Grails Controller and URL Mapping Magic

Grails 3.0.1 here. I'm looking to accomplish a specific URL/controller structure. My app deploys at the root context (/), meaning locally it runs as http://localhost:8080, and non-locally as http://someserver.example.org.

I want everything under /app/* to be authenticated and considered to be part of the "core app" (requires login). Anything outside of that URL is considered to be a part of the public website (unauthenticated). However, I want /app/ itself to just be a placeholder of sorts; I do not want it to be a Grails controller. Hence:

• http://localhost:8080/app may be configured (UrlMappings?) to bring up a login page
• http://localhost:8080/app/<controller>/<action> follows typical Grails controller/action suit, and would invoke the correct controller action

Hence http://localhost:8080/app/order/create would be authenticated and, if logged in, invoke the OrderController#create action, which might render a createOrder.gsp.

I'm wondering what the Grails 3.x approach is to:

1. Allowing /app/ to exist, but not as a controller (like I said, perhaps just redirecting/mapping to a login page)
2. Allowing anything underneath /app/ to follow the controller/action paradigm

Thoughts on how to implement this?

Update

class UrlMappings {
    static mappings = {
        "/$controller/$action?/$id?(.$format)?"{
            constraints {
                // apply constraints here
            }
        }

        "/app/$controller/$action?/$id?" {
            ???
        }

        "/"(view:"/index")
        "500"(view:'/error')
        "404"(view:'/notFound')
    }
}