diff --git a/core/core.services.yml b/core/core.services.yml
index 7d7449d..d40b69d 100644
--- a/core/core.services.yml
+++ b/core/core.services.yml
@@ -851,8 +851,13 @@ services:
     class: Drupal\Core\Utility\LinkGenerator
     arguments: ['@url_generator', '@module_handler', '@renderer']
   router:
-    class: Drupal\Core\Routing\AccessAwareRouter
-    arguments: ['@router.no_access_checks', '@access_manager', '@current_user']
+    class: \Drupal\Core\Routing\Router
+    arguments: ['@router.route_provider', '@path.current', '@url_generator', '@access_manager', '@current_user', TRUE]
+    tags:
+      - { name: service_collector, tag: non_lazy_route_enhancer, call: addRouteEnhancer }
+      - { name: service_collector, tag: non_lazy_route_filter, call: addRouteFilter }
+    calls:
+      - [setContext, ['@router.request_context']]
   router.dynamic:
     class: Symfony\Cmf\Component\Routing\DynamicRouter
     arguments: ['@router.request_context', '@router.matcher', '@url_generator']
@@ -861,7 +866,7 @@ services:
     deprecated: The "%service_id%" service is deprecated. You should use the 'router.no_access_checks' service instead.
   router.no_access_checks:
     class: \Drupal\Core\Routing\Router
-    arguments: ['@router.route_provider', '@path.current', '@url_generator']
+    arguments: ['@router.route_provider', '@path.current', '@url_generator', '@access_manager', '@current_user', FALSE]
     tags:
       - { name: service_collector, tag: non_lazy_route_enhancer, call: addRouteEnhancer }
       - { name: service_collector, tag: non_lazy_route_filter, call: addRouteFilter }
diff --git a/core/lib/Drupal/Core/Routing/AccessAwareRouter.php b/core/lib/Drupal/Core/Routing/AccessAwareRouter.php
deleted file mode 100644
index 5c3d931..0000000
--- a/core/lib/Drupal/Core/Routing/AccessAwareRouter.php
+++ /dev/null
@@ -1,146 +0,0 @@
-<?php
-
-namespace Drupal\Core\Routing;
-
-use Drupal\Core\Access\AccessManagerInterface;
-use Drupal\Core\Access\AccessResultReasonInterface;
-use Drupal\Core\Session\AccountInterface;
-use Symfony\Component\HttpFoundation\Request;
-use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
-use Symfony\Component\Routing\Matcher\RequestMatcherInterface;
-use Symfony\Component\Routing\RequestContext as SymfonyRequestContext;
-use Symfony\Component\Routing\RequestContextAwareInterface;
-use Symfony\Component\Routing\RouterInterface;
-
-/**
- * A router class for Drupal with access check and upcasting.
- */
-class AccessAwareRouter implements AccessAwareRouterInterface {
-
-  /**
-   * The router doing the actual routing.
-   *
-   * @var \Symfony\Component\Routing\Matcher\RequestMatcherInterface
-   */
-  protected $router;
-
-  /**
-   * The access manager.
-   *
-   * @var \Drupal\Core\Access\AccessManagerInterface
-   */
-  protected $accessManager;
-
-  /**
-   * The account to use in access checks.
-   *
-   * @var \Drupal\Core\Session\AccountInterface;
-   */
-  protected $account;
-
-  /**
-   * Constructs a router for Drupal with access check and upcasting.
-   *
-   * @param \Symfony\Component\Routing\Matcher\RequestMatcherInterface $router
-   *   The router doing the actual routing.
-   * @param \Drupal\Core\Access\AccessManagerInterface $access_manager
-   *   The access manager.
-   * @param \Drupal\Core\Session\AccountInterface $account
-   *   The account to use in access checks.
-   */
-  public function __construct(RequestMatcherInterface $router, AccessManagerInterface $access_manager, AccountInterface $account) {
-    $this->router = $router;
-    $this->accessManager = $access_manager;
-    $this->account = $account;
-  }
-
-  /**
-   * {@inheritdoc}
-   */
-  public function __call($name, $arguments) {
-    // Ensure to call every other function to the router.
-    return call_user_func_array([$this->router, $name], $arguments);
-  }
-
-  /**
-   * {@inheritdoc}
-   */
-  public function setContext(SymfonyRequestContext $context) {
-    if ($this->router instanceof RequestContextAwareInterface) {
-      $this->router->setContext($context);
-    }
-  }
-
-  /**
-   * {@inheritdoc}
-   */
-  public function getContext() {
-    if ($this->router instanceof RequestContextAwareInterface) {
-      return $this->router->getContext();
-    }
-  }
-
-  /**
-   * {@inheritdoc}
-   *
-   * @throws \Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException
-   *   Thrown when access checking failed.
-   */
-  public function matchRequest(Request $request) {
-    $parameters = $this->router->matchRequest($request);
-    $request->attributes->add($parameters);
-    $this->checkAccess($request);
-    // We can not return $parameters because the access check can change the
-    // request attributes.
-    return $request->attributes->all();
-  }
-
-  /**
-   * Apply access check service to the route and parameters in the request.
-   *
-   * @param \Symfony\Component\HttpFoundation\Request $request
-   *   The request to access check.
-   */
-  protected function checkAccess(Request $request) {
-    // The cacheability (if any) of this request's access check result must be
-    // applied to the response.
-    $access_result = $this->accessManager->checkRequest($request, $this->account, TRUE);
-    // Allow a master request to set the access result for a subrequest: if an
-    // access result attribute is already set, don't overwrite it.
-    if (!$request->attributes->has(AccessAwareRouterInterface::ACCESS_RESULT)) {
-      $request->attributes->set(AccessAwareRouterInterface::ACCESS_RESULT, $access_result);
-    }
-    if (!$access_result->isAllowed()) {
-      throw new AccessDeniedHttpException($access_result instanceof AccessResultReasonInterface ? $access_result->getReason() : NULL);
-    }
-  }
-
-  /**
-   * {@inheritdoc}
-   */
-  public function getRouteCollection() {
-    if ($this->router instanceof RouterInterface) {
-      return $this->router->getRouteCollection();
-    }
-  }
-
-  /**
-   * {@inheritdoc}
-   */
-  public function generate($name, $parameters = array(), $referenceType = self::ABSOLUTE_PATH) {
-    if ($this->router instanceof UrlGeneratorInterface) {
-      return $this->router->generate($name, $parameters, $referenceType);
-    }
-  }
-
-  /**
-   * {@inheritdoc}
-   *
-   * @throws \Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException
-   *   Thrown when access checking failed.
-   */
-  public function match($pathinfo) {
-    return $this->matchRequest(Request::create($pathinfo));
-  }
-
-}
diff --git a/core/lib/Drupal/Core/Routing/Router.php b/core/lib/Drupal/Core/Routing/Router.php
index 80a31f7..fb59afd 100644
--- a/core/lib/Drupal/Core/Routing/Router.php
+++ b/core/lib/Drupal/Core/Routing/Router.php
@@ -2,12 +2,16 @@
 
