diff --git a/core/lib/Drupal/Core/Authentication/AuthenticationManager.php b/core/lib/Drupal/Core/Authentication/AuthenticationManager.php
index 1a7ca6e..1fc668a 100644
--- a/core/lib/Drupal/Core/Authentication/AuthenticationManager.php
+++ b/core/lib/Drupal/Core/Authentication/AuthenticationManager.php
@@ -7,9 +7,9 @@
 
 namespace Drupal\Core\Authentication;
 
+use Drupal\Core\Routing\RouteMatch;
 use Drupal\Core\Session\AnonymousUserSession;
 use Symfony\Component\HttpFoundation\Request;
-use Symfony\Cmf\Component\Routing\RouteObjectInterface;
 use Symfony\Component\HttpKernel\Event\GetResponseForExceptionEvent;
 
 /**
@@ -88,8 +88,8 @@ public function authenticate(Request $request) {
 
     $account = NULL;
 
-    // Iterate the availlable providers.
-    foreach ($this->getSortedProviders() as $provider_id => $provider) {
+    // Iterate the allowed providers.
+    foreach ($this->filterProviders($this->getSortedProviders(), $request) as $provider_id => $provider) {
       if ($provider->applies($request)) {
         // Try to authenticate with this provider, skipping all others.
         $account = $provider->authenticate($request);
@@ -155,6 +155,36 @@ public function getSortedProviders() {
   }
 
   /**
+   * Filters a list of providers and only return those allowed on the request.
+   *
+   * @param \Drupal\Core\Authentication\AuthenticationProviderInterface[] $providers
+   *   An array of authentication provider objects.
+   * @param Request $request
+   *   The request object.
+   *
+   * @return \Drupal\Core\Authentication\AuthenticationProviderInterface[]
+   *   The filtered array authentication provider objects.
+   */
+  protected function filterProviders(array $providers, Request $request) {
+    $route = RouteMatch::createFromRequest($request)->getRouteObject();
+    $allowed_providers = array();
+    if ($route && $route->hasOption('_auth')) {
+      $allowed_providers = $route->getOption('_auth');
+    }
+    elseif ($default_provider = $this->defaultProviderId()) {
+      // @todo Mirrors the defective behavior of AuthenticationEnhancer and
+      // restricts the list of allowed providers to the default provider if no
+      // _auth was specified on the current route.
+      //
+      // This restriction will be removed by https://www.drupal.org/node/2286971
+      // See also https://www.drupal.org/node/2283637
+      $allowed_providers = array($default_provider);
+    }
+
+    return array_intersect_key($providers, array_flip($allowed_providers));
+  }
+
+  /**
    * Cleans up the authentication.
    *
    * Allow the triggered provider to clean up before the response is sent, e.g.
@@ -176,18 +206,11 @@ public function cleanup(Request $request) {
    * {@inheritdoc}
    */
   public function handleException(GetResponseForExceptionEvent $event) {
-    $request = $event->getRequest();
-
-    $route = $request->attributes->get(RouteObjectInterface::ROUTE_OBJECT);
-    $active_providers = ($route && $route->getOption('_auth')) ? $route->getOption('_auth') : array($this->defaultProviderId());
-
-    // Get the sorted list of active providers for the given route.
-    $providers = array_intersect($active_providers, array_keys($this->providers));
-
-    foreach ($providers as $provider_id) {
-      if ($this->providers[$provider_id]->handleException($event) == TRUE) {
+    foreach ($this->filterProviders($this->getSortedProviders(), $event->getRequest()) as $provider) {
+      if ($provider->handleException($event) == TRUE) {
         break;
       }
     }
   }
+
 }
diff --git a/core/modules/user/src/Access/LoginStatusCheck.php b/core/modules/user/src/Access/LoginStatusCheck.php
index fbceacd..5bd70aa 100644
--- a/core/modules/user/src/Access/LoginStatusCheck.php
+++ b/core/modules/user/src/Access/LoginStatusCheck.php
@@ -10,6 +10,7 @@
 use Drupal\Core\Routing\Access\AccessInterface;
 use Drupal\Core\Session\AccountInterface;
 use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\Routing\Route;
 
