It is supposed to be logged in to navigate inside Hawtio page. However, it is possible to specify a direct URL link (for example: "http://localhost:8181/hawtio/osgi") to somewhere and it will pass you without authentication.
It will not show and load any sensitive information but still it does not look OK.