@@ -, +, @@
---
 java/jakarta/el/ImportHandler.java | 23 +++++++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)
--- a/java/jakarta/el/ImportHandler.java
+++ a/java/jakarta/el/ImportHandler.java
@@ -19,6 +19,8 @@ package jakarta.el;
 import java.lang.reflect.Field;
 import java.lang.reflect.Method;
 import java.lang.reflect.Modifier;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.HashSet;
@@ -33,6 +35,9 @@ public class ImportHandler {
 private static final Map> standardPackages = new HashMap<>();
+ private static final boolean IS_SECURITY_ENABLED =
+ (System.getSecurityManager() != null);
+
 static {
 // Servlet 5.0
 Set servletClassNames = new HashSet<>();
@@ -452,7 +457,21 @@ public class ImportHandler {
 * for the case where the class does exist is a lot less than the
 * overhead we save by not calling loadClass().
 */
- if (cl.getResource(path) == null) {
+ Boolean isResourceNull;
+ if (IS_SECURITY_ENABLED) {
+ isResourceNull = AccessController.doPrivileged(
+ new PrivilegedAction() {
+
+ @Override
+ public Boolean run() {
+ return cl.getResource(path) == null;
+ }
+
+ });
+ } else {
+ isResourceNull = cl.getResource(path) == null;
+ }
+ if (isResourceNull) {
 return null;
 }
 } catch (ClassCircularityError cce) {
@@ -489,4 +508,4 @@ public class ImportHandler {
 */
 private static class NotFound {
 }
-}
+}
--
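Review bot: In the `@@ -33,6 +35,9 @@` hunk, `IS_SECURITY_ENABLED` is computed once when `ImportHandler` is initialised, so a SecurityManager installed after that point leaves the flag `false` and the later `getResource` check takes the unprivileged branch. That fails closed rather than open, but it would bring back whatever failure motivated the patch, presumably an access-control exception for restricted callers. If late installation is not supported, say so in a comment on the field, e.g. `// Read once at class init; a SecurityManager installed later is not detected`.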
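Review bot: In the `@@ -452,7 +457,21 @@` hunk, the `doPrivileged` block calls `cl.getResource(path)` with the library's own permissions on behalf of whoever triggered the lookup, and nothing in the code records why that is safe. The block is narrow and returns only a boolean, which is the right shape, but `path` and `cl` are built outside the hunk, so confirm that `path` is always derived from a class name and cannot name arbitrary resources, then state it in a comment above the branch, e.g. `// Privileged: reveals only whether the resource exists; path is derived from the class name`. Separately, `Boolean isResourceNull;` can be declared `boolean isResourceNull;` since both branches always assign a non-null value, which avoids the unboxing in `if (isResourceNull)`. The enclosing method starts and ends outside the hunk.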