 /**
  * Determines access to routes based on login status of current user.
@@ -19,6 +20,8 @@ class LoginStatusCheck implements AccessInterface {
   /**
    * Checks access.
    *
+   * @param \Symfony\Component\Routing\Route $route
+   *   The route to check against.
    * @param \Symfony\Component\HttpFoundation\Request $request
    *   The request object.
    * @param \Drupal\Core\Session\AccountInterface $account
@@ -27,8 +30,10 @@ class LoginStatusCheck implements AccessInterface {
    * @return string
    *   A \Drupal\Core\Access\AccessInterface constant value.
    */
-  public function access(Request $request, AccountInterface $account) {
-    return ($request->attributes->get('_menu_admin') || $account->isAuthenticated()) ? static::ALLOW : static::DENY;
+  public function access(Route $route, Request $request, AccountInterface $account) {
+    $required_status = filter_var($route->getRequirement('_user_is_logged_in'), FILTER_VALIDATE_BOOLEAN);
+    $actual_status = $account->isAuthenticated();
+    return ($request->attributes->get('_menu_admin') || $required_status == $actual_status) ? static::ALLOW : static::DENY;
   }
 
 }
diff --git a/core/modules/user/src/Controller/UserController.php b/core/modules/user/src/Controller/UserController.php
index c27e3c9..263ef62 100644
--- a/core/modules/user/src/Controller/UserController.php
+++ b/core/modules/user/src/Controller/UserController.php
@@ -26,20 +26,18 @@ class UserController extends ControllerBase {
    * @param \Symfony\Component\HttpFoundation\Request $request
    *   The current request.
    *
-   * @return \Symfony\Component\HttpFoundation\RedirectResponse|array
-   *   Returns either a redirect to the user page or the render
-   *   array of the login form.
+   * @return \Symfony\Component\HttpFoundation\RedirectResponse
+   *   Returns either a redirect to the user page (if the user is authenticated)
+   *   or a redirect to the login page.
    */
   public function userPage(Request $request) {
-    $user = $this->currentUser();
-    if ($user->id()) {
-      $response = $this->redirect('user.view', array('user' => $user->id()));
+    $user_id = $this->currentUser()->id();
+    if ($user_id) {
+      return $this->redirect('user.view', array('user' => $user_id));
     }
     else {
-      $form_builder = $this->formBuilder();
-      $response = $form_builder->getForm('Drupal\user\Form\UserLoginForm');
+      return $this->redirect('user.login');
     }
-    return $response;
   }
 