 namespace Drupal\Core\Routing;
 
+use Drupal\Core\Access\AccessManagerInterface;
+use Drupal\Core\Access\AccessResultReasonInterface;
 use Drupal\Core\Path\CurrentPathStack;
+use Drupal\Core\Session\AccountInterface;
 use Symfony\Cmf\Component\Routing\Enhancer\RouteEnhancerInterface as BaseRouteEnhancerInterface;
 use Symfony\Cmf\Component\Routing\LazyRouteCollection;
 use Symfony\Cmf\Component\Routing\NestedMatcher\RouteFilterInterface as BaseRouteFilterInterface;
 use Symfony\Cmf\Component\Routing\RouteProviderInterface as BaseRouteProviderInterface;
 use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
 use Symfony\Component\Routing\Exception\MethodNotAllowedException;
 use Symfony\Component\Routing\Exception\ResourceNotFoundException;
 use Symfony\Component\Routing\Generator\UrlGeneratorInterface as BaseUrlGeneratorInterface;
@@ -31,6 +35,7 @@
  *    regex. See ::matchCollection().
  * 4. Enhance the list of route attributes, for example loading entity objects.
  *    See ::applyRouteEnhancers().
+ * 5. Finally it checks access.
  *
  * This implementation uses ideas of the following routers:
  * - \Symfony\Cmf\Component\Routing\DynamicRouter
@@ -41,7 +46,7 @@
  * @see \Drupal\Core\Routing\UrlMatcher
  * @see \Symfony\Cmf\Component\Routing\NestedMatcher\NestedMatcher
  */
-class Router extends UrlMatcher implements RequestMatcherInterface, RouterInterface {
+class Router extends UrlMatcher implements RequestMatcherInterface, RouterInterface, AccessAwareRouterInterface {
 
