From: Amos Jeffries Date: Wed, 14 Dec 2016 22:13:26 +0000 (+1300) Subject: Refactor libauth Config object(s) X-Git-Tag: M-staged-PR71~333^2~17 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dc79fed82ca17273f1d8ae3351ff247d73c1b256;p=thirdparty%2Fsquid.git Refactor libauth Config object(s) * Rename auth_param config object to Auth::SchemeConfig + update filename to match * Add auth/forward.h file for predefines and namespace docs * Move auth_schemes config object to Auth:: namespace --- diff --git a/src/SquidConfig.h b/src/SquidConfig.h index 799a2aa657..5ff7e0795d 100644 --- a/src/SquidConfig.h +++ b/src/SquidConfig.h @@ -10,9 +10,6 @@ #define SQUID_SQUIDCONFIG_H_ #include "acl/forward.h" -#if USE_AUTH -#include "auth/SchemesConfig.h" -#endif #include "base/RefCount.h" #include "base/YesNoNone.h" #include "ClientDelayConfig.h" @@ -543,10 +540,6 @@ public: int v4_first; ///< Place IPv4 first in the order of DNS results. ssize_t packet_max; ///< maximum size EDNS advertised for DNS replies. } dns; - -#if USE_AUTH - Auth::SchemesConfigs authSchemesConfigs; -#endif }; extern SquidConfig Config; diff --git a/src/auth/Gadgets.cc b/src/auth/Gadgets.cc index 460c3b16cc..0d41c7e97d 100644 --- a/src/auth/Gadgets.cc +++ b/src/auth/Gadgets.cc @@ -17,13 +17,13 @@ #include "acl/FilledChecklist.h" #include "auth/AclProxyAuth.h" #include "auth/basic/User.h" -#include "auth/Config.h" #include "auth/CredentialsCache.h" #include "auth/digest/User.h" #include "auth/Gadgets.h" #include "auth/negotiate/User.h" #include "auth/ntlm/User.h" #include "auth/Scheme.h" +#include "auth/SchemeConfig.h" #include "auth/User.h" #include "auth/UserRequest.h" #include "client_side.h" @@ -62,7 +62,7 @@ static void authenticateRegisterWithCacheManager(Auth::ConfigVector * config) { for (Auth::ConfigVector::iterator i = config->begin(); i != config->end(); ++i) { - Auth::Config *scheme = *i; + Auth::SchemeConfig *scheme = *i; scheme->registerWithCacheManager(); } } 
@@ -75,7 +75,7 @@ authenticateInit(Auth::ConfigVector * config) return; for (Auth::ConfigVector::iterator i = config->begin(); i != config->end(); ++i) { - Auth::Config *schemeCfg = *i; + Auth::SchemeConfig *schemeCfg = *i; if (schemeCfg->configured()) schemeCfg->init(schemeCfg); @@ -114,11 +114,11 @@ authenticateCachedUsersList() }; std::vector v1, v2, rv, u1, u2; #if HAVE_AUTH_MODULE_BASIC - if (Auth::Config::Find("basic") != nullptr) + if (Auth::SchemeConfig::Find("basic") != nullptr) u1 = Auth::Basic::User::Cache()->sortedUsersList(); #endif #if HAVE_AUTH_MODULE_DIGEST - if (Auth::Config::Find("digest") != nullptr) + if (Auth::SchemeConfig::Find("digest") != nullptr) u2 = Auth::Digest::User::Cache()->sortedUsersList(); #endif if (u1.size() > 0 || u2.size() > 0) { @@ -129,11 +129,11 @@ authenticateCachedUsersList() u2.clear(); } #if HAVE_AUTH_MODULE_NEGOTIATE - if (Auth::Config::Find("negotiate") != nullptr) + if (Auth::SchemeConfig::Find("negotiate") != nullptr) u1 = Auth::Negotiate::User::Cache()->sortedUsersList(); #endif #if HAVE_AUTH_MODULE_NTLM - if (Auth::Config::Find("ntlm") != nullptr) + if (Auth::SchemeConfig::Find("ntlm") != nullptr) u2 = Auth::Ntlm::User::Cache()->sortedUsersList(); #endif if (u1.size() > 0 || u2.size() > 0) { diff --git a/src/auth/Gadgets.h b/src/auth/Gadgets.h index 006ef16955..9d68740188 100644 --- a/src/auth/Gadgets.h +++ b/src/auth/Gadgets.h @@ -11,7 +11,7 @@ #if USE_AUTH -#include "auth/Config.h" +#include "auth/SchemeConfig.h" #include "auth/User.h" #include "hash.h" diff --git a/src/auth/Makefile.am b/src/auth/Makefile.am index f61083a3f5..a3b3b5caf6 100644 --- a/src/auth/Makefile.am +++ b/src/auth/Makefile.am 
@@ -19,17 +19,18 @@ noinst_LTLIBRARIES = libauth.la libacls.la libauth_la_SOURCES = \ Type.h \ Type.cc \ - Config.cc \ - Config.h \ CredentialsCache.h \ CredentialsCache.cc \ CredentialState.cc \ CredentialState.h \ + forward.h \ Gadgets.cc \ Gadgets.h \ QueueNode.h \ Scheme.cc \ Scheme.h \ + SchemeConfig.cc \ + SchemeConfig.h \ SchemesConfig.h \ SchemesConfig.cc \ State.h \ diff --git a/src/auth/QueueNode.h b/src/auth/QueueNode.h index 0b394efdd9..ed123117c1 100644 --- a/src/auth/QueueNode.h +++ b/src/auth/QueueNode.h @@ -9,6 +9,7 @@ #ifndef SQUID_SRC_AUTH_QUEUENODE_H #define SQUID_SRC_AUTH_QUEUENODE_H +#include "auth/forward.h" #include "cbdata.h" namespace Auth diff --git a/src/auth/Scheme.cc b/src/auth/Scheme.cc index 789da42954..268eaaba95 100644 --- a/src/auth/Scheme.cc +++ b/src/auth/Scheme.cc @@ -9,7 +9,7 @@ /* DEBUG: section 29 Authenticator */ #include "squid.h" -#include "auth/Config.h" +#include "auth/SchemeConfig.h" #include "auth/Gadgets.h" #include "auth/Scheme.h" #include "globals.h" diff --git a/src/auth/Scheme.h b/src/auth/Scheme.h index 4ddad468ae..674701e2ca 100644 --- a/src/auth/Scheme.h +++ b/src/auth/Scheme.h @@ -11,27 +11,16 @@ #if USE_AUTH +#include "auth/forward.h" #include "base/RefCount.h" -#include - -/** - \defgroup AuthSchemeAPI Authentication Scheme API - \ingroup AuthAPI - */ - namespace Auth { -class Config; - /** - * \ingroup AuthAPI - * \ingroup AuthSchemeAPI - * \par * I represent an authentication scheme. For now my children * store the scheme metadata. - * \par + * * Should we need multiple configs of a single scheme, * a new class should be made, and the config specific calls on Auth::Scheme moved to it. */ @@ -66,7 +55,7 @@ public: /* per scheme methods */ virtual char const *type() const = 0; virtual void shutdownCleanup() = 0; - virtual Auth::Config *createConfig() = 0; + virtual Auth::SchemeConfig *createConfig() = 0; // Not implemented Scheme(Scheme const &); 
diff --git a/src/auth/Config.cc b/src/auth/SchemeConfig.cc similarity index 88% rename from src/auth/Config.cc rename to src/auth/SchemeConfig.cc index 2d45e572c0..36e5bd5913 100644 --- a/src/auth/Config.cc +++ b/src/auth/SchemeConfig.cc @@ -9,7 +9,8 @@ /* DEBUG: section 29 Authenticator */ #include "squid.h" -#include "auth/Config.h" +#include "auth/forward.h" +#include "auth/SchemeConfig.h" #include "auth/Gadgets.h" #include "auth/UserRequest.h" #include "cache_cf.h" @@ -30,12 +31,12 @@ Auth::ConfigVector Auth::TheConfig; * It may also be NULL reflecting that no user could be created. */ Auth::UserRequest::Pointer -Auth::Config::CreateAuthUser(const char *proxy_auth, AccessLogEntry::Pointer &al) +Auth::SchemeConfig::CreateAuthUser(const char *proxy_auth, AccessLogEntry::Pointer &al) { assert(proxy_auth != NULL); debugs(29, 9, HERE << "header = '" << proxy_auth << "'"); - Auth::Config *config = Find(proxy_auth); + Auth::SchemeConfig *config = Find(proxy_auth); if (config == NULL || !config->active()) { debugs(29, (shutting_down?3:DBG_IMPORTANT), (shutting_down?"":"WARNING: ") << @@ -55,8 +56,8 @@ Auth::Config::CreateAuthUser(const char *proxy_auth, AccessLogEntry::Pointer &al return config->decode(proxy_auth, rmb.hasContent() ? rmb.content() : NULL); } -Auth::Config * -Auth::Config::Find(const char *proxy_auth) +Auth::SchemeConfig * +Auth::SchemeConfig::Find(const char *proxy_auth) { for (Auth::ConfigVector::iterator i = Auth::TheConfig.begin(); i != Auth::TheConfig.end(); ++i) if (strncasecmp(proxy_auth, (*i)->type(), strlen((*i)->type())) == 0) @@ -65,8 +66,8 @@ Auth::Config::Find(const char *proxy_auth) return NULL; } -Auth::Config * -Auth::Config::GetParsed(const char *proxy_auth) +Auth::SchemeConfig * +Auth::SchemeConfig::GetParsed(const char *proxy_auth) { if (auto *cfg = Find(proxy_auth)) return cfg; 
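Review bot: In Auth::SchemeConfig::CreateAuthUser the unchanged line `debugs(29, 9, HERE << "header = '" << proxy_auth << "'");` writes the whole header value to the debug log, and for a credential-bearing scheme that value contains the client's credentials. The same problem is in Auth::Basic::UserRequest::startHelperLookup (src/auth/basic/UserRequest.cc, hunk at -107,7), which logs `basic_auth->username() << ":" << basic_auth->passwd`. While these functions are being touched for the rename, reduce the Basic message to `debugs(29, 9, HERE << "'" << basic_auth->username() << "'");`. Here, log only the scheme name, and only after `config` is known to be non-NULL. The middle of CreateAuthUser lies outside this hunk.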
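Review bot: Auth::SchemeConfig::Find compares with `strncasecmp(proxy_auth, (*i)->type(), strlen((*i)->type()))`, which is a prefix test, so any value that merely begins with a configured scheme name selects that scheme's config. Nothing in the hunk checks that the scheme token ends at that point. If callers pass raw client header values, as CreateAuthUser appears to, require a delimiter after the prefix: `const size_t n = strlen((*i)->type());` then `if (strncasecmp(proxy_auth, (*i)->type(), n) == 0 && (proxy_auth[n] == '\0' || proxy_auth[n] == ' ')) return *i;`. The declaration would also benefit from a comment such as `/// accepts a bare scheme name or a full header value; matching is case-insensitive`, since both uses occur in this commit.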
@@ -76,11 +77,11 @@ Auth::Config::GetParsed(const char *proxy_auth) /** Default behaviour is to expose nothing */ void -Auth::Config::registerWithCacheManager(void) +Auth::SchemeConfig::registerWithCacheManager(void) {} void -Auth::Config::parse(Auth::Config * scheme, int, char *param_str) +Auth::SchemeConfig::parse(Auth::SchemeConfig * scheme, int, char *param_str) { if (strcmp(param_str, "program") == 0) { if (authenticateProgram) @@ -132,7 +133,7 @@ Auth::Config::parse(Auth::Config * scheme, int, char *param_str) } bool -Auth::Config::dump(StoreEntry *entry, const char *name, Auth::Config *scheme) const +Auth::SchemeConfig::dump(StoreEntry *entry, const char *name, Auth::SchemeConfig *scheme) const { if (!authenticateProgram) return false; // not configured @@ -159,7 +160,7 @@ Auth::Config::dump(StoreEntry *entry, const char *name, Auth::Config *scheme) co } void -Auth::Config::done() +Auth::SchemeConfig::done() { delete keyExtras; keyExtras = NULL; diff --git a/src/auth/Config.h b/src/auth/SchemeConfig.h similarity index 87% rename from src/auth/Config.h rename to src/auth/SchemeConfig.h index deae9bdaad..53fd1f5dff 100644 --- a/src/auth/Config.h +++ b/src/auth/SchemeConfig.h @@ -6,12 +6,13 @@ * Please see the COPYING and CONTRIBUTORS files for details. */ -#ifndef SQUID_AUTH_CONFIG_H -#define SQUID_AUTH_CONFIG_H +#ifndef SQUID_SRC_AUTH_SCHEMECONFIG_H +#define SQUID_SRC_AUTH_SCHEMECONFIG_H #if USE_AUTH #include "AccessLogEntry.h" +#include "auth/forward.h" #include "auth/UserRequest.h" #include "helper/ChildConfig.h" 
@@ -42,19 +43,19 @@ namespace Auth * If the children ever stop being singletons, implement the * ref counting... */ -class Config +class SchemeConfig { public: static UserRequest::Pointer CreateAuthUser(const char *proxy_auth, AccessLogEntry::Pointer &al); - static Config *Find(const char *proxy_auth); + static SchemeConfig *Find(const char *proxy_auth); /// Call this method if you need a guarantee that all auth schemes has been /// already configured. - static Config *GetParsed(const char *proxy_auth); - Config() : authenticateChildren(20), authenticateProgram(NULL), keyExtras(NULL) {} + static SchemeConfig *GetParsed(const char *proxy_auth); + SchemeConfig() : authenticateChildren(20), authenticateProgram(NULL), keyExtras(NULL) {} - virtual ~Config() {} + virtual ~SchemeConfig() {} /** * Used by squid to determine whether the auth module has successfully initialised itself with the current configuration. @@ -106,19 +107,19 @@ public: * would put in a config file to recreate the running configuration. * Returns whether the scheme is configured. */ - virtual bool dump(StoreEntry *, const char *, Config *) const; + virtual bool dump(StoreEntry *, const char *, SchemeConfig *) const; /** add headers as needed when challenging for auth */ virtual void fixHeader(UserRequest::Pointer, HttpReply *, Http::HdrType, HttpRequest *) = 0; /** prepare to handle requests */ - virtual void init(Config *) = 0; + virtual void init(SchemeConfig *) = 0; /** expose any/all statistics to a CacheManager */ virtual void registerWithCacheManager(void); /** parse config options */ - virtual void parse(Config *, int, char *); + virtual void parse(SchemeConfig *, int, char *); /** the http string id */ virtual const char * type() const = 0; @@ -134,12 +135,10 @@ protected: SBuf realm; }; -typedef std::vector ConfigVector; - extern ConfigVector TheConfig; } // namespace Auth #endif /* USE_AUTH */ -#endif /* SQUID_AUTHCONFIG_H */ +#endif /* SQUID_SRC_AUTH_SCHEMECONFIG_H */ 
diff --git a/src/auth/SchemesConfig.cc b/src/auth/SchemesConfig.cc index f86c6ecd1e..b80c30389d 100644 --- a/src/auth/SchemesConfig.cc +++ b/src/auth/SchemesConfig.cc @@ -7,11 +7,15 @@ */ #include "squid.h" -#include "auth/Config.h" #include "auth/SchemesConfig.h" #include "fatal.h" #include "parser/Tokenizer.h" +namespace Auth +{ +std::vector SchemeListConfig; +} + static void addUnique(const SBuf &scheme, std::vector &vec) { @@ -41,7 +45,7 @@ Auth::SchemesConfig::expand() authConfigs.clear(); transform(expanded.begin(), expanded.end(), back_inserter(authConfigs), [](SBuf &s) { - return Auth::Config::GetParsed(s.c_str()); + return Auth::SchemeConfig::GetParsed(s.c_str()); }); } diff --git a/src/auth/SchemesConfig.h b/src/auth/SchemesConfig.h index 3392c98658..fb04bc5b3b 100644 --- a/src/auth/SchemesConfig.h +++ b/src/auth/SchemesConfig.h @@ -11,7 +11,7 @@ #if USE_AUTH -#include "auth/Config.h" +#include "auth/SchemeConfig.h" namespace Auth { @@ -43,7 +43,7 @@ public: const char *rawSchemes; }; -typedef std::vector SchemesConfigs; +extern std::vector SchemeListConfig; } // namespace Auth diff --git a/src/auth/User.cc b/src/auth/User.cc index e06b192408..53528537ce 100644 --- a/src/auth/User.cc +++ b/src/auth/User.cc @@ -11,7 +11,7 @@ #include "squid.h" #include "acl/Acl.h" #include "acl/Gadgets.h" -#include "auth/Config.h" +#include "auth/SchemeConfig.h" #include "auth/CredentialsCache.h" #include "auth/Gadgets.h" #include "auth/User.h" @@ -22,7 +22,7 @@ #include "SquidTime.h" #include "Store.h" -Auth::User::User(Auth::Config *aConfig, const char *aRequestRealm) : +Auth::User::User(Auth::SchemeConfig *aConfig, const char *aRequestRealm) : auth_type(Auth::AUTH_UNKNOWN), config(aConfig), ipcount(0), diff --git a/src/auth/User.h b/src/auth/User.h index 30e738b49f..02a5fd7253 100644 --- a/src/auth/User.h +++ b/src/auth/User.h 
@@ -12,6 +12,7 @@ #if USE_AUTH #include "auth/CredentialState.h" +#include "auth/forward.h" #include "auth/Type.h" #include "base/CbcPointer.h" #include "base/RefCount.h" @@ -25,9 +26,6 @@ class StoreEntry; namespace Auth { -class Config; -class CredentialsCache; - /** * This is the main user related structure. It stores user-related data, * and is persistent across requests. It can even persist across @@ -41,7 +39,7 @@ public: typedef RefCount Pointer; protected: - User(Auth::Config *, const char *requestRealm); + User(Auth::SchemeConfig *, const char *requestRealm); public: virtual ~User(); @@ -49,7 +47,7 @@ public: /** \deprecated this determines what scheme owns the user data. */ Auth::Type auth_type; /** the config for this user */ - Auth::Config *config; + Auth::SchemeConfig *config; dlink_list proxy_match_cache; size_t ipcount; long expiretime; diff --git a/src/auth/UserRequest.cc b/src/auth/UserRequest.cc index 5647219ca8..8b36eb88d0 100644 --- a/src/auth/UserRequest.cc +++ b/src/auth/UserRequest.cc @@ -14,7 +14,7 @@ #include "squid.h" #include "acl/FilledChecklist.h" -#include "auth/Config.h" +#include "auth/SchemeConfig.h" #include "auth/Scheme.h" #include "auth/SchemesConfig.h" #include "auth/User.h" @@ -338,7 +338,7 @@ Auth::UserRequest::authenticate(Auth::UserRequest::Pointer * auth_user_request, } if (proxy_auth && request->auth_user_request == NULL && conn != NULL && conn->getAuth() != NULL) { - Auth::Config * scheme = Auth::Config::Find(proxy_auth); + Auth::SchemeConfig * scheme = Auth::SchemeConfig::Find(proxy_auth); if (conn->getAuth()->user() == NULL || conn->getAuth()->user()->config != scheme) { debugs(29, DBG_IMPORTANT, "WARNING: Unexpected change of authentication scheme from '" << 
@@ -354,7 +354,7 @@ Auth::UserRequest::authenticate(Auth::UserRequest::Pointer * auth_user_request, /* beginning of a new request check */ debugs(29, 4, HERE << "No connection authentication type"); - *auth_user_request = Auth::Config::CreateAuthUser(proxy_auth, al); + *auth_user_request = Auth::SchemeConfig::CreateAuthUser(proxy_auth, al); if (*auth_user_request == NULL) return AUTH_ACL_CHALLENGE; else if (!(*auth_user_request)->valid()) { @@ -467,13 +467,13 @@ Auth::UserRequest::tryToAuthenticateAndSetAuthUser(Auth::UserRequest::Pointer * static Auth::ConfigVector & schemesConfig(HttpRequest *request, HttpReply *rep) { - if (::Config.accessList.authSchemes) { + if (!Auth::SchemeListConfig.empty()) { ACLFilledChecklist ch(NULL, request, NULL); ch.reply = rep; HTTPMSGLOCK(ch.reply); const allow_t answer = ch.fastCheck(::Config.accessList.authSchemes); if (answer == ACCESS_ALLOWED) - return ::Config.authSchemesConfigs.at(answer.kind).authConfigs; + return Auth::SchemeListConfig.at(answer.kind).authConfigs; } return Auth::TheConfig; } @@ -514,11 +514,9 @@ Auth::UserRequest::addReplyAuthHeader(HttpReply * rep, Auth::UserRequest::Pointe /* add the scheme specific challenge header to the response */ auth_user_request->user()->config->fixHeader(auth_user_request, rep, type, request); else { - /* call each configured & running authscheme */ + /* call each configured & running auth scheme */ Auth::ConfigVector &configs = schemesConfig(request, rep); - for (Auth::ConfigVector::iterator i = configs.begin(); i != configs.end(); ++i) { - Auth::Config *scheme = *i; - + for (auto *scheme : configs) { if (scheme->active()) { if (auth_user_request != NULL && auth_user_request->scheme()->type() == scheme->type()) scheme->fixHeader(auth_user_request, rep, type, request); diff --git a/src/auth/basic/Config.cc b/src/auth/basic/Config.cc index 41e47f38d2..4237b6e3ef 100644 --- a/src/auth/basic/Config.cc +++ b/src/auth/basic/Config.cc 
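Review bot: In schemesConfig() the guard now tests `!Auth::SchemeListConfig.empty()`, but the next lines still pass `::Config.accessList.authSchemes` to `ch.fastCheck()`, so the ACL pointer is no longer checked before use and the ACL list and the vector have to be kept in step by hand. `Auth::SchemeListConfig.at(answer.kind)` throws std::out_of_range when they disagree, and nothing visible here catches it. The vector has moved out of SquidConfig into a namespace-scope global, so whatever resets SquidConfig on reconfigure may no longer cover it; the code that clears it is not shown in this diff and should be confirmed. Keeping both tests is cheap: `if (::Config.accessList.authSchemes && !Auth::SchemeListConfig.empty()) {`. This function selects which authentication schemes are offered to a client, so a stale or mismatched index would offer the wrong set.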
@@ -96,7 +96,7 @@ Auth::Basic::Config::rotateHelpers() void Auth::Basic::Config::done() { - Auth::Config::done(); + Auth::SchemeConfig::done(); authbasic_initialised = 0; @@ -112,9 +112,9 @@ Auth::Basic::Config::done() } bool -Auth::Basic::Config::dump(StoreEntry * entry, const char *name, Auth::Config * scheme) const +Auth::Basic::Config::dump(StoreEntry * entry, const char *name, Auth::SchemeConfig * scheme) const { - if (!Auth::Config::dump(entry, name, scheme)) + if (!Auth::SchemeConfig::dump(entry, name, scheme)) return false; // not configured storeAppendPrintf(entry, "%s basic credentialsttl %d seconds\n", name, (int) credentialsTTL); @@ -133,7 +133,7 @@ Auth::Basic::Config::Config() : } void -Auth::Basic::Config::parse(Auth::Config * scheme, int n_configured, char *param_str) +Auth::Basic::Config::parse(Auth::SchemeConfig * scheme, int n_configured, char *param_str) { if (strcmp(param_str, "credentialsttl") == 0) { parse_time_t(&credentialsTTL); @@ -142,7 +142,7 @@ Auth::Basic::Config::parse(Auth::Config * scheme, int n_configured, char *param_ } else if (strcmp(param_str, "utf8") == 0) { parse_onoff(&utf8); } else - Auth::Config::parse(scheme, n_configured, param_str); + Auth::SchemeConfig::parse(scheme, n_configured, param_str); } static void @@ -279,7 +279,7 @@ Auth::Basic::Config::decode(char const *proxy_auth, const char *aRequestRealm) /** Initialize helpers and the like for this auth scheme. Called AFTER parsing the * config file */ void -Auth::Basic::Config::init(Auth::Config *) +Auth::Basic::Config::init(Auth::SchemeConfig *) { if (authenticateProgram) { authbasic_initialised = 1; diff --git a/src/auth/basic/Config.h b/src/auth/basic/Config.h index 009987a6e6..fa71ce572d 100644 --- a/src/auth/basic/Config.h +++ b/src/auth/basic/Config.h @@ -11,7 +11,7 @@ #if HAVE_AUTH_MODULE_BASIC -#include "auth/Config.h" +#include "auth/SchemeConfig.h" #include "auth/Gadgets.h" #include "auth/UserRequest.h" #include "helper/forward.h" 
@@ -22,7 +22,7 @@ namespace Basic { /** Basic authentication configuration data */ -class Config : public Auth::Config +class Config : public Auth::SchemeConfig { public: Config(); @@ -31,10 +31,10 @@ public: virtual Auth::UserRequest::Pointer decode(char const *proxy_auth, const char *requestRealm); virtual void done(); virtual void rotateHelpers(); - virtual bool dump(StoreEntry *, const char *, Auth::Config *) const; + virtual bool dump(StoreEntry *, const char *, Auth::SchemeConfig *) const; virtual void fixHeader(Auth::UserRequest::Pointer, HttpReply *, Http::HdrType, HttpRequest *); - virtual void init(Auth::Config *); - virtual void parse(Auth::Config *, int, char *); + virtual void init(Auth::SchemeConfig *); + virtual void parse(Auth::SchemeConfig *, int, char *); void decode(char const *httpAuthHeader, Auth::UserRequest::Pointer); virtual void registerWithCacheManager(void); virtual const char * type() const; diff --git a/src/auth/basic/Scheme.cc b/src/auth/basic/Scheme.cc index 1de163c8f4..d8fa978e0c 100644 --- a/src/auth/basic/Scheme.cc +++ b/src/auth/basic/Scheme.cc @@ -40,10 +40,10 @@ Auth::Basic::Scheme::shutdownCleanup() debugs(29, DBG_CRITICAL, "Shutdown: Basic authentication."); } -Auth::Config * +Auth::SchemeConfig * Auth::Basic::Scheme::createConfig() { Auth::Basic::Config *newCfg = new Auth::Basic::Config; - return dynamic_cast(newCfg); + return dynamic_cast(newCfg); } diff --git a/src/auth/basic/Scheme.h b/src/auth/basic/Scheme.h index 251eebee87..274e492e4d 100644 --- a/src/auth/basic/Scheme.h +++ b/src/auth/basic/Scheme.h @@ -31,7 +31,7 @@ public: /* per scheme */ virtual char const *type() const; virtual void shutdownCleanup(); - virtual Auth::Config *createConfig(); + virtual Auth::SchemeConfig *createConfig(); /* Not implemented */ Scheme(Scheme const &); Scheme &operator=(Scheme const &); diff --git a/src/auth/basic/User.cc b/src/auth/basic/User.cc index 8312710b1c..2b336726ec 100644 --- a/src/auth/basic/User.cc 
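Review bot: Auth::Basic::Scheme::createConfig still passes the freshly allocated object through `dynamic_cast` to reach its base class, but a derived-to-base pointer conversion is implicit, so the cast is redundant. `return new Auth::Basic::Config;` says the same thing, and the identical lines in Auth::Digest::Scheme::createConfig and Auth::Negotiate::Scheme::createConfig can follow suit. The function hands back an owning raw pointer, so the declaration in src/auth/Scheme.h should gain a comment such as `/// caller owns the returned config and must delete it` (to be confirmed against the actual owner, which is not visible in this diff).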
+++ b/src/auth/basic/User.cc @@ -14,7 +14,7 @@ #include "SquidConfig.h" #include "SquidTime.h" -Auth::Basic::User::User(Auth::Config *aConfig, const char *aRequestRealm) : +Auth::Basic::User::User(Auth::SchemeConfig *aConfig, const char *aRequestRealm) : Auth::User(aConfig, aRequestRealm), passwd(NULL), queue(NULL), diff --git a/src/auth/basic/User.h b/src/auth/basic/User.h index 54bc846402..461f295d64 100644 --- a/src/auth/basic/User.h +++ b/src/auth/basic/User.h @@ -17,7 +17,7 @@ namespace Auth { -class Config; +class SchemeConfig; class QueueNode; namespace Basic @@ -29,7 +29,7 @@ class User : public Auth::User MEMPROXY_CLASS(Auth::Basic::User); public: - User(Auth::Config *, const char *requestRealm); + User(Auth::SchemeConfig *, const char *requestRealm); virtual ~User(); bool authenticated() const; bool valid() const; diff --git a/src/auth/basic/UserRequest.cc b/src/auth/basic/UserRequest.cc index 34f876282f..1621c09e53 100644 --- a/src/auth/basic/UserRequest.cc +++ b/src/auth/basic/UserRequest.cc @@ -59,7 +59,7 @@ Auth::Basic::UserRequest::authenticate(HttpRequest *, ConnStateData *, Http::Hdr return; /* are we about to recheck the credentials externally? */ - if ((user()->expiretime + static_cast(Auth::Config::Find("basic"))->credentialsTTL) <= squid_curtime) { + if ((user()->expiretime + static_cast(Auth::SchemeConfig::Find("basic"))->credentialsTTL) <= squid_curtime) { debugs(29, 4, HERE << "credentials expired - rechecking"); return; } @@ -86,7 +86,7 @@ Auth::Basic::UserRequest::module_direction() return Auth::CRED_LOOKUP; case Auth::Ok: - if (user()->expiretime + static_cast(Auth::Config::Find("basic"))->credentialsTTL <= squid_curtime) + if (user()->expiretime + static_cast(Auth::SchemeConfig::Find("basic"))->credentialsTTL <= squid_curtime) return Auth::CRED_LOOKUP; return Auth::CRED_VALID; 
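Review bot: In Auth::Basic::UserRequest::authenticate and module_direction the result of `Auth::SchemeConfig::Find("basic")` is cast and dereferenced for `credentialsTTL` without a null check, although Find ends in `return NULL;` when no configured scheme matches. The same pattern is on the changed lines in startHelperLookup, in the nonce helpers of src/auth/digest/Config.cc, and in src/auth/digest/User.cc and src/auth/digest/UserRequest.cc. Auth::User already carries `Auth::SchemeConfig *config`, so in authenticate the by-name lookup on every request could become `const auto *cfg = dynamic_cast<const Auth::Basic::Config *>(user()->config);` followed by `if (!cfg) return;`. The other sites can fetch the pointer once in the same way and take their existing failure path when it is null. Both functions continue outside their hunks.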
@@ -107,7 +107,7 @@ Auth::Basic::UserRequest::startHelperLookup(HttpRequest *request, AccessLogEntry assert(basic_auth != NULL); debugs(29, 9, HERE << "'" << basic_auth->username() << ":" << basic_auth->passwd << "'"); - if (static_cast(Auth::Config::Find("basic"))->authenticateProgram == NULL) { + if (static_cast(Auth::SchemeConfig::Find("basic"))->authenticateProgram == NULL) { debugs(29, DBG_CRITICAL, "ERROR: No Basic authentication program configured."); handler(data); return; diff --git a/src/auth/digest/Config.cc b/src/auth/digest/Config.cc index 0ad3a408f7..5c20ee4c0e 100644 --- a/src/auth/digest/Config.cc +++ b/src/auth/digest/Config.cc @@ -215,7 +215,7 @@ authenticateDigestNonceSetup(void) if (!digest_nonce_cache) { digest_nonce_cache = hash_create((HASHCMP *) strcmp, 7921, hash_string); assert(digest_nonce_cache); - eventAdd("Digest nonce cache maintenance", authenticateDigestNonceCacheCleanup, NULL, static_cast(Auth::Config::Find("digest"))->nonceGCInterval, 1); + eventAdd("Digest nonce cache maintenance", authenticateDigestNonceCacheCleanup, NULL, static_cast(Auth::SchemeConfig::Find("digest"))->nonceGCInterval, 1); } } @@ -278,8 +278,8 @@ authenticateDigestNonceCacheCleanup(void *) debugs(29, 3, "Finished cleaning the nonce cache."); - if (static_cast(Auth::Config::Find("digest"))->active()) - eventAdd("Digest nonce cache maintenance", authenticateDigestNonceCacheCleanup, NULL, static_cast(Auth::Config::Find("digest"))->nonceGCInterval, 1); + if (static_cast(Auth::SchemeConfig::Find("digest"))->active()) + eventAdd("Digest nonce cache maintenance", authenticateDigestNonceCacheCleanup, NULL, static_cast(Auth::SchemeConfig::Find("digest"))->nonceGCInterval, 1); } static void 
@@ -366,12 +366,12 @@ authDigestNonceIsValid(digest_nonce_h * nonce, char nc[9]) } /* is the nonce-count ok ? */ - if (!static_cast(Auth::Config::Find("digest"))->CheckNonceCount) { + if (!static_cast(Auth::SchemeConfig::Find("digest"))->CheckNonceCount) { /* Ignore client supplied NC */ intnc = nonce->nc + 1; } - if ((static_cast(Auth::Config::Find("digest"))->NonceStrictness && intnc != nonce->nc + 1) || + if ((static_cast(Auth::SchemeConfig::Find("digest"))->NonceStrictness && intnc != nonce->nc + 1) || intnc < nonce->nc + 1) { debugs(29, 4, "Nonce count doesn't match"); nonce->flags.valid = false; @@ -399,10 +399,10 @@ authDigestNonceIsStale(digest_nonce_h * nonce) return -1; /* has it's max duration expired? */ - if (nonce->noncedata.creationtime + static_cast(Auth::Config::Find("digest"))->noncemaxduration < current_time.tv_sec) { + if (nonce->noncedata.creationtime + static_cast(Auth::SchemeConfig::Find("digest"))->noncemaxduration < current_time.tv_sec) { debugs(29, 4, "Nonce is too old. " << nonce->noncedata.creationtime << " " << - static_cast(Auth::Config::Find("digest"))->noncemaxduration << " " << + static_cast(Auth::SchemeConfig::Find("digest"))->noncemaxduration << " " << current_time.tv_sec); nonce->flags.valid = false; @@ -415,7 +415,7 @@ authDigestNonceIsStale(digest_nonce_h * nonce) return -1; } - if (nonce->nc > static_cast(Auth::Config::Find("digest"))->noncemaxuses) { + if (nonce->nc > static_cast(Auth::SchemeConfig::Find("digest"))->noncemaxuses) { debugs(29, 4, "Nonce count over user limit"); nonce->flags.valid = false; return -1; @@ -440,7 +440,7 @@ authDigestNonceLastRequest(digest_nonce_h * nonce) return -1; } - if (nonce->nc >= static_cast(Auth::Config::Find("digest"))->noncemaxuses - 1) { + if (nonce->nc >= static_cast(Auth::SchemeConfig::Find("digest"))->noncemaxuses - 1) { debugs(29, 4, "Nonce count about to hit user limit"); return -1; } 
@@ -478,9 +478,9 @@ Auth::Digest::Config::rotateHelpers() } bool -Auth::Digest::Config::dump(StoreEntry * entry, const char *name, Auth::Config * scheme) const +Auth::Digest::Config::dump(StoreEntry * entry, const char *name, Auth::SchemeConfig * scheme) const { - if (!Auth::Config::dump(entry, name, scheme)) + if (!Auth::SchemeConfig::dump(entry, name, scheme)) return false; storeAppendPrintf(entry, "%s %s nonce_max_count %d\n%s %s nonce_max_duration %d seconds\n%s %s nonce_garbage_interval %d seconds\n", @@ -546,7 +546,7 @@ Auth::Digest::Config::fixHeader(Auth::UserRequest::Pointer auth_user_request, Ht /* Initialize helpers and the like for this auth scheme. Called AFTER parsing the * config file */ void -Auth::Digest::Config::init(Auth::Config *) +Auth::Digest::Config::init(Auth::SchemeConfig *) { if (authenticateProgram) { authenticateDigestNonceSetup(); @@ -577,7 +577,7 @@ Auth::Digest::Config::registerWithCacheManager(void) void Auth::Digest::Config::done() { - Auth::Config::done(); + Auth::SchemeConfig::done(); authdigest_initialised = 0; @@ -605,7 +605,7 @@ Auth::Digest::Config::Config() : {} void -Auth::Digest::Config::parse(Auth::Config * scheme, int n_configured, char *param_str) +Auth::Digest::Config::parse(Auth::SchemeConfig * scheme, int n_configured, char *param_str) { if (strcmp(param_str, "program") == 0) { if (authenticateProgram) @@ -629,7 +629,7 @@ Auth::Digest::Config::parse(Auth::Config * scheme, int n_configured, char *param } else if (strcmp(param_str, "utf8") == 0) { parse_onoff(&utf8); } else - Auth::Config::parse(scheme, n_configured, param_str); + Auth::SchemeConfig::parse(scheme, n_configured, param_str); } const char * 
@@ -726,7 +726,7 @@ authDigestLogUsername(char *username, Auth::UserRequest::Pointer auth_user_reque /* log the username */ debugs(29, 9, "Creating new user for logging '" << (username?username:"[no username]") << "'"); - Auth::User::Pointer digest_user = new Auth::Digest::User(static_cast(Auth::Config::Find("digest")), requestRealm); + Auth::User::Pointer digest_user = new Auth::Digest::User(static_cast(Auth::SchemeConfig::Find("digest")), requestRealm); /* save the credentials */ digest_user->username(username); /* set the auth_user type */ diff --git a/src/auth/digest/Config.h b/src/auth/digest/Config.h index a4591ce0ee..e7cee4d75a 100644 --- a/src/auth/digest/Config.h +++ b/src/auth/digest/Config.h @@ -11,7 +11,7 @@ #if HAVE_AUTH_MODULE_DIGEST -#include "auth/Config.h" +#include "auth/SchemeConfig.h" #include "auth/Gadgets.h" #include "auth/UserRequest.h" #include "helper/forward.h" @@ -71,7 +71,7 @@ namespace Digest { /** Digest Authentication configuration data */ -class Config : public Auth::Config +class Config : public Auth::SchemeConfig { public: Config(); @@ -80,10 +80,10 @@ public: virtual Auth::UserRequest::Pointer decode(char const *proxy_auth, const char *requestRealm); virtual void done(); virtual void rotateHelpers(); - virtual bool dump(StoreEntry *, const char *, Auth::Config *) const; + virtual bool dump(StoreEntry *, const char *, Auth::SchemeConfig *) const; virtual void fixHeader(Auth::UserRequest::Pointer, HttpReply *, Http::HdrType, HttpRequest *); - virtual void init(Auth::Config *); - virtual void parse(Auth::Config *, int, char *); + virtual void init(Auth::SchemeConfig *); + virtual void parse(Auth::SchemeConfig *, int, char *); virtual void registerWithCacheManager(void); virtual const char * type() const; diff --git a/src/auth/digest/Scheme.cc b/src/auth/digest/Scheme.cc index ed481d674e..dab004b168 100644 --- a/src/auth/digest/Scheme.cc +++ b/src/auth/digest/Scheme.cc 
@@ -43,10 +43,10 @@ Auth::Digest::Scheme::shutdownCleanup() debugs(29, DBG_CRITICAL, "Shutdown: Digest authentication."); } -Auth::Config * +Auth::SchemeConfig * Auth::Digest::Scheme::createConfig() { Auth::Digest::Config *digestCfg = new Auth::Digest::Config; - return dynamic_cast(digestCfg); + return dynamic_cast(digestCfg); } diff --git a/src/auth/digest/Scheme.h b/src/auth/digest/Scheme.h index 9fa4746a80..a5c8679f97 100644 --- a/src/auth/digest/Scheme.h +++ b/src/auth/digest/Scheme.h @@ -31,7 +31,7 @@ public: /* per scheme */ virtual char const *type () const; virtual void shutdownCleanup(); - virtual Auth::Config *createConfig(); + virtual Auth::SchemeConfig *createConfig(); /* Not implemented */ Scheme(Scheme const &); diff --git a/src/auth/digest/User.cc b/src/auth/digest/User.cc index 5dcd28cf97..4c0a9cbd87 100644 --- a/src/auth/digest/User.cc +++ b/src/auth/digest/User.cc @@ -15,7 +15,7 @@ #include "SquidConfig.h" #include "SquidTime.h" -Auth::Digest::User::User(Auth::Config *aConfig, const char *aRequestRealm) : +Auth::Digest::User::User(Auth::SchemeConfig *aConfig, const char *aRequestRealm) : Auth::User(aConfig, aRequestRealm), HA1created(0) { @@ -55,7 +55,7 @@ Auth::Digest::User::ttl() const if (latest_nonce == -1) return min(-1, global_ttl); - int32_t nonce_ttl = latest_nonce - current_time.tv_sec + static_cast(Auth::Config::Find("digest"))->noncemaxduration; + int32_t nonce_ttl = latest_nonce - current_time.tv_sec + static_cast(Auth::SchemeConfig::Find("digest"))->noncemaxduration; return min(nonce_ttl, global_ttl); } diff --git a/src/auth/digest/User.h b/src/auth/digest/User.h index a02d79791f..a479567b6e 100644 --- a/src/auth/digest/User.h +++ b/src/auth/digest/User.h @@ -26,7 +26,7 @@ class User : public Auth::User MEMPROXY_CLASS(Auth::Digest::User); public: - User(Auth::Config *, const char *requestRealm); + User(Auth::SchemeConfig *, const char *requestRealm); virtual ~User(); int authenticated() const; virtual int32_t ttl() const override; 
diff --git a/src/auth/digest/UserRequest.cc b/src/auth/digest/UserRequest.cc index 3afebb4d4c..d1ea412e89 100644 --- a/src/auth/digest/UserRequest.cc +++ b/src/auth/digest/UserRequest.cc @@ -127,7 +127,7 @@ Auth::Digest::UserRequest::authenticate(HttpRequest * request, ConnStateData *, return; } - if (static_cast(Auth::Config::Find("digest"))->PostWorkaround && request->method != Http::METHOD_GET) { + if (static_cast(Auth::SchemeConfig::Find("digest"))->PostWorkaround && request->method != Http::METHOD_GET) { /* Ugly workaround for certain very broken browsers using the * wrong method to calculate the request-digest on POST request. * This should be deleted once Digest authentication becomes more @@ -233,7 +233,7 @@ Auth::Digest::UserRequest::addAuthenticationInfoHeader(HttpReply * rep, int acce return; #endif - if ((static_cast(Auth::Config::Find("digest"))->authenticateProgram) && authDigestNonceLastRequest(nonce)) { + if ((static_cast(Auth::SchemeConfig::Find("digest"))->authenticateProgram) && authDigestNonceLastRequest(nonce)) { flags.authinfo_sent = true; Auth::Digest::User *digest_user = dynamic_cast(user().getRaw()); if (!digest_user) @@ -291,14 +291,14 @@ Auth::Digest::UserRequest::startHelperLookup(HttpRequest *request, AccessLogEntr assert(user() != NULL && user()->auth_type == Auth::AUTH_DIGEST); debugs(29, 9, HERE << "'\"" << user()->username() << "\":\"" << realm << "\"'"); - if (static_cast(Auth::Config::Find("digest"))->authenticateProgram == NULL) { + if (static_cast(Auth::SchemeConfig::Find("digest"))->authenticateProgram == NULL) { debugs(29, DBG_CRITICAL, "ERROR: No Digest authentication program configured."); handler(data); return; } const char *keyExtras = helperRequestKeyExtras(request, al); - if (static_cast(Auth::Config::Find("digest"))->utf8) { + if (static_cast(Auth::SchemeConfig::Find("digest"))->utf8) { char userstr[1024]; latin1_to_utf8(userstr, sizeof(userstr), user()->username()); if (keyExtras) 
diff --git a/src/auth/forward.h b/src/auth/forward.h new file mode 100644 index 0000000000..3701be749f --- /dev/null +++ b/src/auth/forward.h @@ -0,0 +1,30 @@ +/* + * Copyright (C) 1996-2016 The Squid Software Foundation and contributors + * + * Squid software is distributed under GPLv2+ license and includes + * contributions from numerous individuals and organizations. + * Please see the COPYING and CONTRIBUTORS files for details. + */ + +#ifndef SQUID_SRC_AUTH_FORWARD_H +#define SQUID_SRC_AUTH_FORWARD_H + +#if USE_AUTH + +#include + +/// HTTP Authentication +namespace Auth +{ + +class CredentialsCache; + +class Scheme; +class SchemeConfig; +typedef std::vector ConfigVector; + +} // namespace Auth + +#endif /* USE_AUTH */ +#endif /* SQUID_SRC_AUTH_FORWARD_H */ + diff --git a/src/auth/negotiate/Config.cc b/src/auth/negotiate/Config.cc index 71927fc414..a0c9b358ba 100644 --- a/src/auth/negotiate/Config.cc +++ b/src/auth/negotiate/Config.cc @@ -62,7 +62,7 @@ Auth::Negotiate::Config::rotateHelpers() void Auth::Negotiate::Config::done() { - Auth::Config::done(); + Auth::SchemeConfig::done(); authnegotiate_initialised = 0; @@ -83,9 +83,9 @@ Auth::Negotiate::Config::done() } bool -Auth::Negotiate::Config::dump(StoreEntry * entry, const char *name, Auth::Config * scheme) const +Auth::Negotiate::Config::dump(StoreEntry * entry, const char *name, Auth::SchemeConfig * scheme) const { - if (!Auth::Config::dump(entry, name, scheme)) + if (!Auth::SchemeConfig::dump(entry, name, scheme)) return false; storeAppendPrintf(entry, "%s negotiate keep_alive %s\n", name, keep_alive ? "on" : "off"); @@ -96,7 +96,7 @@ Auth::Negotiate::Config::Config() : keep_alive(1) { } void -Auth::Negotiate::Config::parse(Auth::Config * scheme, int n_configured, char *param_str) +Auth::Negotiate::Config::parse(Auth::SchemeConfig * scheme, int n_configured, char *param_str) { if (strcmp(param_str, "program") == 0) { if (authenticateProgram) 
@@ -108,7 +108,7 @@ Auth::Negotiate::Config::parse(Auth::Config * scheme, int n_configured, char *pa } else if (strcmp(param_str, "keep_alive") == 0) { parse_onoff(&keep_alive); } else - Auth::Config::parse(scheme, n_configured, param_str); + Auth::SchemeConfig::parse(scheme, n_configured, param_str); } const char * @@ -122,7 +122,7 @@ Auth::Negotiate::Config::type() const * Called AFTER parsing the config file */ void -Auth::Negotiate::Config::init(Auth::Config *) +Auth::Negotiate::Config::init(Auth::SchemeConfig *) { if (authenticateProgram) { @@ -256,7 +256,7 @@ authenticateNegotiateStats(StoreEntry * sentry) Auth::UserRequest::Pointer Auth::Negotiate::Config::decode(char const *proxy_auth, const char *aRequestRealm) { - Auth::Negotiate::User *newUser = new Auth::Negotiate::User(Auth::Config::Find("negotiate"), aRequestRealm); + Auth::Negotiate::User *newUser = new Auth::Negotiate::User(Auth::SchemeConfig::Find("negotiate"), aRequestRealm); Auth::UserRequest *auth_user_request = new Auth::Negotiate::UserRequest(); assert(auth_user_request->user() == NULL); diff --git a/src/auth/negotiate/Config.h b/src/auth/negotiate/Config.h index 4c681d565c..24b370b094 100644 --- a/src/auth/negotiate/Config.h +++ b/src/auth/negotiate/Config.h @@ -11,7 +11,7 @@ #if HAVE_AUTH_MODULE_NEGOTIATE -#include "auth/Config.h" +#include "auth/SchemeConfig.h" #include "auth/Gadgets.h" #include "auth/UserRequest.h" #include "helper/forward.h" @@ -22,7 +22,7 @@ namespace Negotiate { /** Negotiate Authentication configuration data */ -class Config : public Auth::Config +class Config : public Auth::SchemeConfig { public: Config(); 
@@ -31,10 +31,10 @@ public: virtual Auth::UserRequest::Pointer decode(char const *proxy_auth, const char *requestRealm); virtual void done(); virtual void rotateHelpers(); - virtual bool dump(StoreEntry *, const char *, Auth::Config *) const; + virtual bool dump(StoreEntry *, const char *, Auth::SchemeConfig *) const; virtual void fixHeader(Auth::UserRequest::Pointer, HttpReply *, Http::HdrType, HttpRequest *); - virtual void init(Auth::Config *); - virtual void parse(Auth::Config *, int, char *); + virtual void init(Auth::SchemeConfig *); + virtual void parse(Auth::SchemeConfig *, int, char *); virtual void registerWithCacheManager(void); virtual const char * type() const; diff --git a/src/auth/negotiate/Scheme.cc b/src/auth/negotiate/Scheme.cc index 280dfa9773..c7078cd9f9 100644 --- a/src/auth/negotiate/Scheme.cc +++ b/src/auth/negotiate/Scheme.cc @@ -40,10 +40,10 @@ Auth::Negotiate::Scheme::shutdownCleanup() debugs(29, DBG_CRITICAL, "Shutdown: Negotiate authentication."); } -Auth::Config * +Auth::SchemeConfig * Auth::Negotiate::Scheme::createConfig() { Auth::Negotiate::Config *negotiateCfg = new Auth::Negotiate::Config; - return dynamic_cast(negotiateCfg); + return dynamic_cast(negotiateCfg); } diff --git a/src/auth/negotiate/Scheme.h b/src/auth/negotiate/Scheme.h index 2fa72f05b5..54d12f3006 100644 --- a/src/auth/negotiate/Scheme.h +++ b/src/auth/negotiate/Scheme.h @@ -31,7 +31,7 @@ public: /* per scheme */ virtual char const *type() const; virtual void shutdownCleanup(); - virtual Auth::Config *createConfig(); + virtual Auth::SchemeConfig *createConfig(); /* Not implemented */ Scheme (Scheme const &); diff --git a/src/auth/negotiate/User.cc b/src/auth/negotiate/User.cc index b708c2d1f0..1c9f7e5d48 100644 --- a/src/auth/negotiate/User.cc +++ b/src/auth/negotiate/User.cc 
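Review bot: `createConfig()` in negotiate/Scheme.cc upcasts its freshly allocated object with `dynamic_cast`, which is unnecessary here: the Config.h hunk shows `class Config : public Auth::SchemeConfig`, so the pointer converts implicitly and the run-time cast only suggests a failure mode that cannot occur. `return new Auth::Negotiate::Config;` expresses the same thing without the temporary. ntlm/Scheme.cc carries the identical construct with `ntlmCfg` and would take the same change.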
@@ -7,12 +7,12 @@ */ #include "squid.h" -#include "auth/Config.h" +#include "auth/SchemeConfig.h" #include "auth/CredentialsCache.h" #include "auth/negotiate/User.h" #include "Debug.h" -Auth::Negotiate::User::User(Auth::Config *aConfig, const char *aRequestRealm) : +Auth::Negotiate::User::User(Auth::SchemeConfig *aConfig, const char *aRequestRealm) : Auth::User(aConfig, aRequestRealm) { } diff --git a/src/auth/negotiate/User.h b/src/auth/negotiate/User.h index 7be74607b6..c5203b364e 100644 --- a/src/auth/negotiate/User.h +++ b/src/auth/negotiate/User.h @@ -16,7 +16,7 @@ namespace Auth { -class Config; +class SchemeConfig; namespace Negotiate { @@ -27,7 +27,7 @@ class User : public Auth::User MEMPROXY_CLASS(Auth::Negotiate::User); public: - User(Auth::Config *, const char *requestRealm); + User(Auth::SchemeConfig *, const char *requestRealm); virtual ~User(); virtual int32_t ttl() const override; diff --git a/src/auth/negotiate/UserRequest.cc b/src/auth/negotiate/UserRequest.cc index 130e744619..7564cce68c 100644 --- a/src/auth/negotiate/UserRequest.cc +++ b/src/auth/negotiate/UserRequest.cc @@ -128,7 +128,7 @@ Auth::Negotiate::UserRequest::startHelperLookup(HttpRequest *, AccessLogEntry::P assert(user() != NULL); assert(user()->auth_type == Auth::AUTH_NEGOTIATE); - if (static_cast(Auth::Config::Find("negotiate"))->authenticateProgram == NULL) { + if (static_cast(Auth::SchemeConfig::Find("negotiate"))->authenticateProgram == NULL) { debugs(29, DBG_CRITICAL, "ERROR: No Negotiate authentication program configured."); handler(data); return; diff --git a/src/auth/ntlm/Config.cc b/src/auth/ntlm/Config.cc index 5d9fb1e6f0..b723c01b1c 100644 --- a/src/auth/ntlm/Config.cc +++ b/src/auth/ntlm/Config.cc @@ -54,7 +54,7 @@ Auth::Ntlm::Config::rotateHelpers() void Auth::Ntlm::Config::done() { - Auth::Config::done(); + Auth::SchemeConfig::done(); authntlm_initialised = 0; 
@@ -75,9 +75,9 @@ Auth::Ntlm::Config::done() } bool -Auth::Ntlm::Config::dump(StoreEntry * entry, const char *name, Auth::Config * scheme) const +Auth::Ntlm::Config::dump(StoreEntry * entry, const char *name, Auth::SchemeConfig * scheme) const { - if (!Auth::Config::dump(entry, name, scheme)) + if (!Auth::SchemeConfig::dump(entry, name, scheme)) return false; storeAppendPrintf(entry, "%s ntlm keep_alive %s\n", name, keep_alive ? "on" : "off"); @@ -88,7 +88,7 @@ Auth::Ntlm::Config::Config() : keep_alive(1) { } void -Auth::Ntlm::Config::parse(Auth::Config * scheme, int n_configured, char *param_str) +Auth::Ntlm::Config::parse(Auth::SchemeConfig * scheme, int n_configured, char *param_str) { if (strcmp(param_str, "program") == 0) { if (authenticateProgram) @@ -100,7 +100,7 @@ Auth::Ntlm::Config::parse(Auth::Config * scheme, int n_configured, char *param_s } else if (strcmp(param_str, "keep_alive") == 0) { parse_onoff(&keep_alive); } else - Auth::Config::parse(scheme, n_configured, param_str); + Auth::SchemeConfig::parse(scheme, n_configured, param_str); } const char * @@ -112,7 +112,7 @@ Auth::Ntlm::Config::type() const /* Initialize helpers and the like for this auth scheme. Called AFTER parsing the * config file */ void -Auth::Ntlm::Config::init(Auth::Config *) +Auth::Ntlm::Config::init(Auth::SchemeConfig *) { if (authenticateProgram) { @@ -236,7 +236,7 @@ authenticateNTLMStats(StoreEntry * sentry) Auth::UserRequest::Pointer Auth::Ntlm::Config::decode(char const *proxy_auth, const char *aRequestRealm) { - Auth::Ntlm::User *newUser = new Auth::Ntlm::User(Auth::Config::Find("ntlm"), aRequestRealm); + Auth::Ntlm::User *newUser = new Auth::Ntlm::User(Auth::SchemeConfig::Find("ntlm"), aRequestRealm); Auth::UserRequest::Pointer auth_user_request = new Auth::Ntlm::UserRequest(); assert(auth_user_request->user() == NULL); diff --git a/src/auth/ntlm/Config.h b/src/auth/ntlm/Config.h index fe1978e13c..22282896c3 100644 --- a/src/auth/ntlm/Config.h +++ b/src/auth/ntlm/Config.h 
@@ -11,7 +11,7 @@ #if HAVE_AUTH_MODULE_NTLM -#include "auth/Config.h" +#include "auth/SchemeConfig.h" #include "auth/Gadgets.h" #include "auth/UserRequest.h" #include "helper/forward.h" @@ -25,7 +25,7 @@ namespace Ntlm { /** NTLM Authentication configuration data */ -class Config : public Auth::Config +class Config : public Auth::SchemeConfig { public: Config(); @@ -34,10 +34,10 @@ public: virtual Auth::UserRequest::Pointer decode(char const *proxy_auth, const char *requestRealm); virtual void done(); virtual void rotateHelpers(); - virtual bool dump(StoreEntry *, const char *, Auth::Config *) const; + virtual bool dump(StoreEntry *, const char *, Auth::SchemeConfig *) const; virtual void fixHeader(Auth::UserRequest::Pointer, HttpReply *, Http::HdrType, HttpRequest *); - virtual void init(Auth::Config *); - virtual void parse(Auth::Config *, int, char *); + virtual void init(Auth::SchemeConfig *); + virtual void parse(Auth::SchemeConfig *, int, char *); virtual void registerWithCacheManager(void); virtual const char * type() const; diff --git a/src/auth/ntlm/Scheme.cc b/src/auth/ntlm/Scheme.cc index 249337ffa8..10bb070bf8 100644 --- a/src/auth/ntlm/Scheme.cc +++ b/src/auth/ntlm/Scheme.cc @@ -40,10 +40,10 @@ Auth::Ntlm::Scheme::shutdownCleanup() debugs(29, DBG_CRITICAL, "Shutdown: NTLM authentication."); } -Auth::Config * +Auth::SchemeConfig * Auth::Ntlm::Scheme::createConfig() { Auth::Ntlm::Config *ntlmCfg = new Auth::Ntlm::Config; - return dynamic_cast(ntlmCfg); + return dynamic_cast(ntlmCfg); } diff --git a/src/auth/ntlm/Scheme.h b/src/auth/ntlm/Scheme.h index 5b4dd88843..5dd365bd60 100644 --- a/src/auth/ntlm/Scheme.h +++ b/src/auth/ntlm/Scheme.h @@ -31,7 +31,7 @@ public: /* per scheme */ virtual char const *type() const; virtual void shutdownCleanup(); - virtual Auth::Config *createConfig(); + virtual Auth::SchemeConfig *createConfig(); /* Not implemented */ Scheme (Scheme const &); 
diff --git a/src/auth/ntlm/User.cc b/src/auth/ntlm/User.cc index df0753863b..f0e3045dd6 100644 --- a/src/auth/ntlm/User.cc +++ b/src/auth/ntlm/User.cc @@ -7,12 +7,12 @@ */ #include "squid.h" -#include "auth/Config.h" +#include "auth/SchemeConfig.h" #include "auth/CredentialsCache.h" #include "auth/ntlm/User.h" #include "Debug.h" -Auth::Ntlm::User::User(Auth::Config *aConfig, const char *aRequestRealm) : +Auth::Ntlm::User::User(Auth::SchemeConfig *aConfig, const char *aRequestRealm) : Auth::User(aConfig, aRequestRealm) { } diff --git a/src/auth/ntlm/User.h b/src/auth/ntlm/User.h index c61024f146..d07da57af6 100644 --- a/src/auth/ntlm/User.h +++ b/src/auth/ntlm/User.h @@ -16,7 +16,7 @@ namespace Auth { -class Config; +class SchemeConfig; namespace Ntlm { @@ -27,7 +27,7 @@ class User : public Auth::User MEMPROXY_CLASS(Auth::Ntlm::User); public: - User(Auth::Config *, const char *requestRealm); + User(Auth::SchemeConfig *, const char *requestRealm); virtual ~User(); virtual int32_t ttl() const override; diff --git a/src/auth/ntlm/UserRequest.cc b/src/auth/ntlm/UserRequest.cc index 5e9a379a28..d354cde098 100644 --- a/src/auth/ntlm/UserRequest.cc +++ b/src/auth/ntlm/UserRequest.cc @@ -124,7 +124,7 @@ Auth::Ntlm::UserRequest::startHelperLookup(HttpRequest *, AccessLogEntry::Pointe assert(data); assert(handler); - if (static_cast(Auth::Config::Find("ntlm"))->authenticateProgram == NULL) { + if (static_cast(Auth::SchemeConfig::Find("ntlm"))->authenticateProgram == NULL) { debugs(29, DBG_CRITICAL, "ERROR: NTLM Start: no NTLM program configured."); handler(data); return; diff --git a/src/cache_cf.cc b/src/cache_cf.cc index 7ab12505a8..3f1ae523de 100644 --- a/src/cache_cf.cc +++ b/src/cache_cf.cc @@ -18,6 +18,7 @@ #include "acl/Tree.h" #include "anyp/PortCfg.h" #include "anyp/UriScheme.h" +#include "auth/SchemesConfig.h" #include "AuthReg.h" #include "base/RunnersRegistry.h" #include "cache_cf.h" 
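Review bot: The `#include "auth/SchemesConfig.h"` added near the top of src/cache_cf.cc sits outside any `#if USE_AUTH` guard, while the same header is already included inside the `#if USE_AUTH` block further down the file (visible as context in the next cache_cf.cc hunk). The include this commit removes from SquidConfig.h was guarded, so the new line changes what a build without authentication has to compile; whether the header is safe in that configuration cannot be seen from here. Dropping the added line and relying on the existing guarded include keeps the previous behaviour and avoids the duplicate.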
@@ -78,7 +79,7 @@ #include "ssl/support.h" #endif #if USE_AUTH -#include "auth/Config.h" +#include "auth/SchemeConfig.h" #include "auth/Scheme.h" #include "auth/SchemesConfig.h" #endif @@ -938,15 +939,15 @@ configDoConfigure(void) * state will be preserved. */ if (Config.pipeline_max_prefetch > 0) { - Auth::Config *nego = Auth::Config::Find("Negotiate"); - Auth::Config *ntlm = Auth::Config::Find("NTLM"); + Auth::SchemeConfig *nego = Auth::SchemeConfig::Find("Negotiate"); + Auth::SchemeConfig *ntlm = Auth::SchemeConfig::Find("NTLM"); if ((nego && nego->active()) || (ntlm && ntlm->active())) { debugs(3, DBG_PARSE_NOTE(DBG_IMPORTANT), "WARNING: pipeline_prefetch breaks NTLM and Negotiate authentication. Forced pipeline_prefetch 0."); Config.pipeline_max_prefetch = 0; } } - for (auto &authSchemes: Config.authSchemesConfigs) { + for (auto &authSchemes : Auth::SchemeListConfig) { authSchemes.expand(); if (authSchemes.authConfigs.empty()) { debugs(3, DBG_CRITICAL, "auth_schemes: at least one scheme name is required; got: " << authSchemes.rawSchemes); @@ -1792,7 +1793,7 @@ parse_authparam(Auth::ConfigVector * config) } /* find a configuration for the scheme in the currently parsed configs... */ - Auth::Config *schemeCfg = Auth::Config::Find(type_str); + Auth::SchemeConfig *schemeCfg = Auth::SchemeConfig::Find(type_str); if (schemeCfg == NULL) { /* Create a configuration based on the scheme info */ @@ -1805,7 +1806,7 @@ parse_authparam(Auth::ConfigVector * config) } config->push_back(theScheme->createConfig()); - schemeCfg = Auth::Config::Find(type_str); + schemeCfg = Auth::SchemeConfig::Find(type_str); if (schemeCfg == NULL) { debugs(3, DBG_CRITICAL, "Parsing Config File: Corruption configuring authentication scheme '" << type_str << "'."); self_destruct(); 
@@ -1831,8 +1832,8 @@ free_authparam(Auth::ConfigVector * cfg) static void dump_authparam(StoreEntry * entry, const char *name, Auth::ConfigVector cfg) { - for (Auth::ConfigVector::iterator i = cfg.begin(); i != cfg.end(); ++i) - (*i)->dump(entry, name, (*i)); + for (auto *scheme : cfg) + scheme->dump(entry, name, scheme); } static void @@ -1844,15 +1845,15 @@ parse_AuthSchemes(acl_access **authSchemes) self_destruct(); return; } - Config.authSchemesConfigs.push_back(Auth::SchemesConfig(tok, ConfigParser::LastTokenWasQuoted())); - const allow_t action = allow_t(ACCESS_ALLOWED, Config.authSchemesConfigs.size() - 1); + Auth::SchemeListConfig.emplace_back(tok, ConfigParser::LastTokenWasQuoted()); + const allow_t action = allow_t(ACCESS_ALLOWED, Auth::SchemeListConfig.size() - 1); ParseAclWithAction(authSchemes, action, "auth_schemes"); } static void free_AuthSchemes(acl_access **authSchemes) { - Config.authSchemesConfigs.clear(); + Auth::SchemeListConfig.clear(); free_acl_access(authSchemes); } @@ -1861,7 +1862,7 @@ dump_AuthSchemes(StoreEntry *entry, const char *name, acl_access *authSchemes) { if (authSchemes) dump_SBufList(entry, authSchemes->treeDump(name, [](const allow_t &action) { - return Config.authSchemesConfigs.at(action.kind).rawSchemes; + return Auth::SchemeListConfig.at(action.kind).rawSchemes; })); } diff --git a/src/tests/stub_libauth.cc b/src/tests/stub_libauth.cc index 5cfa53a876..bac9f86706 100644 --- a/src/tests/stub_libauth.cc +++ b/src/tests/stub_libauth.cc 
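Review bot: In parse_AuthSchemes the ACL action stores `Auth::SchemeListConfig.size() - 1`, a position in what is now a namespace-scope global rather than a member of `Config`, and nothing in the hunk documents that the ACL tree and that vector must be built and freed together. free_AuthSchemes clears the whole list and dump_AuthSchemes relies on `.at(action.kind)` to catch a stale index; it is worth confirming that the consumers outside this hunk use bounds-checked access as well. I would add a comment above the `emplace_back` such as `// action.kind is this entry's index in Auth::SchemeListConfig; the list is only valid together with the auth_schemes ACL tree (see free_AuthSchemes)`. parse_AuthSchemes begins before the hunk.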
@@ -12,11 +12,14 @@ #include "STUB.h" #if USE_AUTH -#include "auth/Config.h" -Auth::UserRequest::Pointer Auth::Config::CreateAuthUser(const char *, AccessLogEntry::Pointer &al) STUB_RETVAL(NULL) -Auth::Config * Auth::Config::Find(const char *) STUB_RETVAL(NULL) -void Auth::Config::registerWithCacheManager(void) STUB_NOP -Auth::ConfigVector Auth::TheConfig; +#include "auth/SchemeConfig.h" +namespace Auth +{ +Auth::UserRequest::Pointer SchemeConfig::CreateAuthUser(const char *, AccessLogEntry::Pointer &al) STUB_RETVAL(NULL) +Auth::SchemeConfig * SchemeConfig::Find(const char *) STUB_RETVAL(NULL) +void SchemeConfig::registerWithCacheManager(void) STUB_NOP +Auth::ConfigVector TheConfig; +} #include "auth/Gadgets.h" int authenticateActiveSchemeCount(void) STUB_RETVAL(0) @@ -34,7 +37,7 @@ std::vector & Auth::Scheme::GetSchemes() STUB_RETVAL(*_Sc void Auth::Scheme::FreeAll() STUB #include "auth/User.h" -Auth::User::User(Auth::Config *, const char *) STUB +Auth::User::User(Auth::SchemeConfig *, const char *) STUB Auth::CredentialState Auth::User::credentials() const STUB_RETVAL(credentials_state) void Auth::User::credentials(CredentialState) STUB void Auth::User::absorb(Auth::User::Pointer) STUB @@ -75,7 +78,11 @@ Auth::Scheme::Pointer Auth::UserRequest::scheme() const STUB_RETVAL(NULL) void Auth::Init() STUB_NOP #include "auth/SchemesConfig.h" -void Auth::SchemesConfig::expand() STUB +namespace Auth +{ +std::vector SchemeListConfig; +void SchemesConfig::expand() STUB +} #endif /* USE_AUTH */ diff --git a/src/tests/testAuth.cc b/src/tests/testAuth.cc index e54c985c96..c053cc4172 100644 --- a/src/tests/testAuth.cc +++ b/src/tests/testAuth.cc @@ -10,7 +10,7 @@ #if USE_AUTH -#include "auth/Config.h" +#include "auth/SchemeConfig.h" #include "auth/Gadgets.h" #include "auth/Scheme.h" #include "auth/UserRequest.h"