Camel is extending the Geronimo servlet in which HTTP TRACE is allowed.
We should disable TRACE by default.
I'm attaching a potential fix for this issue. No time left today for me to verify 100%
There is also camel-http4 which has a http consumer that needs a tweak.
Merged to 2.7 branch here http://fusesource.com/forge/git/camel.git/?p=camel.git;a=commit;h=71118a735b0ce20ed7a88231bf7cd563f3eef8c5
Also merged to 2.8, 2.9, and trunk.