SOAP service list API is exposed to non-authorized guest users
Dia Seung
Issue
The SOAP service list API at http://[host]:[port]/api/axis is exposed to external guest users even though it is configured to be displayed locally only.
The following property is set in portal-ext.properties: axis.servlet.hosts.allowed=127.0.0.1
Environment
DXP 7.2, DXP 7.1
Resolution
To prevent external access, we typically recommend a block at the web server tier.
For the SOAP service list, remove 127.0.0.1 from the axis.servlet.hosts.allowed property, as this entry allows Apache to expose the API even in non-local environments.
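One way to check a portal-ext.properties file for the entry described above, as an added example that is not Liferay's own code. The function names and sample files are constructed for illustration, the reader follows java.util.Properties rules as an assumption, and flagging every loopback address rather than only 127.0.0.1 goes beyond the article.

```python
import ipaddress

PROP = "axis.servlet.hosts.allowed"  # property named in the article

def load_properties(text):
    """Minimal .properties reader (hypothetical helper): '#'/'!' comments,
    '=' or ':' separators, backslash line continuation. Duplicate keys:
    the last one wins (java.util.Properties behaviour, assumed here)."""
    props, pending = {}, ""
    for raw in text.splitlines():
        stripped = raw.strip()
        # Blank and comment lines are skipped unless they continue a value.
        if not pending and (not stripped or stripped[0] in "#!"):
            continue
        line = pending + stripped
        if line.endswith("\\"):
            pending = line[:-1]  # value continues on the next line
            continue
        pending = ""
        for i, ch in enumerate(line):
            if ch in "=:":  # first separator splits key from value
                props[line[:i].strip()] = line[i + 1:].strip()
                break
    return props

def loopback_entries(text):
    """Loopback addresses in the property's value; None if the file does not set it."""
    value = load_properties(text).get(PROP)
    if value is None:
        return None
    found = []
    for entry in (e.strip() for e in value.split(",")):
        try:
            if ipaddress.ip_address(entry).is_loopback:
                found.append(entry)
        except ValueError:
            pass  # host names and tokens are not judged by this check
    return found

# Constructed sample files, not taken from a real installation.
AS_IN_ARTICLE = "# portal-ext.properties\naxis.servlet.hosts.allowed=127.0.0.1\n"
CONTINUED = "axis.servlet.hosts.allowed=192.0.2.10,\\\n    127.0.0.1\n"
UNSET = "# property not set in this file\nexample.other.key=1\n"

if __name__ == "__main__":
    for name, text in [("as in article", AS_IN_ARTICLE),
                       ("continued", CONTINUED), ("unset", UNSET)]:
        print(name, "->", loopback_entries(text))
```

The check reads only the text it is given; a result of None means the file does not set the property, not that the portal has no value for it.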