Can you post "ls -l" output for the shell script, java file, and the config files being used?
Here's my thought:
1. Create a separate user account and group ID.
2. Change ownership of the shell script, java file, and the configs to this UID and GID.
3. Provide read and execute permission on the shell script and java file. Read+write (if modification is required) for the config files. Make sure "others" do not have any permission on the files.
3. Create another group and add the users who should run the shell script in that.
4. Create ACL and assign this group execute permission on the shell script.
Here's the expected result:
The user tries to execute the shell script. As he belongs to the second group and has execute permission on the shell script through ACL, he would be able to do so. Now, as the SGID bit set, the script will run with the owner GID which provides execute permission to the java code and read+write permission to the config files even though the user's UID does not have any explicit permission on them. You have to make sure that the shell script does not contain anything which would give shell escape to the user.
hope this helps!