   /**
diff --git a/core/modules/user/src/EventSubscriber/AccessDeniedSubscriber.php b/core/modules/user/src/EventSubscriber/AccessDeniedSubscriber.php
new file mode 100644
index 0000000..61d6bf1
--- /dev/null
+++ b/core/modules/user/src/EventSubscriber/AccessDeniedSubscriber.php
@@ -0,0 +1,98 @@
+<?php
+
+/**
+ * @file
+ * Contains \Drupal\user\EventSubscriber\AccessDeniedSubscriber.
+ */
+
+namespace Drupal\user\EventSubscriber;
+
+use Drupal\Core\Session\AccountInterface;
+use Drupal\Core\Routing\RouteMatch;
+use Drupal\Core\Routing\UrlGeneratorInterface;
+use Symfony\Component\EventDispatcher\EventSubscriberInterface;
+use Symfony\Component\HttpFoundation\RedirectResponse;
+use Symfony\Component\HttpKernel\Event\GetResponseForExceptionEvent;
+use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
+use Symfony\Component\HttpKernel\KernelEvents;
+
+/**
+ * Redirects authenticated users from login/register form to the profile.
+ */
+class AccessDeniedSubscriber implements EventSubscriberInterface {
+
+  /**
+   * The current user.
+   *
+   * @var \Drupal\Core\Session\AccountInterface
+   */
+  protected $account;
+
+  /**
+   * The URL generator.
+   *
+   * @var \Drupal\Core\Routing\UrlGeneratorInterface
+   */
+  protected $urlGenerator;
+
+  /**
+   * Constructs a new redirect subscriber.
+   *
+   * @param \Drupal\Core\Session\AccountInterface $account
+   *   The current user.
+   * @param \Drupal\Core\Routing\UrlGeneratorInterface $url_generator
+   *   The URL generator.
+   */
+  public function __construct(AccountInterface $account, URLGeneratorInterface $url_generator) {
+    $this->account = $account;
+    $this->urlGenerator = $url_generator;
+  }
+
+  /**
+   * Redirects authenticated users from login/register form to the profile.
+   *
+   * @param \Symfony\Component\HttpKernel\Event\GetResponseForExceptionEvent $event
+   *   The event to process.
+   */
+  public function onException(GetResponseForExceptionEvent $event) {
+    $exception = $event->getException();
+    if ($exception instanceof AccessDeniedHttpException && $this->account->isAuthenticated()) {
+      $route_name = RouteMatch::createFromRequest($event->getRequest())->getRouteName();
+      switch ($route_name) {
+        case 'user.login';
+          // Redirect an authenticated user to the profile page.
+          $event->setResponse(new RedirectResponse($this->url('user.view', array('user' => $this->account->id()), array('absolute' => TRUE))));
+          break;
+
+        case 'user.register';
+          // Redirect an authenticated user to the profile form.
+          $event->setResponse(new RedirectResponse($this->url('user.edit', array('user' => $this->account->id()), array('absolute' => TRUE))));
+          break;
+      }
+    }
+  }
+
+  /**
+   * Generates a URL or path for a specific route based on the given parameters.
+   *
+   * @see \Drupal\Core\Routing\UrlGeneratorInterface::generateFromRoute() for
+   *   details on the arguments, usage, and possible exceptions.
+   *
+   * @return string
+   *   The generated URL for the given route.
+   *
+   * @todo: Use UrlGeneratorTrait (see https://www.drupal.org/node/2282161)
+   */
+  protected function url($route_name, $route_parameters = array(), $options = array()) {
+    return $this->urlGenerator->generateFromRoute($route_name, $route_parameters, $options);
+  }
+
+  /**
+   * {@inheritdoc}
+   */
+  public static function getSubscribedEvents() {
+    $events[KernelEvents::EXCEPTION][] = array('onException');
+    return $events;
+  }
+
+}
diff --git a/core/modules/user/src/EventSubscriber/MaintenanceModeSubscriber.php b/core/modules/user/src/EventSubscriber/MaintenanceModeSubscriber.php
index 1e8d114..8d944b3 100644
--- a/core/modules/user/src/EventSubscriber/MaintenanceModeSubscriber.php
+++ b/core/modules/user/src/EventSubscriber/MaintenanceModeSubscriber.php
@@ -7,6 +7,7 @@
 
 namespace Drupal\user\EventSubscriber;
 
+use Drupal\Core\Routing\RouteMatch;
 use Symfony\Component\EventDispatcher\EventSubscriberInterface;
 use Symfony\Component\HttpFoundation\RedirectResponse;
 use Symfony\Component\HttpKernel\Event\GetResponseEvent;
@@ -19,7 +20,7 @@
 class MaintenanceModeSubscriber implements EventSubscriberInterface {
 
   /**
-   * Determine whether the page is configured to be offline.
+   * Logout users if site is in maintenance mode.
    *
    * @param \Symfony\Component\HttpKernel\Event\GetResponseEvent $event
    *   The event to process.
@@ -28,7 +29,8 @@ public function onKernelRequestMaintenance(GetResponseEvent $event) {
     $user = \Drupal::currentUser();
     $request = $event->getRequest();
     $site_status = $request->attributes->get('_maintenance');
-    $path = $request->attributes->get('_system_path');
+    $route_match = RouteMatch::createFromRequest($request);
+    $route_name = $route_match->getRouteName();
     if ($site_status == CoreMaintenanceModeSubscriber::SITE_OFFLINE) {
       // If the site is offline, log out unprivileged users.
       if ($user->isAuthenticated() && !$user->hasPermission('access site in maintenance mode')) {
@@ -39,44 +41,24 @@ public function onKernelRequestMaintenance(GetResponseEvent $event) {
       }
 
