1 Reply Latest reply on Jun 15, 2003 12:56 PM by jonlee

    httptraceenabled

    brianm

      We just loaded JBOSS 3.2.1 and now our network scans show "httptraceenabled". Without using Apache or IIS, how do we disable httptrace?

        • 1. Re: httptraceenabled
          jonlee

          TRACE is a necessary spec conformance for HTTP 1.1 and the doTrace method is declared out of necessity for conformance in the servlet base class javax.servlet.http.HttpServlet.

          I suppose you could provide a security constraint for <http-method>TRACE</http-method>.

          I don't know that this has otherwise been addressed. The last recourse would be to either override the doTrace method for every servlet or provide a special HttpServlet class.
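The "special HttpServlet class" option from the reply above, sketched as an added example that is not part of the original thread or of JBoss. The class name `NoTraceHttpServlet` and the helper `withoutTrace` are hypothetical; it assumes the `javax.servlet` 2.3+ API, where `HttpServletResponseWrapper` is available.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/** Hypothetical base class: application servlets extend this instead of HttpServlet. */
public abstract class NoTraceHttpServlet extends HttpServlet {

    /** Refuse TRACE with 405 instead of echoing the request back to the client. */
    @Override
    protected void doTrace(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED, "TRACE is disabled");
    }

    /** Keep OPTIONS consistent: drop TRACE from any Allow header the inherited doOptions sets. */
    @Override
    protected void doOptions(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        super.doOptions(req, new HttpServletResponseWrapper(resp) {
            @Override
            public void setHeader(String name, String value) {
                boolean allow = "Allow".equalsIgnoreCase(name) && value != null;
                super.setHeader(name, allow ? withoutTrace(value) : value);
            }
        });
    }

    /** "GET, HEAD, TRACE, OPTIONS" becomes "GET, HEAD, OPTIONS". */
    static String withoutTrace(String allowHeader) {
        List<String> kept = new ArrayList<>();
        for (String part : allowHeader.split(",")) {
            String method = part.trim();
            if (!method.isEmpty() && !method.equalsIgnoreCase("TRACE")) {
                kept.add(method);
            }
        }
        return String.join(", ", kept);
    }
}
```

This only covers requests dispatched to servlets that extend the base class; JSPs, static content and any servlet still extending `HttpServlet` directly keep the container's default TRACE handling, so rerun the network scan against each of those paths after deploying.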