I have a high-priority filter in ApplicationController like this:
# Prevents account sites from accessing to the public side. This filter
# assumes the root page is not under public, which is to be expected, and
# redirects there if needed.
if controller_name == 'public' && account_subdomain != 'www'
logger.info("attempt to access to a public action from an account site")
It does not do what you want, but that filter depicts a possible approach.
If your controllers do not mix public and private actions that filter may suffice. A set of controller names would be used instead of the hard-coded 'public' (my app has all the public stuff served by a single controller). If there are too many as you suggested in a previous mail, then you could have abstract controllers AbstractPublicController, AbstractPrivateController between ApplicationController and the rest, and test is_a?(AbstractPublicController).
The redirection would be different as well, but you see the idea.