I'm implementing ServiceStack's Roles and Permissions. I send

{"UserName":"JASON1","Permissions":["CanAccess"],"Roles":["Admin"]}

via http://localhost:15465/api/json/reply/AssignRoles but i got following error:

{
  "AllRoles": [],
  "AllPermissions": [],
  "ResponseStatus": {
    "ErrorCode": "Invalid Role",
    "Message": "Invalid Role",
    "StackTrace": "[AssignRoles: 3/11/2015 11:12:02 PM]:\n[REQUEST: {UserName:JASON1,Permissions:[CanAccess],Roles:[Admin]}]\nServiceStack.HttpError: Invalid Role\r\n   at ServiceStack.RequiredRoleAttribute.AssertRequiredRoles(IRequest req, String[] requiredRoles)\r\n   at ServiceStack.Auth.AssignRolesService.Post(AssignRoles request)\r\n   at lambda_method(Closure , Object , Object )\r\n   at ServiceStack.Host.ServiceRunner`1.Execute(IRequest request, Object instance, TRequest requestDto)",
    "Errors": []
  }
}

what will be the solutions and where are some built in roles and permissions? i couldn't find any information? Thanks.

The AssignRolesService shouldn't be called by anyone, by default it can only be called by someone in the RoleNames.Admin, i.e. Admin Role.

Use custom Assign Roles Service

You can ignore this default behavior by instead using your own custom Service to assign roles which is just a wrapper around the IAuthRepository.AssignRoles() API, e.g:

public class CustomRolesService : Service
{
    public IAuthRepository AuthRepo { get; set; }

    public object Post(AssignRoles request)
    {
        var userAuth = AuthRepo.GetUserAuthByUserName(request.UserName);
        if (userAuth == null)
            throw HttpError.NotFound(request.UserName);

        AuthRepo.AssignRoles(userAuth, request.Roles, request.Permissions);

        return new AssignRolesResponse();
    }
}

Master AuthSecret

To help with development ServiceStack also supports specifying a master password with:

SetConfig(new HostConfig { AdminAuthSecret = "secretz" });

Which then lets you by-pass any protected service with the QueryString:

?authsecret=secretz