When capabilities are set and the user is not root, the linux kernel uses secure execution. When secure execution is used, the elf token $ORIGIN is not expanded, nor are environment variables used relevant to to dynamic linking. The java executable uses that particular dynamic linking token, so it cannot find the shared libraries.
I haven't yet tried it out, but a reasonable approach seem to be to run the server as root and reduce the capabilities of root down to minimum necessary. It's not as appealing as running under a non-root user, but with an appropriate use of secure bits seems to be safe. If anyone has any additional information on the security or feasibility of this approach, I would like to hear it.
[Message sent by forum member 'chriskhan']
http://forums.java.net/jive/thread.jspa?messageID=393052