       if ($user->isAnonymous()) {
-        switch ($path) {
-          case 'user':
-            // Forward anonymous user to login page.
-            $event->setResponse(new RedirectResponse(url('user/login', array('absolute' => TRUE))));
-            return;
-          case 'user/login':
-          case 'user/password':
+        switch ($route_name) {
+          case 'user.login':
+          case 'user.page':
+          case 'user.pass':
+          case 'user.reset':
             // Disable offline mode.
             $request->attributes->set('_maintenance', CoreMaintenanceModeSubscriber::SITE_ONLINE);
             break;
-          default:
-            if (strpos($path, 'user/reset/') === 0) {
-              // Disable offline mode.
-              $request->attributes->set('_maintenance', CoreMaintenanceModeSubscriber::SITE_ONLINE);
-            }
-            break;
         }
       }
     }
-    if ($user->isAuthenticated()) {
-      if ($path == 'user/login') {
-        // If user is logged in, redirect to 'user' instead of giving 403.
-        $event->setResponse(new RedirectResponse(url('user', array('absolute' => TRUE))));
-        return;
-      }
-      if ($path == 'user/register') {
-        // Authenticated user should be redirected to user edit page.
-        $event->setResponse(new RedirectResponse(url('user/' . $user->id() . '/edit', array('absolute' => TRUE))));
-        return;
-      }
-    }
   }
 
   /**
    * {@inheritdoc}
    */
   public static function getSubscribedEvents() {
-    $events[KernelEvents::REQUEST][] = array('onKernelRequestMaintenance', 35);
+    $events[KernelEvents::REQUEST][] = array('onKernelRequestMaintenance', 31);
     return $events;
   }
 
diff --git a/core/modules/user/src/RegisterForm.php b/core/modules/user/src/RegisterForm.php
index ddbbcc0..3e642f9 100644
--- a/core/modules/user/src/RegisterForm.php
+++ b/core/modules/user/src/RegisterForm.php
@@ -40,11 +40,6 @@ public function form(array $form, array &$form_state) {
       '#value' => $admin,
     );
 
-    // If we aren't admin but already logged on, go to the user page instead.
-    if (!$admin && $user->isAuthenticated()) {
-      return new RedirectResponse(url('user/' . \Drupal::currentUser()->id(), array('absolute' => TRUE)));
-    }
-
     $form['#attached']['library'][] = 'core/jquery.cookie';
     $form['#attributes']['class'][] = 'user-info-from-cookie';
 
diff --git a/core/modules/user/user.routing.yml b/core/modules/user/user.routing.yml
index 55c57d1..110bdaf 100644
--- a/core/modules/user/user.routing.yml
+++ b/core/modules/user/user.routing.yml
@@ -145,7 +145,7 @@ user.login:
     _form: '\Drupal\user\Form\UserLoginForm'
     _title: 'Log in'
   requirements:
-    _access: 'TRUE'
+    _user_is_logged_in: 'FALSE'
 
 user.edit:
   path: '/user/{user}/edit'
diff --git a/core/modules/user/user.services.yml b/core/modules/user/user.services.yml
index 1e8f9b3..1c1a1c5 100644
--- a/core/modules/user/user.services.yml
+++ b/core/modules/user/user.services.yml
@@ -40,6 +40,11 @@ services:
     class: Drupal\user\EventSubscriber\MaintenanceModeSubscriber
     tags:
       - { name: event_subscriber }
+  user_access_denied_subscriber:
+    class: Drupal\user\EventSubscriber\AccessDeniedSubscriber
+    arguments: ['@current_user', '@url_generator']
+    tags:
+      - { name: event_subscriber }
   theme.negotiator.admin_theme:
     class: Drupal\user\Theme\AdminNegotiator
     arguments: ['@current_user', '@config.factory', '@entity.manager', '@router.admin_context']