowed. + * FALSE if not. + * NULL if no opinion. + */ + public function access(Route $route) { + $permission = $route->getDefault('_permission'); + // @todo Replace user_access() with a correctly injected and session-using + // alternative. + return user_access($permission); + } +} diff --git a/core/lib/Drupal/Core/CoreBundle.php b/core/lib/Drupal/Core/CoreBundle.php index 0225c9b..7758434 100644 --- a/core/lib/Drupal/Core/CoreBundle.php +++ b/core/lib/Drupal/Core/CoreBundle.php 
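Review bot: In `check()` the loop overwrites `$access` with every check's return value, so the verdict is whatever the last applicable check returned unless one returned exactly `FALSE`. A route whose first check returns `TRUE` and whose later check returns `NULL` ("no opinion" in the `access()` docblocks of this commit) is denied, and because the final test is the loose `if (!$access)`, any truthy non-boolean return grants access. I would track the verdict separately and set it only on a strict `TRUE`, and say in the docblock how `NULL` is combined with the other results. `loadCheck()` would also be safer with `in_array($service_id, $this->checkIds, TRUE)`. The class header and the method that fills `checkIds` are not visible on this page.

```php
public function check(Route $route) {
  // … unchanged: $access = FALSE, read '_access_checks', deny when empty …
    foreach ($checks as $service_id) {
      // … unchanged: lazy-load of the check service …
      $result = $this->checks[$service_id]->access($route);
      if ($result === FALSE) {
        // An explicit denial always wins over earlier approvals.
        $access = FALSE;
        break;
      }
      if ($result === TRUE) {
        // Only an explicit approval grants; NULL leaves the verdict as it is.
        $access = TRUE;
      }
    }
  // … unchanged: throw AccessDeniedHttpException when $access is not TRUE …
```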
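Review bot: `DefaultAccessCheck::access()` returns `$route->getDefault('_access')` unmodified, so the raw route default becomes the access verdict. Together with the loose `if (!$access)` test in the manager's `check()`, a route that declares `_access` as a non-empty string (a constructed example: the string 'FALSE') would be treated as approved; this is inferred from the two methods as shown, and no route in this diff does that. I would normalise to the three documented outcomes, for example `$access = $route->getDefault('_access'); return is_bool($access) ? $access : NULL;`. The class header is not visible on this page.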
@@ -8,6 +8,7 @@ namespace Drupal\Core; use Drupal\Core\DependencyInjection\Compiler\RegisterKernelListenersPass; +use Drupal\Core\DependencyInjection\Compiler\RegisterAccessChecksPass; use Drupal\Core\DependencyInjection\Compiler\RegisterMatchersPass; use Drupal\Core\DependencyInjection\Compiler\RegisterNestedMatchersPass; use Symfony\Component\DependencyInjection\Definition; @@ -67,6 +68,7 @@ public function build(ContainerBuilder $container) { $container->register('router.dumper', 'Drupal\Core\Routing\MatcherDumper') ->addArgument(new Reference('database')); $container->register('router.builder', 'Drupal\Core\Routing\RouteBuilder') + ->addArgument(new Reference('dispatcher')) ->addArgument(new Reference('router.dumper')) ->addArgument(new Reference('lock')); @@ -101,8 +103,17 @@ public function build(ContainerBuilder $container) { $container->register('view_subscriber', 'Drupal\Core\EventSubscriber\ViewSubscriber') ->addArgument(new Reference('content_negotiation')) ->addTag('event_subscriber'); + $container->register('legacy_access_subscriber', 'Drupal\Core\EventSubscriber\LegacyAccessSubscriber') + ->addTag('event_subscriber'); + $container->register('access_manager', 'Drupal\Core\Access\AccessManager') + ->addMethodCall('setContainer', array(new Reference('service_container'))); $container->register('access_subscriber', 'Drupal\Core\EventSubscriber\AccessSubscriber') + ->addArgument(new Reference('access_manager')) ->addTag('event_subscriber'); + $container->register('access_check.default', 'Drupal\Core\Access\DefaultAccessCheck') + ->addTag('access_check'); + $container->register('access_check.permission', 'Drupal\Core\Access\PermissionAccessCheck') + ->addTag('access_check'); $container->register('maintenance_mode_subscriber', 'Drupal\Core\EventSubscriber\MaintenanceModeSubscriber') ->addTag('event_subscriber'); $container->register('path_subscriber', 'Drupal\Core\EventSubscriber\PathSubscriber') 
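Review bot: In the `@@ -101,8 +103,17 @@` hunk, `access_manager` receives the whole `service_container` through `setContainer`, so the only thing that limits which services it can instantiate is the `checkIds` test in `loadCheck()`. That deserves a comment at the registration, such as `// The container is injected only so tagged access_check services can be lazy-loaded by id.`, so a later change does not relax the id check without noticing what it protects. `build()` starts and ends outside the hunk.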
@@ -129,6 +140,8 @@ public function build(ContainerBuilder $container) { $container->addCompilerPass(new RegisterNestedMatchersPass()); // Add a compiler pass for registering event subscribers. $container->addCompilerPass(new RegisterKernelListenersPass(), PassConfig::TYPE_AFTER_REMOVING); + + $container->addCompilerPass(new RegisterAccessChecksPass()); } } diff --git a/core/lib/Drupal/Core/DependencyInjection/Compiler/RegisterAccessChecksPass.php b/core/lib/Drupal/Core/DependencyInjection/Compiler/RegisterAccessChecksPass.php new file mode 100644 index 0000000..0ae3585 --- /dev/null +++ b/core/lib/Drupal/Core/DependencyInjection/Compiler/RegisterAccessChecksPass.php @@ -0,0 +1,22 @@ +hasDefinition('access_manager')) { + return; + } + $access_manager = $container->getDefinition('access_manager'); + foreach ($container->findTaggedServiceIds('access_check') as $id => $attributes) { + $access_manager->addMethodCall('AddCheckService', array($id)); + } + } +} diff --git a/core/lib/Drupal/Core/EventSubscriber/AccessSubscriber.php b/core/lib/Drupal/Core/EventSubscriber/AccessSubscriber.php index 4f1dc75..cb1cb76 100644 --- a/core/lib/Drupal/Core/EventSubscriber/AccessSubscriber.php +++ b/core/lib/Drupal/Core/EventSubscriber/AccessSubscriber.php @@ -11,6 +11,9 @@ use Symfony\Component\HttpKernel\Event\GetResponseEvent; use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException; use Symfony\Component\EventDispatcher\EventSubscriberInterface; +use Drupal\Core\Routing\RoutingEvents; +use Drupal\Core\Routing\Event\RoutesEvent; +use Drupal\Core\Access\AccessManager; /** * Access subscriber for controller requests. 
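Review bot: In `RegisterAccessChecksPass::process()` the method call is registered as `'AddCheckService'` with a capital A. PHP resolves method names case-insensitively, so it works, but it will not be found by a case-sensitive search for the manager's method and does not follow the lowerCamel naming used elsewhere in the diff; `$access_manager->addMethodCall('addCheckService', array($id));` is what I would expect, assuming that is how the method is declared (its declaration is not visible on this page). The unused `$attributes` could be dropped by iterating over `array_keys()` of the tagged ids.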
@@ -18,21 +21,41 @@ class AccessSubscriber implements EventSubscriberInterface { /** - * Verifies that the current user can access the requested path. + * Constructs a new AccessCheckManager. * - * @todo This is a total hack to keep our current access system working. It - * should be replaced with something robust and injected at some point. + * @param AccessCheckManager $access_check_manager + * The access check manager that will be responsible for applying + * AccessCheckers against routes. + */ + public function __construct(AccessManager $access_manager) { + $this->accessManager = $access_manager; + } + + /** + * Verifies that the current user can access the requested path. * * @param Symfony\Component\HttpKernel\Event\GetResponseEvent $event * The Event to process. */ public function onKernelRequestAccessCheck(GetResponseEvent $event) { + $request = $event->getRequest(); + if (!$request->attributes->has('_route_object')) { + // If no Route is available it is likely a static resource and access is + // handled elsewhere. + return; + } - $router_item = $event->getRequest()->attributes->get('drupal_menu_item'); + $this->accessManager->check($request->attributes->get('_route_object')); + } - if (isset($router_item['access']) && !$router_item['access']) { - throw new AccessDeniedHttpException(); - } + /** + * Apply access checks to routes. + * + * @param Drupal\Core\Routing\Event\RoutesEvent $event + * The event to process. + */ + public function onRoutingRouteAlterSetAccessCheck(RoutesEvent $event) { + $this->accessManager->setChecks($event->getRoutes()); } /** @@ -43,6 +66,8 @@ public function onKernelRequestAccessCheck(GetResponseEvent $event) { */ static function getSubscribedEvents() { $events[KernelEvents::REQUEST][] = array('onKernelRequestAccessCheck', 30); + // Setting very low priority to ensure access checks are run after alters. + $events[RoutingEvents::ROUTE_ALTER][] = array('onRoutingRouteAlterSetAccessCheck', 900); return $events; } 
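Review bot: The early `return` in `onKernelRequestAccessCheck()` skips every access check when the request has no `_route_object` attribute, which makes the new subscriber fail open for anything the new matcher did not handle. In this diff only `FirstEntryFinalMatcher` sets that attribute, and the legacy subscriber denies only when `drupal_menu_item['access']` is set and falsy, so a request carrying neither attribute appears to pass both subscribers (inferred from the visible code). The comment should name the component that is responsible in that case instead of "handled elsewhere". The constructor docblock also does not match the code: it says "Constructs a new AccessCheckManager" and documents `@param AccessCheckManager $access_check_manager`, while the signature is `AccessManager $access_manager`, and no `protected $accessManager;` declaration is visible in the hunk.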
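Review bot: In `getSubscribedEvents()` the comment says "very low priority" but the value registered for `RoutingEvents::ROUTE_ALTER` is `900`, and Symfony's dispatcher calls listeners with higher priority first. As written, `setChecks()` runs before other ROUTE_ALTER subscribers at the default priority, so a route whose `_access` or `_permission` default is changed by a later subscriber keeps the `_access_checks` list computed from its unaltered definition. If the intent is to run last, a negative value is needed, e.g. `array('onRoutingRouteAlterSetAccessCheck', -900)`.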
diff --git a/core/lib/Drupal/Core/EventSubscriber/LegacyAccessSubscriber.php b/core/lib/Drupal/Core/EventSubscriber/LegacyAccessSubscriber.php new file mode 100644 index 0000000..707de62 --- /dev/null +++ b/core/lib/Drupal/Core/EventSubscriber/LegacyAccessSubscriber.php @@ -0,0 +1,49 @@ +getRequest()->attributes->get('drupal_menu_item'); + + if (isset($router_item['access']) && !$router_item['access']) { + throw new AccessDeniedHttpException(); + } + } + + /** + * Registers the methods in this class that should be listeners. + * + * @return array + * An array of event listener definitions. + */ + static function getSubscribedEvents() { + $events[KernelEvents::REQUEST][] = array('onKernelRequestAccessCheck', 30); + + return $events; + } +} diff --git a/core/lib/Drupal/Core/Routing/Event/RoutesEvent.php b/core/lib/Drupal/Core/Routing/Event/RoutesEvent.php new file mode 100644 index 0000000..3dff57e --- /dev/null +++ b/core/lib/Drupal/Core/Routing/Event/RoutesEvent.php @@ -0,0 +1,37 @@ +routes = $routes; + } + + /** + * Returns the routes that are about to be saved. + * + * @return Symfony\Component\Routing\RouteCollection + */ + public function getRoutes() { + return $this->routes; + } +} diff --git a/core/lib/Drupal/Core/Routing/FirstEntryFinalMatcher.php b/core/lib/Drupal/Core/Routing/FirstEntryFinalMatcher.php index 45d0888..c57422e 100644 --- a/core/lib/Drupal/Core/Routing/FirstEntryFinalMatcher.php +++ b/core/lib/Drupal/Core/Routing/FirstEntryFinalMatcher.php @@ -53,7 +53,7 @@ public function matchRequest(Request $request) { preg_match($compiled->getRegex(), $path, $matches); - return array_merge($this->mergeDefaults($matches, $route->getDefaults()), array('_route' => $name)); + return array_merge($this->mergeDefaults($matches, $route->getDefaults()), array('_route' => $name, '_route_object' => $route)); } } diff --git a/core/lib/Drupal/Core/Routing/RouteBuilder.php b/core/lib/Drupal/Core/Routing/RouteBuilder.php index 3a27767..815f9c9 100644 
--- a/core/lib/Drupal/Core/Routing/RouteBuilder.php +++ b/core/lib/Drupal/Core/Routing/RouteBuilder.php @@ -7,8 +7,12 @@ namespace Drupal\Core\Routing; +use Symfony\Component\EventDispatcher\EventDispatcherInterface; +use Symfony\Component\Routing\RouteCompilerInterface; +use Symfony\Component\Routing\Route; use Drupal\Core\Lock\LockBackendInterface; use Symfony\Component\Routing\Matcher\Dumper\MatcherDumperInterface; +use Drupal\Core\Routing\Event\RoutesEvent; /** * Managing class for rebuilding the router table. @@ -33,14 +37,17 @@ class RouteBuilder { protected $lock; /** - * Construcs the RouteBuilder using the passed MatcherDumperInterface. + * Constructs the RouteBuilder using the passed MatcherDumperInterface. * + * @param \Symfony\Component\EventDispatcher\EventDispatcherInterface $dispatcher + * The dispatcher used to dispatch events. * @param \Symfony\Component\Routing\Matcher\Dumper\MatcherDumperInterface $dumper * The matcher dumper used to store the route information. * @param \Drupal\Core\Lock\LockBackendInterface $lock * The lock backend. */ - public function __construct(MatcherDumperInterface $dumper, LockBackendInterface $lock) { + public function __construct(EventDispatcherInterface $dispatcher, MatcherDumperInterface $dumper, LockBackendInterface $lock) { + $this->dispatcher = $dispatcher; $this->dumper = $dumper; $this->lock = $lock; } @@ -64,6 +71,10 @@ public function rebuild() { $routes = call_user_func($module . '_route_info'); drupal_alter('router_info', $routes, $module); $this->dumper->addRoutes($routes); + + // Allow components to manipulate routes before they are saved. + $this->dispatcher->dispatch(RoutingEvents::ROUTE_ALTER, new RoutesEvent($routes)); + $this->dumper->dump(array('route_set' => $module)); } $this->lock->release('router_rebuild'); diff --git a/core/lib/Drupal/Core/Routing/RoutingEvents.php b/core/lib/Drupal/Core/Routing/RoutingEvents.php new file mode 100644 index 0000000..2409e4b --- /dev/null 
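Review bot: The constructor in the `@@ -33,14 +37,17 @@` hunk assigns `$this->dispatcher`, but no property declaration is added next to `protected $lock;`, so the property is created dynamically. I would add `protected $dispatcher;` with a short docblock ("The event dispatcher used to notify route alter subscribers."). The imports added in the first hunk for `RouteCompilerInterface` and `Route` are not used by any line visible in this diff and can probably be dropped. The class body continues outside the hunk.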
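Review bot: In `rebuild()` the `ROUTE_ALTER` event is dispatched after `$this->dumper->addRoutes($routes)`, so the dumper has already received the routes when subscribers alter them. Option changes made on the shared Route objects (such as `_access_checks`) will presumably still reach the dump, but that depends on how `addRoutes()` stores them, which is not visible here; routes that a subscriber adds to or removes from the collection may not be dumped at all, and a route dumped without `_access_checks` is denied by `check()`. Moving the `dispatch()` call above `addRoutes()` would match the comment "before they are saved". `rebuild()` starts and ends outside the hunk.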
+++ b/core/lib/Drupal/Core/Routing/RoutingEvents.php @@ -0,0 +1,26 @@ + 'Router Permission tests', + 'description' => 'Function Tests for the routing permission system.', + 'group' => 'Routing', + ); + } + + /** + * Confirms that the router can get to a controller. + */ + public function testPermissionAccessDenied() { + + $this->drupalGet('router_test/test5'); + $this->assertResponse(403, 'Access denied for a route where we don\'t have a permission'); + } + + /** + * Confirms that our default controller logic works properly. + */ + public function testPermissionAccessPassed() { + + $user = $this->drupalCreateUser(array('access test5')); + + $this->drupalGet('router_test/test5'); + $this->assertRaw('test5', 'The correct string was returned because the route was successful.'); + + } +} diff --git a/core/modules/system/tests/modules/router_test/lib/Drupal/router_test/TestControllers.php b/core/modules/system/tests/modules/router_test/lib/Drupal/router_test/TestControllers.php index fa92fd8..ca6605a 100644 --- a/core/modules/system/tests/modules/router_test/lib/Drupal/router_test/TestControllers.php +++ b/core/modules/system/tests/modules/router_test/lib/Drupal/router_test/TestControllers.php @@ -30,4 +30,8 @@ public function test4($value) { return $value; } + public function test5() { + return new Response('test5'); + } + } diff --git a/core/modules/system/tests/modules/router_test/router_test.module b/core/modules/system/tests/modules/router_test/router_test.module index 4da939d..2d2b1f7 100644 --- a/core/modules/system/tests/modules/router_test/router_test.module +++ b/core/modules/system/tests/modules/router_test/router_test.module 
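Review bot: `testPermissionAccessPassed()` creates a user with the 'access test5' permission but never logs it in, so the request to `router_test/test5` is still made anonymously and the granted path of `PermissionAccessCheck` is not exercised. The only assertion is `assertRaw('test5', …)`, which does not pin the status code. I would add `$this->drupalLogin($user);` before the `drupalGet()` call and `$this->assertResponse(200);` after it. The class header of this test is not visible on this page.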
@@ -4,6 +4,18 @@ use Symfony\Component\Routing\RouteCollection; /** + * Implements hook_permission(). + */ +function router_test_permission() { + return array( + 'access test5' => array( + 'title' => t('Access test5 route'), + 'description' => t('Test permission only.'), + ), + ); +} + +/** * Implements hook_router_info(). */ function router_test_route_info() { @@ -20,15 +32,23 @@ function router_test_route_info() { $collection->add('router_test_2', $route); $route = new Route('router_test/test3/{value}', array( - '_content' => '\Drupal\router_test\TestControllers::test3' + '_content' => '\Drupal\router_test\TestControllers::test3', + '_access' => TRUE, )); $collection->add('router_test_3', $route); $route = new Route('router_test/test4/{value}', array( '_content' => '\Drupal\router_test\TestControllers::test4', 'value' => 'narf', + '_access' => TRUE, )); $collection->add('router_test_4', $route); + $route = new Route('router_test/test5', array( + '_controller' => '\Drupal\router_test\TestControllers::test5', + '_permission' => 'access test5', + )); + $collection->add('router_test_5', $route); + return $collection; } diff --git a/core/update.php b/core/update.php index 968e8f4..83c6c10 100644 --- a/core/update.php +++ b/core/update.php @@ -458,6 +458,7 @@ function update_check_requirements($skip_warnings = FALSE) { $container->register('router.dumper', '\Drupal\Core\Routing\MatcherDumper') ->addArgument(new Reference('database')); $container->register('router.builder', 'Drupal\Core\Routing\RouteBuilder') + ->addArgument(new Reference('dispatcher')) ->addArgument(new Reference('router.dumper')) ->addArgument(new Reference('lock'));