   /**
    * The route provider responsible for the first-pass match.
@@ -86,6 +91,27 @@ class Router extends UrlMatcher implements RequestMatcherInterface, RouterInterf
   protected $urlGenerator;
 
   /**
+   * The access manager.
+   *
+   * @var \Drupal\Core\Access\AccessManagerInterface
+   */
+  protected $accessManager;
+
+  /**
+   * The current user.
+   *
+   * @var \Drupal\Core\Session\AccountInterface
+   */
+  protected $account;
+
+  /**
+   * Whether to check access.
+   *
+   * @var bool
+   */
+  protected $checkAccess;
+
+  /**
    * Constructs a new Router.
    *
    * @param \Symfony\Cmf\Component\Routing\RouteProviderInterface $route_provider
@@ -94,11 +120,20 @@ class Router extends UrlMatcher implements RequestMatcherInterface, RouterInterf
    *   The current path stack.
    * @param \Symfony\Component\Routing\Generator\UrlGeneratorInterface $url_generator
    *   The URL generator.
+   * @param \Drupal\Core\Access\AccessManagerInterface $access_manager
+   *   The access manager.
+   * @param \Drupal\Core\Session\AccountInterface $account
+   *   The current user.
+   * @param bool $check_access
+   *   Whether to check access.
    */
-  public function __construct(BaseRouteProviderInterface $route_provider, CurrentPathStack $current_path, BaseUrlGeneratorInterface $url_generator) {
+  public function __construct(BaseRouteProviderInterface $route_provider, CurrentPathStack $current_path, BaseUrlGeneratorInterface $url_generator, AccessManagerInterface $access_manager, AccountInterface $account, $check_access = TRUE) {
     parent::__construct($current_path);
     $this->routeProvider = $route_provider;
     $this->urlGenerator = $url_generator;
+    $this->accessManager = $access_manager;
+    $this->account = $account;
+    $this->checkAccess = $check_access;
   }
 
   /**
@@ -151,7 +186,15 @@ public function matchRequest(Request $request) {
     $collection = $this->applyRouteFilters($collection, $request);
 
     if ($ret = $this->matchCollection(rawurldecode($this->currentPath->getPath($request)), $collection)) {
-      return $this->applyRouteEnhancers($ret, $request);
+      $parameters = $this->applyRouteEnhancers($ret, $request);
+      $request->attributes->add($parameters);
+
+      // Checking access here. ::checkAccess might throw an exception, when
+      // access is not granted.
+      if ($this->checkAccess) {
+        $this->checkAccess($request);
+      }
+      return $request->attributes->all();
     }
 
     throw 0 < count($this->allow)
@@ -284,6 +327,29 @@ protected function sortFilters() {
   }
 
   /**
+   * Apply access check service to the route and parameters in the request.
+   *
+   * @param \Symfony\Component\HttpFoundation\Request $request
+   *   The request to access check.
+   *
+   * @throws \Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException
+   *   Thrown when access was not allowed.
+   */
+  protected function checkAccess(Request $request) {
+    // The cacheability (if any) of this request's access check result must be
+    // applied to the response.
+    $access_result = $this->accessManager->checkRequest($request, $this->account, TRUE);
+    // Allow a master request to set the access result for a subrequest: if an
+    // access result attribute is already set, don't overwrite it.
+    if (!$request->attributes->has(AccessAwareRouterInterface::ACCESS_RESULT)) {
+      $request->attributes->set(AccessAwareRouterInterface::ACCESS_RESULT, $access_result);
+    }
+    if (!$access_result->isAllowed()) {
+      throw new AccessDeniedHttpException($access_result instanceof AccessResultReasonInterface ? $access_result->getReason() : NULL);
+    }
+  }
+
+  /**
    * {@inheritdoc}
    */
   public function getRouteCollection() {
