I have partially implemented a solution using an grails filter and a session listener that required me to modify the web.xml. The session listener tells me when the session has ended, and the grails filter tells me when any controller has been called for the first time with an authenticated user.
It appeared to me that both were required because either grails or the acegi plugin creates a new session automatically so I needed to the grails filter to determine when the session actually has an authenticated user.
I am saying all of this to say, is there an easier approach that does not require a filter and a sessionListener. Just looking to clean up the code so when I need to get back to it later it will still make sense